Month: August 2019

Notification of Emis cloud services – No. 16

Notification of Emis cloud services – No. 16

From 10 June 2019 EMIS Web started migrating practice patient data storage to Amazon Web Services (AWS).

Because this is a significant change to the way patient data is processed, in order to be compliant with GDPR, practices as ‘Data Controllers’ need to:

  • inform their patient through their usual methods of communication (for example their privacy notice)
  • carry out a Data Protection Impact Assessment (DPIA)
  • update their record of processing activities (ROPA) .


Updated  Detailed Privacy Notice

The latest version of the detailed Fair Processing Notice has been updated to cover the required communications and can be uploaded from here and should be pointed to from your practice website:

Updated FPN: privacy-notice-v110-1 (this also contains an update to the NWL DPO Service contact details which information should be in use by all practices whether EMIS or TPP)


Example DPIA

EMIS have provided an example DPIA which practices can download and use:

Sample DPIA: Data-Protection-Impact-Assessment-AWS-GP-perspective

The NWL DPO support offers an advisory service and does not have the resources to complete impact assessments on behalf of primary care. There is no central repository where a single form can be completed on behalf of 370 primary care data controllers. It is the responsibility for each data controller to keep their own records, relevant to the type of data and sharing in which they engage and for their individual organisation to be accountable in their own right and to be able to demonstrate GDPR compliance through their DSPT returns.  The DPO may however may recommend a Data Protection Impact Assessment (DPIA), support the process of practices completing it and approve the contents.

This sample DPIA provided by EMIS should be fairly straight forward and can be completed by filling in your practice details and the relevant entries in sections 5, 6 and 7. We recommend using the suggested entries already in place in sections 5 and 6. Where this is the case in section 6 and 7 the NWL CCGs DPO Service has approved both the recommended measures and the identified residual risks and agrees that processing may proceed.  The Caldicot Guardian or a signatory representing the practice’s data controllers should either accept (recommended) or overrule the DPO advice. There is no further consultation response required and the DPIA would be reviewed as part of routine practice process in your annual DSPT returns. See below:
 Practices should keep a copy of the completed DPIA with their practice’s data protection documentation/records.

Records Of Processing Activity

EMIS practices will need to also update their Records Of Processing Activity (ROPA) as described in GDPR Blog 6

If you have any questions please send them to