Skip to main content

National Record Locator (NRL) Data Sharing Arrangement

We ask all organisations wishing to use the National Record Locator Service (NRLS)  to acknowledge that they are happy to agree with the terms set out in the Data Sharing Arrangement (DSA).

This Data Sharing Arrangement (DSA) sets out the purpose and lawful basis for which personal data is shared between the organisations via the National Record Locator (NRL). Each being an independent Controller. We ask all organisations wishing to use NRL to acknowledge that they have read and understood the terms set out in the DSA.

Background

The National Record Locator (NRL) is a service set up by NHS Digital under the NHS Digital (Establishment of Systems: Digital Interoperability Platform) Directions 2019 from the Department of Health and Social Care (DHSC) to provide the Digital Interoperability Platform. The NRL enables sharing of nationally defined patient data required to inform clinical decisions across all health and care settings and improve the experience of service users by enabling and enhancing the flow of patient information.

The NRL is a national index of pointers to patient care plans. A care plan is created for and is intended to be shared and used across health and care settings for the patient. It is created with the patient to inform those involved in their care of their health, care and wellbeing needs (“Care Plan”). Organisations that hold a Care Plan will create a pointer to it which can then be accessed by the Permitted Recipients for their purposes. Permitted Recipients will ensure that users can access the record when necessary for the purposes of patient health and care. This could be an authorised clinician, care worker and/or administrator, in any health or care setting, to support that patient’s direct care.

This data sharing arrangement (“this Arrangement”) sets out the purposes for which, and the basis on which, the Shared Personal Data can be shared and received by the Parties, as independent Controllers. The terms set out in this Arrangement apply to all the parties that are sharing, accessing and processing care plans on the National Record Locator for the purposes of direct care. Parties to this Arrangement are expected to only share and receive data in accordance with the agreed purposes and obligations as set out in Annex 1.      

The Shared Personal Data is accessed by a pointer which gives the location of the Care Plan and allows access to the Care Plan by the Permitted Recipients for the Agreed Purposes pursuant to the data subject’s consent as detailed in Annex 1 of this arrangement. 

The Permitted Recipients of the Shared Personal Data are those organisations either providing health and social care where the Care Plan is necessary for the purpose of provision of health and care, treatment, medical diagnosis and provision of social care services. 

Definitions

Agreed Purposes: shall have the meaning as set out in Annex 1of this arrangement;

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing:  shall have the meanings as set out in the Data Protection Legislation in force at the time;

Data Protection Legislation:  means (i) the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, for so long as the GDPR is effective in the UK, (ii) the Data Protection Act 2018, and (iii) any other laws and regulations relating to the processing of personal data and privacy which apply to a party and, if applicable, the guidance and codes of practice issued by the relevant data protection or supervisory authority;

Data Subject Request: means a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation;

Law: means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, bye-law, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements with which the Parties are bound to comply;

Party, Parties: means the Record Publisher party to this Arrangement and any Permitted Recipient receiving the Shared Personal Data;

Record Publisher; means the health and care organisation that will create a “pointer” showing the existence and location of a patients Care Plan, with the intention that ‘Permitted Recipients’ may access the Care Plan for the purpose of direct care when they need it.

Permitted Recipients:  means those organisations providing health and social care, which have been approved and assured for access by NHS Digital, as they have demonstrated that access to the care plan is lawful and necessary for the purpose of provision of health and care, treatment, medical diagnosis and provision of social care services. These include but are not limited to:

  • ambulance trusts/services
  • acute and emergency care service providers
  • NHS 111 service providers
  • care homes

Shared Personal Data: means the personal data made accessible by the “pointer” published by the Record Publisher to all Permitted Recipients enabling access to Care Plans by those Permitted Recipients for the Agreed Purposes set out in Annex 1 of this Arrangement.

Technical and Organisational Obligations: means the obligations set out in Annex 1 in respect of the technical and organisational measures to be put in place in relation to the Shared Personal Data.

Independent Controllers of Shared Personal Data

1. With respect to Shared Personal Data provided by the Record Publisher and accessed by the Permitted Recipients (“Parties”), each Party acts as Controller.  Each Party shall comply with the applicable Data Protection Legislation in respect of their Processing of such Shared Personal Data as Controller, and shall not cause the other Party to breach their Data Protection Legislation obligations.

2. Any material breach of the Data Protection Legislation or the terms of this Arrangement by one Party shall give grounds to NHS Digital to terminate a Party’s involvement in the Arrangement and deny access to the NRL service.

3. Each Party shall Process the Shared Personal Data as set out in Annex 1 of this Arrangement and in accordance with the Agreed Purposes.

4. Where a Party has provided Shared Personal Data to the Parties, the Permitted Recipients of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other Parties may reasonably require.

5. The Parties shall be responsible for their own compliance with Articles 13 and 14 GDPR in respect of the Processing of Personal Data for the purposes of this arrangement. In particular, each Party shall give full information to any Data Subject whose Personal Data may be Processed under this arrangement of the nature of such Processing. This includes giving notice that, on the termination of this Arrangement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees.

6. The Parties will provide the Shared Personal Data to each other under this Arrangement:

a. As set out in and for the Agreed Purposes only and shall make such data available to enable the Parties to perform their respective obligations for the delivery of health and care; and

b. in compliance with the Data Protection Legislation

7. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall, with respect to its Processing of Personal Data as Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the GDPR, as well as the Technical and Organisational Obligations as described at Annex 1.

8. Where applicable, Parties must have met the standards as set out in the Data Security and Protection Toolkit (“DSPT”).

9. A Party Processing Personal Data for the Agreed Purposes shall maintain a record of its Processing activities in accordance with Article 30 GDPR and shall make the record available to the other Party upon reasonable request.

10. Where a Party receives a Data Subject Request in relation to the Personal Data provided to it by the other Party for the Agreed Purposes (“Request Recipient”):

a. the other Party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or

b. where the request or correspondence is directed to the other Party and/or relates to that other Party's Processing of the Personal Data, the Request Recipient will:

i. promptly, on receipt of the request or correspondence, inform the other Party that it has received the same and shall forward such request or correspondence to the other Party; and

ii. provide any information and/or assistance as reasonably requested by the other Party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation.

11. Each Party shall promptly notify the other Party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other Party for the Agreed Purposes and shall:

a. do all such things as reasonably necessary to assist the other Party in mitigating the effects of the Personal Data Breach

b. implement any measures necessary to restore the security of any compromised Personal Data

c. work with the other Party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein) and

d. not do anything which may damage the reputation of the other Party or that Party's relationship with the relevant Data Subjects, save as required by Law

12. Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s respective obligations for the Agreed Purposes.

13. The Parties acknowledge that the use of the NRL service is subject to the terms of this Arrangement, including the Annex, as amended from time to time. This Arrangement may be updated only by NHS Digital to reflect changes in the processing activities and/or the obligations on the Parties. The Parties shall ensure they keep up to date with any such changes, which will be communicated to the parties in the form of a revised arrangement.

Annex 1: Processing personal data

Identity of controller for each category of personal data

The record publisher creates a ‘pointer’ to a care plan. Permitted Recipients may only access the care plan for the purpose of direct care for the patient to whom the care plan relates.

The record publisher will create a ‘pointer’ showing the existence and location of a record which:

  • informs of the existence of a health and care record for a patient;
  • provides the location of a record, which allows the record to be retrieved via a standardised API; and
  • provides contact details of the organisation which holds the record, which allows information about the record to be requested.

The location of where the data can be retrieved is maintained by NHS Digital for audit and monitoring purposes.

A care plan is a record that is intended to be shared. It is created with the patient to inform those involved in their care of their health and care and wellbeing needs. This arrangement includes but is not limited to the following care plans:

  • mental health crisis plans
  • anticipatory care plans
  • end of life care plans
  • urgent care plan (Co-ordinate my care)
  • integrated care and support plan

Processing as independent controllers

The parties are independent controllers of shared personal data for the purposes of the Data Protection Legislation subject to the terms of this arrangement and as set out below

Record publisher

The record publishers are independent controllers in respect of the data collection and creation of the care plan, creation of the pointer and publication of the pointer to the NRL, and the sharing of the pointer to the permitted recipients. In particular, the record publisher is responsible for

  • determining the lawful basis and consent/best interest assessment for the creation and sharing of the care plan in order to meet data protection obligations and the duty of confidence
  • whether to disclose the Care Plan and the extent of information to be to disclosed
  • the accuracy and maintenance of the pointer, and in particular, ensuring it points to the correct and up-to-date record
  • ensuring the accuracy of the Care Plan and rectifying or completing inaccurate or incomplete information and
  • removal of the pointer and Care Plan due to objection, restriction or withdrawal of consent where required under the Data Protection Legislation

Permitted recipients

The Permitted Recipients are independent Controllers in respect of the processing of the Shared Personal Data once they have received it by way of a pointer under this Arrangement.

The Permitted Recipients have a responsibility to ensure that that the Shared Personal Data is processed lawfully and fairly and in accordance with Data Protection Legislation. In particular, the Permitted Recipient is responsible for:

  • notifying the Record Publisher of any inaccuracies in relation to the pointer or Care Plan;
  • notifying the Record Publisher where it becomes aware that a Data Subject has withdrawn their consent for the publication of their Care Plan, or there is otherwise no legal basis for the processing of the Shared Personal Data;
  • assisting the Record Publisher in respect of any Data Subject Requests (in accordance with clause 10); and
  • notifying the Record Publisher of any Personal Data Breach (in accordance with clause 11).

Agreed technical and organisational obligations

The Shared Personal Data shall be processed in accordance with the principles set out in Article 5 GDPR in that it must be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • (adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the data are processed; and
  • processed in a manner that ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss destruction or damage, using appropriate technical or organisational measures

In order to meet the above principles, the Record Publisher’s obligations include, but are not limited to

  • populating the data contained in the pointer using the template provided by NHS Digital
  • ensuring there is a lawful basis for processing; that the patient has given consent for the creation of the Care Plan; that a description of this arrangement is given to the data subject
  • determining the personal data that can be accessed and manner and form in which a record can be retrieved either by providing an API or contact details to the record
  • ensuring accuracy of the pointer e.g. that it refers to the correct patient and record and contains the correct information
  • validating the patient’s NHS number on the Personal Demographics Service as part of this process;
  • ensuring accuracy of the contact details the pointer refers to e.g. that correct phone number is provided
  • maintaining the pointer to reflect any changes to the record the pointer refers to e.g. when a record is updated or reaches the end of its retention period. NHS Digital provide guidance to support this
  • maintaining the pointer to reflect changes to a patient’s PDS data for example change of NHS number
  • auditing pointer publication (or any subsequent amendments or deletion) to meet the responsibilities of its controllership and
  • ensuring the data provided on each pointer is limited only to that necessary for the Agreed Purposes

Agreed purposes

The Shared Personal Data is processed only for the purposes of direct care and the provision of health and care and treatment, medical diagnosis, and social care.

The legal basis for the processing of care plans is for the delivery of health and care in the exercise of the official authority of the Controllers party to the agreement. Consent is given under Article 6(1)(a) for the creation of the care plan and the processing is for the Article 6(1)(e) and Article 9(2)(a)(h) for the processing for the purposes of health and care.

Legal basis and confidentiality

Controllers are responsible for ensuring they have obtained consent from the patient for the creation of the Care Plan; where the patient does not have capacity they must ensure that consent has been obtained from those with Lasting Power of Attorney, or a clinician has undertaken a best interest assessment.

Common Law Duty of Confidence is met by the Parties by ensuring that patients are informed, have given consent for the creation of a Care Plan to be created for the purposes of informing health and care organisations of their care needs. Patients have a right to dissent to the processing of a Care Plan, upon such a request an assessment will be made by a clinician as to whether the processing is in the best interests of the patient. 

Duration of the processing

Processing will continue until a Party withdraws from the Arrangement or the Arrangement is otherwise terminated.

Nature of the processing

The NRL is to facilitate the sharing of care plans created for the purposes informing those delivering direct care to patients and services. This is done by publishing pointers that indicate that a Care Plan is available and can be accessed if needed. 

Organisations that hold Care Plans (the Record Publisher) will create a pointer to a patient’s Care Plan which can then be accessed by  an authorised clinician, care worker and/or administrator, in any health or care setting, to support that patient’s direct care (the Permitted Recipient).  The Permitted Recipients should only access such Care Plans made available by a pointer under this Arrangement where such Care Plan relates to a patient to whom the Permitted Recipient is providing health or social care. 

NHS Digital will facilitate the sharing of Care Plan and will assist the controllers in meeting their data protection obligations. NHS Digital is responsible for:

  • creating and maintaining the pointer data model i.e. the template that NRL Providers populate to publish a pointer
  • validating the pointer metadata provided by the NRL Provider to ensure that it has been populated using data that is relevant and in the correct format. This validation supports the proper functioning of the index e.g. so that pointers can be effectively searched for. If a pointer fails this validation it will not be published on the NRL index
  • audit pointer retrieval to assist and support the controllers in meeting their responsibilities
  • supporting investigations e.g. into system misuse or clinical incidents
  • monitoring whether access controls are operating as intended
  • fulfilling subject access requests relating to the data it has shared
  • fulfilling requests from Data Controllers and Caldicott Guardians detailing who has accessed patients’ health record pointers and
  • providing a mutual authentication process

Type of personal data

The pointer will contain personal and special category data including NHS number, location of record and type of care plan, health information.

Categories of data subject

Patients and service users of mental health services, social care, care homes, primary care services and secondary care services, such as hospitals and community care.

Plan for return and destruction of the data once the Processing is complete

Unless requirement under union or member state law to preserve that type of data

The data is processed by the Controllers for the duration of the episode of care and retained for the appropriate record retention period.  

The Care Plan once retrieved by the Permitted Recipient must not retain a pointer beyond the retention period relevant to the care they have provided. Further detail is provided in the NRL Business Requirements Catalogue. 

Use of NRL service is subjected to these terms, including the Annex, as amended from time to time.  

Download

You can download this Data Sharing Agreement in PDF format.  

NRLS DSA acceptance form

Form submitted successfully

Thank you. Your acceptance of the NRLS Data Sharing Arrangement will be recorded.