Skip to main content

Part of Data Protection Impact Assessment Direct Care APIs (GP Connect)

Demonstrate the fairness of the processing

Previous Chapter

Describe the legal basis for the processing (collection, analysis or disclosure) of personal data?

Current Chapter

Current chapter – Demonstrate the fairness of the processing

View all

Next Chapter

Is it necessary to collect and process all data items

GP Connect services are passed over NHS England Infrastructure to allow seamless information sharing where it is necessary for a patient’s direct care.

The processing is only for the purposes of direct care should be in line with the sharing that a patient would reasonably expect between clinicians for the purposes of caring for that patient.

GP Connect respects a patient’s ‘Dissent to Share’ decision and also respects anything marked as sensitive or private within the record, and this information is not shared.

Audit data is captured when any message is transferred using either the SSP or MESH, this collection is limited to what is needed for service management to be able to support the service.

All End Users must reflect their use of GP Connect within their Transparency notices and make reasonable efforts to communicate this to their patients, along with options to dissent from this data usage, in line with Data Protection legislation requirements.

What steps have you taken to ensure individuals are informed about the ways in which their personal data is being used?

Transparency information about the data collected by NHS England is published on the NHS England GPDR register.

End User Organisations are notified of their duty as Controllers to be fair and transparent about their processing of their patients’ data and to ensure that their transparency notices are fully updated with how they may be using GP Connect functionality details regarding this can be found at NHS England's GP Connect in your organisation pages.

NHS England have published some draft privacy materials that can be inserted or appended to existing privacy notices to reflect GP Connect usage- there are system/use case agnostic and may need to be edited to match local requirements

End Users are required to ensure they are GDPR and DSPT compliant to complete a declaration for GP Connect, which is a prerequisite to deployment. As part of this compliance,  they have to ensure that they have updated their Privacy information about how patient data is being used.

NHS England has a new portal which aims to explain the sharing of data through this service by end user organisations.

Last edited: 11 February 2025 3:49 pm

Previous Chapter

Describe the legal basis for the processing (collection, analysis or disclosure) of personal data?

Next Chapter

Is it necessary to collect and process all data items

Chapters

  1. Data Protection Impact Assessment Direct Care APIs (GP Connect)
  2. Consultation with stakeholders
  3. Purpose of the processing
  4. Nature and scope of the processing
  5. Summary of GP Connect service
  6. Data flow diagram
  7. Describe the legal basis for the processing (collection, analysis or disclosure) of personal data?
  8. Demonstrate the fairness of the processing
  9. Is it necessary to collect and process all data items?
  10. Identify and assess risks
  11. Further actions