Welcome. Your GP practice and other organisations involved in your care and treatment collect information about you and share it into the Surrey Care Record. This Privacy Notice is for use by these organisations. It tells you about how that information may be used and how it is kept confidential. It also confirms your rights concerning your health and social care data.
What is the Surrey Care Record?
Individuals’ health and social care records (including related documents) are held on each partner’s secure clinical system (local record). Graphnet, a supplier of healthcare systems has designed a secure system that integrates data from those multiple electronic health and care systems to provide a real-time and read-only summary of that data to health or social care professionals.
What are the benefits of the Surrey Care Record?
Benefits of such a system are:
- Improved quality of care – information about your care will be instantly available to clinicians for more accurate diagnosis and on-going treatment. Duplication of tests will be avoided.
- Improved patient safety – there will be greater visibility for your health and social providers about your current medications, allergies and adverse reactions.
- Reduced delays in care – test results will be readily available reduces patient waiting time.
- Improved effectiveness of the local health and care system and integration of services – people have timely access to appropriate services
- Health & care planners and researchers can use data about all the patients in an area to:
- understand more about disease
- develop new treatments
- monitor safety
- plan services and
- see if NHS policy is working.
What is the TVS Shared Care Record Programme?
The Surrey Care Record is one of five Shared Care Record systems included within the Thames Valley and Surrey (TVS) Care Records partnership.
The TVS Care Records is a way of sharing patient information with health and care staff. It means information recorded about your health such as illnesses, hospital admissions and treatments can be accessed by different people who are involved in your care, wherever you are seen in Buckinghamshire, Berkshire West, Frimley, Milton Keynes, Oxfordshire and Surrey.
The TVS Shared Care Record programme also includes ICT systems and Secondary Purposes activities that support the development and effective operation of regional and local health and care systems.
Further information is available here.
What Purposes will my data be used for?
Direct Care – e.g. providing you with care and treatment relating to an illness. Direct care can also include:
Other (Secondary / Indirect Care) Uses – this includes activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition. It also covers health services management, preventative medicine, and medical research.
Planned Secondary Uses of data held on the Surrey Care Record includes:
- Risk Stratification
- Population Health Management
- Population Health Management improves population health by data-driven planning and delivery of care to achieve maximum impact. It includes data analysis to identify patterns of health needs and risks for individuals and groups, and in turn designing and targeting interventions to prevent ill-health and to improve care. This approach provides more proactive support for people with ongoing health conditions and reduces unwarranted variations in outcomes for patients
- Ensuring Effective Design and Operation of Health Services
- This includes the planning, commissioning, and monitoring of integrated Health & Social Care services provided by the Surrey Heartlands Integrated Care System (ICS Partnership), Integrated Care Partnerships / Provider Led Partnerships, and Primary Care Networks
- Including that relating to COVID-19, cancer, and other illnesses
What do I do if don’t want my data to be used for these purposes?
- You can object to having your data being shared for Direct Care Purposes by contacting your GP Practice however you should be aware that:
- This may affect your care and treatment
- Due to technical limitations data shared by non-GP partners within Surrey Heartlands may still be uploaded to the Surrey Care Record but will be made inaccessible to users of this
- You will also need to contact the Surrey Care Record Privacy Officer if you have received care from multiple partner organisations within other TVS Care Record areas. Please email email@example.com
- You can opt-out of having your Pseudonymised data used for Secondary Purposes by:
- Asking your GP Practice to add an opt-out flag to your GP Record – please refer to your GP Practice’s website for further information, and
- Submitting an NHS National Opt-out to NHS Digital
- You cannot object to de-identified / anonymised data being used for Secondary Purposes
What types of data will be used?
For Direct Care purposes we will use:
- Personal data (including your name, address, and NHS / Hospital Number etc.)
- Special category personal data (including health data and data relating to ethnicity etc.). Health data may include blood test results, MRI scan results, etc. However, not every element of your information is part of the joint record. Examples of the sensitive information that will be left out include fertility treatment records, domestic violence and criminal records.
For Other / Secondary Purposes we will use:
- De-identified Data – this is data that has been anonymised according to the ICO Code of Practice. It is no longer considered to be personal data as you cannot be identified from this, even if it is added to other data.
- Pseudonymised Personal Data – where personal data which could be used to identify you has been replaced with a pseudonym. This is still considered to be personal data, as you can be easily re-identified if there is a legitimate reason for this (e.g. patient safety risk identified).
What organisations can access my data?
The following organisations which work together to provide integrated health and social care services for Surrey Heartlands residents may currently access data that is shared for Direct Care purposes:
We expect the following organisations to also have access in the future:
- End of Life / Hospice Service Providers including:
- Phyllis Tuckwell Hospice
- Catherine’s Hospice
- Sussex Community NHS Foundation Trust (Midhurst Macmillan)
- Community Pharmacies (access by registered Pharmacists and Pharmacy Technicians only)
- District and Borough Councils (eg to support delivery of Social Prescribing)
Under the TVS Shared Care Record programme your records may be accessed by the following types of organisations which may be involved in providing your care and treatment:
- Providers of Unscheduled or Emergency Care
- Acute / Hospital Service Providers
- Emergency Service Providers
- Community Service Providers
- Social Care Service Providers
- Providers of Hospice Services and End of Life Care
Please see here for further information TVS Shared Care Record Programme.
The following types of organisations may also access personal data (including pseudonymised data) that is used for purposes other than providing your care and treatment (Secondary Purposes).
- NHS Clinical Commissioning Groups (which have a lawful basis to undertake the planning, commissioning, and monitoring of health care services)
- Local Authorities, including County Councils (which have a lawful basis to undertake the planning, commissioning, and monitoring of social care services)
- NHS Service Providers including GP Practices (which have a lawful basis to undertake the planning, commissioning, and monitoring of integrated health & social care services as part of Provider Led Partnerships and Primary Care Networks etc.)
- NHS Digital / NHS England (which have statutory duties relating to monitoring of health and social care systems)
- Universities and other authorised Research Partners
Other organisations which provide the ICT systems and other support services that support both Direct Care and Secondary Uses activities (Data Processors) will also have access to data held on the Surrey Care Record – these include:
- NHS Surrey Heartlands Clinical Commissioning Group (that host the Programme Team and Privacy Officer function for the Surrey Care Record)
- Frimley Health Foundation Trust (that host the TVS Programme Team and Privacy Officer function for TVS systems)
- System C / Graphnet that provide the ICT systems that support the TVS Shared Care Record Programme and Surrey Care Record
- Advanced that provide the ICT system that support sharing of documents
- NHS England (via NELCSU) that provide related data linking support for some participating GP Practices
- NHS England (via other Commissioning Support Units) that provide related data processing services to TVS Care Record partners
What is the lawful basis for processing my data?
The processing (sharing) of Personal Data for these purposes detailed above is permitted under Article 6(1)(e) of the General Data Protection Regulation (Public Task) as the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The processing (sharing) of special categories of Personal Data is permitted under Article 9 (2) (h) of the General Data Protection Regulation (Health & Social Care) as the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.
We also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” and comply with these.
Who is the data controller of my data?
Surrey Care Record partners are joint data controllers of the data held on the Surrey Care Record and are jointly responsible for ensuring that all processing complied with data protection related legislation. NHS Surrey Heartlands CCG act as lead data controller on behalf of all partners and their Data Protection Officer can be contacted at: firstname.lastname@example.org
How can I access a copy of my records?
To access your Personal Data you should contact the CCG’s Information Governance Team by emailing them at email@example.com
How can I have incorrect data corrected?
If you believe that the data receive in response to the request contains errors, you should contact the relevant Surrey / TVS Care Record partner’s Data Protection Officer (details of these will be provided to you with our response for access to your records).
What other rights do I have?
Under the Data Protection Legislation, you have the right to:
- be informed of our uses of your data (the purpose of this document);
- request copies of your personal information and to use these for data portability;
- request rectification of any inaccuracy in your Personal Data or special categories of Personal Data;
- restrict the processing of your personal information where the accuracy of the data is contested or, where the processing/sharing is no longer needed;
- not be subject to automated decision making or profiling. There is no solely automated decision making or profiling undertaken of data uploaded to the Surrey Care Record; and;
- complain about our handling of your data
NHS Surrey Heartlands Clinical Commissioning Group (the CCG) co-ordinate information rights related requests relating to the Surrey Care Record and you should therefore contact the CCG’s Information Governance Team if you wish to exercise your rights.
You also have the right to contact the UK’s supervisory authority (Information Commissioner’s Office) by:
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
- Email: https://ico.org.uk/concerns/handling/
How do you ensure my personal information is kept safe and secure?
It is really important that we keep your data safe. There are a number of ways we do this:
- Complying with Data Protection Legislation and following a Privacy by Design & Default development process
- Using technology to restrict who can access your data. This can be done with passwords, swipe cards or encryption etc.
- Making sure that anyone who can access your data has had the right training.
- Making sure that anyone who can access your data is approved by their organisation.
- Keeping computer systems up to date to protect against viruses and hacking.
- Having an audit trail every time personally identifiable data is looked at or used.
If someone misuses your data, they could lose their job and be prosecuted.
How long is my data kept?
The retention of data is set by individual partners who follow the NHS Records Management Code of Practice for Health and Social Care 2016 and any successor guidance.
Where can I go for further information?
Please see information available at:
Reviews of and Changes to this Privacy Notice
We will regularly review the information contained within this notice and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your data.
This version was last updated by the CCG’s DPO on 06/08/2021.