Information governance and the General Practice Extraction Service (GPES)
Find out more about how we ensure we manage and share information collected via GPES safely and securely.
The legal framework governing the use of confidential patient information in general practice is complex. It includes the Health and Social Care Act 2012, the UK General Data Protection Regulation and the Data Protection Act 2018.
Under which statutory powers do we collect, analyse, publish and disseminate general practice data collected via GPES?
Collection and analysis
Directions
The Health and Social Care Act 2012 (the 2012 Act), under section 254, sets out the powers of the Secretary of State for Health and Social Care (Secretary of State) to direct us on matters concerning the provision of health services or adult social care in England.
All data we collect via GPES is collected under a Direction issued by the Secretary of State.
A list of all Directions provided by the Secretary of State to NHS England is published on our website.
Data Provision Notices (DPNs)
Where we have been directed to establish information systems for the collection and analysis of information under section 254 of the 2012 Act, we have powers to require the provision of information from general practices in accordance with our powers under s259(1)(a) of the 2012 Act. Practices are notified of the requirement to provide us with data under a DPN.
The DPN is a clear, simple statement of:
- the purpose and benefits of the data collection
- our legal basis for collecting the data
- what the data looks like, how it should be submitted, by whom and when
- what the data will be used for.
We aim to send out DPNs by email to general practices approximately 6 weeks ahead of the first data submission.
A list of all DPNs, which have been provided to general practices, is published on our website.
Stakeholder consultation
Before we are able to establish information systems for the collection and analysis of information, under section 258 of the 2012 Act, we must consult:
- DHSC as the directing organisation
- representatives of persons who we consider are likely to use the information to which the Direction relates
- The British Medical Association and Royal College of General Practitioners (via the Joint GP IT Committee) as representatives of general practices
Burden
We have a statutory duty under section 253(2) of the 2012 Act to seek to minimise the burden we impose on general practices. In support of our obligation under section 265(3) of the 2012 Act, we have an assessment process to validate and challenge the level of burden incurred through introducing new information standards, collections and extractions.
This process is carried out by our Data Governance and Assurance Team which assures burden assessment evidence as part of the overarching Data Alliance Partnership Board (DAPB) approval process. The DAPB, acting under authority of the Secretary of State, oversees the assurance, approval and publication of information standards and data collections for the health and social care system in England.
Publication
Our powers to publish information collected under a Direction provided by the Secretary of State under section 254 of the 2012 Act are set out under section 260 of the 2012 Act.
Under section 260(1), we are required to publish all information we obtain by complying with a Direction, unless the information falls within subsection (2). Subject to subsection (3), we must not publish information that falls within subsection (2).
Dissemination
Our powers to disseminate information collected under a Direction provided by the Secretary of State under section 254 of the 2012 Act are set out under section 261 of the 2012 Act.
Per section 261(1A), we may only disseminate information if we consider that disseminating the information would be for purposes connected with the provision of health or adult social care, or the promotion of health.
How we meet our obligations under the UK General Data Protection Regulation (UK GDPR) in relation to the processing of GP data
Where we collect personal data from general practices, we undertake a Data Protection Impact Assessment (DPIA). The DPIA is a process designed to support us in systematically and comprehensively analysing our processing activity to help identify and minimise data protection risks.
In accordance with the UK GDPR transparency principle and data subjects’ rights under the UK GDPR, we also publish transparency notices for all personal data collections to:
- inform patients about how we use their personal data (including what type of data we will use) and for what purpose(s) their personal data will be used
- reassure patients that their personal data will remain safe and will only be used for its intended purpose
The transparency notices relating to the processing of data extracted via GPES are published on our website.
Where we disseminate personal data to external organisations in accordance with our powers under section 261 of the 2012 Act, we ensure all requests are managed by our Data Access Request Service (DARS), with data sharing agreements implemented where appropriate. This aligns with the Code of Practice published by the Information Commissioner’s Office (ICO).
Last edited: 18 February 2025 10:53 am