Data security
It depends on what has been discussed and agreed locally with the GP practice, which acts as the data controller.
There is a template in the NHSX guidance for the data sharing agreement (DSA) and the data protection impact assessment (DPIA). Both have been signed off by the NHSX Information Governance (IG) team for local use and adaptation.
DPIAs for direct care need to be completed locally.
- D1 Template – GDPR data sharing agreement template for care homes/practice
- D1a Template – Data protection impact assessment template
Yes, this is recommended best practice. Before proxy access can be set up, care homes must have an NHSmail account or a secure email system that meets NHS standards.
To get an NHSmail account (which is recommended) you first need to complete the DSPT assessment. There is a guide to getting a secure email service that you can download.
Care home managers sign a proxy access request form which includes a statement to say they have verified the identity of the staff member concerned. If a GP practice has any concerns about an individual’s identity, they can follow their usual ID verification procedures. Most practices will accept the care home manager’s confirmation.
Yes. Residents need to agree to proxy access to the online system and sign a form, which should be filed in their GP clinical record.
- D3 Template – care home – letter to residents
- D4 Template – care home – resident information leaflet
- D5 Form – care home – resident consent form
Yes, any further sharing of information needs a review of the data sharing agreement and written consent from the resident. It must be discussed and agreed locally between the resident/patient, the GP practice, and the care home.
The templates provided can be adapted for local use.
- D1 Template – GDPR data sharing agreement template for care homes/practice
- D1a Template – Data protection impact assessment template
- D5 Form – care home – resident consent form
Risks from a resident perspective are around information in their GP record being seen by a non-authorised person or being shared or used inappropriately (i.e. not for their direct care). The same risks apply to paper-based records. Online records track access and use with an automatic audit trail, and all staff have signed to say they will keep the information they access secure and confidential. There are procedures in place to deal with anyone who does not keep patient information safe or uses it in an inappropriate way.