GDPR and Privacy
Crown Heights Medical Centre and the GDPR
Crown Heights Medical Centre has ensured that it meets its obligations under the General Data Protection Regulation (GDPR), in force on 25th May 2018, and in particular how the surgery processes personal data, including sensitive health records.
You can find out more about the GDPR here:
This privacy notice explains why Crown Heights Medical Centre collects information about you, how we keep it safe and confidential, and how that information may be used.
We regularly review and update our Privacy Notice. This Privacy Notice was last updated on 15th October 2021
- Our Personal Data Breach policy (from 25th May) is here
- Our Right of Access (SAR) policy (from 25th May) is here
- Our Right to Object policy (from 25th May) is here
- Our Data Protection Impact Assessment (from 25th May) is here
- Our Data Protection Policy (from 25th May) is here
We will ensure that patients of CHMC are made aware of their rights under the new legislation and that the surgery meets its responsibilities under the GDPR.
You have the right to both:
- Opt out of any of the data sharing schemes
- Opt back into any of the data sharing schemes (that you may have already opted out of)
Your Information and How The NHS Uses It
GPDPR (GP Data for Planning and Research)
This practice is supporting vital health and care planning and research by sharing your data with NHS Digital.
Please click the link below to read the full privacy notice about GPDPR. You can also find the links to download Type 1 opt out forms from this link:
Type 1 Opt Out Forms
This form needs to be returned to us by 25th August 2021 in order to be processed in time for the change in how your data is handled (this comes into effect on 1st September).
Forms can be printed and handed in to our reception team or posted to the practice. Alternatively you can email your completed form back to the main practice email address: email@example.com
National Opt Out
If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt Out. Please click the link below for information about this.
Click on the following to watch a video about how the NHS uses data from GP practices:
The Care and Health Information Exchange (CHIE)
The Care and Health Information Exchange (CHIE) is a secure system which enables health and social care professionals across Hampshire, the Isle of Wight and surrounding areas to see the shared patient record. Please have a read of the leaflet.
National Data Opt Out
What is the National Data Opt Out (NDOO)?
The NDOO is a mechanism by which individuals in England can control, to a limited degree, certain aspects of their confidential medical information and, in particular, what NHS Digital can do with it once in their possession.
The NDOO only applies to confidential information, that is medical information that can identify you, for example by containing your name, DOB, address, NHS number etc.
And the NDOO only applies to uses of your confidential medical information for secondary purposes, that is unrelated to, and beyond, the direct medical care that GP surgeries and other healthcare organisations provide you with when you are unwell, or to keep you well.
Secondary purposes include healthcare planning, audit, population analytics, “risk stratification”, research, “commissioning”,commercial and even political uses.
The NDOO is not limited to electronic data and so includes paper records. It simply replaces the Type 2 (9Nu4) opt-out that has been in force for some years, and which you were able to express via your GP surgery.
It is, therefore, nothing new.
If I set, or keep, my NDOO status at “do not share”, what will this mean?
Confidential medical information obtained by NHS Digital from GP surgeries, hospital trusts, mental health providers and social care, will not be released/disseminated/sold by them in a format that can identify you.
In due course, the NDOO will prohibit certain data extractions from your GP record, where this involves confidential medical information, sand where your permission or consent has not been sought before your data was released (so-called section 251 approval).
The NDOO will, eventually, prevent confidential medical information leaving the Cancer Registry, certain other disease registries, the Clinical Practice Research Datalink (CPRD); and
By 2020, hospitals and other healthcare providers.
What will the NDOO not do?
The NDOO will in no way affect the sharing of information for the purposes of an individual’s care and treatment, e.g. where information is shared between a GP surgery and a hospital.
It will not stop your GP using the Electronic Referral Service (eRS), the Electronic Prescription Service (EPS), or GP2GP transfers of medical records.
The NDOO will in no way affect the National Summary Care Record (SCR).
You can opt-out of the SCR via your GP surgery.
The NDOO will in no way affect any local shared care record project or scheme, such as the Hampshire Health Record, the Great North care Record, the Bolton Care Record etc. (except if such schemes additionally process your uploaded information for secondary purposes).
You can opt-out of your local shared care record scheme via your GP surgery.
The NDOO will in no way affect situations where your GP surgery, or other healthcare organisation, is legally required to share your information (such as a court order or when mandated under section 259 of the Health and Social Care Act – but see later).
The NDOO will in no way affect you being invited, when appropriate, for any of the National Screening Programmes, such as cervical/breast/bowel/abdominal aortic aneurysm/diabetic eye screening.
You can opt-out of these separately, if you wish.
The NDOO will in no way affect situations where your GP surgery, or any other healthcare organisation, shares data in an anonymised or aggregate (numbers only) format, in other words where that data cannot identify an individual.
The NDOO will not stop:
Lifelong linked medical histories being disseminated by NHS Digital
Onwards release of data by non-NHS bodies (once provided with your information by NHS Digital)
What about Research?
The NDOO will in no way prevent you from taking part in accredited medical research, at your GP surgery/local hospital/other health organisation, where you have given your explicit consent to be involved (i.e. you have been asked first).
The NDOO will in no way prevent you from:
- Giving blood
- Joining the NHS Organ Donor Register
- Signing up to the Anthony Nolan register to donate your blood stem cells or bone marrow
- Donating your DNA for medical research
- Joining the 100K Genomes project
- Taking part in clinical drug trials
- Donating your body to medical science after your death
- Giving money (in a tax-efficient way) to any medical charity of your choosing
Will the NDOO stop my confidential GP information being uploaded to NHS Digital in the first place?
NHS Digital does not rely upon section 251 approval (any more) for data gathering, preferring instead to make such data collections compulsory under section 259 of the Health and Social Care Act.
However, the existing secondary uses, Type 1 (9Nu0), opt-out that many people have in force on their GP record will prohibit data (confidential and, in some cases, de-identified) from being extracted and uploaded from your GP record to NHS Digital.
In addition, the Type 1 opt-out will also prohibit section 251 approved data extractions, for example for “risk stratification”, as well as the mandatory section 259 extractions.
So how do I maximally limit secondary uses of my medical records, beyond my direct medical care?
Set your NDOO status to “do not share”, see later for how to do this. Or make sure that you have a Type 2 objection in force on your GP record - – do this via your GP surgery; and
Make sure you have a secondary uses, Type 1 (9Nu0) objection in force on your GP record – do this via your GP surgery
Consider contacting your local hospital trust, mental health provider, or social care organisation (local council) that you use (or have used) and express “the right to object” to the dissemination of confidential information about you to NHS Digital, where it is not legally mandated.
For example, you have the right to object where your data might be processed in this way and the organisation concerned is relying on Article 6(1)(e) – Official Authority – as the legal basis under the GDPR.
What about preventing NHS Digital releasing, disseminating, or selling anonymised and pseudonymised data about me?
You cannot – directly. And you have no control over why they are doing this, for what purpose(s), and to which organisation they are giving or selling your information to.
But you can limit how much information NHS Digital gathers about you from healthcare organisations, by maximally limiting the secondary uses of your medical records, as described above.
So how do I set, check, or update my National Data Opt Out status?
If you had previously requested a Type 2 objection to be in force, via your GP surgery, then this will have automatically have set your NDOO status to “do not share”. You will receive a letter from NHS Digital, confirming this, in due course. Any children aged 13yrs or over will receive their own letter as well.
It is not possible to directly view, set or change your NDOO status at your GP surgery, although you set it indirectly by expressing a Type 2 objection to your GP surgery – but only until October 2018.
This will automatically set your NDOO status to “do not share”.
Anyone aged 13yrs or over can set their NDOO status via an online service at www.nhs.uk/your-nhs-data-matters
Anyone aged 12yrs or younger, or if you are acting on behalf of another individual (i.e. as a proxy, perhaps with lasting power of attorney authority) cannot do this online but will have to ring 0300 330 9412 instead (or via other so-called “non-digital” methods).
More information about NHS data sharing, opting-out and objecting, and the NHS databases can be found at www.nhsdatasharing.info