Confidentiality and trust are essential to the relationship between GPs and their patients.
The information a patient provides to their GP is confidential, and they can expect that any information that is shared for their direct care will remain confidential.
GP Connect relies on ‘implied consent’.
Explicit consent is not required when information is shared for a direct care purpose. If a patient does not want their information to be shared using GP Connect, they can opt out.
The NDSA and its terms and conditions stipulate that any information received or accessed about a patient for direct care purposes must remain confidential.
In addition to the NDSA, health and social care professionals are also subject to their own professional codes of confidentiality and are aware that any information received via GP Connect is provided in confidence, which must be respected.
Organisations using GP Connect are notified of their duty as ‘controllers’ to be fair and transparent about their processing of their patients’ information and to ensure that their transparency notices are fully updated with how they may be using GP Connect functionality.
NHS England helps support the mitigation of information sharing risks by ensuring that:
NHS England audit data access is subject to two-factor authentication and role-based access controls – only certain assured users can have access to the full audit logs
a completed Supplier Conformance Assessment List (SCAL) which covers service and capability specific compliance requirements and controls of the consumer system is in place
It is the responsibility of organisations using GP Connect to ensure that they comply with the NDSA, and their statutory and legal obligations regarding data protection and confidentiality.
Opting out of GP Connect
If patients do not wish their information to be shared using GP Connect, they can opt out by contacting their GP practice.
National Data Opt-Out
The National Data Opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.
The National Data Opt-out only applies to any disclosure of data for purposes beyond direct care, so having National Data Opt-out will not prevent your GP patient record being shared via GP Connect.
Risk Stratification
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from several sources including NHS Trusts and from this GP Practice. The identifying parts of your data are removed, analysis of your data is undertaken, and a risk score is then determined. This is then provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way in most circumstances, please contact the practice for further information about opt out.
Individual Risk Management at a GP practice level however is deemed to be part of your individual healthcare and is covered by our legal powers above.
Transferring the current paper medical records into patients’ electronic medical records.
The following provisions of the General Data Protection Regulation permit us to digitise existing paper medical records:
Article 6(1)(e) – ‘processing is necessary…in the exercise of official authority vested in the controller…’’
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’
The paper patient records will be shared with [Scanning provider], who will scan and digitise the current paper medical records before destroying them. The paper patient records will be shared with the scanning provider above, who will scan and digitise the current paper medical records before destroying them.
Anonymised information
Sometimes we may provide information about you in an anonymised form. Such information is used analyse population- level heath issues, and helps the NHS to plan better services. If we share information for these purposes, then none of the information will identify you as an individual and cannot be traced back to you.
Medicines Management
The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by the ICBs Medicines Management Team under a Data Processing contract with the Practice.
Research – National Institute for Health & Social Care Research (NIHR) – Clinical Research Network
Clinical Research Network West Midlands (CRN WM) provides a research delivery service to GP practices across the West Midlands. All CRN WM Delivery Support staff are employed by The Royal Wolverhampton NHS Trust. All NHS Staff members who have been allocated to work within the Practice will be issued with a Letter of access or assurance to confirm individual study placements and pre-employment checks.
The legal bases for processing this information
CRN WM processes data under the instruction of the individual research protocol, as delegated by the practice (data controller). You can opt out of being invited to participate in research at any time, please inform a member of the practice team and we will add the appropriate opt out code to your record.
Prior to informed consent:
The legal basis which allows us to process your personal data for research is GDPR article 6 (1)(f) …legitimate interests…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…’
Once informed consent has been given:
The legal basis which allows us to process your personal data is informed consent – Article 6 1(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; and Article 9 (2) (a) the data subject has given explicit consent to the processing those personal data for one or more specified purposes.
Individual study consent forms will detail how to withdraw consent and who to contact, this will usually be via the study sponsor.
Categories of personal data
The data processed by CRN WM delivery staff, in addition to demographic and contact details, is likely to be special category information (such as health information) to determine eligibility for individual research studies.
Recipients of data
The data processed by CRN WM delivery staff will be used to invite potentially eligible patients into research studies. Once patients have consented to participate, data processed by the CRN WM delivery staff will be used to answer the research questions as outlined in individual research protocols.
For further information, please refer to the Clinical Research Network West Midlands Privacy Notice click here