GDPR & Your Data

What is GDPR?

GDPR stands for General Data Protection Regulations and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.

The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:

  •              Practices must comply with subject access requests
  •              Where we need your consent to process data, this consent  must be freely given, specific, informed and unambiguous
  •             There are new, special protections for patient data
  •             The Information Commissioner’s Office must be notified within 72 hours of a data breach
  •             Higher fines for data breaches – up to 20 million euros

What is ‘patient data’

Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc. 

What is consent?

Consent is permission from a patient - an individual’s consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.

Individuals also have the right to withdraw their consent at any time.

Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the GDPR Regulations.

The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.

This notice reflects how we use information for:

  • The management of patient records;
  • Communication concerning your clinical, social and supported care;
  • Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
  • Participation in health and social care research; and
  • The management and clinical planning of services to ensure that appropriate care is in place.

Data Controller

As your registered GP practice, we are the data controller for any personal data that we hold about you.

Carnon Downs Surgery Privacy Notice, Leaflet & Quick Guide

Please click on the document below to see each version

  Quick Guide - GDPR poster pdf.pdf

Privacy Notice for Patients 2020

  Patient Leaflet How we Use your records.doc


General Practice Data for Planning and Research (GPDPR)

The data held in the GP medical records of patients is used every day to support health and care planning and research in England, helping to find better treatments and improve patient outcomes for everyone. NHS Digital has developed a new way to collect this data, called the General Practice Data for Planning and Research data collection.

The new data collection reduces burden on GP practices, allowing doctors and other staff to focus on patient care.

Why NHS Digital collects general practice data

NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice.

NHS Digital collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced.

NHS Digital has engaged with doctors, patients, data and governance experts to design a new approach to collect data from general practice that:

  • reduces burden on GP practices
  • explains clearly how data is used 
  • supports processes that manage and enable lawful access to patient data to improve health and social care

What data is shared (this date has been deferred until further notice) (23.7.21)

This data will be shared from 1 Sept 2021. Data may be shared from the GP medical records about:

  • any living patient registered at a GP practice in England when the collection started - this includes children and adults
  • any patient who died after 1 July 2021, and was previously registered at a GP practice in England when the data collection started

NHS Digital will not collect patients’ names or addresses. Any other data that could directly identify patients (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.

This process is called pseudonymisation and means that patients will not be identified directly in the data. NHS Digital will be able to use the software to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason.

We will collect structured and coded data from patient medical records.

NHS Digital will collect:

  • data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health
  • data on sex, ethnicity and sexual orientation
  • data about staff who have treated patients

NHS Digital does not collect:

  • name and address (except for postcode, protected in a unique coded form)
  • written notes (free text), such as the details of conversations with doctors and nurses
  • images, letters and documents  
  • coded data that is not needed due to its age - for example medication, referral and appointment data that is over 10 years old
  • coded data that GPs are not permitted to share by law - for example certain codes about IVF treatment, and certain information about gender re-assignment

GP Practice Privacy Notice

Opting out

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.

Type 1 Opt-out (opting out of NHS Digital collecting your data)

We will not collect data from GP practices about patients who have registered a Type 1 Opt-out with their practice. More information about Type 1 Opt-outs is in our GP Data for Planning and Research Transparency Notice, including a form that you can complete and send to your GP practice.

This collection will start on 1 July 2021 so if you do not want your data to be shared with NHS Digital please register your Type 1 Opt-out with your GP practice by 23 June 2021.

If you register a Type 1 Opt-out after this collection has started, no more of your data will be shared with us. We will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.

If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.

Printable Opt Out Form - return signed to CDS

National Data Opt-out (opting out of NHS Digital sharing your data)

We will collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.

NHS Digital won’t share any confidential patient information about you - this includes GP data, or other data we hold, such as hospital data - with other organisations, unless there is an exemption to this.

To find out more information and how to register a National Data Opt-Out, please read our GP Data for Planning and Research Transparency Notice.


National Data Opt Out Programme

The 25th May 2018 saw the introduction of the NHS 'National Data Opt-Out programme'; this is a service that enables data subjects to opt out of having their data shared for research and/or planning purposes.  NHS Digital will be automatically converting patients' existing type 2 objections to the new op-out from May 2018.

Our patients do not need to take any action, and this will not affect the way your information is used.  We are continuing to respect your original choice to not share confidential patient information beyond NHS Digital for research or planning, but your choice will recorded as a national data opt-out rather than a 'type 2 objection'.

Every patient who is now aged 13 or over with a type 2 objection recorded will receive a personal letter explaining the change.  The letters wil be issued from June 2018 and will include a handout which explains more about the scheme.  The letter will ask patients to contact NHS Digital should they have any questions.

Below is a useful link for patients from NHS Choices called 'Your NHS Data Matters' click on the logo for more information.  The second link is a leaflet provided by the NHS - copies are available at the surgery.

Your NHS Data Matters Leaflet



Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website