Skip to main content

GP Connect Transparency Notice

New National Data Sharing Arrangement for GP Connect

A National Data Sharing Arrangement (NDSA) was launched in 2023 for GP Connect users. 

The GP Connect NDSA sets out the data sharing requirements and obligations for the use of GP Connect for end user organisations. 

If your organisation already uses GP Connect, you don't need to sign the NDSA but please review our action to take guidance.

Overview

GP Connect helps clinicians gain access to GP patient records during interactions away from a patient’s registered practice and makes their medical information available to appropriate health and social care professionals when and where they need it, to support the patient’s direct care.

It provides a suite of technical standards that system suppliers can develop and offer to their customers in their own familiar system.

From a privacy, confidentiality and data protection perspective, GP Connect provides a method of secure information transfer and reduces the need to use less secure or less efficient methods of transferring information, such as email or telephone.  

GP Connect - key points
  • GP Connect can only be used for direct care purposes.
  • Individuals can opt out of their GP patient record being  shared via GP Connect by contacting their GP practice.
  • Access to GP Connect is governed by role-based access control (RBAC) and organisational controls; only people who need to see the GP patient record for a patient’s direct care should be able to see it.
  • All organisations using GP Connect must comply with the National Data Sharing Arrangement (NDSA) and end-user agreement that sets out their responsibilities and obligations.
  • All individuals who have access to the GP patient record using GP Connect must agree to terms and conditions of use.
  • All systems that allow the use of GP Connect must undergo a robust compliance process and the organisations involved must sign a connection agreement holding them to high standards of information security.

GP Connect is for direct care use only

GP Connect products can help health and social care professionals share, view or act on information that could be required for a patient’s direct care, but they would otherwise have difficulty accessing easily (for example if they are using different IT systems).

Organisations can have access to relevant information in GP patient records to provide direct care to patients only.

To be granted access to GP patient records organisations must:


Type of organisations that use GP Connect

Examples of organisations that may wish to use GP connect to view GP patient records include:

  • GP surgeries that patients are not registered at - for example, if they need to see a doctor when they are away from home
  • secondary care (hospitals) if they need to attend A&E or are having an operation
  • GP hubs/primary care networks (PCNs)/integrated care systems (ICSs), partnerships between healthcare providers and local authorities
  • local 'shared care' record systems
  • ambulance trusts, so paramedics can view GP patient records in an emergency
  • healthcare professionals such as community services
  • acute and emergency care service providers
  • NHS 111
  • pharmacies
  • optometrists
  • dentistry
  • mental health trusts
  • hospices
  • adult and children’s social care supported by assured solutions for digital social care record
  • care and nursing homes

Details regarding how GP Connect can be used in various care settings can be found at NHS England’s GP Connect in your organisation pages.

All access to your GP patient record is stored within an audit trail at your GP practice and within the organisation that information has been shared with.

Details of the data held within the audit trail can be found in Appendix 1.


Who uses GP Connect?

We have developed a GP Connect Data Transparency Portal where further information on which health care settings use GP Connect and the reason why this organisation is using a particular product.

Any new GP Connect users will need to agree to the terms of the products they intend to start using, and will be listed on these web pages.

GP Connect can work in different ways, depending on how it has been set up in a particular area.

Organisations using GP Connect are described as 'providers' and 'consumers', depending on the capacity in which they are acting.

A provider is a GP practice that makes available GP patient records via the GP Connect service.

A consumer is an organisation providing health and social care, which accesses the GP patient record made available by Providers for the purpose of direct care.


The GP Connect products

A real life example

A patient with complex medical needs can call NHS 111 with a suspected infection, have their record triaged by an NHS 111 clinician (Access Record), get themselves an appointment with their local out of hours service, attend the appointment (Appointment Management)  and have antibiotics prescribed and information regarding their encounter can be sent in a PDF back to their registered GP to be added to the patient record, (Send Document) where the information will then be available the next time someone uses an Access Record product.

In the future, the information will be able to be auto-ingested into the GP Patient record (subject to extensive engagement with the GP profession) removing the burden on general practice in digesting the PDFs from Send Document we call this Update Record .


GP Connect: Access Record

GP Connect: Access Record allows authorised clinicians to access GP patient records held on their practice system. Access Record has two methods of retrieving information:

  1. Access Record: HTML enables a read-only view of a patient record which can be viewed within another care setting via an accredited system or application.
  2. Access Record: Structured provides access to 'sections' of a patient record in a structured format.
  3. Access Document allows access to any documents which are saved in a patient's GP record via an accredited system or application.

GP Connect: Update Record

GP Connect: Update Record allows authorised clinicians to update a patient's GP record from a community  pharmacy with structured data.

Each message sent using this integration uses the GP Connect Messaging components, MESH, and ITK3, to deliver the message. 


GP Connect: Send Document

GP Connect: Send Document provides a simple way of updating a GP patient record. It sends a summary of a consultation in a document format to the patient’s registered GP practices that can be read and added to the GP patient record


GP Connect: Appointment Management

GP Connect: Appointment Management allows organisations to book appointments on behalf of a patient directly into their registered practice or another care setting within their primary care network.

Appendix 2 shows in more detail what data is used for each product.



Confidentiality

Confidentiality and trust are essential to the relationship between GPs and their patients.

The information a patient provides to their GP is confidential, and they can expect that any information that is shared for their direct care will remain confidential.

GP Connect relies on 'implied consent'.

Explicit consent is not required when information is shared for a direct care purpose. If a patient does not want their information to be shared using GP Connect, they can opt out.

The NDSA and its terms and conditions stipulate that any information received or accessed about a patient for direct care purposes must remain confidential.

In addition to the NDSA, health and social care professionals are also subject to their own professional codes of confidentiality and are aware that any information received via GP Connect is provided in confidence, which must be respected.

Organisations using GP Connect are notified of their duty as 'controllers' to be fair and transparent about their processing of their patients’ information and to ensure that their transparency notices are fully updated with how they may be using GP Connect functionality.

NHS England helps support the mitigation of information sharing risks by ensuring that:

  • NHS England audit data access is subject to two-factor authentication and role-based access controls - only certain assured users can have access to the full audit logs
  • a completed Supplier Conformance Assessment List (SCAL) which covers service and capability specific compliance requirements and controls of the consumer system is in place

It is the responsibility of organisations using GP Connect to ensure that they comply with the NDSA, and their statutory and legal obligations regarding data protection and confidentiality.


Data rights

Under the legal basis used for GP Connect, patients have the following rights:

The right to be informed - patients have the right to be informed of how their data is being processed. This should be reflected in the patient’s GP practice privacy notice.

The right to object - patients have the right to object to their data being used in this way. If patients do not wish for their data to be shared, they should contact their GP practice.

The right of access - in addition to the right for copies of their information, patients also have other rights, including the rights: 

  • to be advised of the reasons why their data is being shared in this way
  • to know what data is being shared
  • to know who it has been shared with

The right to rectification - if patients find that the data that has been shared is factually incorrect, they have the right to request that this is corrected.

The right to restrict processing - Patients have the right to request processing is stopped, whilst either an objection is processed, or they are awaiting rectification of data.

More information regarding data rights available from an organisation that has shared or viewed a patient’s data can be found within that organisation’s privacy notice.


Opting out of GP Connect

If patients do not wish their information to be shared using GP Connect, they can opt out by contacting their GP practice.


National Data Opt-out

The National Data Opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.

The National Data Opt-out only applies to any disclosure of data for purposes beyond direct care, so having National Data Opt-out will not prevent your GP patient record being shared via GP Connect.


Further information

Last edited: 24 January 2024 3:31 pm