Merseycare Julie Ann uses a secure NHS England service called GP Connect to support the delivery of your direct care. GP Connect allows authorised health and social care professionals involved in your care to access relevant information from your GP record when it is needed to provide safe, effective, and appropriate care and support.
GP Connect is strictly for direct care purposes only and cannot be used for any other activity, including administration, audit, research, or marketing.
Only authorised clinicians and professionals with a legitimate relationship to your care, such as GPs, NHS 111 clinicians, care home nurses (where applicable), secondary care trusts and social care professionals, can access your information. Access is controlled through NHS-approved, role-based control systems in accordance with the National Data Sharing Agreement (NDSA), data protection laws and our organisational policies.
Legal basis for Processing Data through GP Connect
The processing and sharing of personal data through GP Connect is undertaken solely to support the delivery of direct care to the service user. The lawful bases for this processing are set out in UK data protection law and the Merseycare Julie Ann GP Connect policy, and are supported by the National Data Sharing Agreement (NDSA).
UK GDPR – Article 6 (Personal Data)
Article 6 – Lawfulness of processing (personal data)
Processing of personal data for GP Connect may rely on the following legal bases:
- 6(1)(a) Consent
- 6(1)(b) Contract – Processing is necessary for the performance of a contract, such as a contract with private clients, and to fulfil our obligations to them.
- 6(1)(c) Legal obligation – Processing is necessary for compliance with a legal obligation (applicable in defined circumstances such as safeguarding or statutory requests).
- 6(1)(d) Vital interests – Processing is necessary to protect the vital interests of the data subject (used only in emergencies).
- 6(1)(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller – a legitimate interests assessment (LIA) for all new processing activities will need to be completed, but this is not so different from a DPIA (see attached). This, consent and Article 9(2)(h), I consider, are your main day-to-day lawful reasons for processing.
Article 9 – Special category data (health information)
For processing health information and other special category data, the following legal bases apply:
- 9(2)(a) Explicit consent given to processing for one or more specified purposes.
- 9(2)(c) Vital Interests – Processing is necessary to protect the vital interests of the data subject where consent cannot be obtained.
- 9(2)(h) Health or Social Care Provision – Processing is necessary for the provision of health or social care.
Your rights
Because GP Connect is used to support the delivery of your direct care, the lawful bases applied are the same as those used in other direct care activities within health and social care. This means that the legal rights you have over your personal data under UK Data Protection law remain exactly the same.
These rights, including access, rectification, restriction, objection and others, are explained in full within the main Merseycare Julie Ann Privacy Notice, which applies equally to any processing carried out through GP Connect.
Medical examiners' use
As a provider of adult social care services, Merseycare Julie Ann is legally required to provide medical examiners with relevant health and care records relating to deceased individuals for the purposes of reviewing a death. Although the UK Data Protection laws no longer apply to information about a deceased person, their records continue to be protected under the Common Law Duty of Confidentiality.
Medical examiners have a statutory right to access the records of deceased service users under the Access to Health Records Act 1990, and Merseycare Julie Ann has a legal obligation to disclose these records when requested. Because this disclosure is required, the Common Law Duty of Confidentiality is overridden in these circumstances. Information is only shared to the extent necessary to fulfil this statutory duty and to support the medical examiner in carrying out an independent and accurate review.
How We Protect Sensitive Information
Access to your personal data via GP Connect is strictly controlled through Role Based Access Controls (RBAC), as required by NHS England and the National Data Sharing Agreement (NDSA). This ensures that only authorised professionals with a legitimate need to support your direct care can access information from your GP record.
Data collection
Merseycare Julie Ann also receives information from other health and social care sources including:
- GP Connect
- Hospitals (for discharge planning).
- Local authorities & NHS commissioners (for referral for health and social care).
- Other providers that are involved in your care.
All data is stored securely, and access to our digital care planning system is protected by multi-factor authentication, device-level controls and monitoring to ensure safe and lawful access.
Access to GP Connect is restricted to a small number of senior officers, who are authorised under our RBAC framework and accountable to the Data Protection Lead and our Senior Information Risk Owner (SIRO).
In Merseycare Julie Ann these authorised roles are:
- Regional Directors
- Registered Managers
- Deputy Managers
- Compliance Manager or equivalent roles responsible for care planning, review, and monitoring.
Access is granted strictly on a ‘need to know’ basis, meaning GP Connect is only used where necessary to support safe and effective direct care. This may include:
- Confirming your current prescribed medications to ensure safe administration.
- Checking relevant health conditions, diagnoses or clinical information needed to plan or deliver care and support safely.
- Obtaining up to date medical information when your health needs change, or additional clinical context is required to manage your care.
- Responding to concerns involving your medication or treatment, where information from your GP record is required to ensure your safety.
- Supporting direct care related incident response, for example where a medication error needs immediate clinical clarification to protect your health.
These uses are consistent with the purpose of GP Connect, which is limited to direct care and support only. It cannot lawfully be used for administration, commissioning, research, audit or any non-care activity, known as secondary reasons.
Opting Out of GP Connect
You have the right to prevent Merseycare Julie Ann from accessing your GP record through GP Connect. If you do not wish for your GP practice to share your information via GP Connect, you should complete a Type 1 Opt Out Form and send it directly to your GP practice. A copy of this form is available at: https://assets.nhs.uk/nhsuk-cms/documents/Type1Opt-outform.docx
You may also inform Merseycare Julie Ann directly, either verbally or in writing, that you do not consent to us accessing your GP record. If you withdraw consent in this way, we must immediately stop accessing GP Connect and ensure your record is unlinked in our system. A warning flag will be added to your service user file confirming your opt-out.
Opting out will not affect the care or support you receive from Merseycare Julie Ann. However, it does mean that our staff will be unable to view your GP record through GP Connect. If important medical information is needed to keep you safe, such as during a hospital admission, for urgent clinical clarification, or when supporting your medication needs, your GP or other health professionals may still share relevant information with us where this is legally permitted or necessary to protect your vital interests.
Stopping NHS England and Health and Care Organisations from Sharing Health Information
If you wish to prevent your confidential health information from being shared by NHS England or other health and care organisations for purposes such as research or planning, you can register your preference using the National Data Opt Out. This is completed online via the NHS website: https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/
Where a service user chooses to stop NHS England or other health and care organisations from sharing their information, this preference will be respected. The only exceptions are situations where sharing is required by law.
Please note that the National Data Opt-Out does not prevent data sharing for direct care and therefore does not apply to GP Connect.
If you wish to prevent Merseycare Julie Ann from accessing your GP record through GP Connect, you must complete:
- a Type 1 Opt-Out Form submitted to your GP practice, and
- the National Data Opt-Out (above) if you also want to prevent NHS England or other organisations using your information for planning or research.
Completing both forms ensures your preference applies to:
- direct-care access to your GP record (GP Connect), and
- secondary uses such as research and planning (National Data Opt-Out).
Data sharing
Merseycare Julie Ann works in partnership with a range of health and social care organisations, including the NHS, allied health professionals, and other social care providers involved in delivering your direct care. We share information only when it is necessary, proportionate, and lawful to do so. The same ‘need to know’ principles that apply to accessing information through GP Connect also apply to how we share health information with other agencies involved in your direct care.
How we share information with other health and care partners is defined by the National Data Sharing Arrangements (NDSA) and includes the following safeguards:
- There is a legitimate reason for sharing information (a clear direct care purpose).
- The requesting organisation is directly involved in your care such as a District Nurse or Social Worker.
- Your consent to share has been obtained, unless an alternative lawful basis applies.
- The receiving organisation is a signatory of the NDSA, ensuring they meet required data protection and security standards.
- Only the minimum necessary information is shared to meet the specific care needs.
- If consent is not available, information will only be shared where it is justified in the public interest, for example to protect your vital interests or where required by law, and only with the approval of the Merseycare Julie Ann Information Governance Lead or SIRO.
Service User rights
You have a number of rights under the UK data protection regulations in relation to the personal information we hold about you. These rights apply equally to any information we record in your care file, including information obtained through GP Connect where it has been documented as part of your assessment, care planning or support records. They include your right to access your information through a Subject Access Request, your right to correct any information that is incorrect, and all other rights as defined by UK GDPR.
Your Right of Access (Subject Access Request – SAR)
You have the right to request access to the personal data we hold about you. To do this:
- You may make a Subject Access Request (SAR) verbally or in writing, including through email or social media.
- You may request a SAR form from us, but you do not have to use a specific form for your request to be valid.
- A third party (such as a family member, representative, or solicitor) may make a request on your behalf.
- We will not charge a fee for responding to your SAR unless the request is manifestly unfounded, excessive, or requires additional copies.
- We will respond within one month of receiving your request. Where requests are complex or numerous, we may apply a lawful extension of up to two further months and will inform you if this is necessary.
- We will follow the Accessible Information Standard to ensure our responses are clear, accurate, and suited to your communication needs.
- We will provide information to you securely, for example through encrypted email (Egress) or Recorded Delivery.
- We will only refuse a request where an exemption applies under the Data Protection Act 2018, or where the request is manifestly unfounded or excessive.
Other UK GDPR Rights
In addition to your right of access, you also have the right to:
- request correction of inaccurate or incomplete information
- request restriction of processing in certain circumstances
- object to processing where the lawful basis permits
- request erasure of your information in limited circumstances
- be informed about how your data is used (fulfilled through this Privacy Notice and associated GP Connect Transparency Notice)
- data portability (where applicable to the lawful basis)
We will explain these rights in full when responding to your request, and we will support you to exercise them wherever possible.
Security
Merseycare Julie Ann takes the security of all data held by us extremely seriously. We have governance structures and internal controls in place to ensure compliance with the UK Data Protection regulations and wider information governance standards. To protect sensitive information, including data accessed through GP Connect, we use the following measures:
Physical and Organisational Security
- Secure premises with restricted access to protect confidential information.
- Clear governance and accountability, including oversight by senior managers and the Information Governance Lead.
System and Access Security
- Two-stage (multi-factor) authorisation for accessing our digital care planning platform where your information is stored.
- Strict Role-Based Access Controls (RBAC) for GP Connect, ensuring that only authorised senior personnel can access GP records.
- Care workers cannot access GP Connect.
- Access to sensitive information is restricted and based strictly on a legitimate “need-to-know” for delivering direct care.
Cyber and Network Security
- Group-level network security protections to defend against cyber-attacks and unauthorised access.
- Continuous monitoring and technical safeguards to ensure that data remains secure across all systems.
These measures ensure that your personal information remains protected, confidential, and accessed only by those who need it to deliver safe and effective care.