As part of agreed Collective Action, GPC England is urging GP partnerships and practices across England to act collectively to stay safe and sustainable in the face of the 2026/27 imposed GP contract.
GPC England is recommending that the first action practices take is around reviewing the GP patient data they are expected to share outside the practice, with the wider NHS and other organisations. Writing to your local ICB provides a “housekeeping” opportunity to ensure that the practice is fully up to date and that all active DSAs have all necessary Data Protection Impact Assessments (DPIAs) in place from an information governance perspective to support informed and safe decisions to be made if Collective Action progresses. The letter is to enable you to contact your local ICB Chief Clinical Information Officer (CCIO) requesting a comprehensive review of all DSAs across the system to which the ICB’s constituent NHS general practices are a signatory, including requesting information in writing.
Whilst not mandatory, our DSA audit guidance is intended to support this, should practices wish to use this as an opportunity to review their existing arrangements, demonstrate compliance with the UK GDPR accountability principle, and make sure the right documents are in place to support the practice’s approach to data sharing under data protection law.
Londonwide LMCs has produced this guide to help you:
- identify where your practice’s data sharing information is held,
- check whether each data sharing agreement is clear and justified,
- record whether data sharing is for direct care or secondary purposes, and
- record practice actions.
The guide starts with a quick checklist to help you identify the purpose of the data sharing in each DSA and check relevant data protection and information governance requirements are in place, then you can use the full audit template if more details or follow-up are needed. A downloadable excel workbook containing the quick checklist, the full audit checklist and the audit decision log can be accessed here. A downloadable PDF of the quick checklist, the full audit checklist and the DSA audit decision log can be accessed here.
There is a glossary of data protection terms at the end of the document for ease of reference.
Please note this guidance and checklist does not constitute legal advice and is guidance only. There may be other considerations/processes and documents that you may have to take into account or have in place to fully comply with all the requirements of the UK General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)/Data Protection Act 2018 (DPA 2018) and other data protection legislation.
You should liaise with your Data Protection Officer (DPO) and/or the ICB provided GP DPO and DPO support service, and other parties to the DSA, including taking legal advice where appropriate to ensure that you are compliant with UK GDPR/DPA 2018 and other data protection legislation.