Part of Data Protection Impact Assessment Direct Care APIs (GP Connect)
Describe the legal basis for the processing (collection, analysis or disclosure) of personal data?
Legal basis
Direction was given by the Secretary of State for the Department of Health and Social Care to establish and operate the Digital Interoperability Platform (which includes GP Connect) using the powers given under section 254 of the Health and Social Care Act 2012.
The legal basis for NHS England’s processing under GDPR is Article 6(1)(c) – the processing is necessary to comply with a legal obligation.
For the NHS Number and message content processing which may be considered special category data the legal basis for the processing is GDPR Article 9(2) (h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’ and Data Protection Act 2018, Schedule 1, Part 1, Paragraph 2, Sub paragraph (2) (f) – ‘the management of health care systems or services or social care systems or services’.
GP Connect can only be used for purposes of direct care (as previously stated in this document)
A suitable legal basis for direct care use by providers and consumers is:
Article 6.1. (e): “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”
And Article 9.2 (h): “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
Common Law Duty of Confidentiality
For direct care purpose the use of “Implied consent” is usually considered sufficient.
The information a patient provides to their GP is confidential, and they can expect that any information that is shared for their direct care will remain confidential.
GP Connect relies on “implied consent” and explicit consent is not required when information is shared for a direct care purpose if a patient does not want their information to be shared using GP Connect, they can opt out.
The National Data Sharing Arrangement (NDSA) and its terms and conditions stipulate that any information received or accessed about a patient for direct care purposes must remain confidential.
In addition to the NDSA, health and social care professionals are also subject to their own professional codes of confidentiality and are aware that any information received via GP Connect is provided in confidence, which must be respected.
Organisations using GP Connect are notified of their duty as Controllers to be fair and transparent about their processing of their patients’ data and to ensure that their transparency notices are fully updated with how they may be using GP Connect functionality.
There are stipulations within the NDSA regarding the requirements of Transparency and Proactive communication, including making patients aware of their ability to opt out of their data being shared.
It is extremely important that Providers are aware of the appropriate mechanisms to record consent or dissent for sharing, and how this is manifested in Provider Clinical systems- the current functionality required to support “Implied Consent” is described in the table below.
| Functionality | Consent | S1 solution | EMIS solution |
| Access Records-HTML | implied |
sharing flag set to “Yes” functionality is available sharing flag set to “no” functionality not available. If no flag set, then defaults to organisation setting for unflagged patients |
If coded as “Dissent to share detailed record” then functionality not available. If coded for consent, or no dissent recorded, then functionality is available |
| Access Records- Structured | Implied |
sharing flag set to “Yes” functionality is available sharing flag set to “no” functionality not available. If no flag set, then defaults to organisation setting for unflagged patients |
If coded as “Dissent to share detailed record” then functionality not available. If coded for consent, or no dissent recorded, then functionality is available |
| Appt Management | Implied | No action required- this facility is available regardless of flag setting | No action required- this facility is available regardless of consent/dissent codes present on the record |
| Send Message | Implied | No action required- this facility is available regardless of flag setting | No action required- this facility is available regardless of consent/dissent codes present on the record |
Medical examiners
From 9 September 2024, health care providers are obliged to provide medical examiners with information for the purposes of investigating deaths. As these individuals are deceased, they are not covered by Data Protection Legislation. However, there are still obligations under the common law duty of confidentiality.
Medical examiners have a legal obligation to access the records of deceased patients and therefore where GPs use GP Connect to send information to medical examiners, their duty of confidentiality is overridden.
Coroners and Justice Act 2009
Schedule 21 Minor and Consequential Amendments para. 29
- Section 3 of the Access to Health Records Act 1990 (right of access to health records) is amended as follows.
- In subsection (1) (persons entitled to access), at the end insert –
“(g) where the patient has died, a medical examiner exercising functions by virtue of section 20 of the Coroners and Justice Act 2009 in relation to the death.”
- In subsection (4) (fee for access), at the end insert –
“Paragraphs (a) and (b) above do not apply in the case of access for which an application is made under subsection (1)(g) above”.
The Medical Examiners (England) Regulations 2024 section 8 states as follows:
Supply of information
8.—(1) A supply of information under these Regulations—
(a)does not breach any obligation of confidence owed by the person supplying the information; and
(b)does not operate to require or authorise the disclosure or use of information which would contravene data protection legislation.
(2) In this regulation, “data protection legislation” has the same meaning as in section 3(9) the Data Protection Act 2018(1).
Last edited: 31 January 2025 3:53 pm