Data Sharing Agreement

Purpose and objectives of the data sharing

  1. Obtain feedback from real time patients, build trust and maintain communication with reviewing patients through reply to ratings & reviews section.
  2. Use KPIs section in the dashboard for the customer to identify the departments or services that need to be improved.
  3. Increase ratings & reviews to customers GP practice to promote the quality of service provided.
  4. Access to digital marketing tools that allows feeding to the search engines to provide data displayed on the results for a patient search online for your GP practice.
  5. Supports to streamline the process of review collection, save time, and reduce administrative cost.
  6. Helps to increase patient engagement by allowing easy access to leave feedback and provide input on their care.
  7. Increases transparency and accountability by publicly shared verified patient experiences.

Data Controllers

Here in this agreement controllers are GP Ratings Ltd and the client/customer, to manage and direct the flow of the data.

Data Processors

GP Ratings Ltd, manage the data to provide services to the customer.

Amazon Web Services to store data in an encrypted format.

Voodoo SMS Services to digitally communicate for flow of information.

Data items to be processed

  • NHS Number
  • Name & Surname of patient
  • Mobile number of patients

Article 6 Condition: Personal Data

Consent: the patient & GP have given clear consent for GP Ratings Ltd to process related personal data for a specific purpose.

Contract: the processing is necessary for a business contract GP Ratings Ltd have with the customer.

Public task: the processing is necessary for GP Ratings platform to perform a task in the public interest.

Article 9 condition: Special categories of personal data

No conditions apply since GP Ratings Ltd do not process of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

GP Ratings platform user rights and preferences

The right to be informed: The patient using the platform will be informed via email or mobile SMS communication when the rating is published online.

The right of access: The patient can view the rating made online by visiting the website.

The right to rectification: The patient may contact GP Ratings Ltd to amend or rectify any rating and comments made and published online.

The right to erasure: The process of erasing a rating is provided to GPs for unverified ratings with no mobile verification process during the rating was made.

The right to restrict processing: The patients have right to review anonymously their GP providers which are not published online and not accessible by public.

The right to data portability: Not Applicable

The right to object: Reviewers tick the check box providing all the rights for publishing the data and sharing the information online therefore the right to object do not apply to the processing.

Rights in relation to automated decision-making profiling: Not Applicable

Please state here how you will manage any complaints raised regarding the proposed data sharing:

The patients may contact GP Ratings Ltd via email [email protected] regarding any concerns and complaints for their rights or preferences.

Does the National Data Opt-out apply to proposed purposes for data sharing?

No, not applicable

Compliance with duty of confidentiality or right to privacy

Consent: The users of the platform have to tick the displayed 'Consent checkbox' which states;

“I accept the terms and conditions.” With a link to the page with full terms and conditions listed at The consent box is not ticked by default at GP Ratings platform to ensure that user is given the consent freely.

Statutory Gateway (for example approval under section 251 of the NHS Act 2006): Not Applicable to the services of GP Ratings Platform.

Is there any interference with Human Rights Article 8?

Not applicable


All communications regarding the privacy notice, user agreement and terms & conditions, GDPR Statement or any announcement not covered by this list will be published online at website.

How will the data sharing be carried out?

GP Ratings Ltd encrypts the data in transit and at rest using keys managed by AWS. GP Ratings Ltd uses hypertext transfer protocol secure to communicate with sub-processors securely. Security of data sharing is under the responsibility of GP Ratings Ltd.

The share of outputs and analysis is accessible via username and password combination for the GPs to ensure the highest security.

No information is being transferred outside the EU by GP Ratings Ltd.

Accuracy of the data being shared

GP Ratings Ltd validates accuracy using 6 digit pin number sent to reviewing patient’s mobile phone to verify the rating process accuracy. Any updates in relation to ratings are informed to all parties via dashboard for the GPs and email for the patients.

Rectification of data that has been shared

GP Ratings Limited verifies the ratings received from patients using the pin number sent to mobile phone of the patient to validate accuracy of the information received. If a rating is not verified using the method of pin code entry then the GP may request further validation of the rating to investigate the accuracy of information.

If the rating is verified and still the accuracy has been claimed to be ambiguous the patient will be asked to prove their GP details via a letter or document to prove their registration for validation of the information provided by the patient.

Retention and disposal requirements for the information to be shared

We retain the information provided by GP or patients to present analytical KPIs to the GP practices and other parties such as CQC or NHS England where we offer the rating analysis free of charge to promote quality of service in the public health and as evidence for investigations carried out. In case of cancellation of membership the ratings of patients are being treated as public information hence never gets disposed neither deleted from the platform.

For all other credentials of users that have rated on the platform via direct invitation of the GP can be returned to the practice upon formal request and the information will be retained on our system for 12 months. At the end of 12 months retention period the credentials of the data (mobile number, email address and NHS number) will be disposed by triggering a delete function in our main database.

Breach management

Data protection breach management of GP Ratings Ltd is a process of continual review. Once the initial incident is contained, the Data Protection Officer of GP Ratings Ltd will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.

The actions taken following a data breach at GP Ratings Ltd:

1: Contain the data breach to prevent any further compromise of personal information.

2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.

3: Notify individuals and the Commissioner if required.

4: Review the incident and consider what actions can be taken to prevent future breaches.

At any time, GP Ratings Ltd will take remedial action, where possible, to limit the impact of the breach on affected individuals. If remedial action is successful in preventing a likely risk of serious harm to individuals, the notification obligations may not apply.

What each organisation will be responsible for the data protection terms of this agreement.

GP Ratings Ltd compliance manager has overall responsibility for this procedure but has delegated day-to-day responsibility for overseeing its implementation to the Data Protection Officer. All relevant members of staff have been made aware of the procedure and have received appropriate training.

All Employees/Staff are responsible for ensuring that any data protection complaints that are made are reported to the Data Protection Officer/Data Protection Team ([email protected]), and for cooperating with the Data Protection Officer in reviewing these complaints.

The Data Protection Officer and the Compliance Manager will review the complaint procedure from time to time (and at least every two years) to ensure that its provisions continue to meet our legal obligations and reflect best practice.

GP Ratings Ltd is responsible for Data Protection Impact Assessments that needs to be carried out to support the following: 

  • anticipate and address likely impacts of the software service and systems used by GP Ratings Platform.
  • identify privacy risks to patients and individuals using the platform.
  • foresee problems and negotiate solutions.
  • protect the reputation of GP Ratings platform and all users.



Information Governance (IG): Compliance Manager of GP Ratings Ltd

Caldicott Guardian: GP Practice (Customer)

Last Update: 11/05/2023 13:05