Data security

It depends on what has been discussed and agreed locally with the GP practice, which acts as the data controller.

There is a template in the NHSX guidance for the data sharing agreement (DSA) and the data protection impact assessment (DPIA). Both have been signed off by the NHSX Information Governance (IG) team for local use and adaptation.

DPIAs for direct care need to be completed locally.



Yes, this is recommended best practice.  Before proxy access can be set up, care homes must have an NHSmail account or a secure email system that meets NHS standards.

To get an NHSmail account (which is recommended) you first need to complete the DSPT assessment. There is a guide to getting a secure email service that you can download.

Care home managers sign a proxy access request form which includes a statement to say they have verified the identity of the staff member concerned.  If a GP practice has any concerns about an individual’s identity, they can follow their usual ID verification procedures.  Most practices will accept the care home manager’s confirmation.


Yes, any further sharing of information needs a review of the data sharing agreement and written consent from the resident. It must be discussed and agreed locally between the resident/patient, the GP practice, and the care home.

The templates provided can be adapted for local use.



From a resident's perspective, the risks are that information in their GP record is seen by a non-authorised person, or is shared or used inappropriately (i.e. not for their direct care). The same risks apply to paper-based records. Online records track access and use with an automatic audit trail, and all staff have signed to say they will keep the information they access secure and confidential. There are procedures in place to deal with anyone who does not keep patient information safe or who uses it in an inappropriate way.