Date published: 1 November 2023. Date last updated: 16 August 2024. Version 1.0, 3 July 2023.
Being able to access patient data promptly in primary care allows us to work efficiently and provide a high standard of care. In certain circumstances, primary care data can also be used to guide both population health management and clinical research. It is, therefore, vital to ensure that patient information is used appropriately and processed and stored in a secure manner.
Information governance provides a framework to help us use information in a legal and ethical way, ensuring that data is:
Importantly, information governance also helps patients understand clearly and transparently what their data is used for, why it is used, and how it is used.
The best place to find in-depth, practical guidance relating to information governance is the NHS Transformation Directorate website. You can find up-to-date information relating to topics such as access to records through the NHS app, and sharing information with the police. These should be used to supplement the other subjects covered in these guidelines.
Your organisation should have data protection policies in place. As a minimum, your policies should cover:
These should be reviewed at regular intervals and be available to staff and the general public. For more information, please see the governance section of the Data Security and Protection Toolkit guidance.
All staff (including new starters, locums, temporary staff, students, volunteers and staff contracted to work in the organisation) that have access to personal data must complete an appropriate data security and protection induction and training. They must also be aware of any data protection policies which they must follow relating to their role.
When using emails and text messages to communicate with patients, such as for appointments or reminders, you should ensure that information is used and shared safely.
For information on what you need to make clear to patients when using text or email messaging systems, as well as patient preferences, confidentiality and recording information, please see the NHS Transformation Directorate guidance on email and text message communications.
You should have a policy and processes in place for conducting video conferencing calls, whether they occur between staff members or between clinicians and patients.
For information on using video conferencing tools securely, protecting patient confidentiality and making notes or recordings, please see the NHS Transformation Directorate guidance on using video conferencing and consultation tools. There is also another article in this series on Online and video consultations.
It may be appropriate for staff members of primary care organisations to work from home on a part-time or full-time basis, provided they are able to fulfil their function.
For a brief summary of key things to consider for remote working including using your own device, security protocols, and accessing confidential patient information, please view ‘COVID-19 questions for health and care organisations’ on the NHS Transformation Directorate’s IG question time page. There is also another article in this series on Microsoft Teams and remote working.
During the COVID-19 pandemic, the Royal College of General Practitioners produced some key principles relating to receiving, storing and sending intimate clinical images. Although not all images will be considered ‘intimate’ by patients, these principles provide a good basis which can be applied more broadly when using clinical images.
In primary care, you are likely to receive various types of requests for information:
Your organisation is responsible for information security, and you are required by law to protect personal and confidential patient information.
Personal data breaches are rare, but there may be times when things go wrong. A personal data breach is an accidental or deliberate breach of security which leads to:
If you become aware of a personal data breach, you should follow your organisation’s procedure for reporting such an event. This will usually be via the incident reporting process in your organisation. If you are not sure what to do you should tell your data protection officer (DPO).
Breaches should be reported as soon as they become apparent. If you are not sure if a breach has occurred, you should still report it via your organisation’s incident reporting system.
For more information, please see the NHS Transformation Directorate guidance on personal data breaches.
Your organisation will need to allocate some time and resources to complete the DSPT each year. This is an online self-assessment tool that allows general practices and other organisations to measure their performance against the National Data Guardian’s 10 data security standards.
Completing the DSPT is a mandatory requirement to demonstrate that your organisation is practising good data security and handling personal data correctly. The Care Quality Commission (CQC) uses the DSPT to measure general practice performance against the National Data Guardian’s security standards.
Personal data identifies an individual including staff, patients, family or friends, and members of the public. Data protection laws, including UK General Data Protection Regulation (GDPR) apply to personal data.
Data protection laws do not apply to deceased people, but the common law duty of confidentiality does apply. For more information, please see NHS England’s Transformation Directorate guidance on access to the health and care records of deceased people.
Pseudonymisation ensures that you cannot identify an individual without the use of additional information. It is important to remember that pseudonymised data is still personal data so it cannot be shared freely.
It could involve replacing an NHS number, a name or an address with a unique number or code (a pseudonym). For example, you could be working with other GP practices to identify patients in the area who would benefit from a new service. Other practices would not need to know the names of your patients so you could replace identifiers with a pseudonym for the discussion. It would be important that the information about which patient had been allocated which pseudonym was kept securely at your practice and not shared. Once it had been agreed which patients were suitable for the new service, only your practice would be able to re-identify these patients because you are directly involved in the patient’s care.
Anonymous data
Anonymous data is data that no longer identifies a person or people. Truly anonymised data is not considered personal data under the UK GDPR. This means it is not subject to the same restrictions as personal data. Anonymous data may be presented as general trends or statistics.
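The pseudonymisation and anonymisation distinctions above are easier to see in code. The following is an added example, not code from the page or from NHS England: it derives a pseudonym from each NHS number with a keyed hash (HMAC-SHA256) under a key held only by the originating practice, keeps the pseudonym-to-identifier lookup table separate from the records that are shared, and produces an anonymous summary as counts by age band with small-number suppression. The patient records, the practice key, the field names, the age bands and the suppression threshold of 3 are all constructed assumptions for illustration.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample records for the example: the NHS numbers, names and
# postcodes are made up and do not refer to real people.
PATIENTS = [
    {"nhs_number": "9434765919", "name": "A. Example", "postcode": "AB1 2CD", "age": 67, "diabetes": True},
    {"nhs_number": "9434765927", "name": "B. Example", "postcode": "AB1 2CE", "age": 45, "diabetes": False},
    {"nhs_number": "9434765935", "name": "C. Example", "postcode": "AB1 2CF", "age": 72, "diabetes": True},
    {"nhs_number": "9434765943", "name": "D. Example", "postcode": "AB1 2CG", "age": 55, "diabetes": True},
    {"nhs_number": "9434765951", "name": "E. Example", "postcode": "AB1 2CH", "age": 68, "diabetes": False},
    {"nhs_number": "9434765960", "name": "F. Example", "postcode": "AB1 2CJ", "age": 80, "diabetes": False},
    {"nhs_number": "9434765978", "name": "G. Example", "postcode": "AB1 2CK", "age": 49, "diabetes": True},
    {"nhs_number": "9434765986", "name": "H. Example", "postcode": "AB1 2CL", "age": 58, "diabetes": False},
]

# Assumed secret held only by the originating practice; in practice this would
# live in a key store, never alongside the shared data.
PRACTICE_KEY = b"example-practice-key-not-for-real-use"

# Direct identifiers that must never leave the practice in the shared extract.
DIRECT_IDENTIFIERS = ("nhs_number", "name", "postcode")


def age_band(age):
    """Coarsen exact age into a band so the shared extract is less identifying."""
    if age < 50:
        return "<50"
    if age < 70:
        return "50-69"
    return "70+"


def pseudonym_for(nhs_number, practice_key):
    """Keyed hash of the NHS number. Without the key (or the lookup table) a
    recipient cannot reverse the pseudonym, but the same patient always maps to
    the same pseudonym for a given key, so records can be linked across extracts."""
    mac = hmac.new(practice_key, nhs_number.encode("ascii"), hashlib.sha256).hexdigest()
    return "P-" + mac[:16]


def pseudonymise(records, practice_key):
    """Return (shared_records, lookup_table).

    shared_records carry only the pseudonym and the attributes needed for the
    discussion; lookup_table maps pseudonym back to NHS number and is the
    "additional information" the page refers to. It stays at the practice."""
    shared, lookup = [], {}
    for r in records:
        p = pseudonym_for(r["nhs_number"], practice_key)
        lookup[p] = r["nhs_number"]
        shared.append({"pseudonym": p, "age_band": age_band(r["age"]), "diabetes": r["diabetes"]})
    return shared, lookup


def reidentify(pseudonym, lookup):
    """Only the holder of the lookup table (the originating practice) can do this."""
    return lookup[pseudonym]


def leaks_identifiers(shared_records):
    """Check the extract before sending: True if any direct identifier slipped through."""
    return any(field in r for r in shared_records for field in DIRECT_IDENTIFIERS)


def anonymise(records, min_count=3):
    """Aggregate counts by age band. Pseudonymised data is still personal data,
    but counts with small numbers suppressed (shown as "<min_count") no longer
    single anyone out. The threshold of 3 is an assumed illustrative value."""
    totals = defaultdict(lambda: {"patients": 0, "with_diabetes": 0})
    for r in records:
        band = totals[age_band(r["age"])]
        band["patients"] += 1
        if r["diabetes"]:
            band["with_diabetes"] += 1
    suppressed = {}
    for band, counts in totals.items():
        suppressed[band] = {k: (v if v >= min_count else f"<{min_count}") for k, v in counts.items()}
    return suppressed


if __name__ == "__main__":
    shared, lookup = pseudonymise(PATIENTS, PRACTICE_KEY)
    print("shared extract:", shared)
    print("identifiers leaked:", leaks_identifiers(shared))
    print("re-identified first record:", reidentify(shared[0]["pseudonym"], lookup))
    print("anonymous summary:", anonymise(PATIENTS))
```

The point of the split is that the shared extract and the lookup table are separate artefacts with different handling: the extract can go to the other practices in the PCN, the lookup table (and the key) never does. The `anonymise` output is what could be published as trends or statistics, and the suppression step is what stops a band with one or two patients from identifying them.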
Your organisation needs to appoint a Caldicott Guardian. Caldicott Guardians are senior people within organisations that help ensure confidential information about patients is used ethically, legally, and appropriately.
Their responsibilities include:
If it is not proportionate or feasible to appoint a member of your own practice staff to the Caldicott Guardian role, your organisation may choose to share a Caldicott Guardian with its primary care network (PCN) or a group of GP practices.
A DPO is an independent advisory role held by an expert in data protection, who advises you on how to comply with your data protection obligations.
A DPO’s duties include:
Specific arrangements for appointing a DPO can vary:
See the ICO website for more information about the role requirements and who to appoint.
The British Medical Association’s (BMA) website has guidance tailored to GP practices.
Common law is a form of law based on previous court cases decided by judges. The common law duty of confidentiality says that information about a person cannot be disclosed without that person’s consent.
In these cases, you do not need to explicitly ask the patient for consent. When sharing confidential patient information for other purposes, for example research, you will generally need to obtain explicit consent from the patient.
You should not share confidential patient information (even for individual care) if you have reason to believe that a person has objected or would be likely to object to the information being shared. There are some exceptions to this, for example, where you have safeguarding concerns about a child.
The UK GDPR sets out seven key rules called data protection principles. Health and care professionals must follow these strict principles:
There must be legal grounds for using and sharing information. People must be made aware of how their information is used and shared, for example in your practice’s privacy notice, on your notice board and on your website. You must use personal data in a way that is fair; for example, you must not mislead individuals or use data in a way they would not expect.
You must be clear about why you are collecting information and can’t collect it for one thing but use it for something else. For example, you can’t tell people you are collecting their personal information for their care, and then use it for marketing.
You should only collect, use and share the information you need. For example, when sharing information with a colleague, you should share only the information they need to provide care.
You should make sure that you keep factually accurate and up-to-date records.
You should only keep information for as long as it is necessary. NHS England has produced clear guidance about how long health and care records should be kept.
You should ensure that information is used and shared securely. This includes ensuring that information is not lost, destroyed or damaged.
Your practice will need to demonstrate how you are complying with all these principles.
The Caldicott Principles are designed to ensure people’s information is kept confidential and used appropriately. They align with data protection laws and will help guide you in how to use information.
Please email the Good Practice Guidelines team here for more information on this subject.
This email address is not intended for use by members of the public, patients and their representatives who should instead contact the NHS England Customer Contact Centre – england.contactus@nhs.net
NHS colleagues and contractors should use this mailbox for queries relating to the management of the GPGv5 and should contact the relevant NHS England team or programme for further information on topic content.