The GP Connect service allows GP practices and clinical staff to share GP Practice clinical information and data between IT systems, quickly and efficiently via Application Programming Interfaces (APIs).
Context of the data processing
NHS England has been directed under Section 254 of the Health and Social Care Act 2012 by the Department of Health and Social Care to establish and operate the GP Connect Service. Read the signed Direction - Establishment of systems: digital interoperability platform 2019.
To comply with the Direction, NHS England is a Controller for the delivery of the GP Connect Service, which means NHS England is responsible for establishing and maintaining a service which enables interoperability between GP IT systems. For NHS England to support the GP Connect service, audit data about the message transactions is collected, which is used for operational support by service management. NHS England is a Controller for the message audit data collected on Spine.
To fulfil the role of Controller, NHS England is also responsible for the content of the messages as they traverse NHS England Infrastructure, and ensuring that they are passed securely, accurately and safely to and from provider and consumer systems for the purposes of Direct Patient Care. The content of the messages is not collected or stored by NHS England. NHS England processes the messages on behalf of the GP practices, who are Controllers of the GP patient record.
Uplift existing DPIAs to reference direct care APIs/GP Connect
The following paragraph is provided for end user organisations to uplift their DPIA to reference direct care APIs/GP Connect, if they wish.
NHS England has been commissioned to develop and operate a series of services which support new models of care and allow health and care professionals to get the information they need to deliver the best possible care for patients. Together these services are known as the Digital Interoperability Platform, it brings together care information related to the patient at the point of care. The services support wider sharing of records along care pathways and across organisational boundaries.
The Direct Care APIs are part of the wider Digital Interoperability Platform. The GP Connect service allows GP practices and clinical staff to share GP Practice clinical information and data between IT systems, quickly and efficiently via Application Programming Interfaces (APIs). These APIs make data from clinical systems available in a standard format that can be used across different systems and be made available to clinicians who need access to the data for direct patient care. From a privacy/data protection perspective, the service provides more secure information transfer using the APIs, removing the need to use less secure methods of information transfer, such as email or fax.
End user organisation privacy notice statement
The following paragraph has been written to be included in an organisation’s privacy notice, should they wish to use it. When using the paragraph, it may need to be edited to include the services that reflect those available locally, although the record will be available wherever the patient presents for direct care within England provided the appropriate consent is in place.
We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes.
GP Connect is not used for any purpose other than direct care.
Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS England service called GP connect.
The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.
Legal basis for sharing this data
In order for your Personal Data to be shared or processed, an appropriate "legal basis" needs to be in place and recorded. The legal bases for direct care via GP Connect is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:
- for the processing of personal data: Article 6.1 (e) of the UK GDPR: "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".
- for the processing of "Special Category Data" (which includes your medical information): Article 9.2 (h) of the UK GDPR: "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services".
Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.
Why and how we process your data in the GP Connect programme and your rights. Why and how we process your data in the General Practice (GP) Connect Service, and your rights.
A Direction given by the Secretary of State for Health requiring NHS England to developer and operate such IT applications, IT infrastructure and IT systems as are necessary to deliver the digital interoperability platform.
For more information about how NHS England uses your information, and what choices and rights you have, see how we look after your health and care information, and our general transparency notice.
We collect the following data from every user of National Data Sharing Portal for GP Connect to monitor traffic and fix any issues:-
- information about web requests including browser information, IP address;
- data sent in response to such requests;
- data about specific health care setting searches, including the search parameters entered by the user;
- data in relation to the sign up process.
As part of the National Data Sharing Portal for GP Connect signup screens, we save personal information including name, email address and role. This data is used purely in the context of the National Data Sharing Portal for GP Connect and GP Connect and will not be shared with any other third parties or organisations. We may use the data to contact you regarding the signup process.
We use the collected data for various purposes in respect to National Data Sharing Portal for GP Connect:-
- to gather analysis or information so that we can make any necessary improvements and changes in functionality;
- to notify you about changes;
- to provide technical support in respect of your usage;
- to provide ongoing maintenance;
- to monitor the usage via audit information;
- to detect, prevent and address security and technical issues;
- for any other purpose which requires your consent.
Where your data is shared with third parties or otherwise, we will seek to share the minimum amount necessary and only with your prior consent.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
Most browsers automatically accept cookies but have an option for blocking or deleting cookies, which will prevent your browser from accepting new cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new cookie in a variety of ways. You can usually access these options through the "Settings" or similar menu in your browser.
For more information about cookies, including how to see what cookies have been set and how to manage and delete cookies, visit www.allaboutcookies.org
The National Data Sharing Portal for GP Connect creates the following cookies:
- Stores if the user has understood that cookies are used on the National Data Sharing Portal for GP Connect
- Stores session cookie values
- Registers a unique ID that is used to generate statistical data on how the visitor uses the website
- Prevents cross site request forgery attacks
How to contact us
Updated: November 2023