Data Protection Impact Assessment Direct Care APIs (GP Connect)
Purpose
A Data Protection Impact Assessment (DPIA) is a useful tool to help NHS England demonstrate how we comply with data protection law.
DPIAs are also a legal requirement where the processing of personal data is “likely to result in a high risk to the rights and freedoms of individuals”. If you are unsure whether a DPIA is necessary, you should complete a DPIA screening questionnaire to assess whether the processing you are carrying out is regarded as high risk.
By completing a DPIA you can systematically analyse your processing to demonstrate how you will comply with data protection law and in doing so identify and minimise data protection risks.
Introduction to Direct Care APIs/GP Connect service
This service is known as ‘GP Connect’ to the wider NHS and as ‘Direct Care APIs’ within NHS England.
For consistency, the term “GP Connect” will be used throughout this document.
Organisations who are planning to use or have developed a GP Connect product should use this document to understand NHS England’s and their own responsibilities as a Controller or Processor under Data Protection Legislation.
This document can be used as a starting point for organisations considering their own privacy and data risks and how they should be mitigated and managed locally.
The DPIA is a living document and will continue to be updated as the service launches, progresses new functionality and products through First of Type testing and then moves into live service. Use in new care settings will also be noted.
Direct Care APIs have been in use since 2019.
The latest version of this DPIA (January 2025) introduces the use of GP Connect by medical examiners for their statutory purpose of reviewing deaths. For convenience, in this document, whenever direct care is stated, this includes use by medical examiners. The legal basis for this use is summarised in the relevant section of this DPIA. The Department of Health and Social Care has directed NHS England to include this exception to the limitation of use of GP Connect for direct care purposes only.
The Department issued and continues to manage the Digital Interoperability Platform Direction. A consultation with national stakeholders has confirmed that this change is acceptable to the publishers and consumers of GP Connect information (GPs and the clinical teams that access the data).
This DPIA provides additional detail on NHS England’s audit functions and responsibilities in relation to system use.
New uses for GP Connect
The following use cases were new for 2024:
- private providers – Access Record: HTML
- pharmacy – update patient record
- patient-facing services – NHS App, and with the new NHS market entrant for GPs, Medicus
Last edited: 11 February 2025 3:13 pm