Skip to main content

General Practice Data for Planning and Research - DARS access/dissemination: GDPR information

Summary

Who we share General Practice Data for Planning and Research (GPDPR) data with and your rights.

Controller NHS Digital
How we use the information (processing activities)

Patient data from GP medical records kept by GP practices in England is used every day to improve health, care and services through planning and research, helping to find better treatments and improve patient care. The NHS is introducing an improved way to share this information - called the General Practice Data for Planning and Research data collection. NHS Digital will collect, analyse, publish and share this patient data to improve health and care services for everyone. This includes: (1) informing and developing health and social care policy (2) planning and commissioning health and care services (3) taking steps to protect public health (including managing and monitoring the coronavirus pandemic) (4) in exceptional circumstances, providing you with individual care (5) enabling healthcare and scientific research - Any data that NHS Digital collects will only be used for health and care purposes. It is never shared with marketing or insurance companies.

Does this contain sensitive (special category) data such as health information? Yes
Who are recipients of this data?

There are a number of organisations who are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:

  • the Department of Health and Social Care and its executive agencies, including Public Health England and other government departments
  • NHS England and NHS Improvement
  • primary care networks (PCNs), clinical commissioning groups (CCGs) and integrated care organisations (ICOs)
  • local authorities
  • research organisations, including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies

All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHS Digital’s Data Access Request Service, to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.

Is data transferred outside the UK? NHS Digital only stores and processes patient data for this data collection within the United Kingdom (UK). Fully anonymous data (that does not allow you to be directly or indirectly identified), for example statistical data that is published, may be stored and processed outside of the UK. Some of our processors may process patient data outside of the UK. If they do, we will always ensure that the transfer outside of the UK complies with data protection laws.
How long the data is kept We will keep your patient data for as long as is necessary for the purposes outlined above in accordance with the Records Management Code of Practice for Health and Social Care 2016 and NHS Digital's Records Management Policy. Other organisations with whom we share your personal data must only keep it for as long as is necessary and as set out in the Data Sharing Agreement with that organisation. Information about this will be provided in their privacy notices on their websites.
Our lawful basis for holding this data Legal obligation
Your rights
  • Tick Be informed

    May not apply if our legal basis is vital interests or if the exemption under Article 14(5)(b) applies and we are sharing for scientific research or statistical purposes.


  • Tick Get access to it

    May not apply if we are sharing for scientific research or statistical purposes to the extent that applying this right would prevent or seriously impair the achievement of the purposes of the processing.


  • Tick Rectify or change it

    May not apply if we are sharing for scientific research or statistical purposes to the extent that applying this right would prevent or seriously impair the achievement of the purposes of the processing.


  • Cross Erase or remove it

    (Right to be forgotten) - may only apply if the sharing is necessary for the purposes of the legitimate interests of another organisation and the individual objects to the processing of their data and there is no overriding legitimate interest to continue this processing.


  • Tick Restrict or stop processing it

    May not apply if we are sharing for scientific research or statistical purposes to the extent that applying this right would prevent or seriously impair the achievement of the purposes of the processing.


  • Cross Move, copy or transfer it
  • Cross Object to it being processed or used

    May only apply if sharing is based on public task or another organisation’s legitimate interests or is necessary for scientific research or statistical purposes and the controller cannot demonstrate compelling legitimate grounds for the sharing which override the interests, rights and freedoms of the data subject.


  • Tick Know if a decision was made by a computer rather than a person
How can you withdraw your consent?

Consent is the not the basis for processing.

Is the data subject to decisions made solely by computers? (automated decision making) No
Where does this data come from? GP practices in England
The legal basis for collecting this data

Our legal basis for collecting and analysing this patient data is Article 6(1)(c) legal obligation, as we require the data to comply with the General Practice Data for Planning and Research Directions 2021.

Our legal basis for collecting and analysing patient data relating to health is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the General Practice Data for Planning and Research Directions. It is substantially in the public interest to process patient data for planning and research purposes to improve health and care services for everyone. This is permitted under paragraph 6 of Schedule 1 of the Data Protection Act 2018 (DPA).

Read more about our legal basis for sharing this data

Our legal basis for sharing this data

Our legal basis for sharing patient data under the GDPR will depend on the organisation we are sharing the data with and how they plan to use it.

This will include:

  • Article 6(1)(c) – legal obligation, for example, where the NHS Digital Control of Patient Information (COPI) notice applies
  • Article 6(1)(d) – vital interests, for example, where it is necessary to protect a data subject or another’s vital interests
  • Article 6(1)(e) – public task, for example, where we are sharing data with another public authority for the purposes of them exercising their statutory or governmental functions
  • Article 6(1)(f) – legitimate interests of another organisation, for example, where we are sharing information with a pharmaceutical company or charity to carry out research

Our legal basis for sharing patient data under GDPR relating to health includes:

  • Article 9(2)(g) – substantial public interest, where we are sharing data with another public authority for the purposes of them exercising their statutory or governmental functions - this is permitted under paragraph 6 of Schedule 1 of the DPA
  • Article 9(2)(h) – health or social care purposes, for example where we are sharing data with another health or social care body for the purposes of managing the health and social care system - this is permitted under paragraph 2 of Schedule 1 of the DPA
  • Article 9(2)(i) – public health purposes, for example where we are sharing data with other bodies to manage and monitor the coronavirus pandemic - this is permitted under paragraph 3 of the DPA
  • Article 9(2)(j) – scientific research or statistical purposes, for example where we are sharing data with researchers to carry out health research - this is permitted under paragraph 4 of the DPA

Further information