NHS Data Sharing
www.nhsdatasharing.info

This non-commercial website was written by Dr Neil Bhatia, General Practitioner (GP)
Records Access Lead, Caldicott Guardian, Information Governance Lead, Data Privacy Officer, Data Protection Officer, Data Autonomy Advocate.

Twitter: @docneilb

This is a personal website and in no way affiliated with any GP surgery, PCN, ICB, NHS England, the NDG, the UKCGC, the ICO, or any other organisation.

All information is correct (most of it released to me under FOI), and up to date, as far as I can tell.
Opinions on lawfulness, fairness, confidentiality, and privacy, are my own.

There is no third-party user tracking technology present on this website.
See my privacy policy

This site tells you about NHS Data sharing (in England) - the very many ways by which information from your electronic GP record is, or can be, made available to others, or used.

It tells you how your personal confidential information is being used - and misused.

The largest amount of information on this site relates to shared care records, where (almost) your entire GP record is made accessible to very many people outside of your GP surgery.

"Confidentiality, once breached, is lost for ever"

Cream Holdings Limited and others (Respondents) v. Banerjee and others (Appellants) [2004] UK House of Lords

This site tells you how to control your GP record, so that you decide what happens to your personal confidential information. Once you know what can happen, or is already happening, to your personal information, then you can make an informed choice as to whether to allow such data sharing to happen or continue - in other words, whether to opt-out or not.

So you can share data on your terms.

This site helps you find information about Shared Care Records (ICRs, LHCRs, LHCREs), where information from your GP record is combined with your hospital records, mental health records, and social care records, and made available to many organisations - and potentially thousands of individuals - outside of your GP surgery

And it tells you if your personal confidential information is being unlawfully disclosed by your GP surgery, and processed by organisations such as Microsoft, under the guise of "shared care records", in a breach of your confidentiality.

It tells you about the Type 1 ("9Nu0") opt-out (or objection) - an electronic flag added to your GP record, at your request, that prohibits the use of your personal confidential information in various ways. It tells you what it does, and what it does not do; where it works, and where it seems to have no effect (when it should).

It tells you about the National Data Opt Out, which replaced the Type 2 opt-out from October 2018.

It tells you how you can limit the ways that NHS England can disseminate and sell information that it holds about you, obtained from your GP/hospital/social care/mental health and other such records, to third parties within and outside of the NHS (including commercial organisations).

It helps you find information about:

• Shared Care Records (ShCRs)


• The National Summary Care Record (SCR) - where information from your GP record (only) is extracted, uploaded, and made available to others across England


• Risk stratification databases


• Population Health Management databases


• National Audits, the Clinical Practice Research Datalink (CPRD), and other data extractions to NHS England, including "sick note" data extractions for the DWP


• Legal Obligations and Professional Duty to disclose information

This site tells you about other ways, completely unrelated to shared care records, by which your electronic GP record is, or can be, made available to health professionals providing you with direct medical care:

• Remote Consultations - where your GP record is accessible to another GP surgery, for a defined purpose and on a pre-arranged occasion


• Cross Organisational Consultations - another situation where your GP record is accessible to another GP surgery, for a defined purpose and on a pre-arranged occasion


• Secure online records access (as controlled entirely by you)


• Pharmacy Access

And this site mentions:

• Anonymised or aggregate data from GP records - that is, data that is completely de-identified at source, and how it is shared outside of the surgery


• GP referrals - information from your medical record when your GP has need to refer you to other healthcare professionals


• Other ways by which you can share your medical information with healthcare professionals outside of your GP surgery


• NHS England, and how you can limit what information about you it gives and sells to other organisations

GP surgeries, in particular, process personal confidential medical information in very many ways. Have a look at this detailed privacy notice to get any idea of just how many.

This infographic, showing data flows of personal confidential information, might also be useful.

For many of the NHS Databases, where your information is extracted and uploaded from your GP record:

• You will not be asked for your explicit permission before the extraction takes place
• If you do not opt-out then your information will be extracted and uploaded from your GP record
• Your GP surgery may not end up as the data controller for your uploaded information
• Your GP surgery may not be able to genuinely control who has access to your uploaded information, or how your uploaded information is used (particularly for secondary purposes)

For nearly all shared care records, the only way to prevent medical information about you from hospitals and other non-GP sources from being disseminated in this way is to opt-out at your GP surgery.

You can opt-out, of any or all of the NHS databases, at any time - it is never "too late" to opt-out.

And you can opt back in, to any or all of the NHS Databases, at any time - should you wish.

When you opt-out your GP surgery will add a special electronic flag (known as a read code) to your GP record, which will block any extraction and uploading of your personal confidential information to the relevant databases.

If information about you has already been uploaded, then opting out will ensure that no further information is uploaded, and that any already uploaded information is either "blanked" or made unavailable.

You can opt out of each database individually (amend the opt-out form below accordingly).

Or you can opt out of all of these databases at once, by downloading this single form (as .doc or .pdf), and either:

• handing it in to your surgery
• posting it to your surgery, or
• emailing it to your surgery
• sending an electronic administrative message to your surgery (e.g. via eConsult)

Almost without exception within the NHS, you need to actively object if you do not want your personal confidential information shared or disseminated in these ways.

"To be sure I must; and therefore I may assume that your silence gives consent."
Plato

How do I find out what I have already opted out of, or am opted out of?

You can find out what you have already opted out of by simply asking your GP surgery.

Alternatively, you can just opt out of the schemes that you wish to - right now (by using the form linked to above).

It doesn't matter if you opt out of any - or all - of them more than once.

Terminology:

Data protection: the lawful control and use of personal data held by an organisation (the data controller). Data protection encompasses data security, data privacy, and data ethics. An important part of data protection is ensuring control over the access of personal information, as held by the controller, to third parties; and in particular, ensuring that there is no unauthorised access or disclosure.

Data privacy: ensuring and empowering data subjects to control the use, dissemination, and access to, their personal (and sometimes confidential) information. It enables people to make their own decisions about who can process their data, and for what purposes - autonomy over their personal information. That means upholding a person's right to privacy under Article 8 of the Human Rights Act.

"Privacy is having the choice - it is the right to decide who we tell what, to establish boundaries, to limit who has access to our bodies, places and things, as well as our communications and our information."
Privacy International

Data security: the protection of data from accidental, or intentional but unauthorised, modification, destruction, or disclosure of data held by an organisation. In other words, and simply - keeping data secure. Not keeping data secure may result in a data breach.

Data ethics: the correct, appropriate, proportionate, responsible, fair, privacy-respecting, subject rights respecting, harm-avoiding, use (or processing) of an individual's personal information.
Fairness, transparency, accountability.
It includes respect for the individual's right to know what is happening to their information (to be informed), and their right to control it - the right to autonomy over their personal information.

"You need to stop and think not just about how you can use personal data, but also about whether you should.”
Information Commissioner's Office

Personal data: any information relating to an identified or identifiable natural person (data subject). Examples include your name, home//work address, email address, your computer IP address - and your medical records. Personal data includes personally identifiable information, special category data, and confidential data.

Personally identifiable data (or information): sometimes referred to as PII. Personal data which can be used to distinguish or trace an individual's identity, such as their name, NHS number, medical records, alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

Special category data: sometimes called sensitive data. Personal data revealing or concerning certain types of data, such as racial or ethnic origin, political opinions, religious beliefs, genetic data, sexual orientation, and health data (medical records).

Confidential data (or information): information given in circumstances where it is expected that a duty of confidence applies, and that information cannot normally be disclosed without the information provider's permission. Your medical records are confidential data.

So your medical records, whether held by your GP surgery or a hospital, clinic, or service:

• is personal data
• is personally identifiable information (PII)
• is special category (sensitive) data
• is confidential data

Primary uses are uses of data for the main purpose for which they were originally collected directly from the individuals concerned.

For your GP record, this means making that information available, to healthcare professionals that you are seeing, within your GP surgery, for your direct medical care.

You can download a simple factsheet about data sharing between healthcare professionals here.

"Permission to View"

When your GP record is being accessed by someone outside of your surgery, such as access via a shared care record, for direct care (primary) purposes, you should be asked for your explicit permission before that clinician (or admin staff) accesses your personal confidential information. This is called permission to view (PTV).

But far from all shared care record schemes respect permission to view.

More information about permission to view can be found within the Shared Care Records section of this website.

Secondary uses are uses of existing data for purposes other than those for which they were originally obtained.

For your GP record, this means making that information available, to anyone (not just within the NHS), for purposes other than providing your direct medical care.

Examples of secondary uses include, research, audit, healthcare planning, "population health management", commercial and even political uses.

You can control the use of your medical records for secondary purposes by means of the Type 1 and National Data opt-outs.

You can download a simple factsheet about the Type 1 secondary uses opt-out here.

The National Data Opt Out

On 25th May 2018, NHS Digital launched the National Data Opt Out (NDOO), which replaced the GP Type 2 opt-out.

You can find information on the NDOO:

• at www.nationaldataoptout.info
• In this detailed factsheet


• In NHS Digital's brief factsheet
• On the NDOO website
• from medConfidential

The NDOO is nothing new. The Type 2 opt-out has been around for a number of years.

The National Data Opt Out doesn't stop you contributing to any research where you are asked first.

It only stops the use of your confidential medical information where you are not asked before your data is taken and used.

Shared Care Records (ShCRs)

For the purpose of commissioning medical services, including the creation of shared care records, England is divided into seven regions - North East & Yorkshire, North West, Midlands, East of England, London, South East, South West.
Each region is then divided into ICBs. ICB stands for “integrated care board”. These are areas where local NHS organisations, including GP surgeries, NHS hospitals, and local councils, draw up shared proposals to improve health and care in the areas they serve. So, for example, within the North West region, there are 3 ICBs, namely Cheshire and Merseyside, Greater Manchester, and Lancashire and South Cumbria

As far as shared records go:

Some areas within ICBs have their own shared record - a so-called “integrated care record”, or ICR. Wigan's “Share To Care” is one such example. Only the GP surgeries within Wigan contribute to it.

Some ICB's have one care record for the whole of the ICB, often called a Local Health and Care Record (LHCR). This could, in time, incorporate a number of ICRs.

Finally, mega care records, also known as Local Health and Care Record Exemplars (LHCRE), exist, spanning across one or more ICBs. One such example is the Yorkshire and Humber LHCRE. This aims to “join up” the shared records of a number of ICBs in the North East. That will necessarily include joining up the Doncaster ICR, the Rotherham ICR, and the Leeds Care Record (ICR).

You will not be asked for your explicit permission before your GP record is made accessible to others outside of your GP surgery.

And, in many areas, you will not be asked for your explicit permission before your GP record is accessed by others outside of your GP surgery.

When Permission to View (PTV) is upheld, you are always asked before your shared care record is accessed by anyone outside of your GP surgery.

What does the General Medical Council say about PTV?

"If you suspect a patient would be surprised to learn about how you are accessing or disclosing their personal information, you should ask for explicit consent unless it is not practicable to do so (see paragraph 14). For example, a patient may not expect you to have access to information from another healthcare provider or agency on a shared record."
“Asking for a patient’s consent to disclose information shows respect and is part of good communication between doctors and patients.”
"Trust is an essential part of the doctor-patient relationship and confidentiality is central to this. Patients may avoid seeking medical help, or may under-report symptoms, if they think their personal information will be disclosed by doctors without consent, or without the chance to have some control over the timing or amount of information shared.”

What does the British Medical Association say about PTV?

"If patients decide to have a shared record, their explicit consent to view must be obtained e.g. where a practice other than the patient’s is seeking to view the record for of out-of-hours care."

What does the National Data Guardian say about PTV?

"You are quite correct in stating in your correspondence with my office that my 2016 and 2013 reviews re-iterated the Caldicott Principles, and that only relevant information about a patient should be shared between health professionals in support of their care. Both took the position that explicit consent should be obtained before accessing someone’s whole record."

“The Review Panel concluded that consent should be obtained before sharing a patient’s whole care record with other registered and regulated health and social care professionals for the purposes of direct care. Any exceptions to this guidance should be based on professional judgement in individual cases.”

“Explicit consent should be obtained before accessing someone’s whole record."

"There should be ‘no surprises’ for the public in regard to how their confidential information is being used."

"There can be no assumptions made about today’s citizens. They have a right to know, and object about how their data is used, if they wish."

"In the material that you have sent us, you highlight an issue that my panel and I have seen occurring in a number of places this year, namely confusion between the requirement of GDPR and the common law, particularly on the issue of consent. I agree that when confidential patient information is being shared the requirements of both GPDR and the common law should be considered. I also agree that even where consent is the basis on which the duty of confidentiality is set aside, it is not necessarily the case that consent is the appropriate GDPR basis for processing."

What does the Information Commissioner (ICO) say about PTV?

That PTV would “be considered desirable from a GDPR perspective as it would increase transparency and promote legality and fairness”.
That “the GDPR does not prohibit the collection of consent (i.e. PTV) for the purposes of sharing data under the CLDC.""
That permission to view “would be consistent with GDPR”.
That “the process of obtaining consent or permission to view for the purposes of the CLDC would improve transparency and this is an important aspect when considering whether the processing falls within the reasonable expectations of the patient. For example, a patient would expect their GP to share information with the hospital in the context of a referral, however, the patient may not expect the GP to share data with the Local Authority for social care purposes”.
That “there is nothing from a GDPR perspective that would prohibit a prompt for obtaining patient consent for CLDC purposes”.

That “It appears that in an attempt to promote GDPR compliance, there has been a conflation of the concepts of consent as a lawful basis of processing under GDPR and consent as a basis to share confidential information under the CLDC”.
That PTV "should not be confused with providing GDPR Consent."

What does the NHS Constitution say about PTV?

"You have the right to be informed about how your information is used."
"You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis."
"The NHS also pledges: where identifiable information has to be used, to give you the chance to object wherever possible."
"All staff have responsibilities to the public, their patients and colleagues. You should aim to inform patients about the use of their confidential information and to record their objections, consent or dissent."

This DPIA contains detailed discussion about permission to view - and how the absence of it leads to the very real possibility of a breach of confidence, a breach of privacy, and unfair and unlawful processing of personal confidential information.

There is no technological, or administrative, or procedural reason why permission to view should be absent.
PTV does not hinder lawful, fair, proportionate, ethical, rights-upholding data sharing. It does not put “barriers” to data sharing.
To the contrary, asking the patient before accessing their shared record ensures that both the clinician - and the GP surgery allowing such access - is complying with lawful, fair, and ethical data processing, and upholds the patient's right to privacy and autonomy over their personal confidential information.

When an ICR joins a LHCR, or when an ICR/LHCR is incorporated into a LCHRE, then very many more individuals, teams, services, and organisations suddenly gain access to the shared medical record.
And if PTV is not upheld then there is no way for an individual to prevent those new organisations accessing their GP record - without opting out entirely and permanently.
That means that their shared record can never be accessed, by anyone.
And when - inevitably - all the LHCRs and LCHREs are linked, your medical records will be accessible across England, by thousands of organisations, and hundreds of thousands of individuals. And if PTV is not upheld then there is no way for an individual to prevent anyone from accessing their GP record - without opting out entirely and permanently.
That means that their shared record can never be accessed, by anyone.

And that is manifestly unfair.

What is the Common Law of Confidentiality (CLoC)?

“Respecting the confidentiality of health data is a vital principle in the legal systems of all contracting parties to the Convention”
MS v Sweden, ECHR 27 AUG 1997

You can download a factsheet on the Common Law of Confidentiality from this website.

The CLoC is precedent-based law, and the general principle is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed or used without the information provider’s consent. That absolutely applies to the information recorded by your GP surgery in your practice record, where personal medical information is recorded to assist those within the surgery to provide you with medical care.

Confidential patient information is defined in section 251 of the NHS Act 2006:

11. For the purposes of this section, patient information is “confidential patient information” where

• the identity of the individual in question is ascertainable
• from that information, or
• from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and
• that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual

When disclosing or using personal confidential information for purposes other than direct medical care (as is the case in some ICRs/LHCRs/LCHREs, for risk stratification schemes, and for stand-alone population health management schemes), it is only lawful when:

• The individual has given their explicit permission; or
• The disclosure is mandated by law (a legal obligation); or
• There is an overwhelming public interest (such as to save the life of the individual); or
• The duty to obtain explicit permission has been set aside by approval under Regulation 5 of The Health Service (Control of Patient Information) Regulations 2002 (so-called s251 HRA/CAG approval)
• The duty to obtain explicit permission has been set aside by approval under either Regulation 2 or Regulation 3 of The Health Service (Control of Patient Information) Regulations 2002

If none of these conditions are met then the disclosure of personal confidential information, by your GP surgery or local NHS trust or local authority, represents a breach of confidentiality.
It is unlawful processing - a breach of privacy; a breach of Article 5(1)(a) of GDPR.

Legal precedent for breach of confidence stems from the case of Coco v A N Clark (Engineers) Ltd: ChD 1968. In that seminal case, Megarry J set out three elements which would normally be required if, apart from contract, a case of breach of confidence is to succeed:

1. The information must be of a confidential nature
2. The information must have been communicated in circumstances importing an obligation of confidence
3. There must be an unauthorised use, dissemination, or disclosure of the information

The General Medical Council’s guidance on confidentiality is clear about this (paragraphs 80, and 103-105).

In particular, paragraph 85:

"If it is not practicable for the information to be anonymised within the direct care team, it may be anonymised by a data processor under contract, as long as:

The British Medical Association’s guidance is also clear.

CAG approval, i.e. under Regulation 5 of COPI 2002, or "s251 support",provides a way to set aside the normal common law of confidentiality requirement for the explicit permission of an individual before disclosure and processing of their personal confidential information for secondary purposes.

Such support is provided for one or more "classes", and permits lawful processing in that particular way. All such processing requires Class 6 support, and where information is being anonymised, or pseudonymised, as part of secondary uses then Class 1 support will be required.

"Only by demonstrating that health and social care can be trusted to be respectful and do the right thing with people’s data will we earn the goodwill to use their data."

National Data Guardian, December 2020

LHCREs