Data Choices

Data Protection, Privacy and Confidentiality
There are a number of situations where your medical records are shared outside of Whitley Road Medical Centre:
These are as follows:
For your personal care
e.g., When we do a referral for you to a specialist at the hospital, we include information like your main past medical history, drugs & allergies
At your request and authorisation
e.g., For an insurance report, or Subject Access Request
When we are required by law
e.g., court order, in the interests of public safety, Department of Work & Pensions reports, Coroners reports
Summary Care Record
Key summary medical information is held on the NHS database along with your demographic data. (See below)
NHS Digital
Your medical record is used for important national research and planning. (See below)
Greater Manchester Care Record Integrated Record
Your medical record is linked with information from other health and social care providers across Greater Manchester. (See below)
Transferring your electronic record
When you move practices, your data that is held electronically will be transferred to your new practice. 

Summary Care Records

Information about drugs, allergies, key medical conditions are linked to your demographic data (e.g., name, address, date of birth, NHS number & contact details).  This can be accessed by any health care provider across the NHS should you need care in another area say when on holiday.  You are automatically opted into this.  You cannot opt out of sharing of your demographic data, but you can choose to opt out of the sharing in 3 different levels

  • Sharing your significant past and present medical history, your medications, allergies, immunisations, any end-of-life care information. (This level is automatic and requires no further action)

  • Share only your medication and allergy information.

  • Share no information.

For the last 2 options, please complete and return the SCR opt out form which can be obtained at our reception desk.

NHS Digital

From 1 September 2021 some of your health record would have been provided from your GP record in a pseudo-anonymised form.  This means that all your demographic data is removed (like name, date of birth, address) and a unique code is used.  Not all your data is collected, but only main structured and coded information and not the description text.  For example, at a consultation a GP may code ‘chest infection’ and in the description text they might add detail about how long there has been a cough etc, and details of findings at clinical examination.  It will also not include letters & photos. The information is then used for the very important work of research and planning e.g., responding to the COVID 19 pandemic.  Rarely, the unique code can be used to trace the record back to your details. 

Should you wish to opt out there are 2 opt out options, you may want to do one or both:

  • To opt out of your GP records being shared with NHS digital then you need to complete the Type 1 opt out form and return it to the Practice, as follows:

  • To opt out of NHS digital using any of your identifiable data collected from your GP records and/or other sources then you should register a National Data Opt-out using this form… This cannot be done at the practice.

Please note that during the COVID 19 Pandemic the practice has been legally required to provide your data.  You can find out more information relating to this subject from the General practice transparency notice for GPES data for pandemic planning and research (COVID-19) and from the NHS general Privacy Notice.

Greater Manchester Care Record

Your health and social care information is shared across Greater Manchester to help provide you with good care e.g., should you be admitted to a hospital in another part of Greater Manchester the doctor or nurse there can access vital information in your record.  More detailed information is held in this than is provided in the Summary Care Record and is collated from other providers e.g., hospitals and mental health services as well as GP practices.  You can find out more information from the Greater Manchester Care record and the Health Innovation Manchester guidance links.

The GM Care Record is also being used for research & planning services during the pandemic under current legislation and in the future, it is hoped that is will be able to be used for this once further information governance requirements are in place.

Further information & Privacy Statement

For more detailed information on how we take care of your records please read the Practice Privacy Notice below:

GP Practice Privacy Notice 2021 Protecting Your Data Introduction This privacy notice explains in detail why we use your personal data which we, the GP practice, (Data Controller), collects and processes about you. A Data Controller determines how the data will be processed and used with the GP practice and with others who we share this data with. We are legally responsible for ensuring that all personal data that we hold, and use is done so in a way that meets the data protection principles under the General Data Protection Regulation (GDPR) and Data Protection Act 2018. This notice also explains how we handle that data and keep it safe. The GP Practice also has a Caldicott Guardian. A Caldicott Guardian is a senior person within a health or social care organisation, preferably a health professional, who makes sure that the personal information about those who use its services is used legally, ethically, and appropriately, and that confidentiality is maintained. The Caldicott Guardian for the GP practice is:  Lee Ebere, the Practice Business Manager.  We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the Law. When such changes occur, we will revise the last updated date as documented in the version status in the header of this document. What we do? We are here to provide care and treatment to you as our patients. To do this, the GP practice keeps personal demographic data about you such as your name, address, date of birth, telephone numbers, email address, NHS Number etc. and your health and care information. Information is needed so we can provide you with the best possible health and care. We also use your data to: • Confirm your identity to provide these services and those of your family / carers • Understand your needs to provide the services that you request • Obtain your opinion on our services (with consent) • Prevent and detect fraud and corruption in the use of public funds • Make sure we meet our statutory obligations, including those related to diversity and equalities • Adhere to a legal requirement that will allow us to use or provide information (e.g. a formal Court Order or legislation) Definition of Data Types We use the following types of information / data: Personal Data This contains details that identify individuals even from one data item or a combination of data items. The following are demographic data items that are considered identifiable such as name, address, NHS Number, full postcode, date of birth. Under GDPR, this now includes location data and online identifiers. Special categories of data (previously known as sensitive data) This is personal data consisting of information as to: race, ethnic origin, political opinions, health, religious beliefs, trade union membership, sexual life and previous criminal convictions.

Under GDPR, this now includes biometric data and genetic data. Personal Confidential Data (PCD) This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data, but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’. Pseudonymised Data or Coded Data Individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity. When data has been pseudonymised it still retains a level of detail in the replaced data by use of a key / code or pseudonym that should allow tracking back of the data to its original state. Anonymised Data This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available. Aggregated Data This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data. Our data processing activities the law on data protection under the GDPR sets out several different reasons for which personal data can be processed for. The law states that we must inform you what the legal basis is for processing personal data and if we process special category of data such as health data what the condition is for processing.

The types of processing we carry out in the GP practice and the legal bases and conditions we use to do this are outlined below: Provision of Direct Care and administrative purposes within the GP practice Type of Data Personal Data – demographics Special category of data – Health data Source of Data Patient and other health and care providers Legal basis for processing personal data and Condition for processing special category of data Article 6 (1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems Common Law Duty of Confidentiality basis Implied Consent Direct care means a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. This is carried out by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship with. In addition, this also covers administrative purposes which are in the patient’s reasonable expectations. To explain this, a patient has a legitimate relationship with a GP for them to be treated and the GP practice staff process the data in order to keep up to date records and to send referral letters etc. Other local administrative purposes include waiting list management, performance against national targets, activity monitoring, local clinical audit, and production of datasets to submit for national collections. This processing covers most of our tasks to deliver health and care services to you. When we use the above legal basis and condition to process your data for direct care, consent under GDPR is not needed. However, we must still satisfy the common law duty of confidentiality and we rely on implied consent. For example, where a patient agrees to a referral from one healthcare professional to another and where the patient agrees this implies their consent.

Your Data Matters to the NHS

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.

How your data is used

Information about your individual care such as treatment and diagnoses is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital.  It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.

Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.

You have a choice

You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.

Will choosing this opt-out affect your care and treatment?

No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What do you need to do?

If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.

To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit

Download a copy of the patient leaflet

Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website