Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

GP Connect privacy notice

Information for health and social care organisations who use the GP Connect service.

The GP Connect service allows GP practices and clinical staff to share GP Practice clinical information and data between IT systems, quickly and efficiently via Application Programming Interfaces (APIs).

Context of the data processing

NHS Digital has been directed under Section 254 of the Health and Social Care Act 2012 by the Department of Health and Social Care to establish and operate the GP Connect Service. Read the signed Direction - Establishment of systems: digital interoperability platform 2019.  

To comply with the Direction, NHS Digital is a Controller for the delivery of the GP Connect Service, which means NHS Digital is responsible for establishing and maintaining a service which enables interoperability between GP IT systems. For NHS Digital to support the GP Connect service, audit data about the message transactions is collected, which is used for operational support by service management. NHS Digital is a Controller for the message audit data collected on Spine.

To fulfil the role of Controller, NHS Digital is also responsible for the content of the messages as they traverse NHS Digital Infrastructure, and ensuring that they are passed securely, accurately and safely to and from provider and consumer systems for the purposes of Direct Patient Care. The content of the messages is not collected or stored by NHS Digital. NHS Digital processes the messages on behalf of the GP practices, who are Controllers of the GP patient record.  

Uplift existing DPIAs to reference direct care APIs/GP Connect

The following paragraph is provided for end user organisations to uplift their DPIA to reference direct care APIs/GP Connect, if they wish.  

NHS Digital has been commissioned to develop and operate a series of services which support new models of care and allow health and care professionals to get the information they need to deliver the best possible care for patients. Together these services are known as the Digital Interoperability Platform, it brings together care information related to the patient at the point of care. The services support wider sharing of records along care pathways and across organisational boundaries.  

The Direct Care APIs are part of the wider Digital Interoperability Platform. The GP Connect service allows GP practices and clinical staff to share GP Practice clinical information and data between IT systems, quickly and efficiently via Application Programming Interfaces (APIs). These APIs make data from clinical systems available in a standard format that can be used across different systems and be made available to clinicians who need access to the data for direct patient care. From a privacy/data protection perspective, the service provides more secure information transfer using the APIs, removing the need to use less secure methods of information transfer, such as email or fax.  

End user organisation privacy notice statement

The following paragraph has been written to be included in an organisation’s privacy notice, should they wish to use it. When using the paragraph, it may need to be edited to include the services that reflect those available locally, although the record will be available wherever the patient presents for direct care within England provided the appropriate consent is in place.

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes.
GP Connect is not used for any purpose other than direct care.

Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect. 

The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services. 

Legal basis for sharing this data

In order for your Personal Data to be shared or processed, an appropriate “legal basis” needs to be in place and recorded. The legal bases for direct care via GP Connect is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

  • for the processing of personal data: Article 6.1 (e) of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
  • for the processing of “Special Category Data” (which includes your medical information): Article 9.2 (h) of the UK GDPR:  “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.

Your rights

Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.

Find out more about GP Connect.

More information

For more information about how NHS Digital uses your information, and what choices and rights you have, see how we look after your health and care information, and our general transparency notice.

Changes to this privacy notice

This notice may be amended at any time, so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Last edited: 26 January 2023 9:59 am