Author: Hannah Greenwood

DSPT Support 2019-2020 – No. 17

DSPT Support 2019-2020 – No. 17


Working with Practice Managers, NWL Primary Care Teams, The NWL IG team and the DPO, this page and the documents in it have been put together to help you complete the Data Security and Protection Toolkit (DSPT) by the 31st March 2020.

To avoid a plethora of DSPT support pages we plan to present all the required information on this page. If there is new advice or additional documentation it will be added here.

There are TWO MAIN documents which will help you through your submission.

1) Data-Security-Policy-2019-2020

The various sections in DSPT ask for information which will include policies, protocols, guidelines or procedures across a range of different topics. We have used the Data Security Policy from last year to be the overarching document in your practice, where you can edit this for your practice if required. This has not changed from last year.

2) DSPT-Overview-2020-V4 

We have put together an overview document which includes all of the questions within the DSPT and also highlighted in yellow which sections have changed slightly from last year. This contains comments and guidance related to all of the sections and subsections in the DSPT.

Both of these documents are works in progress and the links below (under Output Documentation) will always point to the most up-to-date versions.

We have put together a document which includes answers to some technical terminology as well as some common DPO queries Tech talk – DPO

3) Anti Virus

This links to question 6.2.1 number of alerts recorded by AV tool in last three months:

For NHS Brent, Central, West, H&F, Hounslow & Ealing CCGs:
Dec 2019-Feb 2020 Anti Virus Report

For NHS Hillingdon, this information has been provided to each GP practice by the Head of IT security

For Harrow CCG:
Anti Virus report Harrow CCG

By now, you should have logged in to the DSPT website and have started to add some of the simpler responses, such as your ICO number and your Caldicott Guardian details, as well as reviewing the mandatory questions.

Register your practice for the DSPT here

Notification of Emis cloud services – No. 16

Notification of Emis cloud services – No. 16

From 10 June 2019 EMIS Web started migrating practice patient data storage to Amazon Web Services (AWS).

Because this is a significant change to the way patient data is processed, in order to be compliant with GDPR, practices as ‘Data Controllers’ need to:

  • inform their patient through their usual methods of communication (for example their privacy notice)
  • carry out a Data Protection Impact Assessment (DPIA)
  • update their record of processing activities (ROPA) .


Updated  Detailed Privacy Notice

The latest version of the detailed Fair Processing Notice has been updated to cover the required communications and can be uploaded from here and should be pointed to from your practice website:

Updated FPN: privacy-notice-v110-1 (this also contains an update to the NWL DPO Service contact details which information should be in use by all practices whether EMIS or TPP)


Example DPIA

EMIS have provided an example DPIA which practices can download and use:

Sample DPIA: Data-Protection-Impact-Assessment-AWS-GP-perspective

The NWL DPO support offers an advisory service and does not have the resources to complete impact assessments on behalf of primary care. There is no central repository where a single form can be completed on behalf of 370 primary care data controllers. It is the responsibility for each data controller to keep their own records, relevant to the type of data and sharing in which they engage and for their individual organisation to be accountable in their own right and to be able to demonstrate GDPR compliance through their DSPT returns.  The DPO may however may recommend a Data Protection Impact Assessment (DPIA), support the process of practices completing it and approve the contents.

This sample DPIA provided by EMIS should be fairly straight forward and can be completed by filling in your practice details and the relevant entries in sections 5, 6 and 7. We recommend using the suggested entries already in place in sections 5 and 6. Where this is the case in section 6 and 7 the NWL CCGs DPO Service has approved both the recommended measures and the identified residual risks and agrees that processing may proceed.  The Caldicot Guardian or a signatory representing the practice’s data controllers should either accept (recommended) or overrule the DPO advice. There is no further consultation response required and the DPIA would be reviewed as part of routine practice process in your annual DSPT returns. See below:
 Practices should keep a copy of the completed DPIA with their practice’s data protection documentation/records.

Records Of Processing Activity

EMIS practices will need to also update their Records Of Processing Activity (ROPA) as described in GDPR Blog 6

If you have any questions please send them to


eDSM (Enhanced Data Sharing Model) – No. 15

eDSM (Enhanced Data Sharing Model) – No. 15

eDSM additional controls have been designed to ensure that GP’s and Patients have greater flexibility and control over which organisations have visibility of their SystmOne records. The new controls will allow GPs to decide if other SystmOne Organisations involved in the care of their patients can view their patient’s records (subject to patient consent).

In order to implement this change, we have now finalised the list of Organisations with whom North West London SystmOne practices currently share with. These are the Organisations who have signed the CWHHE MOU, Extended Hours Hubs and the practices within NWL CCG’s. These are listed within the ‘SHARED LIST’ that you will see attached. When Organisations are added to the ‘SHARED LIST’ this will ensure that patient records can be accessed, assuming consent has been given.

If you do not switch eDSM on then your practice will not be complying with the Data Protection Act 2018, which requires you to tell your patients with whom you share their data. The eDSM model allows you to do this.

Additional documentation:

Importing the ‘allowed list’


TPP eDSM enhancements_FAQs v.1.1

Allowed List Updates

Current Version – V10