My Care Record


We know from surveys and other feedback from the public that you want health and social care organisations to be better connected and share information, so people don’t have to keep repeating information or have delays in treatment.

My Care Record is a programme of work to help make sure that health and care professionals  involved in your treatment and care can securely access up-to-date information about you to help them make the right choices about the care and medical attention you need. For example, a doctor treating you in hospital or a nurse working in the community could view the information they need from your GP record.

Partners to the programme include GPs, hospitals, community services, social care, and Out of Hours GPs.  The programme originally started in 2016 and building on progress made and the lessons learned, we are now introducing a new digital system which will make sharing easier and better.

The benefits of My Care Record


We know people understand the importance of health and social care professionals having access to basic information about patients and the people they care for. This is especially important when care is urgent or required during evenings and weekends. The information in My Care Record will save time and could also be life-saving in some circumstances.

Without My Care Record people need to wait for information to be sent from GPs during surgery hours, which could cause delay in providing treatment, care or medication. Shared care records reduce risks to patients.

The benefits for you

My Care Record is intended to make your health and social care safer, quicker and more coordinated.

With access to more information, health and social care professionals will be able to make more informed decisions, meaning you should get the most appropriate treatment at the right time.

For example, if you call 999, the paramedics that arrive will have access to information about your allergies, and other crucial health information that will help them care for you, even if you are unable to communicate.

Hospital based staff will be able to access 24/7 previous diagnoses, problems, medications you are already on and any tests you have already undergone, along with relevant social care and mental health information.

If you need social care support it will allow professionals to make more informed judgements about the services you receive. This will speed up their decisions and allow quicker responses from them.

Sharing this crucial information will help health and social care staff to work more closely together, which should help reduce things like drug errors, and improve your experience across health and social care.

How My Care Record works


Only health and social care professionals with appropriate levels of access working across Thames Valley and who are directly involved in your care will be able to access My Care Record. This means that they will have access to the most up to date information.

Only authorised staff can log on to My Care Record. All access is logged so we can track precisely who has accessed the record and for what purpose.

To view the organisations who will able to access your information if they are involved in your care, please click here. Each processing organisation named shall be subject to an “on boarding” process prior to being allowed to access your information, so as to ensure appropriate data security and protection compliance. These measures are further described below.

In order to comply with GDPR, all organisations are also expected to explain how they handle your information, who they share it with and for what purpose in a document called a Privacy Notice.  These should be made available via their website and other means. The GP practice Privacy Notice can be viewed by clicking here.

Further information

We have put together a list of My Care Record FAQs to help you understand more about My Care Record.

You can contact the Patient Advice and Liaison Service (PALS), Healthwatch Bucks, or your GP practice for more information.

Patient Advice and Liaison Service (PALS)

NHS South, Central and West Commissioning Support Unit (SCW CSU)

2nd Floor Albert House, Queen Victoria Road, High Wycombe, Buckinghamshire, HP11 1AG

Telephone 0800 328 5640 or email

Healthwatch Bucks or telephone 0845 260 6216 or 01844 348849.

For further details on Data Security and Protection/Information Governance Arrangements (described below), please contact the CCG Data Protection Officer.

Data Security and Protection/Information Governance Arrangements (including technical and organisational security measures)

The My Care Record approach is in line with the General Data Protection Regulation (GDPR), and Data Protection Act 2018), which between them provide the legal basis to share information between health and care services when it is needed to deliver care.  All your information will be processed securely. These arrangements also include compliance with the common law duty of confidentiality.

  1. The Data Processor for this programme of work is Graphnet Health Limited, as supplier of the CareCentric product suite through which the data is processed. Its parent company is System C. Graphnet sub-contract Microsoft Azure for cloud based computing capabilities. Microsoft has no access to data.
  2. The CCG does not receive personal identifiable data. Data will be anonymised for purposes of Population Health Management (which is not direct care), whereby consent is not required for anonymisation as that is a legitimate processing of the data.
  3. Data is explicitly not collected for the purposes of research, where research is something not related to Direct Care (as defined above) or for any purpose requiring ethics committee approval.  

There is a clear distinction between data processing tasks required for purposes of direct care, and tasks required for purposes of secondary use – both population health management and risk stratification. The legal bases under both common law duty of confidentiality and GDPR are explained here.

Measure Evidence
Information Commissioner’s Office (ICO) register of fee payers Graphnet Health Limited

System C

NHS Data Security and Protection Toolkit (DSPT)

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Graphnet Health Limited

System C

Cyber Essentials

Cyber Essentials is a UK government information assurance scheme operated by the National Cyber Security Centre (NCSC) that encourages organisations to adopt good practice in information security. It includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.

Certifications can be searched here

Graphnet Health Limited certificate number 8910399320070954

System C certificate number 3526351253581538

Cloud services

Compliance with UK G-cloud 8 Framework accreditations. If a supplier which does not have this accreditation, it is not essential so long as other appropriate accreditation evidence has been supplied (i.e. ISO27001)

Digital Marketplace

This confirms accreditation with Microsoft named as a Digital Marketplace supplier

Graphnet Health Limited’s cloud processing arrangements on UK only based servers are described here

Data Protection Impact Assessment (DPIA)

This is signed by the CCG Data Protection Officer as a recommended DPIA to member practices and other organisations for their approval as data controllers.

DPIA My Care Record CCG DPO signed

The CCG is named only as the lead organisation and Data Controller (and therefore signatory) for contracting purposes with Graphnet as processor and is not otherwise a data controller for any other purpose. This is subject to approval by each participating organisation. This is taken as read where the Data Sharing Protocol (Tier 2) is signed.

Data Sharing Agreement (Tier 1)

Each participating data controller is required to sign a Tier 1 Buckinghamshire, Oxfordshire and Berkshire West (BOB STP) Data Sharing Agreement for Health and Social Care. This commits signature organisations to processing shared data lawfully: accepting the principles of information sharing and agreeing organisational responsibilities.

The template currently in widespread use is published here.
Data Sharing Protocol (Tier 2)

Organisations will sign specific Data Sharing Protocols for each distinct data flow. These protocols will be proposed by the organisation requesting the data; they will describe the purpose, legal basis and consent for sharing and will specify the data required, how and why it will be used, and by whom.

The template currently in use for My Care Record is published here: Tier 2 My Care Record Data Sharing Protocol (May 2020)

The CCG does not sign this protocol on behalf of any other data controller to share their data. It has been recently updated to reflect:

  1. The premise of data sharing does not only relate to Buckinghamshire, but where patients receive direct care across borders. The reasons and legal basis for sharing as otherwise contained within the DPIA remain unchanged.
  2. The fact that the organisations named within it and signatories to it may change, and therefore the list of approved organisations has been documented separately so that the protocol itself does not need to be re-signed each time the list of signatory organisations to the Protocol changes.
Contract Data Security and Protection/Information Governance clauses

These are covered within General Conditions (GC) 20 and 21 of the NHS national standard contract which forms the basis of the CCG’s signed contract with Graphnet as data processor.

For Graphnet, this is based on the Crown Commercial Services call off order form and call off terms for corporate software solutions.

This framework is known as having expired, but was the framework in use at the time when the contract was signed.

Privacy Policies/Notices (aka Fair Processing Notices)These also describe data flows and contact details for Data Protection Officers Graphnet Health’s Privacy Policy for the CCG and data controllers (as end users) is published here

The template GP (Primary Care) Privacy Notice template which member practices websites signpost to is published here, where “My Care Record” is referred to under the sub-heading of “What else might information be used for?”

It is not mentioned on the CCG’s Privacy Notice as there is no identifiable or pseudonymised flow which involves the CCG.

On boarding criteria as signatory to the Data Sharing Protocol

Any organisation deemed to need to become a party, and thereby signatory, to the Data Sharing Protocol, shall be required to meet on boarding criteria assessed through a checklist.

It is important to note that this process is to be completed only once – i.e. an organisation wishing to join a shared care record would not have to duplicate the checklist/due diligence where already subject to the equivalent process in a neighbouring area.

This may apply locally where an organisation is already a signatory to the Connected Care programme in Berkshire and Hampshire led by Frimley Health NHS Foundation Trust, or the shared care record programme in Oxfordshire. 

The checklist criteria for on boarding includes, as a minimum, the  following for any organisation accessing or sharing data:

  1. Registration as a fee payer with the Information Commissioner’s Office (ICO) where required.
  2. Completion of NHS Data Security and Protection Toolkit (DSPT) as a processor of NHS data as a processor of NHS data – “standards met” or “standards exceeded”:
    1. Entry Level (a) Time-limited level (subject to review) for social care providers. ·(b) Evidence items for critical legal requirements are being met; but some expected mandatory requirements have not been met. ( · (c) Allows access to NHSmail.
    2. Standards Met (a) Evidence items for all mandatory expected requirements have been met. (b) Access to NHSmail, other secure national digital solutions, e.g. Summary Care Records, and potentially local digital information sharing solutions.
    3. Standards Exceeded (a) Evidence items for all mandatory expected requirements have been met. (b) The organisation has external cyber security accreditation. ·(c) Evidence of best practice.

3. Signature of Tier 1 Data Sharing Agreement

For details of any other checklist criteria, please contact the CCG Data Protection Officer. The checklist is document controlled by the Buckinghamshire Integrated Care Partnership (ICP) Information Governance Steering Group, which includes representation from primary care member practices as data controllers.