Frequently asked questions
- General questions
- Accessibility
- The online survey
- The paper survey
- Confidentiality and data protection
Please note the survey has now closed.
Confidentiality and data protection
The information in this section explains how and why we are using your personal data for the GP Patient Survey. We also outline your rights and how to contact us if you have any questions or concerns about the use of your data.
How did we get your contact details?
Ipsos is sending you this questionnaire on behalf of NHS England. Names were chosen at random from the NHS list of patients registered with a GP. NHS England has shared a limited amount of your personal data so that Ipsos can invite you to take part in this research. This data includes:
- your name and address
- GP practice code and NHS number
- gender and month/year of birth
- mobile telephone number and email address (if available)
Ipsos will keep your data confidential and will only use your contact details to invite you to take part in the survey. Once the survey is finished, Ipsos will securely destroy your contact details, unless you agreed to being re-contacted about future research, in which case Ipsos will securely hold onto your contact details for 24 months. Ipsos has no information about your health.
What is our legal basis for processing your personal data?
NHS England is carrying out this research to help the NHS improve GP practices and other local NHS services. This will help them better meet local needs in response to patients' survey answers. They have a legal duty (under section 13Q of the NHS Act 2006) to involve the public in the commissioning of services for NHS patients.
NHS England is the data controller for the processing of personal data for the GP Patient Survey, which means that they are responsible for making sure that the processing complies with the UK General Data Protection Regulation (UK GDPR).
NHS England’s basis for lawful processing for the GP Patient Survey is Article 6(1)(e) - “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. Processing special category personal data (such as data about health, racial or ethnic origin or sexual orientation) must meet an additional condition, Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”. This means that NHS England can use the personal data they hold about you for research with appropriate safeguards in place. Ipsos is the data processor acting on instructions of NHS England to deliver the survey.
You can access NHS England’s Privacy Notice at https://www.england.nhs.uk/contact-us/privacy/privacy-notice/.
Taking part in the survey is voluntary. However, if you do not want to take part, please email GPPatientSurvey@ipsos.com. In the email, please include your access code (located at the top of the letter or on the front of the questionnaire) and indicate that you wish to opt out.
Are National Data Opt-outs applied to this survey?
No. The Department of Health and Social Care has confirmed that the National Data Opt-out only applies when confidential patient information is being used for purposes other than care for the individual. Confidential patient information includes clinical data about the individual (such as any medical conditions, prescriptions or care received), and any information about the individual that has been accessed via the person’s medical record. The GP Patient Survey uses demographic data and contact details drawn from the patient registration record of GP practices to select and contact people to be surveyed. This personal data is not classified as confidential patient information as no clinical information is used or accessed. As such, the National Data Opt-out does not apply to the GP Patient Survey.
Have we got access to your health data?
No, absolutely not. Ipsos has only been given your GP practice code and NHS number, name, contact details, month and year of birth, and gender. NHS England have not given Ipsos any information about your health – this remains confidential between you and your GP.
Ipsos are given your NHS number so that they can make sure they do not contact you again if you have previously opted-out of the survey. Your contact details are used to contact you to take part in the survey, and GP practice code will only be used to link answers to GP practices.
Information about month and year of birth and gender will only be used to make sure that the anonymised survey data matches the profile of the practice population as closely as possible.
Who are your contact details shared with?
Ipsos is working with certain supplier organisations to run the survey. They will need to share your contact details with the following supplier organisations to invite you to take part:
- Adare SEC; printing letters and questionnaires
- Cisco (Healthcare Communications); distributing text message invitations
- The Delivery Group and Royal Mail; distribution and postage
- Sagacity; optimising delivery of letters and text messages
Google Cloud Platform (GCP) provide Ipsos with hosting services for all applications and data used to collect survey responses (this is all managed by Ipsos).
All these suppliers are approved and compliant with the UK GDPR.
Cookies
Some online surveys collect information through the use of 'cookies'. These are small files stored on your computer. They are used as sparingly as possible and only for quality control and validation. It is possible for you to delete 'cookies' or to prevent their use by changing the browser settings on your computer.
Ipsos also automatically capture information about your operating system, display settings and browser type, to ensure that the survey questionnaire is delivered in a form suited to the software your computer is using. Ipsos do not capture any other information from your computer.
What happens to your answers? Will your doctor see your answers to this survey?
Once you have filled in the survey, Ipsos will put your answers together with the answers from other people to publish the results. Your answers will be kept confidential. Ipsos may share your answers from the survey with approved researchers, but only in a way that doesn't identify you, and in line with strict rules about data processing. Nobody will be able to identify you in any published results.
Your answers are not sent back to your doctor or GP practice. Ipsos, on behalf of NHS England, publish them anonymously with other feedback about your practice, on the GP Patient Survey website: https://gp-patient.co.uk/.
Who are approved NHS England staff and researchers and how can they use the findings?
In order to be able to use the survey data at the individual patient level, all researchers, including those employed by NHS England and other organisations, must apply for permission. Each application must go through a rigorous approval process, setting out the work that will be done, with an agreement that any publication will only refer to completely anonymised data. All other users may only access anonymised data at national, ICS, PCN or practice level.
Where will your personal data be held and processed?
The application used to collect survey responses is hosted by Google Cloud Platform (GCP) using Virtual Private Cloud (VPC) in Frankfurt, Germany, all managed by Ipsos.
Once you have taken part, all of your personal data will be stored by Ipsos in data centres and servers within the United Kingdom hosted by RackSpace UK. RackSpace UK provide Ipsos group managed hosted services, this is dedicated infrastructure for Ipsos only. RackSpace provide support up to the operating system level and Ipsos manage their installed applications and data. Personal data may also be stored within the data collection platform hosted in GCP for the duration of the research period.
How will we ensure your personal information is secure?
Ipsos takes its information security responsibilities seriously and applies various precautions to ensure your information is protected from loss, theft, or misuse. Security precautions include appropriate physical security of offices and controlled and limited access to computer systems. Strict measures have been taken to ensure personal information is securely stored and seen only by the personnel directly involved in the project.
Ipsos has regular internal and external audits of its information security controls and working practices and is accredited to the International Standard for Information Security, ISO 27001.
Your individual answers to the questions are not linked to your name, contact details, or NHS number. Ipsos, and approved NHS England staff and researchers, treat individual answers as confidential. They adhere to all aspects and terms of the UK General Data Protection Regulation and all other relevant legislation, including requirements for secure storage.
If you gave your permission to be contacted about follow-up surveys or research, your answers may be linked to your name and contact details. For further information, please see the ‘What happens if I agreed to be recontacted for further research?’ FAQ under ‘Online survey’.
How long will Ipsos hold your personal data and identifiable responses?
Ipsos will only hold your data in a way that can identify you for as long as is necessary to support the research project and findings. In practice, this means that once we have reported the anonymous findings in an acceptable way, we will securely remove your personal, identifying data from our systems and those of our suppliers.
For this study, we will securely remove your personal data from our systems by September 2025.
If you gave your permission at the end of the survey to be contacted about follow-up surveys or research, your contact details will be removed from our systems by April 2027.
How is your GP practice involved in this survey?
The questionnaire is being sent to a random selection of people who are registered with a GP in England, and your name was selected randomly from the list of patients registered with a GP held by NHS England.
GP practices should be aware that the survey is happening. After the survey has been completed they will have access to the anonymised, statistical results for their practice available via the GP Patient Survey website: https://gp-patient.co.uk/. They will not have access to individual answers.
Has the survey received ethical approval?
Before starting the first survey in 2007 Ipsos consulted the Central Office for Research Ethics Committee (COREC). Ipsos was advised that this survey is ‘service evaluation’ rather than ‘pure research’ – to evaluate the service provided by GPs to their patients. As a result, this survey does not require formal medical research ethical approval. However, Ipsos strictly adheres to the Market Research Society code of research ethics, and the patient details given are not used for anything other than the purpose of this survey.
UK General Data Protection Regulation (UK GDPR)
The UK GDPR includes various rights, although not all of these apply where the legal basis for processing is public task, including the right to erasure and data portability.
You have the right to request access to any personal data that is held by Ipsos up to September 2025 when it will be deleted. You can object to the processing of your personal data or survey answers you provide, at any time before the data is processed for reporting (31 March 2025).
NHS England must generally respond to requests in relation to your rights within one month, although there are some exceptions to this. NHS England’s Privacy Notice explains your rights and how to exercise them.
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you have concerns on how we have processed your personal data. You can find details about how to contact the Information Commissioner’s Office at https://ico.org.uk/global/contact-us/ or by sending an email to casework@ico.org.uk.
How can you contact Ipsos and NHS England about this survey and/or your personal data?
Contact Ipsos:
If you have any questions about this research or if you require further information about this privacy notice, our compliance with data protection laws or information we hold about you, please contact the research team. They can be contacted by:
Email: GPPatientSurvey@ipsos.com
Post:
The GPPS Team - Ipsos
3 Thomas More Square
London E1W 1YW
Contact NHS England:
Email: england.contactus@nhs.net
Telephone: 0300 311 22 33
Post:
NHS England
PO Box 16738
Redditch
B97 9PT