Skip to main content

National Data Sharing Arrangement for GP Connect

The GP Connect National Data Sharing Arrangement (NDSA) sets out the data sharing requirements and obligations for the use of GP Connect. This ratifies the safe sharing of clinical information through GP Connect to support direct patient care.

Page contents

New GP Connect users

  1. Read below Step 1: Before you apply.
  2. Review the current version through the NDSA sign-up portal and ensure you satisfy steps 1 to 3 outlined below.
  3. You should have been referred by your system supplier.

 

Existing GP Connect users

Users who are already using GP Connect, do not need to re-sign the NDSA.

How to tell if you’re an existing user: 

Look up on our transparency portal to check which organisations are using GP Connect.

Step 1: Before you apply

  1. You should hold a current (valid) Data Security and Protection Toolkit (DSPT) for the ODS code you are using to apply to the NDSA.
  2. Read and review the NDSA and ‘Agree’ that you may be subject to audits from NHS England.
  3. You will be asked to confirm that your organisation can meet the obligations of the NDSA and Acceptable Use Policy.
  4. Failure to comply with the above will cause your application to be rejected.

Step 2: Application

  1. GP Connect will confirm whether your application has been successful.
  2. Email your system supplier to progress your application to get your product live and raise any queries you may have.

Step 3: Next steps

  1. Update your transparency notices to include ‘GP Connect’. Use our transparency notice and privacy notice for guidance.
  2. Organise your product training with your system supplier.
  3. Cascade any information on consent options to relevant staff.
  4. Ensure that you know how to provide data subjects with an audit trail of access to their records upon request.

Important

All GP Connect users have actions to take to satisfy the NDSA. These are explained in ’Steps 1-3’ above.

Supporting information

Legal basis

The legal basis for GP Connect is Article 6(1)(e) and Article 9(2)(h) of the UK GDPR (General Data Protection Regulation). For Common Law Duty of Confidentiality, implied consent with opt out is used.

The legal basis is driven by parliamentary law, and NHS policy is driven by NHS England, the Department of Health and Social Care, and national stakeholders.

Medical examiners use case
Healthcare providers are legally obliged to provide medical examiners with medical records relating to deceased individuals for the purposes of reviewing a death. As these individuals are deceased, they are not covered by UK GDPR - however, there are still obligations under the Common Law Duty of Confidentiality. 

Medical examiners have a legal right to access the records of deceased patients and there is a legal obligation for healthcare providers to provide the records to medical examiners under the Access to Health Records Act 1990. As such, the duty of confidentiality is overridden.

Transparency notice

Read the GP Connect transparency notice.

Products covered by the NDSA

Find out which products are covered by the NDSA in the GP Connect transparency notice.

Accession to the NDSA

If you are already using GP Connect you do not need to sign the NDSA, but you can review the current version through the NDSA sign-up portal. Read about accession to the NDSA.

Endorsements

The NDSA is endorsed by key stakeholders, including the Information Commissioner's Office (ICO), National Data Guardian (NDG), the Royal College of General Practitioners (RCGP), and the British Medical Association (BMA). 

Version notes

The current version of the arrangement now supports private health care providers and pharmacy to use GP Connect. Updates to the NDSA are described in the version notes

Last edited: 31 January 2025 7:42 am