Greater Manchester (GM) Care Record

Supplementary Information About Your Privacy

About the Greater Manchester (GM) Care Record

Each health and care organisation in Greater Manchester collects information about you and keeps records about the care and services they have provide. The GM Care Record pulls together this key information about you from these different health and social care records and displays it in one combined record. This enables health and social care staff to find key information about your care in one place which helps them to make the most informed decisions and provide the best care to you as a patient or service user. It is also essential that health and social care staff have access to the most up to date information including alerts that may be helpful for staff involved in your care.

We also remove or scramble the information that identifies you such as your name, address, and date of birth so that we can use this information to better plan our services, make sure that we are providing the best care, and for research into different conditions.

Health Innovation Manchester works across Greater Manchester’s Health and Care system and is rolling out the GM Care Record on behalf of our partners.

You can find out more about the GM Care Record here.

The GM Care Record - Supplementary Information

Personal information (or Personal Data) means any information about an individual from which that person can be identified. The Personal Data that is shared includes:

Identifying Data: Forename, Surname, Address, Date of Birth, Gender, Age, Postal Address, Postcode, Telephone Number and NHS Number.

Other categories of Personal Data: This includes:

  • A list of diagnosed conditions – to make sure your clinical and care staff have an accurate record of your care
  • Medication – so everyone treating you can see what medicines you have been prescribed
  • Allergies – to make sure you’re not prescribed or given any medicines you can have an adverse reaction to
  • Test results – to speed up treatment and care and to ensure tests are not repeated
  • Referrals, clinical letters and discharge information – to make sure the people caring for you have all the information they need about other care and treatment you are having elsewhere
  • Care plans (where available) – for health and care workers involved in your care to view a joined-up plan of care and the wishes you’ve asked for in relation to your care
  • Relevant information about people that care for you and know you well.
  • Basic details about associated people e.g. children, partners, carers, relatives etc.

Health and social care organisations have a duty to share personal data under s251B of the Health and Social Care Act 2012, where it is:

  • (a) likely to facilitate the provision to the individual of health services or social care in England, and
  • (b) in the individual’s best interests.

Personal Data will only be shared between the health and social care organisations that are signed up to the GM Care Record Data Protection Impact Assessment (DPIA). These include:

  • Primary care (e.g. your GP practice)
  • Community services
  • Mental health services
  • Local authority social care departments
  • Secondary care (e.g. hospitals)
  • Specialist services (e.g. ambulances)

The GM Care Record makes your patient information easily accessible for the purposes of your care and treatment.

A record of care is held on each organisation’s secure electronic system (local record) e.g. a GP practice will have their own system for recording patient information. Graphnet, a supplier of healthcare systems, has designed a secure system that integrates data from those multiple electronic health and social care systems to provide a live and read-only summary of that data to a health or social care worker when required for the purposes of direct care.

Data is presented as a read only view; meaning that the Personal Data from an organisation’s local record is not changed. The data remains within each organisation’s database and users are allowed a read-view access only. Access to your data depends on the professional having access in their own clinical/care systems, so professionals can only see information regarding patients that are being referred for treatment or have been treated by them.

As the GM Care Record is an integrated digital care record that pulls together vital patient data from several health and social care providers, only data currently visible in each of the local systems will be visible in the GM Care Record. Each partner organisation feeding data into the GM Care Record has local retention rules set by the NHS Records Management Code of Practice for Health and Social Care.

Within the governance framework for the GM Care Record, the system supplier is also contractually obliged to comply with any requests by the partners to remove/delete data when instructed to do so.

We ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information.

Appropriate technical and security measures in place to protect the GM Care Record include:

  • complying with Data Protection Legislation;
  • encrypting Personal Data transmitted between partners;
  • implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
  • a requirement for organisations to complete the Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements;
  • use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the GM Care Record are auditable against an individual accessing the GM Care Record;
  • ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.

The NHS Digital Code of Practice on Confidential Information applies to all NHS and care staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All staff with access to Personal Data are trained to ensure information is kept confidential.

Under the Data Protection Legislation, you have the right to:

  • be informed of our uses of your data (the purpose of this privacy notice)
  • request copies of your personal information, commonly referred to as a Subject Access Request (SAR)
  • have any factual inaccuracies corrected
  • request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances
  • not be subject to automated decision making or profiling. There is no automated decision making or profiling in the GM Care Record
  • complain about the handling of your data to an organisations data protection officer or to the regulator
  • also have the right to object to processing of your personal data in certain circumstances.

Details of how to exercise your rights are shown below.

To access your Personal Data, you should contact your local appropriate organisation (Appendix A at the end of this page) and their Data Protection Officer.

If this data contains errors, you can exercise your right to correct this information via the Data Protection Officer.

You have a legal right to object to your data being shared. Your objection will be considered on a case by case basis.  When considering your objection, we will consider whether you can still be provided with safe individual care.  Please contact your health and care provider to discuss this further.  This could be your GP practice or the health or social care staff that provided or are currently providing your treatment and care.

We ask you to think carefully before making this decision. Sharing your health and social care information will make it easier for services to provide the best treatment and care for you when you most need it.

Health and social care staff use your confidential patient information to help with your treatment and care.  For example, when you visit a hospital your consultant may need to know the medicines you take.

Your health or social care provider can advise you of how you can opt out of having a GM Care Record. Please note this is separate to the Summary Care record for which you will need to opt-out of separately if required here.

Please contact your local appropriate health or social care organisation (Appendix A at the end of this page) and their Data Protection Officer to raise a complaint.

You can get further advice or report a concern directly to:

  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
  • Email:

Further information about the way in which the NHS uses personal information and your rights is published by NHS Digital:

The NHS Care Record Guarantee

The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data and how data is protected under Data Protection Legislation.

The NHS Constitution

The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.

NHS Digital

NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.

National Data Opt-Out

The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. Visit the website below to find out more information or to opt-out of having your patient information being used for research and planning.

Your Information and the COVID-19 Pandemic

With the outbreak of Covid-19, health and social care services are working to support citizens in response to the pandemic. This includes the way we use your data – a vital tool in how quick and effective our response to the virus can be.

Sharing your health and care information is essential in delivering the best care, to support health and care services and to protect public health. Your information is also vital in researching, monitoring, tracking and managing the pandemic.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this pandemic. The Secretary of State has required NHS Digital; NHS England and Improvement; other bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 pandemic. Any information used or shared during this time will be limited to the period of the pandemic unless there is another legal basis to use the data. Further information is available on here and some FAQs on this law are available here.

During this public health emergency, opt-outs will not generally apply to the data used to support the Covid-19 pandemic, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.

Sharing personal/confidential patient information from the GM Care Record with health and care organisations and other bodies engaged in disease surveillance will be required for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the pandemic. Further information about how health and care data is being used and shared by other NHS and social care organisations to support the Covid-19 response is here.

In such circumstances where you tell us you’re experiencing Covid-19 symptoms, it may be needed to collect specific health data about you. Where this is necessary, no more data than what is required will be collected and assurances will be in place that any information collected will be treated with the appropriate safeguards

Back to top