Show Side Menu
To view, print or save our practice booklet, click here
Review Our Practice (External Link)
NHS Choices Feedback (External Link)
Call 111 - When it is less urgent than 999

Protect Your Medical Privacy FAQ

Medical records in England are no longer confidential. Unless you take action, identifiable information will be uploaded from your GP-held record to central systems from where it may be passed on to others including Commissioning bodies, researchers and private companies.

So what has changed?

The government has passed legislation and the NHS Constitution has been rewritten so that confidential information will be extracted from your GP-held record in identifiable form, and no longer be under the control of the doctor you shared it with.

Until recently the default position was that your medical notes were confidential and remained within your GP’s surgery systems. This is no longer true. The new default is that excerpts from your records will be uploaded to NHS England’s new Health and Social Care Information Centre system (HSCIC) unless you say otherwise.

When is this happening?

Pilots of the new scheme – called ‘’ – are about to begin in 100 GP practices in England. Once these have been completed, probably in late Autumn 2013, HSCIC will start extracting information from every GP practice in England.

What information will be taken from my medical records?

Every month, details of your diagnoses, referrals, health conditions and treatments plus ‘lifestyle’ information such as smoking / drinking habits and whether you are obese will be extracted. They will be uploaded to HSCIC together with your NHS number, date of birth, postcode, gender and ethnicity.

But they say my data will be ‘anonymised’…

First of all, the information will not be anonymised when it leaves your GP’s surgery; it will be extracted with your personal details still attached. HSCIC will then determine which parts of your information it will share with others, and whether this will be in a form that identifies you. NHS England, for example, has already been granted a legal exemption to pass identifiable data about patients between various Commissioning bodies.

Even if your information is passed on or published without identifying details, your anonymity can never be guaranteed. Re-identification of apparently ‘anonymous’ data can be surprisingly easy, and the way HSCIC will treat the data is specifically designed to allow it to link and match records at patient level.

How will my information be used?

Aside from the de-identified data that HSCIC intends to publish, your information may also be shared with or sold to researchers and private companies; registered ‘customers’ can pay extra to receive data in identifiable form. This will be done without your knowledge and you will have no control over who receives it.

Identifiable data will also be passed to regional processing centres, local Clinical Commissioning Groups and the units that support them – which include private companies. These Commissioning bodies will use your information for a number of administrative purposes, including Audit and monitoring, service planning and targeting, validating invoices and to provide evidence about the effectiveness of services.

Is it just my GP-held records that will be treated this way?

No. Extracting GP records is only the first step in a far bigger programme. Hospitals have been told to be ready for similar uploads from 2014, and social services from 2015 – this is, after all, the ‘Health and Social Care Information Centre’. Ultimately information about all of the medical and social care you receive will be collected and stored on the HSCIC system.

Will I be asked for permission?

No, and they’re not intending to tell you directly either. In fact, NHS England recently ruled out running a national publicity campaign. Instead they are relying on putting up posters in GP receptions or notices in newsletters.

What can I do?

The good news is that you can opt out. But if you don’t want your confidential information collected or passed on by HSCIC, the onus is on you to tell your GP. Under the new legislation, GPs will not be able to stop your information being released to HSCIC unless you specifically tell them not to upload it and to make an official note of this in your record.

We provide a letter on our website that you can download, fill in and send to your GP or use as a framework for writing your own letter:

If you do have any particular concerns, we recommend you talk to your GP about them.

Will opting out affect my care in any way?

No. Opting out of these ‘secondary uses’ of your data will not affect your direct medical care. Nor should it affect the way your GP is paid for providing you with care; that is done with aggregate, non-identifiable data.

Why are there two opt out codes in the letter?

As we said, extracting GP records is only the first step in a much wider programme. Information about you may be collected by HSCIC from sources other than your GP, e.g. from hospitals or clinics. This information will also be identifiable, and may be linked to other data it holds or passed to other agencies and third parties.

If you want to stop HSCIC from passing on your confidential information in identifiable form to any other bodies, including private companies, you have to tell your GP to add that opt out code to your record as well.

Isn't this the same as the Summary Care Record (SCR)?

No, but it does cover some of the same data, e.g. your prescriptions. The SCR was a far more limited collection, whereas this new scheme –known as ‘’ – is a wholesale, monthly extraction of identifiable information about every patient in England.

I've already opted out of SCR. Do I need to do anything?

Yes, you must opt out all over again. Though the Health Minister, Jeremy Hunt, originally stated that existing opt outs “would be respected”, there has since been a U-turn and opt outs for SCR will not be carried over to this new scheme.

What about my data being used for medical research?

In December 2011, the Prime Minister promised an opt out for those who specifically didn’t want their information to be used for medical research. This has not happened. Your only option at this point is therefore to opt out altogether from uploads to HSCIC or accept that your information will be used for a wide range of purposes, only some of which are to do with medical research.

What is medConfidential?

medConfidential is an independent, non-partisan organisation campaigning for confidentiality and consent in health and social care. We work with patients and medics, service users and care professionals, charities, patient groups and other concerned parties providing information and making the case for patient privacy and choice.

medConfidential was founded in January 2013 by several existing organisations – Privacy International, Big Brother Watch, NO2ID, FIPR and TheBigOptOut – in direct response to radical changes in the way patient health information is collected and used in the NHS.

medConfidential is coordinated by Terri Dowty, former Director of ARCH, and Phil Booth, former National Coordinator of NO2ID. You can contact us on:

or @medConfidential on Twitter



Your Neighbourhood Professionals. Just a Click Away!