Part of Data Protection Impact Assessment Direct Care APIs (GP Connect)
Summary of GP Connect service
GP Connect is for direct patient care only*
GP Connect products can help health and social care organisations share, view or act on information that they may require, and be legally entitled to access, for purposes of direct care but cannot do so easily because they are using different IT systems.
GP Connects can only be used for direct patient care, and must not be used for planning, research or other "secondary uses", unless there is a specific direct care component for example, clinical audit, monitoring of the health of patients in clinical trials etc.
The definition used for “direct care” under which this service is available is that articulated within the Information Governance Review.
*The use of GP Connect for indirect care or purposes beyond individual care is prohibited except in relation to the sharing of information for the medical examiners use case.
A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
For completeness, the Information Governance Review also defined what should be considered indirect care or purposes beyond individual care to be.
Activities that contribute to the overall provision of services to a population as a whole or a group of patients with a particular condition, but which fall outside the scope of direct care. It covers health services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit.
Any usage of direct care API for uses beyond direct care is prohibited and may result in restrictions upon the usage of the API.
Summary of main controls
- a patient can opt out via the local record sharing within their provider system
- access to Direct API functionality is governed by Role Based Access Control (RBAC)
- all users must accede to the National Data Sharing Arrangement
- all users must sign to a Connection Agreement or End User Agreement
Additional controls include
- parts of the record marked as sensitive or confidential are excluded from sharing
- RCGP exclusion dataset is respected, and no data shared
- PDS ‘S’ Flag rules are respected, and no data shared for patients with this flag
Audit trial data
This data is required as part of a GP Connect message-it may be used within provider or consumer systems to validate messages and populate audit trails.
How this information manifests within audit trails is dependent upon the type of consumer or provider system used.
| Field name | Description |
| User ID | ID of the user |
| Name | Name of the user |
| Role profile |
Role and organisation of the user (URP ID when Smartcard authenticated) |
| Identity of authority | The person authorising the entry of or access to data |
| Date on which the interaction occurred | Date of interaction |
| Time at which the interaction occurred | Time of interaction |
| Details of the nature of the event | Description of the event being audited - for example, the sections of the record for which a request was made |
| Identity of the associated data | Identity of data for example patient ID, message ID associated with the audited event |
| Sequence number | Number intended to protect against malicious attempts to subvert the audit trail by, for example, altering the system date |
| End-user device (or system) involved in the recorded activity | Identification of the device used during the audited event |
Access controls
A patient can opt out via the local record sharing within their GP Provider system- how this works varies by system used and GP Connect component being used and is shown below for the principal clinical system providers.
Organisations using GP Connect are advised to ensure they know how this interplay works within their selected supplier consumer system.
| Functionality | S1 | EMIS* |
| Access Records-HTML |
sharing flag set to “Yes” functionality is available sharing flag set to “no” functionality not available. If no flag set, then defaults to organisation setting for unflagged patients. |
If coded as “Dissent to share detailed record” then functionality not available. If coded for consent, or no dissent recorded, then functionality is available |
| Access Records- Structured |
sharing flag set to “Yes” functionality is available sharing flag set to “no” functionality not available. If no flag set, then defaults to organisation setting for unflagged patients. |
If coded as “Dissent to share detailed record” then functionality not available. If coded for consent, or no dissent recorded, then functionality is available |
| Appt Management | No action required- this facility is available regardless of flag setting | No action required- this facility is available regardless of consent/dissent codes present on the record |
| Send Message | No action required- this facility is available regardless of flag setting | No action required- this facility is available regardless of consent/dissent codes present on the record |
*Defined by most recent coded entry
Access to Direct API functionality is governed by Role Based Access Control (RBAC). This will vary depending upon the Consumer systems used and must be considered on an individual basis.
All users must accede to the National Data Sharing Agreement. This stipulates the conditions under which data is shared using GP Connect and the prerequisites required.
All users must sign to a Connection Agreement or End User Agreement. All suppliers must sign the NHS Connection Agreement, which includes clauses specific to GP Connect usage and a stipulation that all end user organisations must also agree to the terms of the End User Acceptable Use Policy.
Last edited: 27 March 2025 4:31 pm