Data Sharing Agreement for the National Record Locator

Updated April 2026

Release notes

The current version of the DSA for the NRL is dated April 2026. The previous version was dated May 2025. The current version includes the following changes:

| Type of change | Change | Reason | Page no. |
|---|---|---|---|
| Addition | Item 2, ‘Purpose of this Agreement’: Explanation about Annex 3 | Introduces Annex 3 | 3 |
| Amendment | Item 5, ‘How the NRL Works’ | ‘In Context’, a new way to access patient information via the NRL for Connected Care Records. How Providers can raise concerns about access with a Consumer organisation. Minor text amendments for more clarity. | 7 |
| Addition | Item 6, ‘Obligations of the parties in relation to shared personal data’ | Obligation ‘l’ – to notify relevant Consumer with any concerns about access by their staff. | 11 |
| | | What data may be disclosed about staff who are not employees of the organisation, in response to a subject access request. | 11 |
| Addition | Annex 1 | How patient information may be shared with other organisations (such as the police) through regional joint care pathways. | 18 |
| Addition | Annex 3: NRL Acceptable Use Policy | This can be utilised for the Connected Care Record (ConCr) to help staff understand their organisation’s accountability obligations and their own responsibilities for information security. | |

If you have any queries about the NRL or how data is shared via the NRL, email [email protected].


1. Background

The National Record Locator (NRL) is one of a number of services that was set up under the NHS Digital Establishment of Systems: Digital Interoperability Platform (DIP) Directions 2019. The purpose of the DIP was to 'develop and operate such IT applications, IT infrastructure and IT systems as are necessary to deliver the digital interoperability platform'. The Secretary of State considered (in accordance with Section 254(2)(b) of the Health and Social Care Act 2012) that it was 'in the interests of the health service in England or of the recipients or providers of adult social care in England' that these Directions be given. Since NHS Digital has merged with NHS England, all services set up under this Direction are now managed by NHS England.

The aim of the NRL is to enable relevant patient information (as defined by the Controller Catalogue) to be accessed by health and social care organisations and shared for the Agreed Purpose (as set out below).

The NRL is a national index of pointers to the location of Patient Records of patients who live in England and/or who are registered with a GP in England. Providers that hold a relevant Patient Record will create a Pointer to the record, which can then be accessed by Consumers for the Agreed Purpose.

The NRL is an evolving service. Annex 1 (NRL Providers and Consumers) lists the types of Providers and Consumer organisations who currently share information through the NRL, and Annex 2 (Information Available on the NRL) lists the types of documents and information currently available on the NRL. Additional Users and Types of Patient Records may be added to Annexes 1 and 2 in accordance with the Change Control Process. Parties should visit the National Record Locator website to view the current NRL Technical Specification and latest versions of the Annexes.


2. Purpose of this agreement

This Agreement sets out the purposes, the processes, and the lawful bases upon which Personal Data may be processed through the NRL.

The terms set out in this Agreement apply to all parties to this Agreement and to organisations where another responsible body (such as an Integrated Care Board or another NHS body who hosts the Connected Care Record) has accepted the Data Sharing Agreement on behalf of the providers in their region.

For Connected Care Records, this Agreement may be supplemented by the NRL Acceptable Use Policy (AUP) at Annex 3. Host bodies for the Connected Care Record and their end user organisations may optionally utilise this AUP, adapting it as required, to help care providers in their region and their staff understand their responsibilities for information security.


3. Parties to this agreement

The Parties to this Agreement are Users of the NRL. 

Providers are Controllers of the Patient Record which they share through the NRL. Consumers become Controllers for any Shared Personal Data which they receive via the NRL and which is incorporated into their care record system(s).

NHS England is not party to this Agreement as a User, however it is understood by the Parties that NHS England has been directed under the Digital Operability Platform Directions 2019 to establish and operate the NRL, and it is acknowledged by the Parties that NHS England has certain rights in relation to the NRL, as set out in the NRL Technical Specification and this Agreement, including (but not limited to) clauses 6c (Audit), 8 (Termination), 9 (Enforcement) and 10 (Variation) of this Agreement.

Notwithstanding the above, the Parties acknowledge that NHS England is responsible for the secure operation and functionality of the NRL, including management and maintenance of the register of Pointers, the security of the content of the messages traversed on the NRL service and collection of audit data about the message transactions for operational support purposes. The content of the messages is not collected or stored by NHS England.


4. Definitions

Agreed Purposes means the sharing of Personal Data by a Provider to a Consumer for the purposes of enabling the Consumer to view appropriate Patient Record(s) where it is deemed by the Consumer to be 'in the interests of health service in England or of the recipients or providers of adult social care in England' (as defined by the DIP) and within the scope of the NRL Technical Specification.

Change Control Process means the process set out in the NRL Technical Specification and which includes:

  1. consultation with the relevant health and social care professionals to ensure access to the proposed Patient Record is necessary for the Agreed Purpose; and
  2. agreement and approval by the Interoperability Working Group (IWG) or any group, board or committee (within NHS England) with equivalent responsibility, that the Patient Record falls within scope of the Digital Interoperability Platform Directions 2019 and NRL Technical Specification.

Consumer means a health and care organisation set out at Annex 1, who accesses the Shared Personal Data through the NRL, and which has been approved and assured for access by NHS England as having demonstrated that such access is lawful and necessary for the Agreed Purpose.

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, Special Categories of Personal Data shall have the meanings as set out in Data Protection Legislation;

Controller Catalogue means the database which identifies which organisations are approved as Providers, the Type of Patient Records to which the Provider’s Pointers relate, and which Consuming organisations are approved to view information contained within the Pointers; 

Direct Care means 'A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.'1

Data Protection Legislation means (i) the UK GDPR, (ii) the Data Protection Act 2018, and (iii) any other laws and regulations which may apply to the Processing of Personal Data;

Law means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, byelaw, enforceable right within the meaning of, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements in force in England and Wales with which the Parties are bound to comply;

NRL Technical Specification means the current NRL Technical Specification; 

Patient Record means the types of records as set out in Annex 2, (as may be updated in accordance with the Change Control Process);

Provider means a health and care organisation set out in Annex 1 who publishes a 'Pointer' on the NRL and which has been approved by NHS England as having Personal Data relevant to the Agreed Purpose and that the sharing of such data is lawful and necessary for the Agreed Purpose.

Pointer means the pointer that is published by a Provider on the NRL that identifies the existence and location of a Patient Record within a specified Type;

Shared Personal Data means the Patient Record which has been made accessible by the 'Pointer', in line with the Agreed Purpose;

Type means the type of document or information available to a Consumer via the NRL Pointer, for example Mental Health Crisis Plan.

UK GDPR means Regulation (EU) 2016/679 (General Data Protection Regulation) as transposed into the national law of the United Kingdom by operation of section 3 of the European Union (Withdrawal) Act 2018, as modified by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and as may be further modified from time to time;

User means either a Provider or Consumer depending on the capacity in which they are acting. A User can be both a Provider and a Consumer if they both publish Pointers and access Shared Personal Data through Pointers published by other Users.

1 National Caldicott Guardian for Health and Care: Review of Data Security, Consent and Opt-outs - GOV.UK (www.gov.uk) 2016


5. How the NRL works

NRL Pointers can point to documents, structured records, or an ‘in-context’ launch. An in-context launch allows a clinician to access a patient’s record in a separate but linked IT system (a Connected Care Record) with a single click from the Provider’s own EPR.

The Provider will publish ‘Pointers’ on the NRL via their Electronic Patient Record (EPR). The Pointer confirms that a Patient Record is available and what Pointer types are available to the Consumer.

The Pointer includes a URL, either to directly access the information (in-context) or to retrieve the information via the NHS England provisioned proxy authentication service.

Some Providers choose to upload their organisation’s contact details as well, or sometimes only the organisation’s contact details.

  1. A Consumer can request access to a Patient Record that is available within the NRL pointer types that it is authorised to access, by clicking on the retrieval URL. The request to the Provider will include the Consumer’s ODS code and, in the case of in-context, the user's role, but does not identify the member of staff making the request.
  2. For documents and structured records, the requested information is then collated by the Provider’s EPR and sent via the NHSE proxy authentication service to the Consumer. As explained above, in-context launches do not go via the proxy.

Consumers can request information from the NRL either via their EPR's/Connected Care record's direct integration with the NRL or through the National Care Records Service (NCRS).

Consumers who are not also Providers can only access the NRL via NCRS.

If a Provider has any concerns about who from a Consumer organisation has accessed their records, they should make contact with the Consumer organisation via their ODS code, providing the patient NHS Number, the date and time of access and (in the case of in-context) the staff RBAC role.


6. Obligations of the parties in relation to shared personal data

Each Provider and Consumer shall Process Personal Data through the NRL as an independent Controller and shall comply with the applicable Data Protection Legislation. For the avoidance of doubt, no Party acts as a Processor on behalf of any other Party.

Each Party shall Process the Personal Data only as set out in this Agreement and in accordance with the Agreed Purposes only.

Each Party acknowledges that: 

  1. when acting as a Provider they are confirming that organisations acting as Consumers may access the Shared Personal Data upon request, subject to the terms of this Agreement and as per the Controller Catalogue;
  2. when acting as a Consumer, they are requesting access to the Shared Personal Data to help make informed decisions about a patient’s care and wellbeing at the point of care, and (where relevant) to prioritise available resources most effectively at that time, to the extent such prioritisation is required for the provision of Direct Care to the patient whose Personal Data is being Processed;
  3. they may be subject to audits from NHS England to ensure that they are meeting their obligations under this Agreement; 
  4. their privacy notice(s) and/or other relevant communication materials must explain what Personal Data is Processed through the NRL, when and who it may be shared with and why, and how Data Subjects may object to their information being shared through the NRL; 
  5. they must have appropriate role-based access controls in place to ensure staff members (or classes of staff members) access the Shared Personal Data appropriately;
  6. it shall be responsible for its own compliance with Articles 12, 13 and 14 (“Transparency”) of the UK GDPR. 
  7. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, each Party shall, with respect to its processing of personal data as Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the UK GDPR.
  8. it must ensure that staff who have access to the Shared Personal Data have undergone training in the Data Protection Legislation and confidentiality, in line with each Controller's mandatory training programme;
  9. it has a current NHS Data Security & Protection (DSPT) submission at ‘Standards Met’ or at ‘Approaching Standards’ with an NHS England validated improvement plan. 
  10. it shall provide reasonable assistance to another Party to this Agreement or to NHS England regarding any communications from the ICO, or other regulatory or competent authority concerning compliance with Data Protection Legislation;
  11. it shall maintain a record of its Processing activities in accordance with Data Protection Legislation and shall provide evidence to the other Party upon reasonable request; 
  12. any actions requested by a Data Subject in relation to information rights (including access to their records), will be dealt with by the receiving organisation in accordance with their processes for handling subject access requests. 
  13. it shall promptly notify the other Party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other Party for the Agreed Purposes and shall: 
    1. do all such things as reasonably necessary to assist the other Party in mitigating the effects of the Personal Data Breach; 
    2. implement any measures necessary to restore the security of any compromised Personal Data; 
    3. work with the other Party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and
    4. not do anything which may damage the reputation of the other Party or that Party’s relationship with the relevant Data Subjects, save as required by Law.
  14. it can demonstrate compliance with its obligations under this Agreement; 

6.1. Additional obligations on the part of the Providers

In addition to the obligations listed above, Providers shall:

  1. ensure that, where relevant, any electronic patient record (EPR) suppliers (acting as their data processors) have successfully completed NHS England’s live service onboarding process for NRL and accepted the conditions upon which they may connect to the NRL;
  2. take reasonable steps to ensure that Shared Personal Data is accurate and up to date at the point of sharing.
  3. populate the data contained in the Pointer using the template provided by NHS England;
  4. provide a link on the Pointer to allow Consumers to retrieve the record, or a link to up-to-date contact details, or both;
  5. ensure accuracy of the Pointer, i.e., that it refers to the correct patient and that the Patient Record contains the correct information;
  6. validate the patient’s NHS number on the Personal Demographics Service (PDS) and maintain the Pointer to reflect any changes to a patient’s PDS data;
  7. maintain the Pointer to reflect any changes to the Patient Record that the Pointer refers to;
  8. audit Pointer publication (including any subsequent amendments or deletions); 
  9. ensure the Personal Data made accessible is limited only to the Types as agreed by NHS England (as detailed in the Controller Catalogue) and which is necessary for the Agreed Purposes;
  10. remove the Pointer where an objection to the Processing has been received from the Data Subject (or their authorised representative) and the objection has been upheld by their clinician or designated care worker;
  11. remove the Pointer upon receipt of a death notification for a patient;
  12. notify the relevant Consumer organisation if it has any concerns about access to a patient record through the NRL.*

*The Provider should supply to the Consumer (employing organisation) the relevant patient NHS Number(s), staff CIS2 UUID and RBAC, date(s) and time(s) of access, and reasons for their concern. The Consumer will then investigate the concerns raised and report back to the Provider. The Provider should not attempt to identify the member of staff or initiate any investigation. Identification of staff by non-employing organisations will be deemed a breach of use of the NRL.

Connected Care Records may have a regional arrangement for disclosure of staff details from organisations within their Connected Care Record. You should ensure that your staff are aware of what details about them may be disclosed and under what circumstances.

Note

Providers should not disclose data about an individual member of staff from another Consumer in response to a subject access request - do not disclose the CIS2 UUID or staff name. The Consumer organisation name (according to the ODS code) and staff RBAC may be disclosed and/or the applicant may be referred to the Consumer organisation as part of the Provider’s response.

6.2. Additional obligations on the part of Consumers

In addition to the obligations listed above, Consumers shall:

  1. use information obtained from the NRL only for the Agreed Purpose and not for any other purpose(s); 
  2. inform the Provider in a timely manner if they become aware that Shared Personal Data is inaccurate or incomplete
  3. ensure that they have a legal basis for processing if they onward share patient identifiable information from the NRL. Any information passed on must be relevant and proportionate to the agreed purpose
  4. not retain the Shared Personal Data for longer than is necessary for the Agreed Purpose unless, as part of Direct Care, the Shared Personal Data is added to the Consumer’s own care records.

7. Confidentiality obligations

a. The Parties recognise that information shared under this Agreement is by its nature subject to a duty of confidentiality and has been provided in circumstances where it is expected that a duty of confidence applies.

b. For the purposes of this Agreement 'Confidential Information' refers to:

  1. Personal Data including Special Category Personal Data (as defined in the UK GDPR)
  2. Confidential Patient Data (as defined by the NHS Act 2006)

c. Subject to clause 7d, the Consumer agrees: 

  1. not to disclose Confidential Information to any third party or to use it to the detriment of the Provider or the patient
  2. to maintain the confidentiality of the Confidential Information
  3. to not access, or attempt to access, Confidential Information except under the Agreed Purposes

d. The Consumer may disclose Confidential Information: 

  1. to comply with the Law;
  2. to their staff, who will be under a duty of confidentiality
  3. to NHS Bodies for the purposes of carrying out their duties
  4. as permitted or required for any NHS Counter-Fraud or Security Management processes

8. Termination of this agreement

a. A Party may withdraw from this Agreement by terminating its access to the NRL.

b. The Parties agree that NHS England may issue written notice to terminate a Party’s access to the NRL if the Party commits a material breach of the Data Protection Legislation or the terms of this Agreement. For the avoidance of doubt, NHS England has the right to terminate access with immediate effect.

c. Any data protection or confidentiality obligation imposed on a Party under this Agreement will survive any termination or expiration of this Agreement.


9. Role of NHS England and enforcement

a. The Parties acknowledge and understand that NHS England has been directed under the Digital Operability Platform Directions 2019 to establish and operate the NRL.

b. Each Party to this Agreement grants NHS England the right to enforce any of its rights under this Agreement against any other Party, which may include NHS England revoking a Party’s access to the NRL. For the avoidance of doubt, this right is granted in addition to the rights a Party has to enforce its own rights under this Agreement against another Party, and the grant of such right to NHS England does not affect such Party’s rights or ability to pursue any action independently of NHS England (recognising that only NHS England has the technical means to revoke a Party’s access to the NRL).


10. Variation of this agreement

a. The parties acknowledge that this Agreement may be updated only by NHS England.

b. Any change to the terms of this Agreement will be notified to the Parties, which may be by email and/or by written notification on NHS England’s website. Continued use of the NRL by a Party shall constitute that Party’s acceptance of the terms of such revised Data Sharing Agreement.


11. Third party rights

Except where expressly stated otherwise in relation to NHS England, this Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.


12. Governing law

This Agreement and any dispute or claim arising out of or in connection with this Agreement, or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.


Schedule 1 - Data sharing

Description Details
Personal Data Processed

See Annex 2 for the current list of information available on the NRL.

Categories of Data Subject

Patients and service users of health and social care services.

Clinicians and other professionals involved in a patient or service user’s care and wellbeing.

UK GDPR/DPA 2018 lawful bases for processing

Personal Data is processed by Providers and Consumers under the following lawful bases:

  • Article 6(1)(e) - Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Article 6(2)(g) – Reasons of substantial Public Interest (with a basis in law) and with Conditions 11 and 18 under Schedule 1 of the Data Protection Act 2018 and/or;
  • Article 9(2)(h) – Health or social care (with a basis in law) - Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Independent and voluntary Providers share and receive Personal Data subject to an appropriate lawful basis having been established and documented in their privacy notice(s).

Schedule 1 of the Data Protection Act 2018

Common Law Duty of Confidentiality

The Common Law Duty of Confidence is met because the processing of personal confidential information is for the purpose of Direct Care. Information may be further shared where the disclosure is necessary to safeguard the individual or others, or for another purpose where it is necessary to do so in the public interest.

Duration of the Processing

Processing will continue until a Party withdraws from the Agreement or the Agreement is otherwise terminated by NHS England.

In accordance with clause 6.2, Personal Data must not be retained except for instances where Shared Personal Data has been used to update the Consumer’s patient medical record for the purposes of Direct Care.

Information Asset Owner

Clinical Data Sharing Lead, Platforms/Clinical Pillar

Transformation Directorate

NHS England


Annex 1: NRL Providers and Consumers (April 2026)

Description Details
Providers

NHS England has approved the following types of organisations as Providers:

  • Mental health trusts
  • Care homes
  • Ambulance trusts
  • General practices
  • Acute trusts (includes maternity services)
  • Hospices
  • Integrated care systems (ICS)/regional Providers - Connected Care Record

The organisations approved by NHS England as NRL Providers and the type(s) of information they share through the NRL can be viewed on the NRL Controller Catalogue.

Consumers

NHS England has approved the following types of organisations as Consumers:

  • Ambulance trusts (includes air ambulance services)
  • 111 services
  • Mental health trusts*
  • Acute trusts (includes emergency departments and maternity services)
  • General practices
  • Integrated care systems (ICS)/regional Providers - Connected Care Record

*This may include partnership arrangements (such as care pathways) between mental health care providers and police bodies to enable information to be shared by the provider with the police body to support police duties of care to individuals and the public.

The organisations approved by NHS England as NRL Consumers and what types of information they can access through the NRL can be viewed on the Controller Catalogue.


Annex 2: Information available on the NRL (the patient record)

April 2026

Information permitted to share on the NRL (where the document type exists for the patient) is as follows:

  • Care plans*
  • NEWS2 Report – National Early Warning Scores
  • Connected Care Record
  • International Patient Summary

* Care plans:

  • mental health crisis plan
  • end of life plans
  • emergency health care plan
  • ReSPECT forms
  • advance care plans
  • treatment escalation plans 
  • personalised care and support plans
  • contingency plans 

The Pointer is limited to:

  • patient NHS Number
  • ODS code for the Holder
  • the name of the care setting
  • what type of information is held
  • a URL to contact details for the Holder (optional)
  • a URL to retrieve the information (this is a spine secure proxy for the patient record)
  • a location for the record which allows the information to be retrieved via a link or up to date contact details

For details about what organisations can access what record types, see the NRL Controller Catalogue

Access by Consumers is currently view only. Once the Consumer closes the PDF, the Shared Personal Data is no longer accessible to them and if still required must be requested again through the same process.

For queries, email [email protected].


Annex 3: NRL Acceptable Use Policy

1. About the NRL

The National Record Locator (NRL) is a service that was set up under the NHS Digital Establishment of Systems: Digital Interoperability Platform (DIP) Directions 2019. The NRL is an Application Programme Interface (API). An API enables different systems to integrate with each other remotely.

The NRL is a national index of pointers to the location of health records for patients who live in England and/or who are registered with a GP in England. Providers that hold a patient record which they feel would be beneficial to share with other providers will create a Pointer to the record, which can then be accessed by other providers who are involved in the patient’s direct care.

Organisations who publish pointers on the NRL are called ‘Providers’ and organisations who access patient records via the Pointers are called ‘Consumers’. Your organisation may be a Provider or a Consumer or both. Providers and Consumers together are referred to as ‘End user organisations’.

The primary purpose of the NRL is to enable Consumers to make informed decisions about an individual patient’s care and wellbeing at the point of care. NHSE recognises that resources may need to be prioritised according to immediate patient need, for example, in urgent and emergency care. The NRL may be utilised for such prioritisation to the extent that this is necessary for the Consumer’s overall responsibility for the delivery of direct care.

There are different ways to access the NRL, one of which is via the Connected Care Record (ConCR).

2. Who is this acceptable use policy for?

This Acceptable Use Policy (AUP) is for End user organisations who access the National Record Locator (NRL) via their Connected Care Record (ConCR), their organisational Electronic Patient Record (EPR) or the National Care Records Service (NCRS).

We recommend that Integrated Care Boards (ICBs) or other ConCR host bodies make this AUP available to their end user organisations and that end user organisations share it with their clinical staff who use the NRL, so they are aware of their organisation’s obligations. You may adapt this AUP as needed. End user organisations may wish to add clinical related guidance in relation to the NRL to this AUP.

Larger providers who onboard to the NRL directly with NHS England are required to accept the NRL Data Sharing Agreement (DSA) and cascade key requirements from the DSA to their staff. These larger providers may utilise this AUP (adapted as required) as another way to disseminate NRL information governance requirements to their staff.

3. Controllership

End user organisations who share patient identifiable information via the NRL, either as a ‘Provider’ or ‘Consumer’ are data controllers for the purposes of direct care.

Under the DIP Directions 2019, NHSE is the data controller for NRL system management purposes.

ConCR IT system suppliers are assumed to be data processors accountable to the data controller(s) and/or the NHS body who has overall responsibility for the ConCR IT system contract with the supplier.

Data controllers should ensure they have a valid legal basis for processing and that this is documented in their Privacy Notice(s). Data controllers are responsible for their own compliance with Articles 12, 13 and 14 of the UK GDPR.

4. Your obligations as an end user organisation

  1. You have appropriate role-based access controls in place to ensure your staff access the NRL only as necessary to fulfil their role.
  2. Your privacy notice(s) and/or other relevant patient communication materials explain what personal data may be shared through the NRL, when and who it may be shared with and why, and how patients may object to their information being shared via the NRL.
  3. You should inform your staff how their data may be shared via the NRL and who may access their information. You should not disclose any identifiable information (including the CIS2 UUID) about staff employed by another organisation (except if your Connected Care Record has an arrangement between partner organisations, for example, if you share a Registration Authority service).
  4. You have technical and organisational controls in place to protect the information and systems you use to access the NRL and that are appropriate to the assessed risk(s), as described under Article 32 of the UK GDPR.
  5. You have a current NHS Data Security and Protection (DSPT) submission at ‘Standards Met’ or at ‘Approaching Standards’ with an NHS England validated improvement plan.
  6. Your staff who have access to the NRL have received appropriate level training in privacy legislation, including the UK GDPR/Data Protection Act 2018, and understand their duty of confidentiality to patients.
  7. Subject access requests are handled by the receiving organisation. However, where the request requires identification of staff working for a different Consumer (for example, accessing the NRL under a different organisation’s ODS code), only the member of staff’s RBAC and organisational ODS code should be disclosed. For any other data, the applicant should be referred to the relevant Consumer organisation for this aspect of their request (except where a Connected Care Record has an arrangement between partner organisations as at iii) above).
  8. Incidents - you must promptly notify the relevant Provider upon becoming aware of any incident relating to personal data provided by them via the NRL and provide reasonable assistance to the Provider in mitigating the effects of any personal data breach, including providing information as necessary for statutory reporting purposes.


Last edited: 12 May 2026 1:22 pm