In view of COVID-19, you can find supplementary information regarding data sharing here. And further information is available here.

Please click the links to view the information.


GDPR Policy 1.2

Data Breach under GDPR

How we use your information leaflet

Subject Access Request Leaflet For Patient

COVID-19 Privacy Notice

Due to the unprecedented challenges that the NHS and we at Grimethorpe Surgery face due to the worldwide COVID-19 pandemic, we may need to share your personal information in order to look after your health care needs, including medical records, with staff from other GP Practices including Practices within our Primary Care Network, as well as other health organisations (i.e. Clinical Commissioning Groups, Commissioning Support Units, Local authorities etc.) and the National bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.

Our Legal Basis for sharing data with NHS Digital

The Secretary of State has served notice under the Health Service (Control of Patient Information) Regulations 2002 (COPI)to require organisations to process confidential patient information in the manner set out below for purposes set out in Regulation 3(1) of COPI.

NHS Digital has been legally directed to collect, process and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak under The Health and Social Care Act 2012. More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) under Article 6 (1c) and Article 9 (2g)of the personal data collected and analysed jointly for Research and Pandemic Planning with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

Grimethorpe Surgery is only required to process such confidential patient information:

  • where the confidential patient information to be processed is required for a Covid-19 Purpose and will be processed solely for that Covid-19 Purpose in accordance with Regulation 7 of COPI
  • from 20th March 2020 until 30th September 2020.

Details of the information to be collected can be found on the NHS Digital website

In Barnsley, a population health management programme has been introduced to use linked data from primary, secondary and community care to understand population health more effectively.  This only uses pseudonymised data i.e., where information that identifies you has been removed and replaced with a pseudonym.  This will only ever be reidentified if we discover that you may benefit from a particular health intervention, in which case only the relevant staff within your practice will be able to see your personal information to offer this service to you.

To carry out this data linkage, your pseudonymised data will be passed to the North of England Commissioning Support Unit, who are part of NHS England, who will link this to other local and national data sources to be able to carry out appropriate analyses.  These linked datasets will also be securely shared with Optum and your Clinical Commissioning Group to carry out any further analysis needed to support improvements to the local populations health and to target health and social care resources effectively.  

Only a small number of staff based within these UK based organisations will be able to access this data and as this will be pseudonymised in accordance with the ICO Anonymisation Code of Practice, no one will be able to identify you within these organisations.  

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.  

To find out more or to register your choice to opt out, please visit

How and why NHS Digital will share you data

Data will be collected nationally from all GP Practices every fortnight. NHS Digital will analyse the data the data they collect securely and lawfully share data with other appropriate organisations, including Health and Social Care organisations, bodies engaged in disease surveillance and research organisations for the purpose of Coronovirus ONLY. These purposes include protecting public health, planning and providing health, social care and public services, identifying covid19 trends, monitoring and managing the outbreak and carrying on vital covid19 research and clinical trials.

National Data Opt-out

The application of the National Data Opt-out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during and emergency the National Data Opt-out will generally not apply.

What we will do at Grimethorpe Surgery

  • A record will be kept by Grimethorpe Surgery of all data processed under this Notice.
  • Data protection and electronic communication laws will not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
  • It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
  • We have an obligation to protect our staff and employees’ health, so it is reasonable for staff at Grimethorpe Surgery to ask any visitors to our practice to tell us if they have visited a particular country, or are experiencing COVID-19 symptoms. This must only be in pre-approved circumstances and we would also ask all patients to consider government advice on the NHS 111 website and not attend the practice.
  • Where it is necessary for us to collect information and specific health data about visitors to our practice, we will not collect more information than we need, and we will ensure that any information collected is treated with the appropriate safeguards.

Your rights over your personal data

To read more about what choices and rights you have in relation to the processing by NHS Digital or your personal data , see:

 Review and Expiry of this Notice

This Notice will be reviewed on or before 30 September 2020 and may be extended by The Secretary of State.  If no further notice is sent to us by The Secretary of State this Notice will expire on 30 September 2020.

Updated :- 18th May 2020      

GPES Cardiovascular Disease Prevention Audit (NHS Digital Information)

Data Provision Notice to require the submission of general practice data in connection with the national Cardiovascular Disease Prevention Audit (CVDPREVENT Audit).


NHS England has directed NHS Digital to collect and analyse data in connection with Cardiovascular Disease Prevention Audit (referred hereafter to as “CVDPREVENT Audit”).

The NHS Long Term Plan identifies cardiovascular disease (CVD) as a clinical priority and the single biggest condition where lives can be saved by the NHS over the next 10 years. CVD causes a quarter of all deaths in the UK and is the largest cause of premature mortality in deprived areas.

The CVDPREVENT Audit is a new national primary care audit being commissioned by NHS England to support the implementation of the NHS Long Term Plan, the annually negotiated General Medical Services contract and the national CVD Prevention programme.

Scope of the collection

All General Practices in England.

NHS Digital has been directed by NHS England under section 254 of the Health and Social Care Act 2012 (2012 Act) to establish and operate a system for the collection and analysis of the information specified for this service.

All GP Practices in England are legally required to share data with NHS Digital for this purpose under section 259(1)(a) and (5) of the 2012 Act.


This General Practice Extraction Service (GPES) data will be extracted as an initial full-year extract of data and thereafter as an extract on a quarterly basis. The first extract is scheduled to take place in the second half of 2020-21 financial year and will cover the previous financial year of 2019-20.

The GP live collections timetable provides further details of when this data collection will take place. Please note that this timetable is a live document and is frequently edited to reflect changes to the GPES collection schedule; users are advised to check this regularly for updates.

Read the Data Provision Notice

Transparency notice: how NHS Digital uses your personal data

This page sets out how we use personal data, in line with the General Data Protection Regulation (GDPR). It includes a register of processing activities, and your rights if information about you is included.

NHS Digital is the name we operate under. Our official name is the Health and Social Care Information Centre, which was created by the Health and Social Care Act 2012 as an executive non-departmental public body reporting to the Department of Health and Social Care.

Our legal duties include collecting, analysing and publishing health and care data, providing national technology infrastructure, producing information standards and providing advice and support on information and cyber security. Read more about NHS Digital.

This transparency notice provides information on our data processing activity.


NHS Digital is the Controller for most of our processing of personal data and is registered as required by Data Protection legislation.

Our Data Protection Officer is Kevin Willis, whose duties include monitoring internal compliance and advising the organisation on its data protection obligations, and can be contacted via

As an executive non-departmental body reporting to the Department of Health and Social Care most of our processing activity is directed by the Secretary of State for Health and Social Care. These directions create a legal obligation for our processing. Where we have a different legal basis to support a processing purpose this will be explained.

Your rights

Data protection laws in the UK give people a number of rights concerning their personal data. Not all rights apply equally to all our processing activity as certain rights are not available depending on the lawful basis for the processing.

When you view an entry in our register of processing activities, we have highlighted which rights apply and which may not. To help understand why some may not apply the following should help.

Examples of where rights may not apply – where our lawful basis is:

  • Public Interest (Task) then rights of erasure, portability do not apply.
  • Legal Obligation then rights of erasure, portability, objection, automated decision making and profiling do not apply

If you require further detail each link below will take you to the Information Commissioner’s Office’s website where further detail is provided in section ‘When does the right apply’.

These rights are:

1. Right to be informed

2. Right of access

3. Right to rectification

4. Right to erasure

5. Right to restrict processing

6. Right to data portability

7. Right to object

8. Rights in relation to automated decision making and profiling.

We want you to feel confident that we look after everyone’s personal data in line with the law. If you have any questions about your rights, you can get in touch with us at

Your choices

You can also read more about other choices you have, including the national data opt out, which are provided over and above the rights that Data Protection Legislation gives you, giving you more control and confidence over how we use your data. 

Requesting a copy of your information

Typically, we collect information from health and care organisations providing your care and would advise contacting them directly for a more complete record of your care or treatment. We do not hold your whole medical or care record.

Where we store and use personal data collected from care and treatment records, it is mostly held as codes rather than words. We will provide a list of codes used to help you understand the information we give you. If you would like to request a copy of your personal data that NHS Digital is processing then you will need to complete a Subject Access Request Form and email or post it to the contact details on the form.

Following your request, we may write back to you within the 30-day timeframe to request you to narrow or modify your requirements. This may also result in an extension of a further 60 days whilst we examine your request.

Sharing information

There are very strict rules about who can access the personal data we process, and what it can be used for. When information is shared with other organisations, these organisations have to go through our Data Access Request Service to make sure they will store it safely and legally, and they have a good reason for using it that will benefit health and care. Information is never passed to marketing or insurance companies without consent. We publish all of our data releases on our data release register

Data retention

All data is retained and erased in accordance with our Records Management Policy. Specific retention periods are identified within each processing purpose listed below. If a specific purpose requires a different retention period outside of our policy this will be explained.


If you wish to raise a complaint concerning NHS Digital’s processing activity, visit our Feedback and Complaints page. You also have the right to raise a concern with the Information commissioner’s Office at any time.

GPES COVID-19 At Risk Patients data collection by NHS Digital

The objective of this collection is on an ongoing basis to identify patients registered at General Practices who may be more at risk of getting seriously ill with COVID-19 and who would be potentially eligible for treatment should they contract COVID-19. The data collected will be analysed and linked with other data NHS Digital holds to identify a list of potentially eligible patients.

Treatment options are available for some people who have tested positive for coronavirus (COVID-19). NHS Digital is providing the technology to support the NHS to identify patients eligible for the drugs.

This General Practice Extraction Service (GPES) data will be extracted weekly and will feed a variety of COVID-19 related cohorting programmes including COVID-19 therapeutics and vaccination programmes and will continue as long as the rationale continues for the collection of data.

The data, as specified by the DPN, supports the COVID-19 Public Health Directions 2020 from the Secretary of State for Health and Social Care. Organisations that are in scope of the notice are legally required to comply. 

General Practices will be automatically enrolled into the data extract and will not be required to participate. This will reduce burden on GP’s as there will be no offer of participation on Calculating Quality Reporting Service (CQRS).

As NHS Digital is collecting personal data from General Practices through this collection, General Practices have a legal duty to be transparent and to provide patients with transparency information under UK GDPR about the data they are sharing with NHS Digital.

Therefore, General Practices need to update their own Transparency Notices on their websites to include details of this collection. NHS Digital has produced a COVID-19 response transparency notice which GPs can use to do this. 

About GPES COVID-19 At Risk Patients data collection version 5

The General Practice Extraction Service (GPES) will require the data on a weekly basis until further notice and a decision is made to end the extract.

The GPES COVID-19 At Risk Patients data collection has been completely revised. This is in line with the identification of cohorts to align with the McInnes report changes:

The revised data collection will feed a variety of COVID-19 related cohorting programmes including COVID-19 therapeutics and vaccination programmes and will continue as long as the rationale continues for the collection of data. These are outlined in Appendix A – Specification in the DPN.

The GPES data extraction will identify all patients currently registered with a General Practice who fall under the cohort count and code clusters specified in the business rules. These are outlined in Appendix A – Specification in the DPN.

For each patient above, NHS Digital will require the following personal data, as well as the General Practice that individuals are registered with:

  • NHS Number
  • surname and forename
  • date of birth
  • date of death
  • address and postcode
  • ethnicity
  • age
  • sex

Where a patient’s record contains a defined long-term medical condition, such as Downs syndrome, cancers, haematological disease, renal disease, liver disease, immunosuppression, transplants and neurological disease which poses a COVID-19 risk and/or a condition/code which identifies a patient as being at risk of complications from flu/COVID-19, data will be extracted for:

  • the associated SNOMED  CT code(s) and date(s) for the:
    • medical condition
    • recorded activity for COVID-19 in the patient’s medical record
    • drug treatment(s)
  • any values such as scores or prescriptions associated with the SNOMED CT code(s)

There is a dedicated section about Data Provision Notices and Directionson our website.