National Record Locator - Data Sharing Agreement

The National Record Locator (NRL) is one of a number of services that was set up under the NHS Digital Establishment of Systems: Digital Interoperability Platform (DIP) Directions 2019 The purpose of the DIP was to “develop and operate such IT applications, IT infrastructure and IT systems as are necessary to deliver the digital interoperability platform”,  The Secretary of State considered (in accordance with Section 254(2)(b) of the Health and Social Care Act 2012),  that it was “in the interests of the health service in England or of the recipients or providers of adult social care in England” that these Directions be given.  Since NHS Digital has merged with NHS England, all services set up under this Direction are now managed by NHS England.

The NRL is a national index of pointers to the location of Patient Records of patients who live in England and/or who are registered with a GP in England. Providers that hold a relevant Patient Record will create a Pointer to the record, which can then be accessed by Consumers for the Agreed Purpose.

The NRL is an evolving service. Annex 1 (NRL Providers and Consumers) lists the types of Providers and Consumer organisations who currently share information through the NRL, and Annex 2 (Information Available on the NRL) lists the types of documents and information currently available on the NRL.  Additional Users and Types of Patient Records may be added to Annexes 1 and 2 in accordance with the Change Control Process. Parties should visit the National Record Locator website to view the current NRL Technical Specification and latest versions of the Annexes.

This Agreement sets out the purposes, the processes, and the lawful bases upon which Personal Data may be processed through the NRL.

The terms set out in this Agreement apply to all parties to this Agreement and to organisations where another responsible body (such as an Integrated Care Board or another NHS body who hosts the Connected Care Record) has accepted the Data Sharing Agreement on behalf of the providers in their region.

The Parties to this Agreement are Users of the NRL. 

Providers are Controllers of the Patient Record which they share through the NRL.  Consumers become Controllers for any Shared Personal Data which they receive via the NRL and which is incorporated into their care record system(s).

NHS England is not party to this Agreement as a User, however it is understood by the Parties that NHS England has been directed under the Digital Operability Platform Directions 2019 to establish and operate the NRL, and it is acknowledged by the Parties that NHS England has certain rights in relation to the NRL, as set out in the NRL Technical Specification and this Agreement, including (but not limited to) clauses 6c (Audit), 8 (Termination), 9 (Enforcement) and 10 (Variation) of this Agreement.

Notwithstanding the above, the Parties acknowledge that NHS England is responsible for the secure operation and functionality of the NRL, including management and maintenance of the register of Pointers, the security of the content of the messages traversed on the NRL service and collection of audit data about the message transactions for operational support purposes. The content of the messages is not collected or stored by NHS England.

Agreed Purposes means the sharing of Personal Data by a Provider to a Consumer for the purposes of enabling the Consumer to view appropriate Patient Record(s) where it is deemed by the Consumer to be “in the interests of health service in England or of the recipients or providers of adult social care in England” (as defined by the DIP) and within the scope of the NRL Technical Specification.

Change Control Process means the process set out in the NRL Technical Specification and which includes:

i. consultation with the relevant health and social care professionals to ensure access to the proposed Patient Record is necessary for the Agreed Purpose; and

ii. agreement and approval by the Interoperability Working Group (“IWG”) or any group, board or committee (within NHS England) with equivalent responsibility, that the Patient Record falls within scope of the Digital Interoperability Platform Directions 2019 and NRL Technical Specification, 

Consumer means a health and care organisation set out at Annex 1, who accesses the Shared Personal Data through the NRL, and which has been approved and assured for access by NHS England as having demonstrated that such access is lawful and necessary for the Agreed Purpose.

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, Special Categories of Personal Data shall have the meanings as set out in Data Protection Legislation;

Controller Catalogue means the database which identifies which organisations are approved as Providers, the Type of Patient Records to which the Provider’s Pointers relate, and which Consuming organisations are approved to view information contained within the Pointers; 

Direct Care means “A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.'¹

Data Protection Legislation means (i) the UK GDPR, (ii) the Data Protection Act 2018, and (iii) any other laws and regulations which may apply to the Processing of Personal Data;

Law means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, byelaw, enforceable right within the meaning of, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements in force in England and Wales with which the Parties are bound to comply;

NRL Technical Specification means the current NRL Technical Specification; 

Patient Record means the types of records as set out in Annex 2, (as may be updated in accordance with the Change Control Process);

Provider means a health and care organisation set out in Annex 1 who publishes a “Pointer” on the NRL and which has been approved by NHS England as having Personal Data relevant to the Agreed Purpose and that the sharing of such data is lawful and necessary for the Agreed Purpose.

Pointer means the pointer that is published by a Provider on the NRL that identifies the existence and location of a Patient Record within a specified Type;

Shared Personal Data means the Patient Record which has been made accessible by the “Pointer”, in line with the Agreed Purpose;

Type means the type of document or information available to a Consumer via the NRL Pointer, for example Mental Health Crisis Plan.

UK GDPR means Regulation (EU) 2016/679 (General Data Protection Regulation) as transposed into the national law of the United Kingdom by operation of section 3 of the European Union (Withdrawal) Act 2018, as modified by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and as may be further modified from time to time;

User means either a Provider or Consumer depending on the capacity in which they are acting. A User can be both a Provider and a Consumer if they both publish Pointers and access Shared Personal Data through Pointers published by other Users.

The NRL process is summarised below:

 a. The Provider will publish ‘Pointers’ on the NRL via their Electronic Patient Record (EPR). The Pointer confirms that a Patient Record is available and the available Type(s).  The Pointer includes a URL to retrieve the information via the NHS England provisioned proxy authentication service, and/or the contact details of the Provider.  Some Providers choose to upload their contact details only.

b.Consumer can request access to a Patient Record that is available within the Type of document(s) it is authorised to access, by clicking on the retrieval URL. The request to the Provider will include the Consumer’s ODS code but does not identify the member of staff making the request.  

c. The requested information is then collated by the Provider’s EPR and sent (via the proxy authentication service) to the Consumer. 

Consumers can request information from the NRL either via their EPR direct integration with the NRL or through the National Care Records Service (NCRS).

Each Provider and Consumer shall Process Personal Data through the NRL as an independent Controller and shall comply with the applicable Data Protection Legislation. For the avoidance of doubt, no Party acts as a Processor on behalf of any other Party.

Each Party shall Process the Personal Data only as set out in this Agreement and in accordance with the Agreed Purposes only.

Each Party acknowledges that: 

a. when acting as a Provider they are confirming that organisations acting as Consumers may access the Shared Personal Data upon request, subject to the terms of this Agreement and as per the Controller Catalogue;

b. when acting as a Consumer, they are requesting access to the Shared Personal Data to help make informed decisions about a patient’s care and wellbeing at the point of care, and (where relevant) to prioritise available resources most effectively at that time, to the extent such prioritisation is required for the provision of Direct Care to the patient whose Personal Data is being Processed;

c. they may be subject to audits from NHS England to ensure that they are meeting their obligations under this Agreement; 

d. their privacy notice(s) and/or other relevant communication materials must explain what Personal Data is Processed through the NRL, when and who it may be shared with and why, and how Data Subjects may object to their information being shared through the NRL; 

e. they must have appropriate role-based access controls in place to ensure staff members (or classes of staff members) access the Shared Personal Data appropriately;

f. It shall be responsible for its own compliance with Articles 12, 13 and 14 (“Transparency”) of the UK GDPR. 

g. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, each Party shall, with respect to its processing of personal data as Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the UK GDPR.

h. it must ensure that staff who have access to the Shared Personal Data have undergone training in the Data Protection Legislation and confidentiality, in line with each Controller's mandatory training programme;

i. It has a current NHS Data Security & Protection (DSPT) submission at ‘Standards Met’ or at ‘Approaching Standards’ with an NHS England validated improvement plan. 

j. It shall provide reasonable assistance to another Party to this Agreement or to NHS England regarding any communications from the ICO, or other regulatory or competent authority concerning compliance with Data Protection Legislation;

k. It shall maintain a record of its Processing activities in accordance with Data Protection Legislation and shall provide evidence to the other Party upon reasonable request; 

l. Any actions requested by a Data Subject in relation to information rights (including access to their records), will be dealt with by the receiving organisation in accordance with their processes for handling subject access requests. 

m. It shall promptly notify the other Party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other Party for the Agreed Purposes and shall: 
    i. do all such things as reasonably necessary to assist the other Party in mitigating the effects of the Personal Data Breach; 
    ii. implement any measures necessary to restore the security of any compromised Personal Data; 
    iii. work with the other Party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and
    iv. not do anything which may damage the reputation of the other Party or that Party’s relationship with the relevant Data Subjects, save as required by Law.

n. It can demonstrate compliance with its obligations under this Agreement; 

6.1. Additional obligations on the part of the providers

In addition to the obligations listed above, Providers shall:

a. Ensure that, where relevant, any electronic patient record (EPR) suppliers (acting as their data processors) have successfully completed NHS England’s live service onboarding process for NRL and accepted the conditions upon which they may connect to the NRL;

b. Take reasonable steps to ensure that Shared Personal Data is accurate and up to date at the point of sharing.

c. Populate the data contained in the Pointer using the template provided by NHS England;

d. Provide a link on the Pointer to allow Consumers to retrieve the record, or a link to up-to-date contact details, or both;

e. Ensure accuracy of the Pointer, i.e., that it refers to the correct patient and that the Patient Record contains the correct information;

f. Validate the patient’s NHS number on the Personal Demographics Service (PDS) and maintain the Pointer to reflect any changes to a patient’s PDS data;

g. Maintain the Pointer to reflect any changes to the Patient Record that the Pointer refers to;

h. Audit Pointer publication (including any subsequent amendments or deletions); 

i. Ensure the Personal Data made accessible is limited only to the Types as agreed by NHS England (as detailed in the Controller Catalogue) and which is necessary for the Agreed Purposes;

j. Remove the Pointer where an objection to the Processing has been received from the Data Subject (or their authorised representative) and the objection has been upheld by their clinician or designated care worker; and

k. Remove the Pointer upon receipt of a death notification for a patient.

6.2. Additional obligations on the part of consumers

In addition to the obligations listed above, Consumers shall:

a. Use information obtained from the NRL only for the Agreed Purpose and not for any other purpose(s); 

b. Inform the Provider in a timely manner if they become aware that Shared Personal Data is inaccurate or incomplete

c. Ensure that they have a legal basis for processing if they onward share patient identifiable information from the NRL.  Any information passed on must be relevant and proportionate to the agreed purpose

d) not retain the Shared Personal Data for longer than is necessary for the Agreed Purpose unless, as part of Direct Care, the Shared Personal Data is added to the Consumer’s own care records.

a.The Parties recognises that information shared under this Agreement is by its nature subject to a duty of confidentiality and has been provided in circumstances where it is expected that a duty of confidence applies. 

 b. For the purposes of this Agreement 'Confidential Information' refers to:
    (i)  Personal Data including Special Category Personal Data (as defined in the UK GDPR);
    (ii) Confidential Patient Data (as defined by the NHS Act 2006);

c. Subject to clause 7d, the Consumer agrees: 
    i. not to disclose Confidential Information to any third party or to use it to the detriment of the Provider or the patient; 
    ii. to maintain the confidentiality of the Confidential Information; and 
    iii. to not access, or attempt to access, Confidential Information except under the Agreed Purposes.

d. The Consumer may disclose Confidential Information: 
    i. to comply with the Law; 9)
    ii. to their staff, who will be under a duty of confidentiality;
    iii. to NHS Bodies for the purposes of carrying out their duties; and
    iv. as permitted or required for any NHS Counter-Fraud or Security Management processes.

a. A Party may withdraw from this Agreement by terminating its access to the NRL.   

b. The Parties agree that NHS England may issue written notice to terminate a Party’s access to the NRL if the Party commits a material breach of the Data Protection Legislation or the terms of this Agreement. For the avoidance of doubt, NHS England has the right to terminate access with immediate effect.

c. Any data protection or confidentiality obligation imposed on a Party under this Agreement will survive any termination or expiration of this Agreement.

a. The Parties acknowledge and understand that NHS England has been directed under the Digital Operability Platform Directions 2019 to establish and operate the NRL.

b.Each Party to this Agreement grants NHS England the right to enforce any of its rights under this Agreement against any other Party, which may include NHS England revoking a Party’s access to the NRL.  For the avoidance of doubt, this right is granted in addition to the rights a Party has to enforce its own rights under this Agreement against another Party, and the grant of such right to NHS England does not affect such Party’s rights or ability to pursue any action independently of NHS England (recognising that only NHS England has the technical means to revoke a Party’s access to the NRL).

a. The parties acknowledge that this Agreement may be updated only by NHS England.

b. Any change to the terms of this Agreement will be notified to the Parties, which may be by email and/or by written notification on NHS England’s website. Continued use of the NRL by a Party shall constitute that Party’s acceptance of the terms of such revised Data Sharing Agreement.

Except where expressly stated otherwise in relation to NHS England, this Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.

This Agreement and any dispute or claim arising out of or in connection with this Agreement, or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

May 2025

Information permitted to share on the NRL (where the document type exists for the patient) is as follows:

• Care plans*
• NEWS2 Report – National Early Warning Scores
• Shared Care Record Summary document 
• International Patient Summary 

* Care plans:

• mental health crisis plan
• end of life care plan
•  emergency health care plan
• treatment escalation plans 
• personalised care and support plans
• contingency plans 

The Pointer is limited to:

• patient NHS Number
• ODS code for the Holder
• the name of the care setting
• what type of information is held
• A URL to contact details for the Holder (optional)
• A URL to retrieve the information (this is a spine secure proxy for the patient record)
• A location for the record which allows the information to be retrieved via a link or up to date contact details

Access by Consumers is currently view only. Once the Consumer closes the PDF, the Shared Personal Data is no longer accessible to them and if still required must be requested again through the same process.

For queries, please email [email protected].

Select the button below to complete our acceptance form.