NHS Register with a GP Surgery online service - Data protection impact assessment
Background/purpose
In 2021-2022, NHS Digital (now NHS England) were commissioned to research and develop a new online service for patients to register with a GP practice in England. The service went live in October 2022 and is known as the ‘NHS Register with a GP Surgery’ service. More information about the service is available on our Register with a GP surgery service page.
The traditional process for patients to register with a GP practice is paper based. This requires GP practice staff to manually type up (rekey) the information provided by the patient on the paper form (known as the GMS1 form) into the GP IT system. Mistakes from misinterpreting handwriting, spelling and typing errors are currently a source of inaccuracy for the demographics data held in the Personal Demographics Service (PDS), which is the national NHS database of patient demographic details and is operated by NHS England.
The Register with a GP Surgery service provides a number of benefits to patients, GP practices and the wider NHS. For example:
- patients (registering individuals) can register online rather than having to visit their GP practice to collect a paper GMS1 form
- the service checks whether the registering individual lives within the GP practice’s catchment area
- registering individuals are matched to their NHS number, with around a 90% success rate which helps to improve the quality of the data in the PDS
- it reduces the administrative burden on GP practice staff who currently have to manually type up (rekey) information from paper GMS1 forms and will reduce mistyping errors
- GP IT systems suppliers also benefit from being able to ingest structured data for registering patients into GP IT systems
You can also download this data protection impact assessment (DPIA).
Consultation with stakeholders
To develop the service, NHS Digital (now NHS England) consulted with:
- patients (registering individuals)
- GP practices
- NHS England (NHSE)
- Primary Care Support England (PCSE)
The service went through a Government Digital Services (GDS) review covering the following areas:
- Start with user needs
- Do less
- Design with data
- Do the hard work to make it simple
- Iterate. Then iterate again
- This is for everyone
- Understand context
- Build digital services, not websites
- Be consistent, not uniform
- Make things open: it makes things better
User workshops are regularly held with patients (registering individuals) where they are given a prototype to use the service and provide feedback. This user research helps to inform the content of the pages and the design patterns used, which helps NHS England to make improvements to the service ensuring that it meets user needs and is easy to use and understand.
User research has also been undertaken with GP practice staff to observe how they process patient applications to register with their practice, to understand the existing process and how the Register with a GP surgery service can provide benefits to GP practices.
Workshops were also held with Primary Care Support England (PCSE) who manage GP practice patient lists on behalf of NHS England. When a GP practice accepts a patient’s application to register with them, the demographic information of the patient and which GP practice they are registered with flows to NHS England’s Primary Care Registration Management (PCRM) system/National Health Application and Infrastructure Services (NHAIS)¹ system and to the Personal Demographics Service (PDS).
1 NHAIS is due to be decommissioned Oct-Dec 2024 and will be replaced by the Primary Care Registration Management (PCRM) system
Description of the processing
Scope of the service
The Register with a GP Surgery service is an online service (available via web browser and available as a connected service in the NHS App). It is available for use by patients with and without an NHS login account. This is because NHS England policy determines that GP registration does not require proof of address or immigration status, ID or an NHS number. Although using NHS login offers advantages in terms of verification by matching registering individuals to the PDS, the service must be inclusive and cater to those who do not have a mobile phone or email address, which are prerequisites for an NHS login account.
This service is available for all residents of England. The registration types it will support are:
- Births
- First Acceptance
- Visitors and migrants
- Ex-Services
- Transfers
Parents/guardians/carers can also use this service to register their children or someone else that may need help, with a GP practice ‘by proxy’.
Registering individuals are asked to enter information which is mandatory to register at a GP practice. This is:
- first name
- surname
- date of birth
- sex
In addition, they can provide clinical information which the GP Practice requires to provide a standard of care for their patients and also supplementary information to aid other services (such as blood/organ donation preferences).
For visitors and migrant registration types, supplementary questions to determine charging eligibility and European Health Insurance Card (EHIC) information are also requested (if applicable). This information is then sent to NHS England’s National Back Office (NBO) team for further processing.
We have published a full data specification of the data items collected by the service.
Type 1 opt-out and the Register with a GP surgery service
Patients can register a Type 1 opt-out with their GP practice. This prevents information which identifies the patient from being shared by their GP practice for purposes beyond their direct care (such as for planning and research purposes).
The Register with a GP Surgery service will not collect patients’ Type 1 opt out preferences. NHS England is prohibited from identifying individuals who have set a Type 1 opt-out by virtue of the Patient Objections Directions 2015. NHS England can only collect aggregate information about the number of Type 1 opt-outs made and withdrawn.
Additional functionality for P9 level (high-level verification) NHS login users
The Register with a GP surgery service also enables patients to login to the service using their NHS login account. If they are P9 verified (high level verification) they will be able to update their contact and address details which then triggers an update to NHS England’s Personal Demographics Service (PDS)² via an API feed. NHS login user identity verification levels are explained at How NHS login works.
Making the service available in the NHS App
The Register with a GP surgery service will also be made available as a ‘connected service’ in the NHS App.
If an NHS App user consents for their NHS login details to be shared with the Register with a GP Surgery service, the data that will be shared from the NHS login service to the Register with a GP Surgery service will be:
- NHS number
- date of birth
- first name
- last name
- identity (proofing level)
- email address
- mobile number
This allows the service to pre-fill key information for the user. The information pre-filled is dependent on the user’s identity verification (proofing) level as detailed in the table below.
It is also possible for the user to opt out of this pre-fill function and continue without NHS login. This would follow the Unauthenticated journey in the table below.
User journeys
The Service (both web version and NHS App version) will provide different journeys for different user-groups:
| User group | Description | Journey |
|---|---|---|
| Unauthenticated* | Someone using the service, without an NHS login account. | The user will only see the data they have entered during their session using the service. |
| P0* | Someone who has created an NHS login account, verified their email and phone number, but has not been matched to an NHS number by the NHS login service. | The user will only see the data they have entered during their session using the service. |
| P5 | Someone who has created an NHS login account, verified their email and phone number, and has been matched to an NHS number by the NHS login service. | The service will pre-populate some demographic information (name, date of birth, email address, mobile phone number) into the service, allowing the user to skip pages. But NHS number and geographic information (current GP practice, current address) will not be prepopulated for P5 users. |
| P9 | Someone who has created an NHS login account, verified their email and phone number, has been matched to an NHS number and verified their identity (by providing documents with photo ID which they match) through the NHS login service. | The service will pre-populate demographic information (name, date of birth, email address, mobile phone number, NHS Number, current GP practice, current address) into the service, allowing the user to skip pages. |
| Sensitive flag (S-flag) – vulnerable patient with a P5 or P9 level NHS login account | Someone who has a P5 or P9 NHS login account, but also has the 'sensitive' flag set on their PDS record. Access to their contact or location data in PDS is restricted. | The service will pre-populate limited demographic information (name, date of birth, NHS Number) into the service, allowing the user to skip pages. |
* Note that Unauthenticated and P0 journeys will not be available via the NHS app.
Cookies
The service will also collect both essential and non-essential cookies. The non-essential cookies will be used for analytics purposes (service improvement) to help NHS England measure how patients use the service. These analytics cookies are optional and can be rejected by using the cookie banner. If a user rejects analytics cookies, it does not affect their ability to register with a GP using the service.
The service links to a cookie policy which explains more about the analytics cookies, including that Adobe is used to collect information on how the service is used and that Adobe is NHS England’s data processor for this purpose. It explains that a 'Client IP address' (unique identifier) is transmitted to Adobe as part of performance data but is not stored and that a unique identifier (AMCV_##@AdobeOrg) is tracked by the service. Adobe collects information about the device, browser type, operating system, date/time the user used the service and how the user interacted with the service to help improve the service. NHS England does not allow Adobe to use or share our analytics data for its own purposes.
Copyright ©2024 NHS England
The cookie policy also explains the use of pixel tracking. If a citizen enters the service with JavaScript not enabled in their browser, their IP address will be recorded through pixel tracking (along with the number of times that IP has tried to access this page). This data will be recorded to measure the accessibility and inclusivity of the service. It will not be used for any other purpose.
Secure transmission of data to GP practices
The registering individual’s application will be securely transferred to the GP practice in one of 2 ways:
1. NHSmail - The registering individual’s information will be transferred to the GP practice using secure NHS email. This will be used for practices that have not enabled the auto-acceptance feature (see below) and for applications submitted by non-NHS login and P0 and P5 NHS login users of the service.
or
2. Auto-acceptance pathway - For GP practices who have enabled this feature, the Register with a GP surgery service will send a registration request event through the National Events Management Service (NEMS) API. This event will be used by the GP IT systems to initiate the automatic creation of a patient record. The GP IT systems will retrieve the demographic data of the patient from the Personal Demographics Service (PDS) to populate the new record. Additionally, the health/lifestyle information provided by the patient when using the Register with a GP surgery service will be transmitted to the GP IT systems via the Register with a GP Surgery service API, ensuring a complete patient record is created. This auto-acceptance pathway is available to patients that meet certain auto-acceptance criteria - that is, they are NHS login P9 verified, aged 18 or over and in the GP practice catchment area.
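The pre-fill rules in the user journeys table and the two transfer pathways above can be read as one data-minimisation policy. The following is an added example, not NHS England code: every function, field and channel name is hypothetical, the sample record is constructed, and it assumes a user who opts out of pre-fill is treated as unauthenticated for routing as well.

```python
from dataclasses import dataclass
from datetime import date

# Pre-fill allow-lists per journey, transcribed from the "User journeys" table.
BASIC = frozenset({"name", "date_of_birth", "email", "mobile"})
PREFILL_ALLOWED = {
    "unauthenticated": frozenset(),
    "P0": frozenset(),
    "P5": BASIC,
    "P9": BASIC | {"nhs_number", "current_gp_practice", "current_address"},
}
# S-flag row of the table: contact and location data are withheld.
S_FLAG_ALLOWED = frozenset({"name", "date_of_birth", "nhs_number"})


@dataclass(frozen=True)
class Session:
    proofing_level: str            # "unauthenticated", "P0", "P5" or "P9"
    s_flag: bool = False           # 'sensitive' flag set on the PDS record
    prefill_opt_out: bool = False  # user chose to continue without NHS login


def effective_level(s: Session) -> str:
    """Opting out of pre-fill follows the Unauthenticated journey."""
    if s.proofing_level not in PREFILL_ALLOWED:
        raise ValueError(f"unknown proofing level: {s.proofing_level!r}")
    return "unauthenticated" if s.prefill_opt_out else s.proofing_level


def allowed_prefill(s: Session) -> frozenset:
    level = effective_level(s)
    if s.s_flag and level in ("P5", "P9"):
        return S_FLAG_ALLOWED
    return PREFILL_ALLOWED[level]


def minimise(record: dict, s: Session) -> dict:
    """Return only the fields this journey may pre-populate (deny by default)."""
    allowed = allowed_prefill(s)
    return {k: v for k, v in record.items() if k in allowed}


def age_on(dob: date, today: date) -> int:
    """Whole years of age on a given day."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def transfer_plan(s: Session, dob: date, in_catchment: bool,
                  practice_auto_accept: bool, today: date) -> dict:
    """Choose the pathway: auto-acceptance needs the practice to have enabled
    it, a P9 user, age 18 or over and an address in the catchment area."""
    eligible = (practice_auto_accept
                and effective_level(s) == "P9"
                and age_on(dob, today) >= 18
                and in_catchment)
    if eligible:
        return {
            "pathway": "auto-acceptance",
            "channels": {
                "NEMS API": "registration request event",
                "PDS (retrieved by GP IT system)": "demographic data",
                "Register with a GP Surgery service API": "health/lifestyle information",
            },
        }
    return {"pathway": "nhsmail", "channels": {"NHSmail": "full application"}}


# Constructed sample record; values are placeholders, not real patient data.
SAMPLE_RECORD = {
    "name": "Alex Example",
    "date_of_birth": date(2006, 6, 15),
    "email": "alex@example.invalid",
    "mobile": "07000 000000",
    "nhs_number": "PLACEHOLDER-NHS-NUMBER",
    "current_gp_practice": "Example Practice",
    "current_address": "1 Example Street",
}

if __name__ == "__main__":
    for sess in (Session("P5"), Session("P9"), Session("P9", s_flag=True)):
        print(sess, sorted(minimise(SAMPLE_RECORD, sess)))
    print(transfer_plan(Session("P9"), SAMPLE_RECORD["date_of_birth"],
                        True, True, date(2024, 6, 15))["pathway"])
```
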
Robotic Process Automation
Some GP practices use Robotic Process Automation (RPA) middleware suppliers to automate the entry of registration data collected by this service into their GP IT systems. This is an optional service that requires a contract between the GP practice (data controller) and RPA supplier (processor on behalf of the GP practice).
PDS update method
A PDS Fast Healthcare Interoperability Resources (FHIR) API search is done using the demographic information provided by the user to match the patient to their PDS record and to obtain their NHS number so that this can be sent to their GP practice along with their application.
In addition, if the user logs into the service using their NHS login account and if they are P9 verified (high level verification) they will be able to update their contact and address details which then triggers an update to NHS England’s Personal Demographics Service (PDS)² via an API feed. Read more about NHS login user identity verification levels.
The old demographic data will be moved to a historic state in PDS for audit purposes.
Nature of the data processed by the service
The data collected by the Register with a GP Surgery service includes personal data (demographics data) and special categories of personal data (health data) of the individuals registering with a GP practice. This is to allow GP practices to process their application and to provide an adequate level of care to their patients.
Context of the processing
Why an online service has been developed:
At present, GP registration is mostly performed in person at the GP Practice by means of a paper form (GMS1 form). The GP administrative staff review the paper form and type it into the GP IT system. This process is time consuming for both the registering individual and the GP administrative staff and introduces data quality issues when transcribing the data. The registration process also varies widely from practice to practice.
The Register with a GP surgery service will improve the accessibility and usability for registering individuals, reduce the amount of time it takes to register with a GP practice, reduce GP admin bureaucracy and improve data quality. The digital journey fits into the NHS ecosystem of providing services online - see National General Practice Improvement Programme - NHS England.
Roles and responsibilities
NHS England is a joint controller with the Secretary of State for Health and Social Care in relation to determining the purposes of the processing of personal data to provide this service pursuant to the ‘Register with a GP Surgery Directions 2022’.
NHS England also has a legal duty to provide GP registration services, under Schedule 3, Part 2, paragraph 17 of the National Health Service (General Medical Services Contracts) Regulations 2015.
NHS England as a controller is responsible for:
- the collection and the security of the personal data that is collected by the web form (‘Register with a GP Surgery service’)
- securely transferring the data to GP IT systems (either via NHSmail, via an API or via the GP practice’s RPA supplier)
- monitoring and audit of the service to ensure it is secure and has appropriate security controls
- monitoring how the service is used to make improvements to the service by using analytics cookies (optional) and also by retaining some information in log data to carry out analytics to:
  - monitor the uptake of the service, such as how many applications result in practice acceptance
  - analyse demographic data to understand the reach of the service and to understand if the service is meeting the needs of vulnerable groups - those who do not have a permanent address for example. Data minimisation is undertaken where possible but some identifiable information is required such as NHS number (where provided) to match to PDS. If NHS number is not provided, then a combination of full postcode, date of birth and surname are used. Example metrics include registration acceptance rate by address status and registration acceptance rate over time (64% of total applications were from female applicants).
- tracking the status of the application and investigating and resolving any errors in the patients’ application submission, such as if an invalid character is entered into a field which causes an error
- authenticating users’ identities if they choose to log into the service using their NHS login account. Doing so provides additional functionality (such as pre-populated fields drawn from data held in PDS) for P5 and P9 level verified users
- providing the functionality for patients with P9 level NHS login (high level verification) to update their contact information into the online service, and for this data to be sent via API to update these fields in their PDS record
NHS England is also a controller for patient registration data passed from the GP practice systems to the Personal Demographics Service and used in management of GP practice patient lists.
GP practices are controllers for their patients’ registration information when they receive a patient’s application which is submitted via this service. The GP IT system suppliers or contracted RPA vendor are processors, acting under the instruction of GP practices. In addition, the RPA middleware providers are also NHSE’s processor, acting under NHSE’s instruction to securely transmit the data into GP IT systems using RPA technology.
2 PDS is the central electronic database for NHS patient details, such as name, address, date of birth, NHS number (known as demographic information).
Describe the legal basis for the processing (collection, analysis or disclosure) of personal data?
Collection and analysis of personal data
Statutory authority
Register with a GP Surgery Directions 2022
On 1 February 2023, the statutory functions of NHS Digital transferred to NHS England under the Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023 (Transfer Regulations). Under these Transfer Regulations, all directions from either the Secretary of State for Health and Social Care (SoS) or NHS England (NHSE) to NHS Digital (NHSD) are now treated as directions from the SoS to NHSE.
Reg 3(1) of the Transfer Regulations provides that from the Transfer Date (01 Feb 2023), section 254(1) and section 260(2)(d) or (3) Directions from NHSE to NHSD are treated as if contained in Directions of the SoS to NHSE. Reg 3(2) of the Transfer Regulations provides that from the Transfer Date, section 254(6), section 255(5) or (6), section 261(1) (3) or (5), section 277C(3) Directions of the SoS or NHSE to NHSD are to be treated as contained in Directions of the SoS to NHSE under section 13ZC of the 2006 Act.
Reg 32³ elements of Directions from NHSE to NHSD are not covered by the Transfer Regulations and fall away on Transfer. NHSE utilises existing powers to undertake those systems to meet their statutory functions.
Therefore, for the Register with a GP Surgery Directions 2022 these are now treated as section 254 Directions from the SoS to NHSE in respect of the Information System (the collection and analysis of information as are necessary to provide the Register with a GP Surgery service). In addition, NHSE relies on powers under section 1(H), section 2(2) and sections 13E, 13G and 13N of NHS Act 2006 to exercise system delivery functions to enable and facilitate the Register with a GP Surgery service.
Common Law basis
Legal obligation to comply with the Register with a GP Surgery Directions 2022.
UK GDPR – Article 6 basis - UK GDPR Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject (the Register with a GP Surgery Directions 2022).
UK GDPR Article 9 basis and Data Protection Act 2018 basis:
UK GDPR Article 9(2)(g) - processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject, supplemented by:
- Data Protection Act 2018 (DPA 2018) Schedule 1, Part 2, paragraph 6: Statutory etc and government purposes.
DPA Appropriate Policy document in place - NHS England has an Appropriate Policy document for the purposes of Part 4, paragraph 39 of Schedule 1 of the DPA 2018
Legal basis to update demographic data in PDS:
Collection and analysis of personal data
Statutory authority
NHS England has been Directed under section 254 of the Health and Social Care Act (the 2012 Act), by the Secretary of State for Health and Social Care, to establish and operate systems for the collection and analysis of information as are necessary for it to deliver Spine Services, including the Personal Demographics Service (PDS) under the Spine service (no. 2) 2014 Directions.
Common Law basis
Legal obligation – by virtue of the Spine service (no. 2) 2014 Directions
UK GDPR – Article 6 basis - Article 6(1)(c) – the processing is necessary for the compliance with a legal obligation to which the controller is subject.
Legal basis to process data via NHS login to authenticate users
Statutory authority
NHS login Directions 2021 issued to NHS England by the Secretary of State for Health and Social Care under s.254 of the Health and Social Care Act 2012: NHS Login Directions 2021 - NHS England
Common law basis
Legal obligation by virtue of the NHS Login Directions 2021 - NHS England
UK GDPR – Article 6 basis - Article 6(1)(c) – the processing is necessary for the compliance with a legal obligation to which the controller is subject
UK GDPR – Article 9 basis - Article 9(2)(h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.
Data Protection Act 2018 basis - Data Protection Act 2018, schedule 1, part 1, paragraph 2, sub paragraph (2), sub paragraph (f) – ‘the management of health care systems or services or social care systems or services’.
Legal basis to set cookies for web analytics purposes:
Article 6(1)(a) - ‘consent of the individual’ (solely for the purposes of non-essential cookies, which comprise personal data, which are placed on the platform).
3 Regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013 (S.I. 2013/259).
Demonstrate the fairness of the processing
To apply to register with a GP practice, individuals can just provide a small number of mandatory data items (first name, surname, date of birth and sex). The individual can choose to provide more information into the digital service should they wish but this is not mandatory.
This service digitises an existing paper-based process. Individuals are accustomed to providing demographic and health information in order to register with a GP practice and would reasonably expect that a digital service would need to collect this data in order to send their application to their chosen GP practice so that it is processed more efficiently and effectively.
It is also in the reasonable expectations of individuals that the service will analyse some data to understand the reach of the service, how it is being used and to understand if it is meeting the needs of vulnerable groups (such as those who do not have a permanent address). Users can opt-out of analytics cookies via the cookie banner.
Registering individuals are informed about how their personal data will be processed when they use the service via:
- ‘just in time’ notices when they complete certain fields
- the service’s privacy policy
- the service’s cookie policy
What steps have you taken to ensure individuals are informed about the ways in which their personal data is being used?
The service has published a privacy policy and cookie policy which explain how NHS England processes personal data to provide the service and what individuals’ rights are in respect of their data. The service also displays ‘just in time’ notices for users when they complete certain fields which explain why they are being asked to provide certain information.
Is it necessary to collect and process all data items?
Data categories - information relating to the individuals
Conditional (C) - Conditional data items are logic driven. These are questions which are only asked in the user journey where a certain option has been populated, such as if the user says ‘yes’ to ‘Is a language interpreter required?’ then the conditional question they are asked is ‘which language’.
Justify - There must be justification for processing the data items. Consider which items you could remove, without compromising the purpose for processing.
| Data categories | Mandatory (M), Optional (O), Conditional (C) | Justify |
|---|---|---|
| Patient supplied NHS number | O | To match the patient to an NHS record |
| Prefix | M | Prefix is a mandatory data item required for an individual to register with a GP practice |
| First name | M | Patient name is a mandatory data item required for an individual to register with a GP practice |
| Middle name | O | Middle name is an optional field which may be used to communicate with the patient |
| Last name | M | Patient name is a mandatory data item required for an individual to register with a GP practice |
| Previous last name | O | Used to match a patient to their NHS record |
| Date of birth (DoB) | M | Date of birth is a mandatory data item required for an individual to register with a GP practice |
| Previous UK address | C | Used to match a patient to their NHS record |
| Previous UK postcode | O | Used to match a patient to their NHS record |
| Current UK address | O | Required to communicate via post and arrange home visits. |
| Current UK postcode | O | Required to communicate via post and arrange home visits. |
| Email address | O | May optionally be provided by a patient if they wish NHS and social care organisations to be able to communicate with them via email. |
| UK mobile phone number | O | May optionally be provided by a patient if they wish NHS and social care organisations to be able to communicate with them via a mobile phone number. |
| UK home phone number | O | May optionally be provided by a patient if they wish NHS and social care organisations to be able to communicate with them via a home phone number. |
| Sex on your NHS record | M | Used to match a patient to their NHS record. Patient can also select ‘Prefer not to say’. |
| Ethnicity | M | Used in GP practice Quality and Outcomes Framework (QOF) data. Patient can also select ‘Prefer not to say’. |
| Interpreter required? | M | To assist the patient with communication |
| Language required for interpreter? | C | To assist the patient with communication |
| Do you have an emergency contact? | M | Provides the GP practice information on who to contact in the event of an emergency |
| Emergency contact name | C | Provides the GP practice information on who to contact in the event of an emergency |
| Emergency contact relationship | C | Provides the GP practice information on who to contact in the event of an emergency |
| Emergency contact telephone number | C | Provides the GP practice information on who to contact in the event of an emergency |
| Emergency contact next of kin | C | Provides the GP practice information on who to contact in the event of an emergency |
| Have you ever been a member of the armed forces or are a family member registered with the defence medical services? | M | This information is used to determine the type of registration |
| Have you recently moved to the UK from another country? | C | This information is used to determine the type of registration |
| Country of birth | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| When did you enter the UK? | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| Have you moved to the UK from living in the EU, EEA or Switzerland? | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| Chargeable status | C | To ask the patient for their chargeable status for NHS care |
| Patient has EHIC/S1 | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| EHIC - Full name | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| EHIC - Date of birth (DoB) | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| EHIC - Country code | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| EHIC - Personal identification number | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| EHIC - Identification number of the card | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| EHIC - Identification number of the institution | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| EHIC - Expiry date | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| Date left UK | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| Returning to the UK | C | This information is mandatory for type 4 (visitor/migrant) registrations |
| Current GP address details | O | This information assists the GP practice in transferring electronic records in the event of an automated system failure |
| Are you a student? | C | This information is used to identify students for university affiliated GP practices |
| Student ID number | C | Required for university GP practices to validate students for acceptance at their practice |
| Course end date | C | Required for university GP practices for the purpose of deductions and validating students for acceptance at their practice |
| Student address and room number | C | Provides a more accurate address for university students (such as those living in student accommodation halls) |
| Data categories | Mandatory (M), Optional (O), Conditional (C) | Justify |
|---|---|---|
| Existing or pre-existing medical conditions | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Existing or pre-existing medical conditions details | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| More details about existing and pre-existing condition | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Allergies | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Allergies details | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Mental health conditions | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Mental health details | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Disabilities | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Disabilities details | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Current prescription medication | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Prescriptions medication details | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Repeat prescription | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| How often do you drink alcohol? | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Alcohol unit consumption in an average week | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| How often have you had six or more units of alcohol on a single occasion in the last year? | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Smoking | O | Used to identify any additional actions that need to be taken upon registration at the GP practice |
| Have you ever spent more than 6 months in a country where there was an increased risk of catching tuberculosis (TB)? | C | To identify those patients that may be eligible for TB screening offered by the GP practice |
| Registration completed by patient | M | This field indicates whether the registration application was submitted by the registering individual or by someone else on behalf of the registering individual. |
| Relationship to dependant | C | To identify the relationship of the person that is submitting the registration application on behalf of the registering individual. |
| Carer details | C | To identify what type of carer the person who submitted the registration is to the dependant |
| Carer details - First name | C | The first name of the person who is submitting the registration |
| Carer details - Last name | C | The last name of the person who is submitting the registration |
| Carer details - Relationship to patient | C | The relationship of the person who is submitting the registration |
| Carer details - Contact telephone number | C | The telephone number of the person who is submitting the registration |
| Under 1 year - Place of birth | C | This field is collected specifically for patients that are under a month old |
| Under 1 year - Postcode at birth | C | Gathered to try and match the patient to a PDS record |
| Nominate a pharmacy | M | This is to identify if the patient would like to nominate a pharmacy |
| Nominated pharmacy address | C | Address of the nominated pharmacy for prescription collection |
| Education attendance | C | To allow the GP to make sure the patient is getting their correct vaccinations |
| School name | C | The name of the school attended |
| School postcode | C | The postcode of the school attended |
| School contact telephone number | C | The telephone number of the school attended |
| Nursery name | C | The name of the nursery attended |
| Nursery postcode | C | The postcode of the nursery attended |
| Nursery contact telephone number | C | The telephone number of the nursery attended |
| Home school postcode | C | The postcode of the place of home school |
| Home school contact telephone number | C | The telephone number of the place of home school |
| Professional care provider | C | To help the GP understand the patient's care needs |
| Routine vaccinations | C | To help the GP understand if the patient is up to date on vaccinations |
| Vaccinations in UK | C | To help the GP understand if the patient is up to date on vaccinations |
| Patient carer | M | To identify to the GP if the registering individual is a carer |
| Patient carer description | C | To identify to the GP what type of carer the patient is |

| Data categories | Mandatory (M), Optional (O), Conditional (C) | Justify |
|---|---|---|
| Registration type | Auto generated | For downstream processing the registration will be one of six types |
| Date and time of submission | Auto generated | To identify when the application is submitted to the GP practice |
| Application reference number | Auto generated | To identify the application and allows patient and GP practice to communicate about a single application |
| Identity proofing level | Auto generated | To identify whether the user has verified their identity via NHS login |
| PDS match | Auto generated | To identify if the user has been matched to an NHS record |
| PDS death | Auto generated | To identify if the user has been matched to an NHS record and the patient is marked as deceased |
| PDS matched NHS number | Auto generated | To provide the NHS number of the matched NHS record |
| Current Organisation Data Service (ODS) code | Auto generated | To provide the ODS code of the current GP practice the patient wishes to leave |
| PDS NHS number different to patient entered NHS number | Auto generated | To identify if the patient supplied NHS number is different to the NHS number on the matched NHS record |
| Patient EHIC to NBO | Auto generated | If the user has EHIC data, this field indicates that the data has been sent to the National Back Office |
| Previous health authority | Auto generated | To provide the health authority to the GP practice, this is a mandatory field for Transfer types |
| Sex | Auto generated | Calculated from patient answers, used to match record and provide adequate health care |
| Website cookies/similar technologies | Auto generated | 1. Optional analytics cookies, if consent to analytics cookies is given. Used for integration with Adobe, used for analytics to improve the service. 2. No JavaScript pixel tracking - If a citizen enters the service with JavaScript not enabled in their browser, their IP will be recorded through pixel tracking (along with the number of times that IP has tried to access this page). This is used as an accessibility measure to understand more about how many users do not have a browser that supports JavaScript or have it actively disabled. This is used to measure the accessibility and inclusivity of the service. |
The service collects patient feedback but this information is collected anonymously.
A full list of the questions and data items collected by the service is published in our data specification.
Any proposed changes to the data items collected by the service and how they are processed will require an update to the DPIA and assurance from Information Governance (IG).
Describe if personal datasets are to be matched, combined or linked with other datasets? (internally or for external customers)
Ordnance Survey Places API
The Register with a GP surgery service uses the Ordnance Survey Places API to look up and validate addresses, when the user enters their postcode. This allows the user to select their address from a drop-down list. This helps to ensure that only a valid address is sent to the GP practice as part of the application and only valid addresses are stored in the PDS. The user is also shown a confirmation screen to check the information they have entered on the web form is accurate.
Logging in to the service using NHS login
The Register with a GP surgery service enables patients to log in to the service using their NHS login account. If they are P5 verified (medium level verification) or P9 verified (high level verification), their demographic information is used to match them to their PDS record and some fields will be pre-populated with their demographic information. This is to improve the user experience, so that it takes less time for the user to complete the application.
Using the service without NHS login
If a user does not have an NHS login account, they can still use the web application version of the service. On entering their demographic information, a PDS FHIR API matching search is completed to locate their PDS record and identify:
- The patient’s NHS number (in the case of a unique match)
- Any presence of a ‘date of death’ on the PDS record (in the case of a unique match)
This information is then sent to the GP practice as part of the application.
If no unique match is found, it is the responsibility of the GP practice administrative staff to use the registration exceptions process to determine whether a PDS record already exists for the patient.
Describe if the personal data is to be shared with other organisations and the arrangements you have in place
The service sends the patient’s application to the GP practice via a secure transfer method: NHSmail, an API, or the GP practice’s chosen RPA supplier. Upon receipt, the GP practice is the data controller for the data contained in the application.
NHS England has Controller to Processor Data Processing Agreements in place with each RPA middleware supplier, in accordance with Article 28 of UK GDPR.
How long will the personal data be retained?
Four types of log data are retained by the service.
| Group | Log level | Purpose | Data items | Patient Identifiable Data (PID) with justification of retention | Retention Period | Examples/ key metrics | Access control |
|---|---|---|---|---|---|---|---|
| Audit | Info | Security and legal | Includes NHS number, ODS code, Date of birth, Sex | Yes. PID is required to ensure that a record of service activity is available for compliance and policy enforcement | 7 years | Fulfilment of Subject Access Requests, legal claims, investigate in the event of a security incident, for example | Non-security clearance (SC) but controlled |
| Operational | Info, Warning, Error | Incident investigation | Includes information such as user navigation and session times | No | 3 months | Analysing user drop out rates and drop out points | Non-SC but controlled |
| PatientID | Info, Warning, Error | Incident investigation; Service improvement | All user entered fields will be stored, including demographic and health questionnaire | Yes. PID is required to allow short term analysis to aid incident investigation | 3 months | User has entered an invalid character into a text box that has caused an error; PDS match improvements | Non-SC but controlled |
| Analytics | Info | Key performance indicators (KPIs)/ analytics – matching to PDS | See table 1 below - PID data items are NHS number, full postcode, full date of birth and surname | Yes. PID is required to match submissions to PDS to check for practice acceptance. NHS Number is used where provided to ensure exact match. Where NHS number is not provided, a combination of Date of Birth (DOB), Surname and Full Postcode is used to monitor that the service is catering for vulnerable groups that may not have an NHS number or a permanent address. | 2 years | 64% of total applications were female; Registration acceptance rate by address status; Registration acceptance rate over time | Non-SC but controlled |
Analytics data stored in logs (2 years)
| Original registration data supplied by patient | Data stored in the logs |
|---|---|
| Who's registering | Myself/someone else |
| NHS login | Yes/No + authentication level |
| Relationship to patient | N/A, Parent, Guardian, Carer, Other |
| Type of carer (if applicable) | Young, Paid, Unpaid, Foster, None of the above |
| NHS number (if known) | Yes/No |
| NHS number | Where provided, NHS Number is used for matching submissions to PDS to check for practice acceptance of the application. |
| Surname | Surname is required to enable matching to PDS where an NHS number has not been entered as part of the service. This is to monitor that the service is catering for vulnerable groups that may not have an NHS number. |
| Date of birth | Full date of birth is required to enable matching to PDS where an NHS number has not been entered as part of the service. This is to monitor that the service is catering for vulnerable groups that may not have an NHS number. |
| Current address | Yes/No |
| Current address postcode | Full postcode is required to enable matching to PDS where an NHS number has not been entered as part of the service. This is to monitor that the service is catering for vulnerable groups that may not have an NHS number or a permanent address. |
| Home phone provided | Yes/No |
| Mobile provided | Yes/No |
| Email provided | Yes/No |
| Post selected | Yes/No |
| Gender identity | Female, Male, Indeterminate/Not Specified, Not answered, Not known/Unknown |
| Ethnicity | Option chosen |
| Language interpreter | Yes/No |
| Language | Option chosen |
| Nominate pharmacy | Yes/No |
| Armed forces | Yes/No |
| Emergency contact | Yes/No |
| Previous address | Yes/No |
| Previous address postcode | First half of postcode |
| Medical conditions | Yes/No/Prefer not to say |
| Allergies | Yes/No/Prefer not to say |
| Mental health | Yes/No/Prefer not to say |
| Disabilities | Yes/No/Prefer not to say |
| Is patient a carer | Yes/No/Prefer not to say |
| Type of carer | Young, Paid, Unpaid, Foster, None of the above |
| Does patient have a carer | Yes/No |
| Type of carer | Young, Paid, Unpaid, Foster, None of the above |
| Prescription medication | Yes/No |
| Drink alcohol | Never, Monthly or less, 2 to 4 times a month, 4 or more times a week, Prefer not to say |
| Smoke | Yes/No/Prefer not to say |
| Registration type | 1, 2, 3, 4 or 5 |
| PDS match | Yes/No |
| NHS login authentication level | 0, 5, 9 |
| In catchment | Yes/No |
| ODS code | ODS code |
| Date of submission | DD/MM/YYYY |
| Summary care record | Yes with additional information/Yes without additional information/No do not share/Keep existing preference |
| Guardian registration status | Registered N/A /Not registered/Not planning |
| Armed forces | Yes/No/Not answered |
| Needs accessible format | Yes/No/Not answered |
| Student | Yes/No |
| Student ID number (if known) | Yes/No |
| Student ID number | First half of student ID number |
| Course end date | Year |
| Room number (if known) | Yes/No |
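
The reduction described in the table above can be expressed as an allow-list transform with a leak check. This is an added illustration, not NHS England's code: the field names, the reading of "first half of postcode" as the outward code, the rounding used for "first half of student ID number", the default for an unanswered health question and all sample values are assumptions.

```python
from datetime import date

# Hypothetical field names: the page lists data items, not a schema.
# Log key -> submitted field that is reduced to a Yes/No presence flag.
PRESENCE = {
    "nhs_number_known": "nhs_number", "current_address": "current_address",
    "previous_address": "previous_address", "home_phone_provided": "home_phone",
    "mobile_provided": "mobile", "email_provided": "email",
    "student_id_known": "student_id", "room_number_known": "room_number",
}
# Health answers: only the option chosen is logged, never the "details" text.
OPTION_ONLY = ("medical_conditions", "allergies", "mental_health", "disabilities")
# Table 1 keeps these in full so submissions can be matched to PDS.
KEPT_IN_FULL = ("nhs_number", "surname", "date_of_birth", "current_postcode", "ods_code")

# Constructed sample submission; every value is a placeholder.
SAMPLE = {
    "nhs_number": "9990000000", "surname": "Sample", "date_of_birth": "1999-04-12",
    "current_address": "Flat 2, 10 Example Road", "current_postcode": "LS2 9JT",
    "previous_address": "5 Placeholder Street", "previous_postcode": "M1 4BT",
    "mobile": "07700900123", "email": "alex@example.org",
    "allergies": "Yes", "allergies_details": "Penicillin (constructed free text)",
    "student_id": "20231234", "course_end_date": date(2026, 6, 30),
    "ods_code": "X00000", "submitted": date(2025, 1, 15),
}


def outward_code(postcode):
    """Assumed reading of 'first half of postcode': drop the 3-character inward code."""
    compact = "".join(postcode.split()).upper()
    return compact[:-3] if 5 <= len(compact) <= 7 else ""


def first_half(text):
    """Assumed rounding: keep the leading len // 2 characters."""
    return text[: len(text) // 2]


def to_analytics_record(sub):
    """Build the log record from an allow-list; unlisted fields never reach the log."""
    rec = {key: "Yes" if sub.get(field) else "No" for key, field in PRESENCE.items()}
    rec.update({f: sub.get(f, "") for f in KEPT_IN_FULL})
    # Assumed default when a health question was skipped.
    rec.update({f: sub.get(f, "Prefer not to say") for f in OPTION_ONLY})
    rec["previous_postcode"] = outward_code(sub.get("previous_postcode", ""))
    rec["student_id"] = first_half(sub.get("student_id", ""))
    end = sub.get("course_end_date")
    rec["course_end_date"] = str(end.year) if end else ""
    rec["date_of_submission"] = sub["submitted"].strftime("%d/%m/%Y")
    return rec


def leaked_fields(sub, rec):
    """Submitted fields outside the kept-in-full set whose raw value is visible in the record."""
    blob = "\n".join(str(v) for v in rec.values())
    return sorted(
        f for f, v in sub.items()
        if f not in KEPT_IN_FULL and f not in OPTION_ONLY
        and len(str(v)) > 3 and str(v) in blob
    )
```

Running `leaked_fields` over sample submissions in a unit test catches a later change that copies a raw value, such as the full previous postcode, into the two-year analytics log.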
Where you are collecting personal data from the individual, describe how you will ensure it is accurate and if necessary, kept up to date
The data collected from registering individuals will be checked against known patterns (for example, phone numbers and email addresses have known character formats). If an individual enters invalid information, an error message will prompt them to correct it.
NHS login will be used to gather verified demographic data for those individuals who have NHS login accounts. If they are P9 verified, they can update their address and contact details.
Patients also have the option to update their details through existing methods such as by contacting their GP practice or using the NHS App.
How are individuals made aware of their rights and what processes do you have in place to manage such requests?
The Register with a GP surgery service’s privacy policy explains what data protection rights the individual has. These are:
Right to be informed – NHS England has published a privacy policy and cookie policy which explains how the service processes personal data. ‘Just in time’ notices are also used for certain fields, which explain why the service is asking for certain information.
Right of access – data subjects can submit a Subject Access Request (SAR) as explained via the NHS England website or submit a SAR to the GP practice they are registering with.
Right to rectification – data subjects have the right to have inaccurate data about them corrected. They can contact the DPO at [email protected] to exercise this right. Once registered at a GP practice, if they need information on their GP record corrected, they will need to contact their GP practice.
Right to restrict processing – data subjects will have a right to restrict the processing of their data where they contest the accuracy of their data and NHS England need to verify the accuracy of the data. The data subject can contact the DPO at [email protected] to exercise this right and have their request considered on a case-by-case basis.
Right to raise a concern with NHS England, their GP practice and the Information Commissioner’s Office (ICO) at any time – this is explained within the privacy policy.
In relation to personal data processed for web analytics (analytics cookies):
Right to withdraw consent – individuals can change their cookie settings at any time to withdraw consent for the collection of analytics cookies. This will not affect their ability to use the service to register with a GP practice.
Auto-acceptance pathway and 'automated decision making'
Under Article 22 of the UK GDPR, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The auto-acceptance feature, which GP practices can choose to enable, is an automated process that streamlines registration for applications made by individuals. To qualify, the individual must be:
- NHS login P9 verified
- aged 18 years or over
- within the GP’s catchment area
If these criteria are met, the GP IT systems create a patient record for the applicant and the information they submit as part of the service is securely transmitted to the GP IT systems via an API. On consideration, this processing does not meet the criteria of 'automated decision making' under Article 22 of UK GDPR. Whilst the processing is automated based on the application meeting certain criteria, no automated decisions are made which produce a legal effect or a similarly significant effect on the individual. Rather, it is a more efficient way for the application to be transferred to the GP IT systems so that the patient can be registered, instead of the application being transferred via NHSmail. The process is not used to reject applications. If the application does not meet the above criteria, it is still sent to the GP practice via NHSmail.
What technical and organisational controls for 'information security' have been put in place?
NHS login will be used to verify the identity of individuals, where they have an NHS login account.
For individuals without accounts, it is the GP practice’s responsibility to ensure the registration is matched to the correct PDS account, following the same process as for the paper form.
Data will be passed securely via APIs secured with Hypertext Transfer Protocol Secure (HTTPS).
If the GP practice is not using the GP Systems integration, then data will be sent to their GP practice via secure NHSmail.
If the GP practice is using automation services from an RPA middleware supplier, then data will be sent to the RPA supplier via MESH. All suppliers are to have undergone penetration testing and cyber security assurance (Cyber Essentials as a minimum). The GP Registration service recommends that vendors undergo the assurance required by the GP IT Futures Catalogue (such as Cyber Essentials Plus).
The service has undergone a penetration test and has a system-level security policy in place which details the full technical controls.
In which country/territory will personal data be stored or processed?
The data will be processed in the Amazon Web Services (AWS) cloud, with physical servers based in London, United Kingdom (UK). AWS act as NHS England’s processor in respect of the secure storage of the log data. Article 28 compliant contract clauses are in place with AWS, which ensure, via contractual obligation, that the data is only processed in the UK.
Where processing is completed by RPA vendors, data will also remain and be processed in the UK as stipulated by the data processing agreement in place with each vendor.
Does the National Data Opt-Out apply to the processing?
The National Data Opt-out does not apply to the NHS Register with a GP surgery service as the service processes confidential patient information for the provision of direct care.
Identify, assess and mitigate risks
[REDACTED]
Further actions
The completed DPIA should be submitted to the [email protected] for review.
The IAO should keep the DPIA under review and ensure that it is updated if there are any changes (to the nature of the processing and/or system changes).
Signatories
The DPIA accurately reflects the processing and the residual risks have been approved by the Information Asset Owner:
Information asset owner (IAO) signature and date
[REDACTED]
For PTT and office of the DPO use only:
Summary of high residual risks
| Risk no. | High residual risk summary |
|---|---|
Summary of DPO advice:
Data Protection officer (DPO) - Signature and date
ICO consultation outcome:
Office of DPO - Signature and date
Next steps
DPO to inform stakeholders of ICO consultation outcome.
IAO along with DPO and SIRO to build action plan to align the processing to ICO’s decision.
Glossary of terms
| Term | Definition |
|---|---|
| API | Application programming interface |
| AWS | Amazon Web Services |
| DPIA | Data protection impact assessment |
| EHIC | European Health Insurance Card |
| FHIR | Fast Healthcare Interoperability Resources |
| GMS1 form | Family doctor services registration form completed by patients to register with a GP practice |
| GP | General practitioner |
| HTTPS | Hypertext Transfer Protocol Secure |
| ICO | Information Commissioner’s Office |
| NBO | National Back Office |
| NHAIS | National Health Application and Infrastructure Services |
| NHSE | National Health Service England |
| NHS login identity verification levels (P0, P5, P9) | NHS login user journeys |
| PCSE | Primary Care Support England |
| PDS | Personal Demographics Service |
| S1 form | S1 forms show that your state healthcare is paid for by the UK if you live in an EU country or Switzerland |
| SAR | Subject access request |
| S-flag | Sensitive flag (see Management of NHS Numbers and PDS Records) |
| SLSP | System level security policy |
Last edited: 19 June 2025 12:26 pm