Confidentiality and trust are essential to the relationship between GPs and their patients.
The information a patient provides to their GP is confidential, and they can expect that any information that is shared for their direct care will remain confidential.
GP Connect relies on 'implied consent'.
Explicit consent is not required when information is shared for a direct care purpose. If a patient does not want their information to be shared using GP Connect, they can opt out.
The NDSA and its terms and conditions stipulate that any information received or accessed about a patient for direct care purposes must remain confidential.
In addition to the NDSA, health and social care professionals are subject to their own professional codes of confidentiality and are aware that any information received via GP Connect is provided in confidence, and that this confidence must be respected.
Organisations using GP Connect are notified of their duty as 'controllers' to be fair and transparent about their processing of their patients’ information and to ensure that their transparency notices are fully updated with how they may be using GP Connect functionality.
NHS England helps support the mitigation of information sharing risks by ensuring that:
- access to NHS England audit data is subject to two-factor authentication and role-based access controls, and only certain assured users can have access to the full audit logs
- a completed Supplier Conformance Assessment List (SCAL), which covers service-specific and capability-specific compliance requirements and controls of the consumer system, is in place
It is the responsibility of organisations using GP Connect to ensure that they comply with the NDSA, and their statutory and legal obligations regarding data protection and confidentiality.