Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

National Data Sharing Arrangement for GP Connect

The best practice arrangement for all GP Connect users.

New National Data Sharing Arrangement for GP Connect

A National Data Sharing Arrangement (NDSA) has been launched for GP Connect users. 

The GP Connect NDSA sets out the data sharing requirements and obligations for the use of GP Connect for end user organisations. 

If your organisation already uses GP Connect, you don't need to sign the NDSA but please review our action to take guidance.

The GP Connect National Data Sharing Arrangement (NDSA) sets out the data sharing requirements and obligations for the use of GP Connect. This ratifies the safe sharing of clinical information through GP Connect to support direct patient care.

The NDSA is endorsed by key stakeholders, including the Information Commissioners Office (ICO), National Data Guardian (NDG), the Royal College of General Practitioners (RCGP), and the British Medical Association (BMA). 

All GP Connect users have actions to take to satisfy the NDSA. These are explained below in the action to take section below.


As a part of the response to the COVID-19 pandemic, a Control of Patient Information Notice (COPI Notice) was issued. Under this, it was agreed with national stakeholders that GP Connect should be enabled across all GP practices to share patient data nationally for direct care purposes.

The COPI mechanism was used as the simplest and quickest way to accommodate the changes to GP Connect required during a time of national crisis. However, the legal basis under which GP Connect operated pre-pandemic was not affected by COPI and remains in place.

The legal basis for GP Connect is Article 6(1)(e) and Article 9(2)(h) of the UK GDPR (General Data Protection Regulation). For Common Law Duty of Confidentiality, implied consent with opt out is used.

The law on information sharing has not changed since the response to the crisis. Legal basis is driven by parliamentary law, and NHS policy is driven by NHS England, the Department of Health and Social Care, and national stakeholders.

Purpose of the NDSA

The NDSA has been developed to support data sharing for direct care via GP Connect. Local data sharing agreements were in place for GP Connect before the pandemic. These were not legally needed but were identified by the Information Commissioner’s Office as good practice. The NDSA has been developed to follow the precedent.

The NDSA also details the actions and guidance that GP Connect users need to follow into one place.

Action to take

New GP Connect users

Any new GP Connect users are asked to review and sign the NDSA as part of their supplier's onboarding process. They should do this through the NDSA sign up portal

Existing GP Connect users

Existing GP Connect users who are live with GP Connect, should review the NDSA through the NDSA sign up portal and ensure they satisfy the actions outlined below but they don’t need to sign it. This is because the NDSA has been developed to allow existing users to indicate their acceptance and to accede the new terms by continuing to use the GP Connect products. 

Our transparency portal allows you to check whether you are using GP Connect Search by Organisation Name - National Data Sharing Portal for GP Connect

Action checklist

The NDSA actions are:

1.  Ensure that transparency notices detailing this arrangement are made available to any potentially affected data subjects.

2. Engage in appropriate communications strategies to promote awareness of this sharing to your patients.

3. Ensure that patients are aware of their ability to dissent from this data sharing mechanism.

4. Ensure that you are able to provide data subjects with an audit trail of access to their records upon request.

5. Determine what personal data can be accessed and the manner and form in which a record can be shared.

6. Agree that you may be subject to audits from NHS England to ensure that organisations meet the obligations of the NDSA and Acceptable Use Policy, including the Data Security and Protection Toolkit (DSPT).

7. Have appropriate role-based controls in place to ensure staff members (or classes of staff members) can access data appropriately.

8. Ensure the personal data retained is limited only to that necessary for the agreed purposes.

9. Users should be aware that GP Connect may be only one of the interoperability solutions available locally and should take this into account when developing and reviewing  transparency materials.


Last edited: 15 November 2023 3:25 pm