This includes:

• tight control over who is able to register for a 'Smartcard' to gain access to the NHS CRS,
• role-based access controls, which limit what people can do on the system according to their job role, and
• 'legitimate relationships', which prevent people who are not involved in your care from gaining access to your sensitive personal information.

However, patients can also choose to further restrict access to their personal information. These choices have been promised as part of the Care Record Guarantee (PDF 92Kb).

The main choices are:

1. Consent/dissent to share

   You can choose to prevent confidential information being shared between organisations like your GP practice, local hospitals and primary care trusts.

   If you choose to do this, it will allow information to flow as part of normal clinical communications between organisations – for example, if you are referred by your GP for a hospital appointment and when the hospital then sends information back to your GP when you are discharged.

   It would prevent the information recorded by one NHS organisation from being accessible by another NHS organisation without your consent (other than in exceptional circumstances where the law allows).

   This applies to both your detailed records (which are held locally in the organisations that provide you with care) and to your Summary Care Record, if you choose to have one, (which can be accessed by authorised NHS staff caring for you anywhere in England).

2. Sealing

   You will be able to 'seal' information within your record which you feel is particularly sensitive. Sealed information is available to the team that sealed it (which will normally be the team that record it) but will be withheld from other people who try to access it.

   For example, suppose that John attends a genito-urinary medicine clinic. He is found to be suffering from syphilis. John asks for the diagnosis to be sealed. The next time he goes to the clinic, he sees a different doctor and that doctor is able to see the information (although she is informed that the syphilis diagnosis and the associated information is sealed).

   An appointment is made for John to see the ophthalmologist. The ophthalmologist looks on the computer for the history of diagnoses recorded for John. All of John's diagnoses are revealed apart from syphilis. An icon is displayed to show that some information has been withheld.

   The ophthalmologist asks John for permission to see the hidden information as it could be relevant to his care. John agrees in this instance and the ophthalmologist is able to view the sealed information.

   An alert is raised with the information governance officer in the hospital. The sensitive information is only available to the ophthalmologist, and only whilst he remains logged on to the system.

3. Sealing and locking

   Sealing and locking is a stronger version of sealing which prevents a person's sensitive information from ever being accessed outside of the sealing team. So, in the example above, the ophthalmologist would never know that John had sealed and locked the syphilis diagnosis.

4. Consent/dissent to store

   A Summary Care Record will be created for you (and every other patient in England), unless you explicitly object. If you do explicitly object, it means that you will not have a record containing important health information like allergies and medications available for authorised NHS staff when you are treated, including when you are away from home, out of hours or in an emergency.

More detailed information about these choices will be added.