Keeping your information secure
The Surrey Care Record is hosted within the NHS network, so it is secure. Patient information is encrypted so that only those people authorised to view the information can do so. All health and care professionals have a duty to protect the confidentiality of patient and service user information and are trained to ensure they have your consent before they access your Surrey Care Record (unless you are unable to provide consent, e.g. if you are unconscious, and access is considered to be in your best interests).
The Surrey Care Record holds information drawn from health and social care providers across Surrey which you may have had contact with in the past.
Your GP Practice provides a core set of structured data from their computer systems including:
- Date of Birth
- NHS Number
- Telephone Number
All data provided by you GP Practice will be in the form of ‘coded’ data and no free text is shared.
Data from other providers
Each health and social care provider which supports the Surrey Care Record is responsible for deciding which data to share into the record. In most cases this will be the information they hold within their computer systems and believe will be beneficial for other health and social care professionals involved in your care to have access to.
For details of what data each organisation shares into the Surrey Care Record, please contact them directly.
The Surrey Care Record is accessible by health and social care professionals across Surrey.
The Surrey Care Record is managed by Surrey Heartlands Health and Care Partnership (the local NHS partnered with Surrey County Council, North West Surrey, Guildford and Waverley and Surrey Downs Clinical Commissioning Groups) and NHS East Surrey Clinical Commissioning Group.
The Surrey Care Record is powered by Patients Know Best. Patients Know Best are bound by contractual agreements with every organisation supporting the Surrey Care Record and sharing data into it to ensure information is kept confidential and secure.
The primary purpose of the Surrey Care Record is to provide health and social care professionals with complete, accurate and up-to-date information when caring for you. This information will be used to support your direct care.
Surrey Care Record intends to provide a range of benefits to both patients and medical staff including:
- Reducing the need to repeat your medical history or social care information every time you deal with a new member of staff, service or organisation
- Clinical staff will be able to work with you to make the best decisions about your diagnosis, treatment and care plan
- Care professionals will be able to find shared information when they need it, such as test results, helping to avoid unnecessary appointments and further tests
- Where several organisations work together to support your care, sharing information via Surrey Care Record will help the various teams to co-ordinate your care, resulting in more time spent on better co-ordinated and safer care and less paperwork.
The security of information within the Surrey Care Record is of paramount importance. Your information is stored securely on a protected IT system. Authorised professionals involved in your care must have a legitimate reason to access your information and they will only be able to see the information needed to help with your treatment.
All clinical data within the Surrey Care Record is encrypted. Encryption makes data unreadable except to those who hold the decryption key. This means that if anyone were able to gain access to the data centre in which the data is stored, they would not be able to access any patient data because it would be unreadable.
The data centre in which encrypted patient data is stored is subject to the highest international standards. It is protected by the NHS National Network which all other NHS institutions use. Employees managing the data centre use ISO 27001 standard, the international standard for managing computer security. As part of this, servers are routinely updated with the latest security patches. Penetration testing is also undertaken every year.
Privacy and Confidentiality
Only authorised Health and Social Care professionals will be permitted to access the Surrey Care Record. Those involved in your care with a legitimate reason to access your information (such as your consent) will be able to see only the information needed to help with your treatment. In most circumstances, professionals will ask for your consent to access your Surrey Care Record before they do so to ensure you are happy for this to happen. Where you are unable to provide your consent (e.g. where you may be unconscious), professionals will have the ability to ‘break the glass’ and access your information where this is deemed to be in your vital interests. All access to the Surrey Care Record is audited to protect against unauthorised or inappropriate access.
Surrey Care Record ensures that authorised Health and Social Care professionals only have access to the information they need through the use of ‘Privacy Labels’. Privacy labels are a simple but flexible way of deciding who can see which parts of an individual’s record.
There are four privacy labels used within Surrey Care Record:
- General health: this covers most of the health record and includes information that most health professionals will use to deliver care;
- Sexual health: includes reproductive health and HIV;
- Mental health: for example, diagnoses of anxiety, depression or schizophrenia;
- Social care: information about the care from local authority social care teams, including disability funding. This is very useful in helping to manage home care services.
Each item of data available within the Surrey Care Record is assigned one privacy label. For example, a diagnosis of HIV may have a ‘sexual health’ label while a Lithium medication may have a ‘mental health’ label. Health and Social Care Professionals will only be able to see data which has been assigned the relevant privacy labels associated with the type of care they provide.
The use and sharing of personal data within the UK is governed by the General Data Protection Regulation (GDPR) and the UK’s Data Protection Bill (currently awaiting Parliamentary approval). Surrey Care Record is fully compliant with the law.
The Statutory ‘Duty to Share’
All providers of health and social care services have a statutory duty placed on them by the Health and Social Care (Safety and Quality) Act 2015 requiring them to share information where this will facilitate care for an individual. This ‘duty to share’ provides a statutory gateway enabling providers of health and social care services to share information where this supports direct care.
The Lawful Basis under the General Data Protection Regulation (GDPR)
The GDPR permits personal data to be shared where this is necessary for the performance of a public task:
Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The GDPR also allows special categories of personal data such as health information to be shared for medical purposes:
Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
The Surrey Care Record has been designed to ensure the rights of individuals are respected and upheld.
Everyone has the right to access their personal data. The information held within the Surrey Care Record is a copy of the information drawn from health and social care providers across Surrey which you may have had contact with in the past. You can access your personal data, including that which is held within the Surrey Care Record, by contacting the relevant organisation which has provided you with care.
Each of the providers which are supporting the Surrey Care Record and sharing data into it are responsible for ensuring the information they hold and share is accurate and up to date. You should ensure you inform your GP Practice, and others who may be providing you with care, of any changes which may have occurred since your last interaction.
Should you identify that any information held by an organisation is inaccurate you should inform the relevant organisation. This will enable them to amend the information they hold and ensure that accurate and up to date information is then shared into the Surrey Care Record.
Organisations are only permitted to keep information for as long as necessary. When information is no longer required it should be erased or destroyed. All information within the Surrey Care Record is retained in line with the Records Management Code of Practice for Health and Social Care 2016.
You can find specific details of the retention period for information held within the Surrey Care Record.
Further rights to erasure do not apply to the Surrey Care Record as it is considered a medico-legal record. If you have any questions or concerns about the content of your records you should contact the relevant organisation.
Restrictions and Objections
You have the right to restrict the processing of your data held within the Surrey Care Record, or to object to the sharing entirely. The restrictions you may wish to apply to your record include:
- Preventing certain information from being shared with certain organisations or teams;
- Preventing certain information from being shared with anyone;
- Preventing certain organisations or teams from accessing any of the information within your Surrey Care Record.
You can also choose to object to the sharing of any of your information via Surrey Care Record.
This will prevent any organisation or team from being able to access shared information about you via Surrey Care Record.
Should you wish to place any restrictions on your Surrey Care Record, or object to sharing entirely, you should contact the relevant organisation which holds the information you wish to apply the restriction to. For example, if you wanted to prevent information held by your GP Practice from being shared with other organisations or teams within Surrey, you should contact your GP Practice. You may contact any participating organisation to request that all sharing of your data via Surrey Care Record is disabled.
Should you wish to remove any restrictions previously placed on your record, this can be done at any time by contacting the relevant organisation which previously applied the restriction. For example, if you have previously requested an Acute Hospital not to share information about you, you should
contact them again to request that the restriction is removed.
Lodging a complaint with a supervisory authority.
You have a right to lodge a complaint with the supervisory authority, the Information Commissioner’s Office (ICO). Should you have a concern about the Surrey Care Record’s information rights practices you should first contact email@example.com. Should you remain dissatisfied you can find details of how to contact the Information Commissioner’s Office