GDPR & Your Data
What is GDPR?
GDPR stands for General Data Protection Regulation and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must comply with subject access requests
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for patient data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Higher fines for data breaches – up to 20 million euros
What is ‘patient data’?
Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc.
What is consent?
Consent is permission from a patient - an individual’s consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.
Individuals also have the right to withdraw their consent at any time.
Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the GDPR.
The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.
This notice reflects how we use information for:
- The management of patient records;
- Communication concerning your clinical, social and supported care;
- Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
- Participation in health and social care research; and
- The management and clinical planning of services to ensure that appropriate care is in place.
Data Controller
As your registered GP practice, we are the data controller for any personal data that we hold about you.
Carnon Downs Surgery Privacy Notice, Leaflet & Quick Guide
Please click on the document below to see each version
Quick Guide - GDPR poster pdf.pdf
Freedom of Info leaflet 2024.docx
General Practice Data for Planning and Research (GPDPR)
The data held in the GP medical records of patients is used every day to support health and care planning and research in England, helping to find better treatments and improve patient outcomes for everyone. NHS Digital has developed a new way to collect this data, called the General Practice Data for Planning and Research data collection.
The new data collection reduces burden on GP practices, allowing doctors and other staff to focus on patient care.
Why NHS Digital collects general practice data
NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice.
NHS Digital collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced.
NHS Digital has engaged with doctors, patients, data and governance experts to design a new approach to collect data from general practice that:
- reduces burden on GP practices
- explains clearly how data is used
- supports processes that manage and enable lawful access to patient data to improve health and social care
What data is shared
This data was originally due to be shared from 1 Sept 2021. Data may be shared from the GP medical records about:
- any living patient registered at a GP practice in England when the collection started - this includes children and adults
- any patient who died after 1 July 2021, and was previously registered at a GP practice in England when the data collection started
NHS Digital will not collect patients’ names or addresses. Any other data that could directly identify patients (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.
This process is called pseudonymisation and means that patients will not be identified directly in the data. NHS Digital will be able to use the software to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason.
We will collect structured and coded data from patient medical records.
NHS Digital will collect:
- data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health
- data on sex, ethnicity and sexual orientation
- data about staff who have treated patients
NHS Digital does not collect:
- name and address (except for postcode, protected in a unique coded form)
- written notes (free text), such as the details of conversations with doctors and nurses
- images, letters and documents
- coded data that is not needed due to its age - for example medication, referral and appointment data that is over 10 years old
- coded data that GPs are not permitted to share by law - for example certain codes about IVF treatment, and certain information about gender re-assignment
Opting out
If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.
Type 1 Opt-out (opting out of NHS Digital collecting your data)
We will not collect data from GP practices about patients who have registered a Type 1 Opt-out with their practice. For more information about Type 1 Opt-outs, go to GP Data for Planning and Research Transparency.
If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.
National Data Opt-out (opting out of NHS Digital sharing your data)
We will collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.
NHS Digital won’t share any confidential patient information about you - this includes GP data, or other data we hold, such as hospital data - with other organisations, unless there is an exemption to this.
To find out more information and how to register a National Data Opt-Out, please go to:
More information can be found at:
National Data Opt Out Programme
The 25th May 2018 saw the introduction of the NHS 'National Data Opt-Out programme'; this is a service that enables data subjects to opt out of having their data shared for research and/or planning purposes. NHS Digital will be automatically converting patients' existing type 2 objections to the new opt-out from May 2018.
Our patients do not need to take any action, and this will not affect the way your information is used. We are continuing to respect your original choice to not share confidential patient information beyond NHS Digital for research or planning, but your choice will be recorded as a national data opt-out rather than a 'type 2 objection'.
Below is a useful link for patients from NHS Choices called 'Your NHS Data Matters'; click on the logo for more information. The second link is a leaflet provided by the NHS.
Or go to:
Your Data Matters Large Print Leaflet
Your Data Matters Easy Read Leaflet
Summary Care Records
The NHS in England is now using an electronic record called the Summary Care Record (SCR), which is being used to support patient care.
Your summary care record contains important information about any medication you are taking, any allergies you suffer from and any bad reactions to medicines that you have previously experienced.
Over the past few years there have been various announcements from the Government about sharing health records. The Summary Care Record (SCR) is an initiative which allows NHS England to hold a copy of some of the key information that is held on your GP records. This is referred to as “the national spine”. This information can only be accessed by other authorised health professionals with your consent and gives the opportunity to improve the safety and quality of your care. The Summary Care Record has recently been made “live” at Carnon Downs Surgery. It currently only holds data about any medicines that you are prescribed and any allergies or bad reactions to medication that you have suffered. There is scope to open the SCR to further information in the future but only if the patient agrees. All healthcare workers are governed by the same strict rules on confidentiality and the Data Protection Act.
Please see the helpful leaflet on the NHS Summary Care Record, available from the download listed below, for further information, as it explains the choices patients have about opting out. If you have already opted out of the Summary Care Record you may wish to re-consider that decision at this time. Access to your GP record could be vital in saving lives, particularly in emergency situations when the patient may be unable to recollect important information.
Many people think that the GP record is already available to all health care professionals, but this is not the case. In Cornwall, there has been a move to take information sharing one step further. GP Surgeries have been given the option of signing up to an agreement to provide the facility to share the full medical records. Patients are totally in control as they will always be asked to consent to allowing access to their records and should let the Surgery know if they choose not to have a shared record at all. By sharing the GP record, any other health professionals will have access to your most up to date and accurate information, allowing safer and more effective care and helping to avoid mistakes. Please see the local information leaflet “Making your local health record work better for you”.
Please click on the leaflet below for more information.
If you choose to opt out of having a Summary Care Record and do not want a SCR, you need to let us know by filling in and returning an opt-out form to reception. You can download and print off a copy of this form below.
DEVON AND CORNWALL CARE RECORDS (DCCR)
Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive. This shared system is called the Devon and Cornwall Care Record. It’s important that anyone treating you has access to your shared record so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment. It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email. Only authorised health and care staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include. For more information about the Devon and Cornwall Care Record, please go to:
At Carnon Downs Surgery, we are committed to protecting your privacy and ensuring the confidentiality of your information.
We want to provide you with insight into how BRAVE AI is utilised across Primary Care Networks in The Cornwall & Isles of Scilly Integrated Care Board area and its potential impact on your healthcare. BRAVE AI serves as a clinical decision support tool, empowering clinicians to make well-informed decisions about individualised care plans. It's essential to understand that the tool itself does not autonomously make decisions regarding interventions; instead, it assists healthcare professionals in their decision-making process.
BRAVE AI employs sophisticated computer algorithms to evaluate the complexity of each patient's health needs within our practice. By assigning a score, it helps identify individuals at risk of deteriorating health, potentially necessitating hospitalisation. This innovative tool enhances our ability to recognise patients who may otherwise be overlooked, including those with borderline health indicators or infrequent medical interactions.
It's crucial to emphasize that BRAVE AI does not utilise identifiable patient data. However, the provision of NHS numbers enables our practice to pinpoint individual patients who may benefit from interventions. Furthermore, all data processed by BRAVE AI is stored securely within NHS network servers, inaccessible from external sources. Confidential patient information is exclusively disclosed to clinical teams directly involved in patient care.
The primary objective of BRAVE AI is to promote preventive healthcare practices over reactive treatments. It facilitates proactive discussions with patients regarding their overall wellbeing, extending beyond mere medical concerns. These conversations may involve various healthcare professionals, including Health Coaches and nurses, in addition to GPs.
Should you have any questions or concerns regarding the processing of your data alongside BRAVE AI, we encourage you to contact us at for the attention of the Practice Manager.
National Obesity Audit NHS England Transparency Notice
The impact of obesity on population health and the NHS is significant and increasing, but data collected and analysed is of variable quality which limits both service providers’ and researchers’ ability to fully understand and track the impact of obesity, and to understand and monitor which interventions are most effective and where they are best located.
NHS England has established the National Obesity Audit (NOA) data collection as part of the National Clinical Audit and Patient Outcomes Programme (NCAPOP) to measure service provision and outcomes to support current and future services with the information they need to deliver efficient, effective and equitable prevention and care programmes.
For more information please click this link