Information Sharing Policy

Sharing of confidential patient information is an essential requirement in providing care to patients.  The information collected also plays an important role in planning and evaluating health and care services and supporting medical research. 

All clinical and administrative staff working in primary care are responsible for knowing how, and when, to seek patient consent for information sharing.  It is important that you understand both your professional responsibilities and legal obligations.

It is essential that staff recognise the difference between obtaining consent for information sharing in order to provide optimal treatment to patients, and consent for information sharing for planning and research purposes.

Advice and support about data protection issues generally, including consent to using and sharing patient information, may be available through your local Integrated Care Board.  Local arrangements differ, though, and practices may choose to make their own arrangements for securing the services of a Data Protection Officer.

Why your data is important

The NHS uses information about patients (patient data) to research, plan and improve:

  • the services we offer
  • the treatment and care patients receive

We get this data from your GP surgery, hospitals and other healthcare providers. The organisation that collects your data is called NHS England.

To help improve services, NHS England shares this data with researchers from organisations such as universities or hospitals. This type of data-sharing has been happening for many years.

All data that is collected and shared is protected by strict rules around privacy, confidentiality and security.

Information:

We never sell patient data or share it with insurance or marketing companies.

Find out more about how NHS England is looking after your data.

You can choose whether your data is used for research and planning. There are different types of data-sharing you can opt out of.

This is called a Type 1 Opt-out.

  • To do this you need to fill in an opt-out form and return it to your GP surgery. Download a Type 1 Opt-out form.
  • Only your GP surgery can process your opt-out form. They will be able to tell you if, and when, you have been opted out.

If you choose a Type 1 Opt-out, your GP will not share your data for research and planning. However, NHS England will still be able to collect and share data from other healthcare providers, such as hospitals.

This is called the National Data Opt-out.

  • To opt out online or find out more, visit Make your choice.
  • If you choose this opt-out, NHS England and other health and care organisations will not be able to share any of your personal data with other organisations for research and planning, except in certain situations. For example, when required by law.
  • If you want to check if you have opted out, you can enter your details again at Make your choice or check your settings in the NHS App.

Data used for your care

If you choose to opt out of sharing your data, your personal health information will still be used to make sure you get the treatment and care you need. For example, your data may be shared so that you can be referred to hospital or get a prescription.

Key Aspects of GP Information Sharing Policies

  • Purpose of Sharing: Information is shared primarily to provide direct care (e.g., sharing with hospitals via GP Connect) and for secondary purposes like research, planning, and public health.
  • Legal Framework: Practices act as data controllers under the Data Protection Act 2018 (GDPR), ensuring personal data is handled securely, lawfully, and transparently.
  • Confidentiality: All staff are bound by legal, contractual, and professional confidentiality duties. Access to patient information is on a "need to know" basis.
  • Patient Opt-Outs:
    • Type 1 Opt-out: Patients can instruct their GP practice to stop sharing their data with NHS England for research and planning purposes.
    • National Data Opt-out: A separate, national, system-wide choice to prevent data from being used for research or planning.
  • Public Interest/Legal Obligations: Under the Health and Social Care Act 2015, NHS Digital can request data without consent, although this is usually anonymised or pseudonymised where possible.
  • Transparency: Practices must display privacy notices, often notifying patients at least four weeks before starting a new data-sharing project. Boultham Park Medical Practice informs their patients they are eligible for the research. A questionnaire is sent out to the eligible patients where they can opt In OR Out of the research. If the patient OPTS In, then at that point the organisation will further contact the patient for consent to information sharing. Boultham Park Medical Practice does not share information or data.

SystmOne Record Sharing

The practice uses a clinical computer system called SystmOne to store your medical information. This system is also used by other GP practices, Child Health Services, Community Services, Hospitals, Out of Hours, Palliative Care Services, and other NHS bodies. This means that your information can be shared with other Clinicians so that everyone caring for you is fully informed about your medical history, including medication and allergies. You can control how your medical information is shared with other organisations that use this system. To enable you to receive the best possible treatment across the NHS, it would be great if we could share your records with the organisations.

Sharing Out - This controls whether your information stored in the Practice can be shared out with other NHS Services.

Sharing In - This controls whether information made shareable at other NHS care services can be viewed by us, your GP practice.

The sharing consent can be given Verbally or Written. Often other organisations will request this consent and contact Boultham Park Medical Practice, where our team will add this organisation to share your record while you are under their care. This only applies to the organisation that has requested and has obtained the consent.

Legal and professional requirements

Duty to share

Registered health and care professionals have a legal and professional responsibility to ensure that information is shared appropriately to support care, as set out by the GMCNursing & Midwifery Council (NMC) and Health & Care Professions Council (HCPC).

In addition, the Caldicott Guardian Principles state that:

‘The duty to share information for individual care is as important as the duty to protect patient confidentiality’

Sharing information for planning and research

When using confidential patient information for purposes other than individual care, such as planning, or research, you must always consider whether confidential patient information is needed.  If it is essential, then explicit consent is normally required to share that information for purposes beyond individual care.

Objection to information sharing for planning and research purposes

Patients have a choice about whether their information is used for the purposes of planning of services and research.

Individual patients can opt out of sharing confidential patient information by completing a Type 1 opt out form, personally identifiable patient data to be shared outside of your GP practice for purposes except your own care.  This includes confidential patient information for both the General Practice Extraction Service (GPES – including the GPES data for pandemic planning and research).

Patients can also register for ‘National data opt-out’ which means that their confidential patient information will not be used by other healthcare organisations for research and planning (except in certain circumstances e.g. when required by law). 

The national data opt-out does not apply where explicit consent has been obtained from the patient for a given specific purpose.

Further information on the national data opt-out, including how a patient can register their choice is on the NHS website

You should be willing to discuss any concerns about confidentiality with the patient which may address their concerns.  Many patients raising objections may, for example, wrongly fear their information will be used for marketing or for insurance purposes without their consent.

National Data Opt Out Programme

The national data opt-out is a new service that allows people to opt out of their confidential patient information being used for research and planning. Patients can ring 0300 303 5678 to opt out of sharing their confidential patient information for research and planning purposes. PLEASE NOTE: this is not the same as sharing your medical record with other medical practitioners involved in your active health and social care.

https://digital.nhs.uk/services/national-data-opt-out-programme 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything.

If you do choose to opt out, your confidential patient information will still be used to support your individual health care.

To find out more or to register your choice to opt out, please visit

https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/ 

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations.

  • NHS Trusts / Foundation Trusts
  • GP’s
  • eMBED Health
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers
  • Private Sector Providers
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the practice an appropriate contract (art 24-28) will be established for the processing of your information.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

How can you access, amend move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.

Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.

Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to "erase" your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will Delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP-to-GP data transfer and transfer of your hard copy notes

Page last reviewed: 18 February 2026
Page created: 18 February 2026