Keeping your personal data safe is central to the GM Care Record

Each health and care organisation in Greater Manchester collects information about you and keeps records about the care and services they have provided. The GM Care record pulls together the information from these different health and social care records and displays it in one combined record.

How is your personal information kept safe and secure in the GM Care Record?

We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information.

Appropriate technical and security measures in place to protect the GM Care Record include:

  • complying with Data Protection Legislation;
  • encrypting Personal Data transmitted between partners;
  • implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
  • a requirement for organisations to complete the Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements;
  • use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the GM Care Record are auditable against an individual accessing the GM Care Record;
  • ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.

The NHS Digital Code of Practice on Confidential Information applies to all NHS and care staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff with access to Personal Data are trained to ensure information is kept confidential.

Whilst you are automatically enrolled into the GM Care Record as a GM citizen, you have the option to object to your information being shared for individual care and to opt out of your data being used for research and planning. More information about this is available below:

Your Questions Answered

How can I object or opt out of my data being shared via the GM Care Record?

The purpose of the GM Care Record is to improve the care that you receive, however, if you don’t want your information to be shared, you have a legal right to object to your data being shared through the GM Care Record. Your objection will be considered on a case by case basis. When considering your objection, we will consider whether you can still be provided with safe individual care. Please contact your health and care provider to discuss this further. This could be your GP practice or the health or social care staff that provided or are currently providing your treatment and care.

We ask you to think carefully before making this decision. Sharing your health and social care information will make it easier for services to provide the best treatment and care for you when you most need it.

Health and social care staff use your confidential patient information to help with your treatment and care. For example, when you visit a hospital your consultant may need to know the medicines you take.

Your health or social care provider can advise you of how you can opt out of having a GM Care Record. Please note this is separate to your Summary Care record for which you will need to opt out of separately if required. Find out more about the Summary Care record and opting out here.

Opt out of your deidentified information being used for research and planning:
The national data opt out is a service that allows patients to opt out of their deidentified patient information being used for research and planning. Visit this page to find out more information and to opt out.

What types of personal information are shared in the GM Care Record?

Personal information (or Personal Data) means any information about an individual from which that person can be identified. The Personal Data that is shared includes:

Identifying Data:
Forename, Surname, Address, Date of Birth, Gender, Age, Postal Address, Postcode, Telephone Number and NHS Number.

Other categories of Personal Data:
This includes:

  • A list of diagnosed conditions – to make sure your clinical and care staff have an accurate record of your care
  • Medication – so everyone treating you can see what medicines you have been prescribed
  • Allergies – to make sure you’re not prescribed or given any medicines you can have an adverse reaction to
  • Test results – to speed up treatment and care and to ensure tests are not repeated
  • Referrals, clinical letters and discharge information – to make sure the people caring for you have all the information they need about other care and treatment you are having elsewhere
  • Care plans (where available) – for health and care workers involved in your care to view a joined-up plan of care and the wishes you’ve asked for in relation to your care
  • Relevant information about people that care for you and know you well.
  • Basic details about associated people e.g. children, partners, carers, relatives etc.

What is the lawful basis for the sharing of information?

Health and social care organisations have a duty to share personal data under s251B of the Health and Social Care Act 2012, where it is:

(a) likely to facilitate the provision to the individual of health services or social care in England, and
(b) in the individual’s best interests.

Which organisations can access your personal information through the GM Care Record?

Personal Data will only be shared between the health and social care organisations that are signed up to the GM Care Record Data Protection Impact Assessment (DPIA). These include:

  • Primary care (e.g. your GP practice)
  • Community services
  • Mental health services
  • Local authority social care departments
  • Secondary care (e.g. hospitals)
  • Specialist services (e.g. ambulances)

The GM Care Record makes your patient information easily accessible for the purposes of your care and treatment.

How is information in the GM Care Record held?

A record of care is held on each organisation’s secure electronic system (local record) e.g. a GP practice will have their own system for recording patient information. Graphnet, a supplier of healthcare systems, has designed a secure system that integrates data from those multiple electronic health and social care systems to provide a live and read-only summary of that data to a health or social care worker when required for the purposes of your individual care.

How will the information be made available in the GM Care Record?

Data is presented as a read-only view; meaning that the Personal Data from an organisation’s local record is not changed. The data remains within each organisation’s database and staff using the GM care record are allowed a read-view access only. Access to your data depends on the professional having access in their own clinical/care systems – so professionals can only see information regarding patients that are being referred for treatment or have been treated by them.

How long will the data be held in the GM Care Record?

As the GM Care Record is an integrated digital care record that pulls together vital patient data from several health and social care providers, only data currently visible in each of the local systems will be visible in the GM Care Record. Each partner organisation feeding data into the GM Care Record has local retention rules set by the NHS Records Management Code of Practice for Health and Social Care.

Within the governance framework for the GM Care Record, the system supplier is also contractually obliged to comply with any requests by the partners to remove/delete data when instructed to do so.

What are your rights regarding information held in the GM Care Record?

Under the Data Protection Legislation, you have the right to:

  • be informed of our uses of your data (the purpose of this privacy notice)
  • request copies of your personal information, commonly referred to as a Subject Access Request (SAR)
  • have any factual inaccuracies corrected
  • request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances
  • not be subject to automated decision making or profiling. There is no automated decision making or profiling in the GM Care Record
  • complain about the handling of your data to an organisations data protection officer or to the regulator
  • also have the right to object to processing of your personal data in certain circumstances.

Details of how to exercise your rights are shown below.

How can I access the information you keep about me?

To access your Personal Data, you should contact your local appropriate organisation (Appendix A at the end of this page) and their Data Protection Officer.

If this data contains errors, you can exercise your right to correct this information via the Data Protection Officer.

Do I have a right to complain?

Please contact your local appropriate health or social care organisation (Appendix A at the end of this page) and their Data Protection Officer to raise a complaint.

You can get further advice or report a concern directly to:

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
Further information about the way in which the NHS uses personal information and your rights is published by NHS Digital:

The NHS Care Record Guarantee
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data and how data is protected under Data Protection Legislation.

The NHS Constitution
The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.

NHS Digital
NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.

National Data Opt-Out
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. Visit the website below to find out more information or to opt-out of having your patient information being used for research and planning.

Download Appendix A
List of Data Protection Officers and Links to Privacy Notices Across GM Organisations