Part of Data Protection Impact Assessment Direct Care APIs (GP Connect)
Is it necessary to collect and process all data items?
Personal data
Data categories (information relating to the individual) | Yes | Justify (there must be justification for processing the data items; consider which items you could remove without compromising the purpose for processing) |
General Identifier, for example NHS Number | x | Patient Data – the NHS Number is used in some of the message URLs transferred over the SSP to inform the provider system whose information is required by the consumer system. The URL is stored in the SSP Audit Log. |
General Identifier, for example Registration details | x | Practitioner information – the details of the practitioner involved in the consultations or appointments are used in some of the message URLs transferred over the SSP to inform the provider system whose information is required by the consumer system. The URL is stored in the SSP Audit Log. |
Online Identifier, for example IP Address/Event Logs | x | GP Connect User – IP address of the device used by the user when interacting with Spine; this is stored as part of the audit log of which organisations have passed messages using GP Connect. |
Special category data
Data categories | Yes | Justify |
Physical / Mental health or condition | x | Patient Data – GP Connect passes messages containing patients’ health data safely and securely over NHS England infrastructure between authorised health and care professionals for the purposes of direct care. The patient information contained within the messages is not collected or stored by NHS England. |
Describe if personal datasets are to be matched, combined or linked with other datasets (internally or for external customers)
As part of transactions, the API components check against PDS records for individual patient matches.
How long will the personal data be retained?
Data is not retained or persisted within GP Connect.
Data will be transferred and retained within systems if the “Send Document” or “Appointment Management” facility is used; this data will be integrated within the record and will fall under the same retention as is appropriate for the record type.
Audit data within the consumer and provider systems is retained within those systems; this data will reflect how a patient’s information has been accessed and shared using GP Connect, but how this is presented may vary from system to system.
Direct Care API audit held by NHS England is retained under the same retention period as that of Spine 2, where audit data is required to be retained for a 2-year period.
Where you are collecting personal data from the individual, describe how you will ensure it is accurate and if necessary, kept up to date?
Direct Care API, in most use cases, is a mechanism to share data already present within clinical systems, and as such this responsibility falls within the remit of the appropriate Data Controller to ensure that it is accurate at the point of sharing.
In cases where new data is created by a GP Connect transaction (Send Message or Appointment Management) it is the responsibility of:
- the creator to ensure that the new data is correct and accurate
- the sending system to ensure that this is sent correctly
- NHS England to ensure that the API functions effectively to facilitate this
How are individuals made aware of their rights and what processes do you have in place to manage such requests?
Individual right | Yes/No | Justifications |
Right to be informed (Articles 13 and 14) | Yes | It is the responsibility of organisations using GP Connect to ensure that this usage is accurately reflected within participating organisations’ transparency notices. NHS England has supplied some sample text on its website which can be used for this purpose; this text is system and use case agnostic and will need to be amended to reflect exact circumstances. Transparency information has been published on the NHS England website so the public can see how their data may be being used via GP Connect. Information about the collection of organisation data is laid out in this DPIA, which is available on the End User Organisation Portal and is also available on request from the GP Connect mailbox. |
Right of Access (Article 15) | Yes | Subject Access Requests can be made |
Right of Rectification (Article 16) | Yes | Will comply with corporate policy |
Right to Erasure (Article 17) | No | Assumption that data will not be processed unlawfully |
Right to Restrict Processing (Article 18) | Yes | Will comply with corporate policy |
Right to Data Portability (Article 20) | No | This right is not applicable as Consent is not the legal basis for this processing |
Right to Object (Article 21) | Yes | |
Right not to be subject to automated decision-making (Article 22) | No | This right does not apply as no automated decision-making is performed |
What technical and organisational controls for “information security” have been put in place?
Local Measures
NHS England/API Measures
GP Connect is covered by the following NHS England System Level Security Policy
SLSP | Unified register ID |
Spine core | SLSP0000028 |
NHS England helps support the mitigation of information sharing risks by ensuring that the following are in place:
- NHS England audit data access is subject to two-factor authentication and role-based access controls. Only certain assured users can have access to the full audit logs.
- A completed Supplier Conformance Assessment List (SCAL), which covers service and capability specific compliance requirements and controls of the consumer system.
- The End User Organisations of the GP Connect Service have to be compliant with the GP Connect requirements, which cover IG, Clinical Safety, and acceptance of the Terms of Use of NHS England services.
- As part of the Onboarding process, a list of participating End User Organisations is provided. Data sharing verification may be implemented to restrict access to GP Connect services to only those with valid data sharing rules within the SSP, or bypassed where national data sharing rules apply.
- When MESH is used, a sending organisation will have to provide both the Mailbox ID and Workflow ID of the target organisation to be able to retrieve the matching MESH mailbox. MESH messages include a mandatory Workflow ID field that identifies the type of data being sent. Workflow IDs are pre-defined and grouped into Workflow Groups which are then defined against MESH mailboxes to identify the types of messages it can send and receive.
The full security specifications to which systems must adhere in order to use GP Connect are available on the developer pages.
In which country/territory will personal data be stored or processed?
NHS England commits to storage and processing in England.
Does the National Data Opt Out apply to the processing?
The national data opt-out is defined based on purpose and applies to any disclosure of data for purposes beyond individual care; as GP Connect processes data for the purposes of direct care, the national data opt-out will not apply.
Though the national data opt-out is not applicable, GP Connect does not transfer a patient’s record (via either the HTML or the Structured capabilities) if there is a ‘dissent to share’ flag or an ‘S’ flag on the patient’s record.
Appointments can still be booked for patients with the ‘dissent to share’ flag as only limited demographic information is transferred during the booking process.
Last edited: 27 March 2025 3:50 pm