Skip to main content

Part of Data Protection Impact Assessment Direct Care APIs (GP Connect)

Purpose of the processing

Previous Chapter

Consultation with stakeholders

Current Chapter

Current chapter – Purpose of the processing

View all

Next Chapter

Description of the processing and supporting framework
Page contents

Purpose

The GP Connect service allows GP practices and clinical staff to share GP practice clinical information and data between IT systems quickly and efficiently for the purpose of direct care.

This makes data from clinical systems available in real time, in a standardised format that can be used across different systems and be made available to health and social care professionals (or those who work under their authority) who need access to the data for direct patient care.

From a privacy and data protection perspective, the service provides a method of secure information transfer and reduces the need to use less secure or less efficient methods of information transfer, such as email or telephone. 

Context of the processing

NHS England is also responsible for ensuring that the messages traverse NHS England’s Infrastructure securely, accurately and safely to and from provider and consumer systems for the purposes of direct patient care.

NHS England is the data controller of the message audit data.

The patient information contained within the messages is not collected or stored by NHS England. NHS England processes the messages on behalf of the GP practices, which are controllers of the GP patient record.

This DPIA assesses the risks associated with NHS England’s role as controller as part of GP Connect Service. This means that it covers how the messages are transferred securely over NHS England infrastructure, including

  • the safe and accurate transfer of messages over NHS England Infrastructure to provider and consumer systems
  • the collection and storage of audit data which is collected as part of the message transaction
  • the assurance of the components that directly interact with the NHS England infrastructure to deliver the GP Connect Service

Details of NHS England’s responsibilities are set out within this DPIA. 

This DPIA also consider the risks to end users of GP Connect from the perspective of those who are both providers and consumers.

It is the legal responsibility of each data controller who is a user of the GP Connect Service, to assess and manage their own data protection risks.

Last edited: 27 March 2025 3:48 pm

Previous Chapter

Consultation with stakeholders

Next Chapter

Description of the processing and supporting framework

Chapters

  1. Data Protection Impact Assessment Direct Care APIs (GP Connect)
  2. Consultation with stakeholders
  3. Purpose of the processing
  4. Nature and scope of the processing
  5. Summary of GP Connect service
  6. Data flow diagram
  7. Describe the legal basis for the processing (collection, analysis or disclosure) of personal data?
  8. Demonstrate the fairness of the processing
  9. Is it necessary to collect and process all data items?
  10. Identify and assess risks
  11. Further actions