Contact Us:  01772 846 687

GP Connect Usage and Data Protection Policy

Purpose of GP Connect at Cadona Care

Cadona Care is committed to ensuring that patients receive timely and appropriate care across all health and social care settings. To support this, we utilise GP Connect, a service that allows clinicians to access GP patient records during interactions that take place away from the patient’s registered GP practice. This service ensures that the patient’s medical information is available when and where it is needed to support their direct care, improving the quality of care provided. GP Connect also allows Cadona Care to share important patient information with appropriate health and social care professionals, when necessary, in a secure and efficient manner.

Privacy, Confidentiality, and Data Protection

Cadona Care is committed to maintaining the privacy, confidentiality, and security of all patient information shared via GP Connect. The service facilitates the secure transfer of patient data, significantly reducing the reliance on less secure methods such as email or telephone for transferring medical records. Access to patient data will only be granted for direct care purposes.

Access Control and Usage Restrictions

Access to GP Connect is governed by strict role-based access control (RBAC) and organisational controls. Only authorised personnel who require access to a patient’s GP record for the purpose of direct care will be granted access. Unauthorised use of GP Connect, including accessing records for purposes other than direct care, is prohibited. The only exception to this is for the medical examiner use case, which relates to the investigation of deaths.

Compliance with National Standards

Cadona Care, as an organisation using GP Connect, ensures compliance with the following:

• National Data Sharing Arrangement (NDSA)
• End-User Agreement, outlining our obligations and responsibilities
• NHS England’s Connection Agreement, ensuring compliance with high security and data protection standards
• Supplier Conformance Assessment List (SCAL), demonstrating that the IT systems used by Cadona Care are fully compliant with NHS England’s standards for secure data exchange

Roles and Organisations Involved in GP Connect

As a consumer organisation, Cadona Care accesses GP patient records via GP Connect to support the direct care of our patients. These records are accessed by clinicians and healthcare professionals at Cadona Care, including those providing primary, community, and social care services. GP practices, referred to as Providers, make patient records available for access, while Cadona Care acts as a Consumer, accessing those records to provide care.

GP Connect Products Used at Cadona Care

Cadona Care utilises several GP Connect products to ensure that patient records are available for our clinicians when needed for direct care:

• Access Record: Allows Cadona Care clinicians to access a patient’s GP record, including:
• HTML View: A read-only view of the record.
• Structured View: Access to specific sections of the record, such as medications or allergies.
• Send Document: Enables Cadona Care to send consultation summaries in a document format to the patient’s registered GP practice for inclusion in the patient’s medical record.
• Update Record: Used by Cadona Care’s community pharmacy team to update patient GP records with structured data following consultations.
• Appointment Management: Enables Cadona Care to book appointments directly into patients’ GP practices or other care settings, facilitating seamless patient care.

Legal Basis for Data Sharing

The sharing of patient data through GP Connect is based on the following legal provisions under the UK General Data Protection Regulation (UK GDPR):

• Article 6(1)(e): Necessary for the performance of tasks carried out in the public interest or in the exercise of official authority.
• Article 9(2)(h): Necessary for the purposes of preventive medicine, medical diagnosis, the provision of health or social care, or treatment.

In addition, medical examiners have the legal right to access GP records for deceased patients, overriding confidentiality for the purpose of investigating deaths under the Access to Health Records Act 1990.

Confidentiality and Patient Rights

At Cadona Care, we adhere to the principles of confidentiality and ensure that any patient data shared through GP Connect remains confidential. The following rights apply to patients regarding their data:

• Right to Be Informed: Patients are informed of how their data is processed and shared through GP Connect via our privacy notice.
• Right to Object: Patients have the right to object to the sharing of their GP patient records via GP Connect and can opt out by contacting their GP practice.
• Right of Access: Patients can request information on how their data is being shared, who it is being shared with, and why.
• Right to Rectification: Patients can request corrections to inaccurate data that has been shared.
• Right to Restrict Processing: Patients can request that the processing of their data be stopped while they await the resolution of an objection or correction request.

Opting Out of GP Connect

Patients have the option to opt out of having their GP patient records shared via GP Connect by contacting their GP practice directly. It is important to note that opting out of GP Connect does not apply to the National Data Opt-out, which relates to the use of data for research or planning purposes beyond direct care.

Data Security and Auditing

Cadona Care ensures that all access to patient records via GP Connect is properly logged in an audit trail, both at the GP practice and within Cadona Care. These logs will include details of when and by whom the records were accessed. Cadona Care uses two-factor authentication and role-based access controls to secure access to patient data. Only authorised users are allowed access to sensitive information.

Responsibilities of Cadona Care

As a provider and consumer of GP Connect services, Cadona Care is responsible for:

• Ensuring that patient data is only accessed for direct care purposes and that all staff members comply with this policy.
• Maintaining a privacy notice that clearly informs patients of their rights and how their data is being used via GP Connect.
• Ensuring compliance with the National Data Sharing Arrangement (NDSA), NHS England’s security standards, and data protection regulations.