Connecting Your Care

Privacy Notice – Direct Care

Plain English explanation

This privacy notice explains why health and care providers collect information about you and how that information may be used. For additional information about our ‘Connecting Your Care’ programme please also see the ‘Connecting Your Care’ leaflet and Frequently Asked Questions or visit:

The health and care professionals who look after you maintain health and care records that contain details of any treatment or care you have received previously or are receiving. These records help to provide you with the best possible care. 

NHS patient health and care records may be electronic, on paper or a mixture of both, and a combination of working practices and technology ensures your information is kept confidential and secure. Records which health and care providers hold about you may include the following information:

  • Details about you, such as address, contact details and next of kin
  • Any contact the health or care provider has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes/reports and assessments about your health and care
  • Details about your planned treatment and care
  • Results of investigations, such as blood tests, x-rays, etc.
  • Relevant information from other health and social care professionals, relatives or those who care for you
  • If you have had a social care assessment, the type of assessment and the date of the next planned review. 

The information shared about you is used by the health and social care professionals looking after you to make sure they have the most up-to-date information available to them so that they can quickly assess you and make the best decisions or plans about your care. At the moment, each care organisation has a different system for managing your records, and there is no way for the information held in these records to be shared electronically in “real time”, i.e. immediately. This means that when a health or social care professional needs to know more about you, they must ask for this information by old-fashioned methods, such as telephoning, faxing, or requesting paper copies of your records, all of which can take time, lead to losses of data, or gaps in what is provided.

Connecting Your Care will introduce a new system that will provide a “connected” electronic view between each of these different systems so that the people looking after you can immediately see important information from each of the services that you use, to help them make the best decisions about your care.

We are required by law to provide you with the information in the following 9 subsections. We have also set out a list of definitions below.


1) Controller contact details



James Cross

2) Data Protection Officer contact details



Umar Sabat

3) Purpose of the processing

Information will be shared in order to facilitate “Direct Care” that is delivered to the individual – that is, where a health or care organisation has direct contact with a patient or service user in order to provide them with immediate care or treatment.

Direct Patient Care is defined by the Caldicott Review in 2013 as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this organisation, and in support of direct care elsewhere, is supported under the following Article 6 and 9 conditions of the Data Protection Act 2018/General Data Protection Regulation 2016:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’


Health and social care services are under legal obligations to share information for the purposes of direct care.


We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” *


5) The Sources of the Data and the Recipient or categories of recipients of the processed data

For the first part of this programme we will be connecting your GP system with the local hospital, so your GP can see your hospital record and health professionals in hospitals can see your GP record. In some areas, where other services are already sharing more information than this, then these services will also be included in the first phase. 

When other organisations are joining or there is substantial change to the system you and the general public will be informed or you can visit our website for an update:


Organisations in the first phase are:

  • SWL GP Practices (GPs in Croydon, Merton, Kingston, Richmond, Sutton and Wandsworth boroughs)
  • Croydon Health Services NHS Trust
  • St George’s Healthcare NHS Trust
  • Kingston Hospital NHS Foundation Trust
  • South West London and St George’s Mental Health Trust
  • Your Healthcare Community Interest Company
  • Royal Borough of Kingston Adult Social Care
  • Epsom & St Helier University Hospitals
  • London Borough of Sutton Adult Social Care
  • London Borough of Sutton Children’s Community Services
  • Epsom and St Helier University Hospitals Adult Community Services.


After this first phase, we will move into Phase 2 to gradually bring other care organisations on board, so your health and care record will be available wherever you go in London.

6) Right to Opt Out

You have the right at any time to opt out of electronic information sharing. If you decide to opt out, then no information will be shared about you via this system.

If you would prefer your information not be shared, you will need to submit an opt out form. These are available from your GP Practice, the Patient Advice and Liaison Office at your local hospital and can be downloaded from:

Opting out of the connected-care record view will not mean that your information will not be shared between the people looking after you, just that it will continue to be shared as it is now – via phone, email, fax and letter. Therefore, your care will be no different to how it is now - you will just not be able to take advantage of the benefits that sharing your important information quickly and “in real time” could bring you – especially in emergency situations. 

You will need to tell each health and care professional looking after you about your medical history, your treatment, allergies and medications at every appointment or hospital visit. Decisions about your care may take longer and appointments and tests may be repeated.

If you have any questions or concerns regarding the information held about you or the use of your information, please visit: or contact us at:


Phone:  020 3688 3100


7) Rights to object

You have the right to object to some or all of the information being processed under Article 21 GDPR. Please see section 6 of this privacy notice or alternatively, contact the Data Protection Officer at your care provider for more information. You should be aware that this is a right to raise an objection which will be considered; this is not the same as having an absolute right to have your wishes granted in every circumstance.


8) Right to access and correct

You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider.

If your health or care provider holds information about you, and you make a subject access request they will:

  • Give you a description of it
  • Tell you why it is being held
  • Tell you who it could be shared with
  • Let you have a copy of the information in an intelligible form.


If you would like to make a ‘subject access request’, you will need to contact your health or care provider’s Data Protection Officer in writing.

There is no right to have accurate medical records deleted except when ordered by a Court of Law.


8) Retention period

The data will be retained in line with the law and national guidance.


9) Right to Complain

You have the right to complain regarding the use and sharing of your data, if you think the information has been shared inappropriately. Each provider will have their own complaints process and you will need to contact them directly.


You can also contact the Information Commissioner’s Office via the following link 


or call their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate).


* “Common Law Duty of Confidentiality”: common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or ‘case’ law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent or, in the absence of consent, a legitimising purpose.