Privacy, Freedom of Information

& information security

Patient Guide: Sharing your medical record

3. Patient Guide Sharing Your Medical Record v0.2

Patient guide to SystmOnline’s Sharing Preferences

4. Patient Guide SystmOnline Sharing Preferences v0.2

NHS Patient Data Handout (pdf)


Willowbrook Privacy Notice

willowbrook privacy notice

Privacy, information security and data policies

Click on the options below to see details on what information you can request, how information is used, and where you can opt of of data use if you desire. 

Overview of NHS data policy


  1. Overview
  2. Where confidential patient information is used
  3. Where your choice does not apply
  4. How to make your choice

Your health records contain confidential patient information, which can be used to help with research and planning. If you would like this to stop, you can opt out of this yourself or on behalf of someone else. For example, if you are a parent or guardian of a child under the age of 13.

Your choice will only apply to the health and care system in England. This does not apply to health or care services accessed in Scotland, Wales or Northern Ireland.


This information is also available in other languages and formats.

What confidential patient information is

Two types of information join together to become confidential patient information. This is information that:

  • can identify you
  • says something about your health care or treatment

One example can include your name and address (identifies you) along with what medicine you take (health care or treatment). Identifiable information on its own is used by health and care services to contact patients and this is not confidential patient information.

How we use your confidential patient information

Your individual care

Health and care staff may use your confidential patient information to help with your treatment and care. For example, when you visit your GP, they may look at your records for important information about your health.

Research and planning

Confidential patient information is also used to:

  • plan and improve health and care services
  • research and develop cures for serious illnesses

Where you have a choice

You can stop your confidential patient information being used for research and planning. Your confidential patient information will still be used for your individual care. Any choice you make will not change this.


Where confidential patient information is used

The NHS collects confidential patient information from all NHS organisations, trusts and local authorities. Confidential patient information is also collected from private organisations, such as private hospitals providing NHS funded care. Research bodies and organisations can request access to this information.

Research bodies and organisations include:

  • university researchers
  • hospital researchers
  • medical royal colleges
  • pharmaceutical companies researching new treatments

Who cannot use confidential patient information

Access to confidential patient information will not be given for:

  • marketing purposes
  • insurance purposes

(unless you specifically request this)

How confidential patient information is protected

Protection of your confidential patient information is taken very seriously and is looked after in accordance with good practice and the law.

Every organisation that provides health and care services will take every step to:

  • ensure data remains secure
  • use anonymised data whenever possible
  • use confidential patient information to benefit health and care
  • not use confidential patient information for marketing or insurance purposes (unless you specifically request this)
  • make it clear why and how data is being used
  • respect your decision if you decide to opt out
  • only use information about you where allowed by the law

All NHS organisations must provide information on the type of data they collect and how it is used. Data release registers are published by NHS Digital and Public Health England, showing records of the data they have shared with other organisations.



Where your choice does not apply

If you choose not to allow your confidential patient information to be used for research and planning, your data may still be used in some situations.

When required by law

Your confidential patient information may still be used when there is a legal requirement to provide it, such as a court order.

When you have given consent

Your confidential patient information may still be used when you have given your consent. Such as, for a medical research study.

Where there is overriding public interest

Your confidential patient information may still be used in an emergency or in situations where there is an overriding benefit to others. For example, to help manage contagious diseases and stop them spreading, like meningitis. In these situations, the safety of others is most important.

When information that can identify you is removed

Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first.

Where there is a specific exclusion

Your choice does not apply to a small number of specific exclusions. In these cases, your confidential patient information may still be used at any time. For example, when information is used to collect official national statistics, like the Population Census.

See more information on where your choice does not apply- opens in new window.

How to make your choice


Use this service to choose whether your confidential patient information can be used for research and planning.

If you choose not to allow your confidential patient information to be used for research and planning, this will be respected and applied by NHS Digital and Public Health England. These organisations collect, process and release health and adult social care data on a national basis.

Your decision will also be respected and applied by all other organisations that are responsible for health and care information by March 2020.

Making your choice

You can make or change your choice by using our online service or completing a paper form and posting it back to us. You can also ask for help using our telephone service. You must complete a paper form if you wish to make or change a choice on behalf of someone else.

Before you start

You must have an email address or phone number registered with an NHS service to use the online service. Ask your GP surgery for help if you need to confirm your contact information is up-to-date.

To continue you will need:

  • to be aged 13 or over
  • access to your email or mobile phone
  • your NHS number or postcode registered with your GP surgery

Where can I find my NHS number?

Start now

Other ways to manage your choice

If you are unable to use our online service or wish to set a choice on behalf of someone else, see other ways to manage your choice.

Other languages and braille/audio versions of patient handout

More NHS Digital services


Find leaflets, posters, recommended text for privacy notices and more information for health and care staff to use, so you can support patients on the national data opt-out.

Resources for patients

‘Your Data Matters to the NHS’ posters and handouts were sent to GP practices, NHS Trusts, pharmacies and dental practices in June 2018. These materials should be displayed in patient and public waiting areas.

Use the ‘Your Data Matters to the NHS’ resources below to help raise awareness.

You can also order copies of posters, patient handouts and accessible materials (such as Easy Read, braille, audio and large print versions) from the Health and Social Care Publications Orderline.

Accessible resources

Tailored resources for specific audiences

Other languages

Freedom of Information & the surgery publication scheme

The Freedom of Information Act creates a right of access to recorded information and obliges a public authority to:

  • Have a publication scheme in place.
  • Allow public access to information held by public authorities.

The Act covers any recorded organisational information such as reports, policies or strategies, that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland, however it does not cover personal information such as patient records which are covered by the Data Protection Act. Public authorities include government departments, local authorities, the NHS, state schools and police forces. The Act is enforced by the Information Commissioner who regulates both the Freedom of Information Act and the Data Protection Act. Information about the General Practitioners and the practice required for disclosure under this act can be made available to the public. All requests for such information should be made to the practice manager.

The Surgery publication scheme

A publication scheme requires an authority to make information available to the public as part of its normal business activities. The scheme lists information under seven broad classes, which are:

  • Who we are and what we do
  • What we spend and how we spend it
  • What our priorities are and how we are doing it
  • How we make decisions
  • Our policies and procedures
  • Lists and registers
  • The services we offer

Who can request information?

Under the Act, any individual, anywhere in the world, is able to make a request to a practice for information. An applicant is entitled to be informed in writing, by the practice, whether the practice holds information of the description specified in the request and if that is the case, have the information communicated to him. An individual can request information, regardless of whether he/she is the subject of the information or affected by its use.   

How should requests be made?

Requests must: be made in writing (this can be electronically e.g. email/fax) state the name of the applicant and an address for correspondence describe the information requested.  

What cannot be requested?

Personal data about staff and patients covered under Data Protection Act. For more information see these websites:


Data protection act, confidentiality, Information security and EU privacy law

The practice is registered under the Data Protection Act 1998. When you register, you will be asked for information about yourself so that you can receive the appropriate care and treatment. This information is kept with details of your health and treatment provided, so that the practice can ensure that the care you receive is appropriate and consistent with your medical history. The practice may pass information to other organisations and strict conditions must be complied with before information is released. (Read our FAQ) about how and why we use your information confidentially for risk stratification.  


Confidentiality is an absolute right and patients can be assured of confidentiality at all times. Patients will have access to their medical records, subject to any limitations in the law. The practice keeps up-to-date health records to give you the best possible care. This information may be used for management and audit purposes. However, it is usually only available to, and used by, those involved in your care.  

Information Security

No data is captured on the website, and the forms send emails into secure NHS systems without recording any Patient Identifying Data. Your medical data is never accessible to anyone except you and a secure NHS email address. This includes site administration, so even if the site gets hacked you are secure. The site itself is hosted from secure servers based in Nuneaton, and is SSL encrypted (which you can tell from the green padlock in the browser bar). This means that your connection to the site is fully secure at all times, and that your data cannot be captured or harvested (for example, while a form is being submitted). The site has no direct links to any medical systems or data, and therefore your data cannot be compromised through it. All links on the pages are to secure, verified sites.  

EU privacy law

Our entire infrastructure is based in the UK including all shared, reseller and backup servers. As such yes, we are fully compliant with laws that require your data never reside on servers outside the UK.

National Data Opt-Out program


The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.

Top tasks

Patients can find out more and set their opt-out choice at

Health and care staff can download leaflets, posters and other resources to use when informing patients.

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs. 

By 2020 all health and care organisations are required to apply national data opt-outs where confidential patient information is used for research and planning purposes. NHS Digital have been applying national data opt-outs since 25 May 2018. Public Health England have been applying national data opt-outs since September 2018. Find out more about compliance and organisations’ compliance status

The national data opt-out replaces the previous ‘type 2’ opt-out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient that had a type 2 opt-out recorded on or before 11 October 2018 has had it automatically converted to a national data opt-out. Those aged 13 or over were sent a letter giving them more information and a leaflet explaining the national data opt-out. 

Patients can view or change their national data opt-out choice at any time by using the online service at

Join the national data opt-out mailing list

Fill in the national data opt out team contact form to be added to our mailing list for health and care professionals, to keep up to date with news on the national data opt-out. Please note, you cannot use this form to set an opt-out choice.

Further information

  1. Supporting patients – information and resources

Find leaflets, posters and more information for health and care staff to use, so you can support patients to understand their data choices and the national data opt-out.

  1. Information for GP practices

The national data opt-out has replaced type 2 opt-outs. GP practices must no longer use the type 2 opt-out code to record a patient’s opt-out choice.

  1. Guidance for all health and care staff

Guidance, factsheets and policy documentation on the national data opt-out.

  1. Compliance with the national data opt-out

All health and care organisations in England should comply with the national data opt-out policy by March 2020. Find out what you need to do, when, and see which organisations are already compliant.

  1. National Data Opt-Out: GDPR information

Why and how we process your data in the National Data Opt-Out and your rights.

  1. National data opt-out statistics

Statistical publication on the volume of national data opt-outs


 “How the NHS and care services use your information

(Willowbrook Medical Centre is one of many organisations working in the health and care system to improve care for patients and the public)[1]

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:


  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services


This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.


Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.


You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply


You can also find out more about how patient information is used at: (which covers health and care research); and (which covers how and why patient information is used, the safeguards and how decisions are made)


You can change your mind about your choice at any time.


Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.


Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is / is not currently’ compliant with the national data opt-out policy.[2]


[1] This paragraph to be inserted by national organisations such as ALBs

[2] It is recommended that this is included to be clear to patients whether your own organisation is currently compliant with the policy for applying national data opt-outs.