Part of Data Protection Impact Assessment Direct Care APIs (GP Connect)
Identify and assess risks
Describe source of the risk and nature of potential impact on individuals | Likelihood of harm (Remote; reasonable possibility; or more likely than not) | Severity of impact (Minimal impact; some impact; or serious harm) | Overall risk rating (Low; medium; or high) |
---|---|---|---|
1. Provider and Consumer Organisation risk – There is a risk that patients are unaware that their data may be shared using GP Connect for their direct care | Reasonable possibility | Some impact | Medium |
2. Provider and Consumer Organisation risk – There is a risk of patient identifiable and confidential information being used for purposes other than direct care | Remote | Some impact | Low |
3. Provider and Consumer Organisation risk – There is a risk of patient identifiable and confidential information being used for unassured use cases/clinical settings within direct care | Remote | Some impact | Low |
4. Provider and Consumer Organisation risk – There is a risk of the patient record being accessed by Consumer Systems which do not comply with the necessary security framework | Remote | Some impact | Low |
5. Provider and Consumer Organisation risk – There is a risk of patient record access by end users without appropriate authorisation | Remote | Some impact | Low |
6. Provider and Consumer Organisation risk – There is a risk that the patient's record-sharing dissent is overridden | Remote | Some impact | Low |
7. NHS England risk – Loss of availability of the GP Connect service | Remote | Some impact | Low |
8. NHS England risk – Whole system failure | Remote | Some impact | Low |
9. NHS England risk – DSAs set up on Spine incorrectly due to human error | Remote | Minimal impact | Low |
10. NHS England risk – There is a risk of an increase in Subject Access Requests directed to NHS England due to patient confusion about how to find out about their data use in Direct Care | Reasonable possibility | Minimal impact | Low |
11. NHS England risk – There is a risk that Services (GPs) confused about how to find out about their data use in GP Connect will contact NHS England | Reasonable possibility | Some impact | Low |
12. Opt out confusion – due to the plethora of “opt outs” available (NDO, Type 1, SCR, care record etc) there is a risk of patients inadvertently applying opt outs incorrectly, or not opting out correctly | More likely than not | Some impact | Medium |
13. Access Record (HTML) – There is a risk of unauthorised access to records against patient expectation, due to flag / dissent settings being incorrectly applied | Reasonable possibility | Some impact | Medium |
14. Access Record (HTML) – There is a risk that record access is blocked (with attendant clinical safety and data protection ramifications) against patient expectations due to flag / dissent settings being incorrectly applied | Reasonable possibility | Some impact | Medium |
15. Proportionality – HTML record access allows “full record” sharing. There is therefore a risk of non-compliance with UK GDPR Art 5.1(c) | Reasonable possibility | Some impact | Medium |
16. Issue re S1 EDSM “implied consent” (i.e. no flag set for the patient) being overridden by organisational settings – currently S1 EDSM operates in such a way that if a patient has no clearly defined opt in/out flag on their record, the organisational setting takes precedence; as such “implied consent” can be overridden by an organisational setting not to share, possibly against the patient's expectations | Reasonable possibility | Some impact | Medium |
17. Issue re S1 EDSM “implied consent” (i.e. no flag set for the patient) being applied by organisational settings – currently S1 EDSM operates in such a way that if a patient has no clearly defined opt in/out flag on their record, the organisational setting takes precedence; as such “implied consent” can be applied by an organisational setting to share, possibly against the patient's expectations | Reasonable possibility | Some impact | Medium |
18. Risk that a patient's expectation of how their data may be shared may not be fulfilled due to lack of consistency re consent/dissent with consumer systems – in areas with a mixed economy of clinical systems careful thought must be given to how this will operate in the context of, for example, ShCR or local record sharing initiatives | Reasonable possibility | Some impact | Medium |
19. As the PDS share flag is not respected, if patients move to practices with a different system supplier their consent/dissent may not be respected – patient expectations are that their data usage preferences will not change if they move practice | Reasonable possibility | Some impact | Medium |
20. Allergies and intolerances – allergy/intolerance information may not be fully interoperable between participating systems. Where allergy/intolerance information is not fully understood by a receiving system, clinical safety controls are in place to prevent medications being prescribed in an unsafe manner; however there is still a risk of lack of compliance with GDPR Article 5.1(d) (“Accuracy”) if this information is absent or not viewable | Reasonable possibility | Some impact | Medium |
21. Auditing access to the patient record – it is a reasonable expectation that patients would ask where and to whom their data has been shared; however different systems may surface this data in different formats and there is a risk that adequate and meaningful information may not be provided | | | |
22. There is a risk of data sharing with new or unfamiliar organisations with whom Provider organisations may not otherwise have a long-standing legitimate relationship, for example practices in another part of the ICS, other NHS Trusts/organisations etc | | | |
23. If data is accessed via GP Connect there is a risk of an unauthorised copy of the data being retained by the Consumer organisation | | | |
24. There is a risk that the ability to effectively manage and fulfil SARs and other patients' data rights may be impinged, or that data rights requests may be sent to the wrong Data Controller | | | |
25. Patients can opt out via the local record sharing within their GP Provider system – how this works varies by system used and GP Connect component, and there is a risk that the patient's expectation regarding sharing may not be met as they envisaged | | | |
26. Lack of consistent RBAC rules – currently led by the Consumer supplier system and a local decision, and there is a risk that there may be inappropriate access available within consumer organisations | Reasonable possibility | Some impact | Low |
27. Parts of the record marked as sensitive or confidential are excluded from sharing – possible risks due to incomplete data being available include: | Reasonable possibility | Some impact | Low |
28. Transparency materials etc contain hyperlinks to the NHS England website and the NHS England public facing developer hub. There is a risk that these links will become inactive post the NHSE/D merger | Remote | Some impact | Low |
Measures to mitigate (treat) risks
Against each risk you have identified, record the options/controls you have put in place to mitigate the risk and what impact this has had on the risk. Make an assessment as to the residual risk.
Also indicate who has approved the measure and confirm that responsibility and timescales for completion have been integrated back into the project plan.
Risk | Options to mitigate (treat) the risk | Effect on risk (Tolerate / Terminate / Treat / Transfer) | Residual risk (Low / Medium / High) | Measure approved (Name and Date) | Actions integrated back into project plan (Date and responsibility for completion) |
---|---|---|---|---|---|
1. Provider and Consumer Organisation risk – There is a risk that patients are unaware that their data may be shared using GP Connect for their direct care | The End User Organisations and Commissioning Organisations are required to ensure they are compliant with Data Protection legislation. As part of this compliance they have to ensure that they have updated their privacy / transparency information about how patient data is being used. Actions since decision to treat risk: NHS England has published transparency information about the GP Connect Service on its website and a portal will provide information on which organisations are using the service. | Treat | Low | Michelle McDermott 07/11/2019 | |
2. Provider and Consumer Organisation risk – There is a risk of patient identifiable and confidential information being used for purposes other than direct care | All GP Connect documentation and guidance states that this information sharing is for the purposes of direct care only. The Commissioning Organisation has to agree to this on behalf of all in-scope End User Organisations. A Consumer supplier has to state its intended use when completing assurance. The system has to be for Direct Care only. NHS England retains the ability to audit and check compliance with agreements and to revoke access if consumers are not using the data for direct care. | Treat | Low | Michelle McDermott 07/11/2019 | |
3. Provider and Consumer Organisation risk – There is a risk of patient identifiable and confidential information being used for unassured use cases/clinical settings within direct care | All GP Connect documentation and guidance states that this information sharing is for the purposes of direct care only. The Commissioning Organisation has to agree to this on behalf of all in-scope End User Organisations as part of completing the Declaration. A Consumer supplier has to state its intended use when completing assurance of its GP Connect system; the system has to be for Direct Care only. NHS England retains the ability to audit and check compliance with agreements and to revoke access if consumers are not using the data for direct care. Risk review 11/2022: the onboarding process ensures that consumer systems are only used within appropriate settings. All users will now be expected to accept Terms and Conditions regarding the use of GP Connect. | Treat | Low | Michelle McDermott 07/11/2019; Risk review Steve Creighton 23/11/2022 | |
4. Provider and Consumer Organisation risk – There is a risk of the patient record being accessed by Consumer Systems which do not comply with the necessary security framework | Consuming organisations and systems must be HSCN and Data Security and Protection Toolkit compliant and meet national requirements for Technical (Endpoint) Security. The SCAL and provider assurance require suppliers to evidence their Information Security Management System (ISMS) and compliance with the standard BS ISO/IEC 27001:2005 BS7799-2:2005. NHS England retains the ability to audit and check compliance with agreements and to revoke access if consumers are not compliant. Risk review 11/2022: documented cases where organisations not compliant with the DSPT standard have had access to records. The NHSD Caldicott Guardian recommends a rolling audit programme. The DSA now contains strengthened DSPT requirements. | Treat | Medium | Michelle McDermott 07/11/2019; Risk review Steve Creighton 23/11/2022 | |
5. Provider and Consumer Organisation risk – There is a risk of patient record access by end users without appropriate authorisation | This responsibility is picked up during consumer assurance via the SCAL. End User Organisations should ensure that appropriate role-based access is in place to access the information transferred via the Direct Care product developed. | Treat | Low | Michelle McDermott 07/11/2019 | |
6. Provider and Consumer Organisation risk – There is a risk that the patient's record-sharing dissent is overridden | Patient clinical data is not provided in this scenario; a message is sent to the Consumer system that the patient has dissented to share. These controls are part of the Provider System supplier IG requirements and SCAL submission. Direct does not accommodate the overriding of locally held patient dissent. | Treat | Low | Michelle McDermott 07/11/2019 | |
7. NHS England risk – Loss of availability of the GP Connect service | In the scenario where an End User Organisation suffers a loss of GP Connect service, the organisation should revert to the business process that was in place prior to the implementation of GP Connect. The loss of service should be flagged to the relevant service desk immediately. The National Service Desk at NHS England will coordinate and triage if the cause of the loss of availability is unknown or covers more than one supplier. | Tolerate | Low | Dan O'Neill 01/11/2019 | |
8. NHS England risk – Whole system failure – SSP and MESH | In the scenario where NHS England infrastructure fails and causes a whole system failure, End User Organisations should revert to the business process that was in place prior to the implementation of GP Connect. The loss of service should be flagged to the relevant service desk immediately. The National Service Desk at NHS England will coordinate and triage the work to identify the cause of the loss of availability. | Tolerate | Low | Dan O'Neill 01/11/2019 | |
9. NHS England risk – Human error in setting up DSAs on Spine | All staff who amend the data sharing relationships on Spine are required to undergo training prior to using the tool. | Treat | Low | Michelle McDermott 07/11/2019 | DSAs no longer set up on Spine |
10. NHS England risk – There is a risk of an increase in Subject Access Requests directed to NHS England due to patient confusion about how to find out about their data use in Direct Care | Usage is reflected within clinical system audit trails and can be accessed by patients under the SAR/Article 15 process. NHS England has published transparency information about the GP Connect Service on its website. It has also published information about the service and its purpose on its website. | Treat | Low | Michelle McDermott 07/11/2019 | |
11. NHS England risk – Services (GPs) confused about how to find out about their data use in GP Connect | Usage is reflected within clinical system audit trails and can be accessed by the patient under the SAR/Article 15 process. In addition, the portal will be developed to support data sharing. | Treat | Medium | Michelle McDermott 21/5/2021 | |
12. Provider risk – Opt out confusion – due to the plethora of “opt outs” available (NDO, Type 1, SCR, care record etc) there is a risk of patients inadvertently applying opt outs incorrectly, or not opting out correctly | Ensure a robust internal process with data quality checks so that any opt out request is actioned appropriately and promptly, with clarification as to: a) exactly what is being opted out of and b) what the patient wants to happen in regard to their data being shared, and to ensure that there is congruity between the two. | | Medium | | |
13. Access Record (HTML) – There is a risk of unauthorised access to records against patient expectation, due to flag / dissent settings being incorrectly applied | Ensure a robust internal process with data quality checks so that any patient request is actioned appropriately and promptly. | | Medium | | |
14. Access Record (HTML) – There is a risk that record access is blocked (with attendant clinical safety and data protection ramifications) against patient expectations due to flag / dissent settings being incorrectly applied | Ensure a robust internal process with data quality checks so that any patient request is actioned appropriately and promptly. | | Medium | | |
15. Proportionality – HTML record access allows “full record” sharing. There is therefore a risk of non-compliance with UK GDPR Art 5.1(c) | Consideration must be given in each use case as to whether this level of access is appropriate and what organisational and technical controls have been put in place to ensure that data is disclosed safely. This issue is addressed in more detail in the “Summary of risk for organisational types/sectors” table below. | | High | | |
16. Consumer Organisation risk – Issue re S1 EDSM “implied consent” (i.e. no flag set for the patient) being overridden by organisational settings – currently S1 EDSM operates in such a way that if a patient has no clearly defined opt in/out flag on their record, the organisational setting takes precedence; as such “implied consent” can be overridden by an organisational setting not to share, possibly against the patient's expectations | Organisations must consider which organisational settings most accurately reflect their desired operating model, and ensure that this is reflected in privacy materials. This is discussed with suppliers as part of the onboarding process. | | Medium | | |
17. Provider and Consumer Organisation risk – Issue re S1 EDSM “implied consent” (i.e. no flag set for the patient) being applied by organisational settings – currently S1 EDSM operates in such a way that if a patient has no clearly defined opt in/out flag on their record, the organisational setting takes precedence; as such “implied consent” can be applied by an organisational setting to share, possibly against the patient's expectations | Organisations must consider which organisational settings most accurately reflect their desired operating model and ensure that this is reflected in privacy materials. | | Medium | | |
18. Provider and Consumer Organisation risk – Lack of consistency re consent/dissent with consumer systems – in areas with a mixed economy of clinical systems careful thought must be given to how this will operate in the context of, for example, ShCR or local record sharing initiatives | Organisations must consider which organisational settings most accurately reflect their desired operating model, including the interoperability of different clinical systems, and ensure that this is reflected in privacy materials. | | Medium | | |
19. Provider risk – As the PDS flag is not respected, if patients move to practices with a different system supplier their consent/dissent may not be respected – patient expectations are that their data usage preferences will not change if they move practice | Organisations and suppliers must consider carefully how their system respects opt out codes. | | Medium | | |
20. Consumer risk – Allergies and intolerances – allergy/intolerance information may not be fully interoperable between participating systems. Where allergy/intolerance information is not fully understood by a receiving system, clinical safety controls are in place to prevent medications being prescribed in an unsafe manner; however there is still a risk of lack of compliance with GDPR Article 5.1(d) (“Accuracy”) if this information is absent or not viewable | Procedures must be put in place to ensure that all participating organisations have a common schema for recording these entries, or that degraded items are considered when making clinical decisions. | | Medium | | |
21. Provider and Consumer Organisation risk – Auditing access to the patient record – it is reasonable to expect patients to ask where and to whom their data has been shared; however different systems may surface this data in different formats | Ensure that all local providers are aware of the capability of their system to recover this data, and reflect this in transparency material wherever appropriate. | | Low | | |
22. There is a risk of data sharing with new or unfamiliar organisations with whom Provider organisations may not otherwise have a long-standing legitimate relationship, for example practices in another part of the ICS, other NHS Trusts/organisations etc | Ensure all parties are aware of their responsibilities and obligations under the DSA and Connection Agreement/End User Declaration with regard to transparency requirements. All new organisations must also record their use cases on the Portal. | | Low | | |
23. If data is accessed via GP Connect there is a risk of an unauthorised copy of the data being retained by the Consumer organisation | Ensure that all parties are aware of their responsibilities and obligations, and of the sanctions and penalties that can be applied both under Data Protection legislation and under the DSA/Connection Agreement/End User Declaration. | Tolerate | Low | | |
24. Provider risk – The ability to effectively manage SARs and other data rights may be impinged, or data rights requests may be sent to the wrong Data Controller | Ensure that there are robust local arrangements in place so that any misdirected data rights request is communicated to the correct Data Controller. | Tolerate | Medium | | |
25. Provider and Consumer Organisation risk – Patients can opt out via the local record sharing within their GP Provider system – how this works varies by system used and GP Connect component | Organisations using GP Connect need to ensure they know how this interplay works within their selected supplier. | Tolerate | Low | | |
26. Provider and Consumer Organisation risk – Lack of consistent RBAC rules – currently led by the Consumer supplier system and a local decision | Organisations using GP Connect need to ensure that access to records is governed by appropriate and robust RBAC, in conjunction with their consumer supplier. | Tolerate | Low | | |
27. Consumer risk – Parts of the record marked as sensitive or confidential are excluded from sharing | There is always the possibility of data that would be required not being available; there is no option to mitigate this other than to ensure that end users are aware that data may be missing. | Tolerate | Low | | |
28. Transparency materials etc contain hyperlinks to the NHS England website and the NHS England public facing developer hub. There is a risk that these links will become inactive post the NHSE/D merger | Programme to ensure that any ongoing amendments to the website are reflected in published transparency materials. | Tolerate | Low | | |
Summary of risk for organisational types/sectors
The summary below takes into account the requirements and risks already articulated elsewhere in regard to proportionality, security and transparency, and suggests any further mitigations that could be put in place to satisfy the duty of confidentiality. The HTML, Structured, Appointment and Update records columns give the proportionate rationale for direct care use of each GP Connect component.
Organisation type/sector | HTML (proportionate rationale for direct care use) | Structured | Appointment | Update records | Potential controls or risk mitigations |
---|---|---|---|---|---|
Other GP (for example as temp/imm necc/emergency patient) | Yes – however may still be perceived as disproportionate | Yes | Yes | Yes | Should be treated as a “normal” registered GP appointment |
Local PCN extended access/hours | Yes – however may still be perceived as disproportionate | Yes | Yes | Yes | Should be treated as a “normal” registered GP appointment |
ShCR | This will vary, due to the nature of partners within the ShCR environment | Yes | Yes | Yes | ShCR may contain elements from multiple organisational types – controls should be a local decision, and wherever possible restrictions appropriate to the clinical need for access should be put in place |
111/OOH | Yes – however may still be perceived as disproportionate | Yes | Yes | Yes | Place limits on data that can be accessed – the full record may not be relevant to the specific episode of care. The structured record may be more appropriate |
Hospital | Yes – potentially unexpected use of the full record; could be perceived as disproportionate if not related to the episode of care | Yes | Yes | Yes | Place limits on data that can be accessed – the full record may not be relevant to the specific episode of care. The structured record may be more appropriate |
Community | Yes – potentially unexpected use of the full record; could be perceived as disproportionate if not related to the episode of care | Yes | Yes | Yes | Place limits on data that can be accessed – the full record may not be relevant to the specific episode of care. The structured record may be more appropriate |
Hospice/Palliative Care | Yes – potentially unexpected use of the full record; could be perceived as disproportionate if not related to the episode of care | Yes | Yes | Yes | Place limits on data that can be accessed – the full record may not be relevant to the specific episode of care. The structured record may be more appropriate |
Private provider | Yes – however may still be perceived as disproportionate | Yes | No | Yes | Private providers are currently out of scope for GP Connect, but there is potential for including an explicit consent model if required |
Adult Social Care | Yes – but likely to be perceived as unexpected and intrusive in many cases | Yes | Yes | Yes | A limited view, as per the current care home stipulation, could be implemented |
Care Homes | Yes – but possible to be perceived as unexpected and intrusive | Yes | Yes | Yes | Current limited view in place as mitigation |
Pharmacy | Not a proportionate use of Access Record HTML and likely to be perceived as unexpected and intrusive | Yes | Query | Yes | Not applicable |
Clinical MDT | Yes – however may still be perceived as disproportionate to the episode of care | Yes | No | Yes | Place limits on data that can be accessed – the full record may not be relevant to the specific episode of care; however the option to include an abstract or extract for distribution should be considered |
MARAC/Safeguarding | Yes – however may still be perceived as disproportionate | Yes | No | Yes | Dependent upon the nature of the issue, longstanding records may be required; however the option to include an abstract or extract for distribution should be considered |
Medical Examiner/Coroner | Yes – but extent may be dependent upon the statutory basis | Yes | No | Yes | Full access to the record may be required under statutory powers |
Patient Facing Services | Yes – full access required for Art 15 fulfilment; note this may not be Direct Care | Yes | Yes | No | Records would need to be reviewed and redacted for third party references, serious harm test etc. The use of GP Connect for PFS is still under discussion |
Children's Social Care/Specialist School settings etc | Yes – but may be perceived as excessive | Yes | Yes | Yes | Place limits on data that can be accessed in line with Adult Social Care – the full record may not be relevant to the specific types of care provided |
3rd sector | Yes – however may still be perceived as excessively disproportionate | Yes | Yes | No | Place limits on data that can be accessed – the full record may not be relevant to the specific types of care provided, and this is likely to be dependent upon the type of care provided by the 3rd sector organisation |
Prisons and secure detained estates | Yes – however may still be perceived as disproportionate | Yes | Not required | Yes | Should be treated as a “normal” registered GP |
Last edited: 11 February 2025 4:07 pm