GP Access Ltd


Online consultations (also known as econsultations or econsults) enable patients to seek help online and from their GP practice more easily, and the practice to respond more efficiently. Changing channel brings convenience for patients, and a reduction in workload for GPs which in turn cuts the wait for patients.


  • Patients can seek help at any time on any device
  • Searching on any medical problem, patients get NHS self help
  • Any patient, parent or carer can seek help, any problem
  • Information is sent securely from patient to GP via N3
  • GP practice staff operate their own secure portal within N3
  • Reception staff identify the patient and assign to a clinician
  • The GP decides how to help each patient.
  • Full two way secure messaging, telephone, appointment as needed.
  • Feedback is collected from both patients and staff
  • Performance is measured automatically and reported to users


  • Patients get help faster (80% same day), can choose GP
  • No need for patients to wait for an answered telephone
  • Clinically useful information is gathered from the patient before consultation
  • Reception staff have better information to act as care navigators
  • Data from 70,000 episodes show 60-70% are completed remotely
  • GPs see patients only as needed, typically saving 3 minutes
  • Patient demands can be routed appropriately to the right clinician
  • DNAs (Did Not Attends) drop by 80%
  • The whole primary care team is involved in change
  • The burden of overwork is lifted from GPs


£0.25 to £1.90 per person per year

Service documents

G-Cloud 9


GP Access Ltd

Harry Longman

01509 816293

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Patients can access on any internet connected device.
GP practice staff can access the portal only on a secure NHS compliant network (N3)
System requirements
  • Must have access to N3 network
  • Require standard internet browser devices.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Typical email response is within 60 minutes in working hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Usually remote training is adequate. We can run training on site or for maximum benefit a 12 week intervention with intensive support.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide comprehensive training for users through a person to person online meeting (our trainer and each practice administrator), coupled with video training for all users to undertake in their own time.
We remotely configure links for patients to access help from their own GP practice and set these up on the practice website, if they wish.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction There is no need to extract data at the end of contract, as all data is transferred from the system to the customer in the normal course of business, day by day. If any remains, it is transferred by the normal route (portal in the GP practice) after the patient facing service is removed, within a 30 day period (or less if completed)
End-of-contract process No extra charges apply: the practice is informed in writing that the contract ends with 28 days notice. On the end date, the askmyGP link in the practice website becomes inactive and a notice informs patients that the service is inactive. The GP practice then removes the link from the website and no longer needs to access the portal. 30 days after contract end the portal becomes inactive.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Patients may use a mobile device (52% do so), tablet or PC.
GP practice staff would normally use a PC. There is no restriction on using smaller devices, if they have the correct network security, but this is not usually advised.
Accessibility standards None or don’t know
Description of accessibility Interaction is text based, and designed to be responsive on all platforms. Data shows that 52% of usage is from smartphones, 39% from PCs and 9% from tablets.
Accessibility testing Formal testing has been with standard devices.
Customisation available Yes
Description of customisation The GP practice can customise the questions asked to patients. They can set messages and hours of operation specific to the practice. They list clinicians at the practice, and can indicate in real time whether each one is available or not, to allow patients to choose if they wish. Customisation would normally be done by an admin person.


Independence of resources Our hosting providers offer scalable options so we purchase capacity in line with user volumes. Note that scaling is around peak hour usage (8-9am, Mondays), not average usage.


Service usage metrics Yes
Metrics types Patient demand, runcharts by month/day/week.

Hourly demand pattern

User demographics by age/sex

Clinical symptoms entered, histogram

Patient feedback analysis

Staff feedback analysis
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Each time a patient uses the askmyGP service, an episode is created. The data concerning the episode is copied into the practice clinical system every time, so that data export in bulk is not required.
Data export formats CSV
Data import formats Other
Other data import formats Text, all that is needed as input by the patient.

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Private network or public sector network
Data protection within supplier network Other
Other protection within supplier network All communications and data storage are within N3.

Availability and resilience

Availability and resilience
Guaranteed availability The service level guarantee is 99.99%. Users are refunded pro rata for any full day when service is unavailable through the supplier's fault. This has never been necessary.
Approach to resilience Our hosting is with an industry leading N3 supplier (Xicon Ltd).
More details are available on request.
Outage reporting Email alerts report any outage of more than 2 hours.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels Users must create a login and password (validated 8 char minimum, lowercase, uppercase and numeric).
Access is controlled to be within N3.
Access restriction testing frequency At least once a year
Management access authentication
  • Limited access network (for example PSN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • NHS IG Toolkit
  • ISB 0129 Clinical Systems Development

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards Other
Other security governance standards NHS IG Toolkit, organisation code 8JH09, completed and satisfactory.
Information security policies and processes The IG Lead Connie Lord reports directly to Chief Executive Harry Longman and ensures that the policies listed below are complete, up to date, accessible via the private website pages to all staff, and that new staff are trained in their application.

GP Access Information Security Policy
GP Access IG and You Guideline
GP Access – Mobile Computing and Teleworking Policy & Guideline
GP Access Incident Management
GP Access – IG Improvement Plan
GP Access Network Security Policy
GP Access data flow mapping plan
GP Access Data Flow Mapping Report
GP Access Managing change which involves personal data – Procedure
GP Access Confidentiality Monitoring and Audit Procedure
GP access PIA Procedure

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Our software is designed and managed in accordance with ISB 0129 for the safety of clinical systems. The process is managed by Dr Adrian Stavert Dobson our Clinical Safety Officer. He wrote the Hazard Register and Safety Case and involves the management and development teams, along with feedback from users, in actively maintaining these documents and processess.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our lead developer John Beasley runs the Acunetix vulnerability test suite on all new versions of the askmyGP software and has managed all risks to below Critical and Major levels.
Any change in threat level we address immediately, normally same day, and as the software is hosted it can be simply updated in one instance after regression testing the new version.
In addition to Acunetix, we solicit feedback directly from users with a simple webform, submissions from which are emailed to the lead developer, CSO and Chief Executive.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Every authorised user has an admin webpage with a feedback form. This can be sent at any time, highlighting a problem (or suggestion) and is normally responded to within 60 minutes during working hours. A telephone number is also provided, operating office hours with an alert process to the operations manager and chief executive.
Escalation can be carried out within 60 minutes to the hosting provider if necessary. In addition, daily reporting highlights unusual conditions.
Incident management type Supplier-defined controls
Incident management approach Users can report from their admin page via online form or phone. Within 60 minutes a test is run to verify the problem, and appropriate action is then taken to alert that part of the system which has failed.
Where the loss is practice access to the system, as soon as possible and within 60 minutes at most tests are run to establish the cause, and then if necessary an email alert is sent to all users if it cannot be fixed within 2 hours. Reports are recorded and documented within 48 hours.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks New NHS Network (N3)


Price £0.25 to £1.90 per person per year
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑