Author: laurie

General Practice Data for Planning and Research – No.23

General Practice Data for Planning and Research (GPDPR)

Update 19th July 2021

GPs have been sent an update on GPDPR by the Undersecretary of State for Primary Care and Health Promotion saying that NHSD is working in collaboration with partners including the RCGP and the BMA, and that no specific start date for the collection of data will be set until:

  • Patients have the ability to have their data deleted if they opt out of sharing their GP data with NHS Digital (even if this is after their data has been uploaded)
  • The backlog of opt-outs has been fully cleared
  • A Trusted Research Environment has been developed and implemented in NHS Digital
  • Patients have been made more aware of the scheme through a campaign of engagement and communication.


  • Patients do not need to register a Type 1 opt-out by 1st September to ensure their GP data will not be uploaded
  • NHS Digital will allow GP data that has previously been uploaded to the system via the GPDPR collection to be deleted when someone registers a Type 1 opt-out
  • The plan to retire Type 1 opt-outs will be deferred for at least 12 months

Administrative workload:

  • NHSD are looking into ways of reducing this
  • There is now no urgency to process Type 1 opt-outs specifically for GPDPR in order to get people opted out before September.
  • A template DPIA for practice use will be made available in good time to allow practices to complete it.

Data Security and Governance:

  • Trusted Research Environment (TRE) standards are being defined
  • Data collection will only start once the TRE is in place and when the BMA, RCGP and the National Data Guardian are satisfied with the standards
  • Once the data is collected, it will only be used for the purposes of improving health and care. Patient data is not for sale and will never be for sale

Transparency, communications and engagement

Because of concern about the lack of awareness amongst the healthcare system and patients, an engagement and communications campaign is underway to promote better understanding and informed choices.

Further information can be obtained here

Summary (Original Post 9th June 2021)

Practices have been asked to comply with a Data Provision Notice for GPDPR. Signing this will allow NHSD to extract structured coded data from their clinical system to be used for research and planning. There is a statutory obligation for GPs to sign up to the Data Provision Notice, although there is no mechanism for enforcing this. The BMA have asked for an extension to the deadline to allow time for further assessment and NHSD have now extended this to 1st September.

GP practices may wish to wait for further advice from their professional bodies or they may be happy to sign up now. Those practices signing up should add a paragraph to their Fair Processing Notice:

 “This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research.”

In the interim, because of the publicity, practices may be receiving an increased number of Type 1 opt-out requests from patients. On receipt of these requests the following code should be inserted in the patient's medical record:

9Nu0 (827241000000103 | Dissent from secondary use of general practitioner patient identifiable data (finding))

Or, in the event of a patient wishing to opt in again after an opt-out:

9Nu1 (827261000000102 | Dissent withdrawn for secondary use of general practitioner patient identifiable data (finding))



The General Practice Extraction Service (GPES) has been extracting much of this data from GP practices for some years. That programme was not fit for purpose, but it has now been redesigned to work as intended. The focus is on data for research and planning and at first glance there is little new here.


What data will be extracted

  • data on sex, ethnicity and sexual orientation
  • clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health
  • data about staff who have treated you


What data will not be extracted

  • name and address (except postcode in unique coded form)
  • written notes (free text), such as the details of conversations with doctors and nurses
  • images, letters and documents
  • coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
  • coded data that cannot be shared by law – for example certain codes about IVF treatment, and certain information about gender reassignment


Opt-out choices for patients remain unchanged

  • Type 1 opt-outs when coded into the GP record will prevent that data being extracted from the GP record.
  • National data opt-outs (formerly referred to as Type 2) managed through a central website will prevent the data being used after it has been extracted from the GP practice.


What’s New?

Because this is a new system, GPs do need to formally sign up to the data extract. NHSD have published information for GP practices advising them that they should comply with the Data Provision Notice.


Identifiable Data?

The data is described as pseudonymised or depersonalised, which means that to all intents and purposes it will not contain Personally Identifiable Data (PID); however, in specific circumstances it will be possible to link it back to PID. Beyond its use for planning and research, the NHSD patient information page also says that the data may be used:

  • in exceptional circumstances, providing you with individual care

This short reference is significant as it shows that NHSD will be able to provide Personally Identifiable Data to health and care organisations (for example Local Authorities) for the provision of direct care. The data would be stored in secure NHS databases with robust access control mechanisms and only made available to organisations who can show that they have a valid need (i.e. a Legitimate Relationship to provide care) as well as having appropriate standards of Information Governance in place.


Who is responsible for the extracted data?

Once the data has been taken from GP systems the data controller for the extracted data will no longer be the GP but will be NHSD. (Note that this differs from data extracted into the local WSIC database where GP data controller rights and responsibilities are maintained and are pivotal to the use of the data, in this case for the provision of direct care).


Professional Bodies

See the LLMC statement, which also contains links to an explanation of patient opt-out choices and to the current BMA stance. The BMA have previously supported this programme but, because of rising public awareness and increasing patient requests for their GPs to code them as Type 1 opt-outs, they will be reviewing and reconsidering the issues before the September deadline. The NHS need this data to plan and provide healthcare services, so it seems unlikely they will back down; rather, there will be significant government pressure on the BMA to maintain their support.



If you have any questions please contact NWL Infogovernance Support

Data sharing for COVID vaccination – No. 22

Data sharing for COVID vaccination

In a Primary Care Network setting we are relying on the new ISS information sharing agreement, using COPI legislation as the legal basis for sharing. For TPP practices, until such time as separate instances of TPP are provided to PCN units, this is being mediated through RA extension of access permissions on smartcards.

Many vaccination centres are currently using Accubooks to support vaccine administration. There is a helpful Youtube presentation on how this works here:



It is important to recognise that, because this is a new way of sharing, each locality is required to undertake a DPIA to look at the way the data is being shared, as well as to assess and mitigate any identified risks. Accubooks has produced a template DPIA which covers most of the requirements:

accuRx DPIA Template Covid-19 Vaccine booking and recording

Whilst this will cover most of your bases, you must make the DPIA specific to your own data sharing and ensure that it addresses considerations related to your locality.

If you have any questions please email NWL Infogovernance Support


Sharing Vaccination Data with Local Authorities


You will be aware of the data sharing recently undertaken in response to the low COVID vaccination uptake levels in NWL. A limited amount of patient data has been provided to Local Authorities through WSIC, using COPI as the legal basis to provide care. A Memorandum of Understanding (MoU) outlining the principles was endorsed by the NWLCCG and ICS accountable officers. Evidence to date suggests that where patients have been contacted through this route, vaccination rates have risen in the order of 27% and that this has been life-saving action.

We have since been working closely with the LLMC to ensure that GP data controller responsibilities can be exercised. As a result, GPs are now being asked to sign up to an information sharing agreement with LAs to share this limited dataset. Practices wishing to share will be provided with an information sharing agreement, a template DPIA and a clause to insert in your practice FPNs with information about further communications with your patients.

The proposed data sharing agreement is:

  • Appropriate: We believe that this data sharing exercise will save lives (above)
  • Proportionate: The data is limited to the contact details of a subset of NWL patients over 50 years old, who do not live in the Grenfell area, who are eligible for but have not received COVID vaccination
  • Time limited: valid only for the duration of COPI legislation
  • Safe: We have separately approached the LAs signing this agreement, who have provided assurances that the appropriate security measures are in place through the use of access control mechanisms, secure data transmission, storage, management and duration/expiry of this sensitive data.
  • Legally sound: COPI is used as the legal basis but the sharing agreement is GDPR compliant, consistent with the agreed NWL structure of information sharing agreements and has been approved by the NWL Primary Care IG group.
  • Agreed: We have discussed the pros and cons of this matter in some detail with individual GPs, the vaccination programme, the NWL IG Board (where there is patient representation), the Primary Care IG group, NWL CCGs and the LLMC. Individual GP data controllers will be able to decide how to implement this sharing.

GP data controllers are expected to sign this sharing agreement which is recommended by the NWL Primary Care IG group, the NWL vaccination programme and the Accountable officers of the NWLCCGs and ICS, who have been working closely with the LLMC. It is recognised that a small number of practices, depending on their geography, may have higher numbers of potentially vulnerable or other groups of patients not happy to share their data with LAs. These practices do not have to sign up but will be asked to provide evidence that they have promoted COVID vaccination uptake by engaging in collaborative work with their LAs.

The data has already been shared (although it is time limited by the duration of COPI legislation). For the anticipated small proportion of practices who decide not to sign, no further data flows will take place.

Required actions:

Your registered data controller lead or PM will shortly be contacted by the Data Controller Console (DCC) and invited to sign the LA information sharing agreement. All practices should respond. In most cases this will be to sign up, but practices who prefer to use other ways of increasing vaccination uptake must let us know that they dissent (which will inform the cessation of existing data flows).

Respond to the DCC controller invitation.

A) If you are happy to proceed you should:

  1. Sign the sharing agreement on the DCC
  2. Check you are happy with the DPIA
  3. Add the FPN clause to the existing notice published on your website (see below under FPN / patient communications).

Everything else will be managed through WSIC.


B) If you do not wish to share data with the LAs:

  1. Log on to the DCC and register your dissent to the information sharing agreement.
  2. Liaise with your local authority to work collaboratively with them and consider using honorary contracts as a mechanism of doing so (see below under Working with Local Authorities)


FPN / patient communications

Your responsibility as data controllers is to inform your patients about what data you are sharing, with whom and why. This can be done in a number of ways, first and foremost through the Fair Process Notice (FPN) which should be published on your practice website. This is a new form of sharing and if you are signing the sharing agreement you should insert the following paragraph in your FPN (you may wish to reword it as you see fit).

“Sharing Vaccination Data during the COVID Pandemic:

During the COVID pandemic we have signed an agreement with our Local Authorities to allow trained Public Health personnel access to a limited amount of patient information. This has been restricted to the contact details of North West London patients over 50 years old, who do not live in the Grenfell area, who are eligible for but have not received COVID vaccination. The purpose is to provide those patients with direct care and to save lives by increasing the uptake of COVID vaccination. The legal basis for sharing is the short term COPI legislation (introduced by the Secretary of State for Health for just this purpose) and when the COPI legislation expires the data will be deleted. We have taken measures to ensure this data is safely transmitted and managed securely and that PH personnel are trained to understand their professional responsibilities of confidence.”

Patient Participation Groups: You should mention this sharing in your patient participation groups and may choose to let them know that NWL vaccination uptake has been amongst the lowest in the country and that these measures have been taken to provide care for our patients by increasing vaccination uptake and, in doing so, saving lives.

Working with Local Authorities

A minority of practices have higher proportions of patients (for example BAME and other groups) who may have a mistrust of the system, where the sharing of that data might further widen the mistrust. If they decide not to sign up to this recommended information sharing agreement, they will be expected to demonstrate that they are working towards increasing their vaccine uptake figures in other ways. One mechanism for doing so would be to undertake collaborative work with their Local Authority (see the presentation recently shown by the vaccination team, which gives an exemplar of this sort of outreach work).

Practices working in this way may wish to allow limited access to data to trained LA personnel taken on at the practice under an honorary contract which outlines their roles and responsibilities and which documents accountability. See the template document.

Practices wishing to explore these options further should contact their LA vaccination leads and we are currently drawing up a list of contact details and will shortly publish them below:
If you have queries, please email us on


We hope you will sign up to this data sharing agreement. Local Authorities are part of our ICS and we need to learn how to share data with them appropriately, proportionately and securely to support patient care. This is a potentially sensitive area, and this first step is a measured and well worked-up agreement which we believe will save lives and which we strongly recommend to you.


Sharing Patient Records for Direct Care – No. 20

A new NWL Information Sharing Agreement, the ISS for Direct Care (in the new terminology), replaces the “MoU” for sharing data between primary, secondary and acute care for organisations using SystmOne or EMIS clinical systems. Communications have been sent to GP practices confirming that the agreement has been ratified by the NWL IG Board (where there is also LMC representation). The ISS will be made available on the Data Controller Console and all practices across NWL are requested to sign, as will our community and acute trusts who use those clinical systems.

Allowing access to clinical records in Primary Care Networks

The emergence of PCNs and their inclusion within the GP contract has paved the way for them to become the organisations through which future primary care health services will be provided. Increasingly, PCN staff need to be able to access clinical records to support the delivery of patient care.

The organisational unit of data controllership remains with General Practice. PCNs, despite their pivotal nature, have no legal status and are not data controllers.

The new ISS for direct care outlines the governance requirements for healthcare organisations using TPP and EMIS clinical systems when sharing data for direct care, and now states that:

“Primary Care Networks (PCNs) are now a vehicle through which health care services are delivered. Trained staff from PCNs and their GP practices will now form part of each GP practice team and will have supervised and audited access to patient records when this is required to deliver patient care.”

and also, in relation to TPP (with equivalent arrangements in EMIS)

  • Only health care organisations who have a legitimate relationship to provide care obtained through a registration process can access the full patient record by ‘sharing in’ the full SystmOne patient record from the virtual pool.
  • At all new registrations, consent is required to ‘share in’ the full SystmOne patient record from the virtual pool. For existing registrations in Primary Care consent is not required.

This significant change will allow PCN staff to see the GP record without requiring consent and in effect this policy change provides them with a Legitimate Relationship where there is clinical need. Existing GP staff will also have a legitimate relationship to access the records of all patients within their PCN in the same way that they currently have access to patients in their own practice.

In order to access clinical records PCN staff must:

  1. Have a Legitimate Relationship (LR) to provide care for the patient (or be working with or accountable to an organisation who has that LR)
  2. Have completed training and be able to demonstrate that they understand their legal and professional responsibilities to protect patient confidence (IG training)
  3. Have completed training and be able to demonstrate competence in the use of the clinical system
  4. Have access to clinical records controlled with Role Based Access Control mediated through a smart card or similar method of authentication
  5. Have a contractual link to a Caldicott Guardian whose role would be to oversee 1), 2) and 3), sign an RA02 for 4) and provide accountability in the event of a breach in relation to data access or malpractice.

Informing Patients

The new ISS allowing sharing of records across PCNs is a significant change and practices can and should ensure that they have communicated these changes to their patients through a variety of media. There has already been public engagement via some PPG groups at practice, PCN and CCG level, at the NWL IG Board, and through other workshops. You should discuss the changes at your local Patient Participation Groups (PPGs) and direct them to a new section in your FPNs. You may wish to use the wording below as a basis for SMS, email, website pages or practice noticeboards:

“We are working closely with neighbouring practices within our Primary Care Network (PCN) to support your care. PCNs and their constituent GP practices are now the organisations through which primary care health services will be delivered and when providing you with care their trained staff form part of our team and will have access to your NHS GP record. Please see our Privacy Notice [include url link to your FPN] for more details or discuss at your patient participation group”

Fair Process Notices should contain clauses explaining how patient information is shared. Below is the suggested wording to insert into the existing section under Local Information Sharing:

Local Information Sharing

Your GP electronic patient record is held securely and confidentially on an electronic system managed by your registered GP practice. In order to provide you with health and social care services, your GP practice works in close collaboration with [insert your CCG / PCN name], a group of [insert the number of local practices in your PCN] geographically local practices.

Trained staff from PCNs and their GP practices will now form part of each GP practice team and will have supervised and audited access to patient records when this is required to deliver patient care. Staff are trained to understand their legal and professional responsibilities of confidence to their patients and will only access your records when they are required to do so to support your care. They will identify themselves and their role using a smart card, and access to your PCN record is recorded, monitored and audited.

As your local PCN functionality extends, they are likely to provide GP Hub and Out of Hours services directly, in which case your records would be available without consent. If you require attention from a local health or care professional outside of your usual PCN services, through an Emergency Department, Minor Injury Unit or other Out of Hours service, the professionals treating you are better able to give you safe and effective care if some of the information from your GP record is available to them. If those services use a TPP clinical system, your full SystmOne medical record will only be shared with your express consent.

Where available, this information can be shared electronically with other local healthcare providers via a secure system designed for this purpose. Depending on the service you are using and your health needs, this may involve the healthcare professional accessing a secure system that enables them to view either parts of your GP electronic patient record (e.g. your Summary Care Record) or a secure system that enables them to view your full GP electronic patient record (e.g. TPP SystmOne medical records or EMIS remote consulting system).

In all cases, your information is only accessed and used by authorised staff who are involved in providing or supporting your direct care. Aside from your registered provider, your permission will be asked for before the information is accessed, other than in exceptional circumstances (e.g. emergencies) where the healthcare professional is unable to ask you and access is deemed to be in your best interests (which will then be logged).

How to manage patient concerns:

Patients who register an objection can be responded to with measures to limit access to their record in certain situations, e.g.:

 “My next door neighbour (with whom I have an ongoing boundary dispute) is a receptionist at a practice in your PCN and I would not want her to access my records.”


It is possible to configure both S1 and EMIS clinical systems to limit access to a ring-fenced group of staff, which would exclude the receptionist neighbour; practices can contact their IT teams to implement these changes.

Patients who decline to have their records shared with the PCN, e.g.:

 “I understand the potential benefit of sharing my record with the PCN staff and, even though this might make it more difficult to provide me with care or cause potential delay, I do not want to share my record with the PCN unless I give specific permission.”

… we anticipate very small numbers of these patients

Solution: There are two considerations here:

  1. During short term emergency measures:  Mid COVID pandemic we have introduced short term measures allowing extended access to patient records on the basis of COPI legislation implemented in the face of urgent or life-saving clinical need (e.g. Shielded lists for vulnerable COVID patients, implementation of COVID vaccination programme at short notice, the provision of central hub based services for urgent care or out of hours care during the pandemic). In these circumstances clinically trained staff have had their smartcard permissions extended to cover access to patient records in their PCN. The controls in place here are: 
    1. Request for access will in the vast majority of cases originate from your own GP practice
    2. In the case of hub based or extended hour services patient will be able to give or decline permission at the point of care
    3. Practice staff with extended permissions have been fully trained to understand their legal and professional responsibilities to protect their patient’s confidence. They will not access patient records unless doing so is needed to provide them with care. All accesses are registered and subject to audit trails and inappropriate access is a serious and dismissible offence.
    4. PCN staff not employed by practices will have appropriate training in the use of the clinical system and their IG responsibilities. They will have a contractual relationship with a Caldicott guardian or data controller who will oversee and be accountable for their actions. Likewise they will not access records unless required to do so to provide care.
    5. The above measure restricting access in specific settings (see 1) above) will also apply
    6. Notwithstanding these controls, other than declining the provision of care (which would usually be an untenable option) there is no mechanism for preventing access to patient records whilst these COPI legislation measures are in place (until 31st March 2021) OR until the planned implementation of local instances of PCN clinical units (see below)

  2. Medium-term ability to honour opt-out requests: EMIS and S1 clinical systems have organisational codes, and identification of these codes allows clinicians and patients to make choices about which local organisations can access patient data. PCNs are new organisations without legal status and currently they do not have their own ring-fenced clinical systems with PCN codes. We are planning to implement these as soon as funds are available to do so, and from that point in time (which may predate the end of COPI legislation) patients would be able to request that PCNs do not access their records, which would remain unseen in the absence of consent.

The use of honorary contracts

These are not standard contracts of employment. They provide a contractual link to a primary care organisation and Caldicott Guardian with the intention of:

  1. Creating a legitimate relationship
  2. Establishing accountability in the event of malpractice or a breach

Those links are already in place for GP practice staff, and additional contracts will only be required for PCN staff who need to access identifiable patient data. Because of the change in the boundary allowing access to patient records, only one PCN practice needs an honorary contract to allow a PCN staff member to access patient records across the whole PCN. Because there is risk involved in taking on a contract, it makes sense for these contracts to be shared out between the practices in a PCN.

It is not possible to share medical records without risk. The balance is between keeping records in silos, which are secure but share data poorly, and open access, where there is a high risk of breach but effective sharing of information. It follows that more staff accessing a larger number of patient records poses a potential increase in risk. It is essential that staff understand that, whilst they may be able to access many records, they should only do so when their job requires it.

Responsibility and liability in the event of malpractice or a breach could be shouldered by the practice which signs the contract, but this needs to be discussed and agreed between the constituent PCN practices. Practices and PCNs are strongly advised to enter into a written risk-sharing agreement, the nature of which is beyond the scope of this ISS.

Example Honorary Contract

See attached document

which is short and gives an indication of the intended scope. The variation in infrastructure between the 8 CCGs makes it an impractical proposition for us to provide a standard honorary contract across NWL. For this reason we are providing PCNs with principle-based advice about their IG requirements, as detailed above. Each PCN will need to construct their contracts according to their specific needs.

Shared employment

PCNs may employ staff themselves or may use staff employed by another organisation (e.g. a community trust). In either of those settings there needs to be a standard employment contract, which will also include registration on the ESR system to monitor and audit the standards set by the NHS Litigation Authority and the CQC, including:

  • maintenance of professional registration
  • pre-appointment clearances
  • DBS certification
  • induction and mandatory training

With shared employment a written agreement should detail which responsibilities lie with which organisation. For example, a community trust working with a PCN may be able to provide training.

Required Training

NWL IT services have developed module-based clinical system and IG training which can be used by HCOs for their staff. GP practices who have signed honorary contracts may be happy to delegate the scheduling and documentation of this training to their PCN.

To book your required training please access the NWL learning Hub

The Role of Federations

Federations/Confederations exercise different functions across NWL. Where they are organising PCN services, the same arrangements (requiring honorary contracts between staff working in the PCN and a constituent GP practice) can apply. Where Federations and Confederations are providing services, and in that role are data controllers in their own right and are hosting an EMIS or S1 clinical system, they may also be able to take on the role of sharing records without the need for honorary contracts.

COVID Data Sharing Measures – No. 19

Updated 09.06.20 with advice on:

  • Managing Shielded Patients and notification of suspected COVID cases


Notification of suspected COVID cases

COVID is a notifiable illness. Regulations state that clinicians should not wait for laboratory confirmation before notifying. Laboratory confirmed cases are notified centrally. However, since Jan 2020 the low threshold for suspicion (anyone with a cough or sore throat and symptoms of fever etc.) has meant that there will be large numbers of suspected cases. Notifying this group, whilst officially required, is not likely to be a helpful process.

This has been discussed with senior clinicians at Public Health England (PHE) who understand and agree there is a dilemma. Because COVID is a notifiable illness they have no choice but to make the request – but accept that the information is of limited value and that this would not be best use of primary care time. A request to review this policy has been “passed up the chain”. In the meantime, practices can either wait until there has been a response, or if they wish to fulfil the legal obligations they can send PHE a spread sheet with the relevant details. (Our practice has collected the data, but has decided to wait for further information before notifying suspected COVID cases).


Updated 28.05.20 with advice on:

  • GP Connect (NWL considerations)
  • Summary Care Record (action needed on Fair Process Notifications)
  • COVID data managed by WSIC
  • Managing Shielded Patients and using COVID templates
  • Medopad App use in Respiratory Hubs


GP Connect

COVID measures have been taken to improve access for health and care professionals to medical records and information. This will support safe treatment and advice to patients who have called NHS 111, or are receiving care in settings other than general practice. The advice below has been précised from the letter sent to all GPs by NHSX and also includes information specific to NWL practices.

GP Connect allows authorised clinical staff in general practice, NHS 111 and other care settings providing direct care to view clinical information from a patient’s GP record by providing a read-only HTML view of the full GP record. It also supports the sharing of booked patient appointments. This functionality has been authorised by NHS Digital for all GP practices in England and will be enabled by GP system suppliers. Opt-outs, where patients have made them, will be respected.

These changes will:

  • improve GPs’ ability to treat patients outside of their registered practice, giving patients easier access to a GP when they need one, regardless of demand or staffing levels in their own practice, for example within a network or a federation hub;
  • give authorised health and care professionals working in primary care, NHS 111 – including the COVID Clinical Assessment Service (CCAS) – and other appropriate direct care settings, access to the GP records of the patients they are treating, regardless of where they are registered; and
  • allow remote organisations such as NHS 111 to book appointments directly with the patient’s GP practice including the ability to manage referrals from the COVID Clinical Assessment Service (CCAS). This will enable healthcare professionals to provide more timely care and provide flexibility for the primary care system.


Actions which NWL GP Practices need to take

So as not to require practices to set up the GP Connect service individually, NHS Digital have implemented a national roll-out which will be managed by the GP system suppliers for ALL GP surgeries and GP-led hubs. GP practices will still be required to implement some changes to allow the remote booking of appointments into their clinical systems, and further details will be provided when this is required.

NWL already has a system for the allocation of remote bookings; in the short term this is fit for purpose and will remain the booking mechanism in place. We are piloting the GP Connect remote booking system in several practices and will inform GPs when the GPC booking component will be widely rolled out. In the interim, practices do not need to make changes.

Legal basis for this action

This action is being taken in response to the Notice issued on 20th March 2020 under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 requiring confidential patient information to be shared in the circumstances set out in the Notice.

The changes will remain in force during the period of the COVID-19 emergency period as set out in the Notice (unless extended or reduced) at which point systems will return to their current state unless alternative arrangements have been put in place before then.

To remove uncertainty over the effect of the Notice, NHSX have written to the GP system suppliers to request that they enable these changes without further instruction from GP practices. Your GP system suppliers should inform you in advance of making these changes, so that their role in facilitating these changes is made clear to you.

Safeguards required to keep information safe have not been compromised. Practices do not need to change any existing Data Sharing Agreements in relation to COPI legislation. However, in consideration of the possible longer-term implementation of GP Connect, we have written a DPIA to consider the risks and mitigations and are considering incorporating the use of GP Connect in existing data sharing agreements. The BMA and RCGP are supportive of this work, as are the Information Commissioner’s Office and the National Data Guardian.

Further information including statements from those bodies is available on the following webpage

Questions can be directed to our NWL IG team or directly to NHSX:

Further plans for GP Connect

COPI legislation covers the use of the GP Connect data for COVID use until 20th Sep 2020. We anticipate the possibility of continuing to use GP Connect beyond COVID, and the NWL DPIA which has been written to support this is below:


We are also writing up an information sharing agreement to accommodate that scenario, which will either be a separate ISA or will be incorporated into our existing sharing agreement for direct care.

Summary Care Record (SCR) changes:

As part of COVID measures to support patient care, the default SCR consent has changed from implied consent for meds, allergies and adverse reactions, to implied consent for meds, allergies, adverse reactions and additional information.

The current view in SystmOne can be found through the left-hand admin menu tab under Spine Details and SCR Details.

There is an equivalent process in EMIS (below):

Patients can still give their express consent / dissent to any of the last three tick box options below. If patients choose “express consent for medication and allergies and adverse reactions only”, this will trump the new implied consent settings. Patient choices can be mediated through their GP practice by verbal request, or via a form.

Action required:

To inform your patients about these measures please ensure that your FPNs contain a section under Summary Care Record which points to: Supplementary Privacy Notice for Summary Care Records

COVID datasets for WSIC:

WSIC are working towards getting daily GP data from Discovery Data Services (DDS).

  • An email explaining that data will be flowing to DDS from which WSIC would extract data has been sent to all the Caldicott guardians/contacts for NWL practices registered on the Data Controller Console (DCC).
  • So far just 220/357 practices have signed up to the daily data extraction processed through DDS
  • WSIC also continue to work with the fortnightly data feeds from Apollo to produce COVID dashboards for the sector


The specific COVID-19 datasets that WSIC have secured since the beginning of April are:

  • Full NWL population data from NHS digital with patient identifiable information – Frequency monthly
  • Direct admission data from all the acute trusts with confirmed/suspected COVID patients; this includes the bed status, i.e. critical care and ventilation details (fully patient identifiable) – Frequency daily
  • Full patient identifiable data from CMC with details of advanced care plan, resuscitation preference etc. – Frequency fortnightly
  • Direct pathology results data from all the pathology providers with full patient identifiable information – Frequency 3 times daily
  • The shielded patients list from NHS digital with patient identifiable information – Frequency weekly


The above datasets have been linked with the existing WSIC datasets to generate COVID dashboards. The dashboards allow NWL clinicians who have a legitimate relationship with an identified patient to view Personal Identifiable Data, using Role Based Access Control. Healthcare professionals who do not have a legitimate relationship with the patient can only see aggregate data. WSIC have updated their website with the details, and have also included this information in the newsletter that has been sent to all users with a registered login to WSIC.

WSIC does not extract appointment data, but it does also have a separate BI function which undertakes sector analysis for the ‘gold command’ which has been established for COVID management support. This central BI team does not have access to receive, view or process patient identifiable information, but it does see the output from the TPP trust-wide reporting unit and the EMIS search and report modules. This output does not contain any PID and is at an aggregate level. The BI team does not have direct control over the Brent and Harrow EMIS search and report modules and has to get permission from the relevant CCG to run the searches if required.

GPES data collection

The General Practice Extraction Service (GPES) collects information for a wide range of purposes, including providing GP payments. It works with the Calculating Quality Reporting Service (CQRS) and GP clinical systems as part of the GP Collections service.

Coronavirus (COVID-19) has led to increased demand on general practices, including an increasing number of requests to provide patient data to inform planning and support vital research on the cause, effects, treatments and outcomes for patients of the virus. To support the response to the coronavirus outbreak, NHS Digital has been legally directed to collect and analyse healthcare information about patients, including from their GP record, for the duration of the coronavirus emergency period.

This General Practice Extraction Service (GPES) data will be extracted as a snapshot in time extract on the initial collection. A subsequent fortnightly extraction will then continue until the expiry of the COVID-19 Direction. This has been in place since 31 March 2020 but will be reviewed in September 2020 and every six months thereafter. The frequency of the data extraction may change in response to demand.

Action required:

GPs must sign up to this extraction; this is not a request, it is a legal requirement.

See the following NHS Digital Notice:

See also this helpful LMC article:

Managing Shielded patients:

There is a central register of patients who are at the highest risk of serious health complications in the event of getting COVID. GPs have control over who is on this list and can add patients by coding them as High, Moderate, or Low risk.

Once they have been entered into the GP clinical system, these codes will be extracted weekly to update the central register.

To add a patient to the high-risk group, enter the high risk code. For patients who are already in the high-risk group but whose GP thinks they should not be, entering the moderate risk code will automatically remove them from the high-risk group (when the weekly data extraction occurs). The moderate risk group should be identical to your flu vaccination cohort. Patients not significantly at risk, and who do not need yearly flu jabs, can be coded as low risk.

Letters to patients.

Patients identified as high risk in the first assessment have been sent a standard letter by NHS Digital (see below). Patients can be added to the high-risk group through two other mechanisms:

  • Recommendation by secondary care consultants
  • Self-inclusion (patients may write to their GPs asking to be included on the high-risk list).

In general there is an expectation that the list from secondary care will be considered and accurate (although lists received to date have not always specified the reason for inclusion). However, in both cases GPs can exercise discretion and should make the final decision. Patients who have not previously been on the list and are added should be sent the standard letter:

  1. Standard inclusion on high risk list (updated May 2020)
  2. Removal from high risk group where not indicated
  3. Non-inclusion in high risk group after self-nomination

It is good practice to discuss in person with patients if you think they should not be on the list, or indeed with those patients who do not want to be included. Patients in groups 2) and 3) who are being removed, or not included despite a request, may also require a letter at their GP’s discretion.

Action required:

Aside from those written to by NHS Digital, the responsibility for notifying patients about inclusion on the high-risk list will rest with the GP practice.

Resources for managing shielded patients and COVID:

COVID templates

In addition, templates are available in your clinical systems which will allow you to enter the relevant clinical codes for COVID and to support and manage the follow up of high risk and shielded patients.

The description below covers use in SystmOne TPP (there are equivalent templates in EMIS). The COVID icon is a yellow triangle with an exclamation mark and can be seen in the top right-hand window below the patient demographics. It is also present on the patient home page.

Clicking this icon will bring up the COVID template which supports the recording of coded COVID information such as symptoms, findings and diagnosis.

There are other tabs which allow the documentation of management plans, the identification of useful resources, the recording of information on other respiratory conditions etc., which will not be further detailed here.

Within the COVID template you will see another yellow triangle icon labelled ‘Welfare template’. Clicking on this will bring up the following template.

This can be used by receptionists, HCAs or other trained staff to call patients in your high-risk groups (or those who you have identified as having moderate COVID related symptoms) for follow up. The main section is the central grey window which contains a number of simple tick box questions. Once these have been completed the pink social assessment box can be ticked. If any needs have been identified, your staff can forward this information by ‘tasking’ the relevant person (GP, Nurse, Link worker etc.). Note there are other potentially useful tabs within the template which will not be detailed here.


Another NWL COVID measure has been to look at ways of managing people in their own home. NHSX is supporting a pilot which uses a Medopad App (a remote monitoring product) across ‘Respiratory Hubs’ in North West London.

The App has been developed to manage and remotely monitor patients with confirmed and suspected COVID-19 infections who are self-isolating. The aim is to keep them out of hospital and deliver their care in a home environment. Healthcare staff at respiratory hubs will identify suitable patients and give them instructions about how to download and use the app. They may also be provided with a pulse oximeter. At set intervals they will be asked to record specific clinical information such as:

  • Symptoms
  • Temperature
  • Heart rate
  • Respiratory Rate
  • Oxygen saturation

There may later be the potential for them to be monitored remotely via a ‘virtual ward’ and for this information to be available through patient dashboards. The pilots will run for 3-6 months, after which an evaluation will review the impact of this intervention and consider the benefits of a wider roll-out.


Updated 17.04.20 with advice on Fair Process Notification

Sharing for Direct Care

To support routine and emergency care during the COVID-19 crisis we are taking measures across NWL to share access to GP patient records more widely. This will be done by extending smart card permissions to existing authorised and trained staff in a staged manner*:

  1. Sharing will extend initially from the registered GP to Primary Care Networks.
  2. This may later be further extended to allow CCG wide access or
  3. In the event of worsening crisis to allow access by trained staff across NWL


* with the exception of Brent where Harness have requested an earlier migration towards sharing at CCG level


Caldicott Guardians from each practice have been asked to:
  1. Sign a bulk RA02 process, allowing shared smartcard access to their clinical systems by suitably qualified staff.
  2. Nominate members of their practice to contribute to this pool of staff and to vouch that they:
  • have had clinical training and are competent to exercise the permissions on their smart cards
  • have had IG training and understand their professional and legal responsibilities of confidence to their patients**
  • have a contractual relationship with the nominating Caldicott Guardian.


** In particular that access to patient records requires the existence of a legitimate relationship (i.e. they must be providing that patient with care) and that inappropriate access to records is a serious and dismissible offence.


Sharing data to plan and provide care in the Covid pandemic

The Secretary of State for Health has issued a notice under the ‘Control of Patient Information’ regulations (COPI) authorising NHS Digital to disseminate information to approved organisations in order to help them to effectively tackle the pandemic. These measures will be in place until 30th Sep 2020 and will be reviewed at that time. This legal purpose will be used within WSIC when identifying data to support the planning and delivery of health care related to COVID-19.

National shielding measures require a coded list of patients at highest clinical risk from COVID-19 (a subset of the flu jab cohort) to be extracted from GP clinical systems through GPES in the week starting 13th April. These patients will be written to by the NHS with specific advice. See update with a link to the original communication and FAQ sent on the 3rd April.


Fair Process Notification amendments

Because of the above changes we are advising all practices to amend their FPNs. You may choose to insert the paragraphs below, which cover patient information for COVID measures in hub and non-hub GP practices (or you may prefer a suitable alternative if your data sharing circumstances differ):

Data Sharing Measure in relation to the COVID pandemic

1) The Secretary of State has served notice under the Health Service COPI (Control of Patient Information) Regulations 2002 to require organisations to process confidential patient information during the COVID Pandemic and these measures will remain in place until September 2020. In addition, aggregate data which supports the planning and delivery of health care during the COVID pandemic will be processed securely through the Whole Systems Integrated Care database. Any such data will be formally identified as COVID related and used only for this purpose until Sep 2020.

2) Primary care staff across each CCG will be able to access your full medical record without consent during the COVID-19 pandemic but will only do so when this is necessary to provide you with care. They will be required to use a smartcard which confirms their identity, and which limits their access and actions to those appropriate for their role. They will all have been trained to understand their professional and legal responsibilities in providing you with care. Access to records by trained clinicians will be made available for example when patients:

  • are asked to present to the Respiratory Hubs offering care for COVID related illness
  • are directed to other hub-based services for routine face to face, telephone or video consultation
  • require community visiting services

3) The extension to smart card permissions is currently limited to CCG wide sharing, but in the event of the pandemic escalating we have taken measures to implement NWL wide sharing and will notify patients through this Fair Processing Notice, should that need arise.

4) The government has requested reinstatement of the “break glass” facility previously available in TPP clinical systems so as to allow a declared access to patient records in the event of an emergency.


Questions about COVID and data sharing


Above table as a word document


Reinstated ‘Break Glass’ Functionality in TPP

TPP has received a direction from Dame Fiona Caldicott (National Data Guardian) to reinstate the consent override (break glass) function within SystmOne.

The key points are:

  • This is for direct care only
  • Anyone using it must take advice from their DPO and Caldicott Guardian
  • It should be used only by registered and regulated health and care professionals
  • Every effort must be made to keep patients informed
  • A monthly audit of use will be sent to the NDG, ICO, NHSD and NHSX
  • This instruction will be in effect for 3 months from 30/3/2020


The NWL local policy is:

  • Use access as normal within our local EDSM allowed list
  • If access is required from outside this locality use the agreed EDSM process to obtain a validated password
  • If this does not work, or if there is a reason that a clinician needs access to the notes in the absence of the patient, then the break glass facility can be used (noting the above points)



National Data Opt-out – No. 18

National data opt-out (NDO) in Primary Care

GP practices must comply with the national data opt-out policy by March 2020.

What is the national data opt-out?

Patients can choose not to share their identifiable data when it is not related to the provision of direct care by requesting a national data opt-out. This has replaced the type 2 opt-out which used to be managed in primary care. Patients requesting a national data opt-out should now be directed to

Where a patient had a type 2 opt-out registered on or before 11 October 2018, this was automatically converted to a national data opt-out and if they were aged 13 or over they were sent a personal letter explaining the change and a handout with more information about the national data opt-out.

Patients can be reassured that their choices will continue to be respected. If they want to change their choice, they can use the national data opt-out service to do this.

Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until 2020, when the Department of Health and Social Care will consult with the National Data Guardian on their removal.

What should my practice do to be compliant with NDO?

  • Ensure you have a record of all your existing data disclosures, as required under GDPR/DPA 2018. This will be one of the requirements in your Data Security and Protection Toolkit (DSPT) returns.
  • Assess those data disclosures against the national data opt-out policy to see if national data opt-outs should be applied, and put a process in place to consider any new data disclosure requests against the policy. Note: the national data opt-out applies to data disclosures that rely on section 251 approval; see the “National Data Opt-out FAQs”

To help GP practices to become compliant and to apply national data opt-outs, the four principal GP IT system suppliers are implementing new functionality in the reporting and search modules within their clinical systems. The functionality will enable practices to easily remove the records of patients who have registered a national data opt-out from data disclosures when the practice decides the opt-out applies.

Specific considerations for NWL GP practices

In relation to NDO compliance you will have received, or will shortly receive correspondence from NWL CCGs which include:

The majority of practices in the NWL CCGs will not be processing PID for non-direct care processes. In making an assessment, the areas which you may wish to consider would be:

  1. Whole Systems Integrated Care (WSIC) data extractions
  2. Discover data extractions
  3. Research data extracted through the ResearchOne TPP based module
  4. Any other independent research data extractions.
  5. Old reports which are informing data extractions

In managing these we have provided generic DPIAs which can be used in relation to:

  1. WSIC data extraction
  2. Discover data extraction
  3. TPP ResearchOne data extraction
  4. You must ensure any research data extractions not managed by TPP are excluding patients with NHS numbers where national data opt-outs have been applied (see Guidance and tools to achieve and declare compliance – below)
  5. Practices generating disclosures through existing older or bespoke reports (written before the new functionality) must ensure that their reports are edited to apply national data opt-outs. Likewise any new reports informing PID disclosure must apply national data opt-outs when created. If you are running external reports which you are unable to edit, you must contact the owner or publisher to apply national data opt-outs before data is disclosed.

The principle underpinning WSIC, Discovery and ResearchOne extractions is that any data used (for purposes other than direct care) is not identifiable and so the NDO does not apply in any of these examples. The DPIAs are attached for your information and to confirm this.

When your practice is compliant with the NDO you must declare this in your Fair Process Notification (FPN). You do not need to reprint your paper copies but should include a short statement (see below) in the published FPN which your website should point to.

“National Data Opt-Out

Our practice is compliant with the National Data Opt-out”

Practices should make sure staff are aware of the national data opt-out so they can support their patients, and be aware of the patient support material (see below under Further Guidance).


FAQs on the National Data Opt Out

What type of data is involved?

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England. It is applied to data that originates within the health and adult social care system in England by health and care organisations. It does not apply to data disclosed by providers of health and care services outside of England or to children’s social care services.

When the opt-out is applied, the entire record (or records) associated with that individual must be fully removed from the data being disclosed, whether that data is held electronically or on paper, regardless of whether it is structured or unstructured.

When does the national data opt-out apply and in what circumstances can it be overridden?

The national data opt-out is aligned with the common law duty of confidentiality (CLDC). It applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. It does not apply where the individual patient has consented, or where the data is anonymised in line with the ICO Code of Practice.

Who can opt-out?

Any person registered on the Personal Demographic Services (PDS) who has an NHS number can set a national data opt-out, using online and non-digital channels. The opt-out is registered against their NHS number on the Spine (a central repository supporting IT infrastructure in England for health and social care).

What proportion of patients have opted out?

Opt-out rates by region can be obtained through the national data opt-out publication.

When should my practice be compliant?

All health and care organisations should be compliant with the opt-out by March 2020.

What are my responsibilities at a practice level?

Practices should have procedures in place to review uses or disclosures of confidential patient information against the national data opt-out operational policy guidance. The following general guidance on the national data opt-out policy will help you understand how it works and whether data uses or disclosures are in scope.

Note: To help GP practices to become compliant with the national data opt-out, the four principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available as the GP system suppliers confirm their delivery plans. See further information for GP practices.

If your practice is disclosing PID outside of its current clinical systems, these disclosures should have national data opt-outs applied, and you should implement the technical solution to enable you to check lists of NHS numbers against those with national data opt-outs registered.

When you get the results back, you should have a process in place to ensure that you only use or disclose information for the returned list of NHS numbers, as any with national data opt-outs registered will have been removed.

If you have no uses or disclosures which need to have national data opt-outs applied, you must still put procedures in place to assess future uses or disclosures against the national data opt-out operational policy guidance, and can choose to either:

  • implement the technical solution in readiness, or
  • be ready to implement it if needed for future data uses or disclosures

Once compliant, confidential patient information must not be used or disclosed before it has been assessed and national data opt-outs applied if necessary.


Guidance and tools to achieve and declare compliance

The compliance implementation guide provides a step-by-step guide to help understand and plan the actions required to become compliant with national data opt-out policy. To configure the MESH tool, which allows submission of a group of NHS numbers and returns the list with the NHS numbers of patients who have opted out removed, see: Check for national data opt-outs service
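As an added illustration of the practice-level process described above (submit NHS numbers, take the returned list, disclose only for numbers on it) and of the MESH tool's role, the following Python applies a returned list to a disclosure extract. It is example code written for this page, not an NHS Digital or NWL tool; the record layout, the sample extract and the stand-in for the check service are constructed here, and the only real-world fact it relies on is the standard NHS number format (ten digits with a modulus 11 check digit).

```python
"""Apply national data opt-outs to a disclosure extract (added example).

Not an NHS Digital or NWL tool. It models the step the guidance describes:
a de-duplicated list of NHS numbers is submitted to the opt-out check, the
list comes back with opted-out numbers removed, and only records for NHS
numbers on the returned list may be disclosed. Records whose NHS number is
missing or malformed cannot be checked, so they are held back rather than
disclosed. The record layout and sample data are constructed.
"""
import re

# Constructed disclosure extract. One patient may have several records; if
# that patient has opted out, every one of them must go. NHS numbers appear
# in the formats practices commonly see (with and without spaces).
EXTRACT = [
    {"nhs_number": "943 476 5919", "event": "asthma review"},
    {"nhs_number": "9434765919",   "event": "flu vaccination"},
    {"nhs_number": "9434765870",   "event": "diabetes review"},
    {"nhs_number": "9434765889",   "event": "blood pressure check"},
    {"nhs_number": "",             "event": "new registration"},
    {"nhs_number": "123",          "event": "telephone consultation"},
]

# Constructed stand-in for the opt-out register; in reality the check
# service holds this on the Spine and the practice never sees it directly.
OPTED_OUT = {"9434765919"}


def normalise_nhs_number(value):
    """Return the 10-digit NHS number without spaces, or None if the value
    cannot be a valid NHS number (wrong length, non-digits, or check digit
    mismatch). The check digit is modulus 11 over the first nine digits
    with weights 10 down to 2; a computed check of 10 is never valid."""
    digits = re.sub(r"\s", "", value or "")
    if not re.fullmatch(r"\d{10}", digits):
        return None
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10 or check != int(digits[9]):
        return None
    return digits


def prepare_submission(extract):
    """Build the de-duplicated list of NHS numbers to submit to the opt-out
    check, plus the records that cannot be checked (never disclosed)."""
    to_submit, unchecked, seen = [], [], set()
    for rec in extract:
        num = normalise_nhs_number(rec["nhs_number"])
        if num is None:
            unchecked.append(rec)
        elif num not in seen:
            seen.add(num)
            to_submit.append(num)
    return to_submit, unchecked


def simulated_opt_out_check(submitted, opted_out):
    """Stand-in for the check service: the submitted list comes back with
    the NHS numbers of opted-out patients removed."""
    return [n for n in submitted if n not in opted_out]


def apply_opt_outs(extract, returned):
    """Keep only records whose NHS number is on the returned list. Every
    record of a removed patient is dropped, whatever else it contains, and
    an unverifiable NHS number never matches."""
    allowed = set(returned)
    return [rec for rec in extract
            if normalise_nhs_number(rec["nhs_number"]) in allowed]


def disclosure_summary(extract, opted_out):
    """Run the whole process and report what may be disclosed and why the
    rest was withheld, so the decision is auditable."""
    submitted, unchecked = prepare_submission(extract)
    returned = simulated_opt_out_check(submitted, opted_out)
    disclosable = apply_opt_outs(extract, returned)
    return {
        "submitted": submitted,
        "returned": returned,
        "disclosable": disclosable,
        "held_back_unchecked": unchecked,
        "removed_opt_out": len(extract) - len(disclosable) - len(unchecked),
    }


if __name__ == "__main__":
    summary = disclosure_summary(EXTRACT, OPTED_OUT)
    print("submitted:", summary["submitted"])
    print("returned: ", summary["returned"])
    print("disclose: ", [r["event"] for r in summary["disclosable"]])
    print("held back (unchecked):", len(summary["held_back_unchecked"]),
          "removed (opt-out):", summary["removed_opt_out"])
```

Keeping the "held back" and "removed" counts alongside the disclosable set is what makes the disclosure defensible later: the record of data disclosures the DSPT asks for can state how many records were withheld and on what basis.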

Further guidance

Information sharing and the DCC – No. 14


The provision of an integrated healthcare service in North West London will require robust systems for creating and managing Information Sharing Agreements (ISAs) and Data Sharing Agreements (DSAs). As a result a NW London Digital Data Protection Framework has been designed which includes a template document which can be used to generate these agreements.

A Data Controller Console will be used as an online repository where local data sharing agreements can be kept in one place. This will allow easier management by identifying the membership, the types of data being shared and the expiry dates of any agreements. It will also allow them to be distributed and signed electronically.

1) Information Sharing Agreements (ISAs)

As we move towards providing integrated healthcare services in North West London the format and structure of DSAs has been reviewed because of the need to:

  • Manage more agreements between providers sharing health care data
  • Provide templates which simplify and standardise the process
  • Maintain GDPR compliance

As a result of GDPR, the complexity of ISAs and the amount of information they contain has increased. For this reason the information governance standards common to all of them have been distilled into a single overarching document called the Statement of Data Sharing (SDS), which will be signed by the members of any and all agreements. This will allow the pith of any information sharing agreement to be detailed in a smaller and easier to understand document called an Interoperability Service Specification (ISS). The combination of an ISS and the overarching SDS it points to will form the basis of all future ISAs in North West London.

More details about the structure and function of the NW London Digital Data Protection Framework can be found within the SDS document itself.

2) The Data Controller Console (DCC)

The DCC is an easy and efficient way for organisations to store, update and track the status of Information Sharing Agreements and is available to health and care organisations across London.

Why use the Data Controller Console?

The DCC increases visibility of agreements between organisations that share information; it also gives real-time access to Information Sharing Agreements (ISAs) and control over any changes made to the ISAs.

The Data Controller Console can also help to support organisations with their compliance of the General Data Protection Regulation (GDPR) that came into force on the 25th May 2018 by:

  • Increasing visibility and transparency of agreements and processes between organisations sharing information
  • Allowing organisations to track their information sharing arrangements and relationships
  • Tracking, reporting on and monitoring information sharing agreements
  • Monitoring compliance of sharing with regulations, so that organisations can be confident to transfer on the basis of an adequacy decision
  • Standardising templates such as Data Privacy Impact Assessments (DPIAs) and information sharing agreements

The Console also supports efficient Information and Data Sharing (ISA/DSA) between organisations by:

  • Decreasing paper in the system
  • Streamlining data sharing processes
  • Creating a standard for sharing: ‘Clubs’, data sharing agreements and Data Privacy Impact Assessments
  • Enabling organisations to sign up to agreements en masse
  • Increasing transparency between partner organisations
  • Reducing duplication in the system by encouraging and supporting transparency and collaboration between organisations

For further information about the DCC see:


DSPT Introduction – No. 12


This is a follow-on from the GDPR blog and looks at the Data Security and Protection Toolkit (DSPT), which all GP practices need to submit by 31st March 2019. The DSPT is the successor to the IG Toolkit; whilst many parts are similar, there are also new sections, and the sum total is a more comprehensive undertaking. There is a focus on cyber security, which should make our IT systems more robust against malware such as virus infections or the WannaCry cryptoworm ransomware which caused such disruption in May 2017. Much of the information needed for these sections will be common across NWL, for example specifying the type of antivirus software in use. Where these questions are identified we will provide the information you need here. Some of the GDPR work outlined in prior blogs on this website will also support your submission, and the DSPT action plan (see Output Documentation below) identifies the common areas and links to them.

Is there a pass/fail process or a scoring system? When the IG Toolkit was first released, the idea was to encourage organisations simply to take part. Over time there was an aspiration to reach agreed levels of IG competence, and our NWL IG sharing agreements asked all health care organisations to achieve level 2 of the IG Toolkit before they could share electronic patient records. In a similar way, the first step with the DSPT will be to register and complete those sections which are identified as compulsory. In time your organisation may want to document its IG competence in some of the non-compulsory sections.

Who will see our DSPT returns? As we learn to share information in our health care communities in more integrated ways there will be sharing agreements which require mutually agreed standards. It will be possible to sign up to those agreements electronically on the Data Controller Console (DCC). In addition to being a repository for Information Sharing Agreements and Data Processing Agreements, it will also be a place where you can share your standards of IG competence with other organisations who want to work with you.

When your practice is inspected by the CQC you may be expected to demonstrate that your organisation is compliant with GDPR and to show evidence to support this. The DSPT is one way of benchmarking this and may be used for corroboration. Likewise, if your practice is ever the subject of a complaint related to the management of personal data, the ICO may want to see evidence of the standards of IG which you are achieving. The results of the DSPT are also available to NHS Digital, who may audit and analyse the scores in order to identify organisations which need further support.

Review of Action Points from the Previous Session

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DSPT action plan and ensure activities are scheduled in to meet compliance by 31 March 2019

Work covered this week

1) How to register with the DSPT?

If you have not already done so you can register your practice here:

You will need to provide an email address and your practice code, in the form E85074.

2) What Sections should I complete?

There are a large number of sections, but in the first instance you should start with those items which are identified on the site as compulsory.

3) Where can I find further support?

There are a number of different support options, which include:

  • Workshops
  • Webinars (to be advised)
  • This blog
  • NWL IG team
  • IT Team
  • DPO


A number of practices have started working through the DSPT sections. In the first instance we have agreed to put our heads together to see which areas practices might need help with and which ones require specific input from the IT teams. We want to draw from the experience of those who have completed various sections or who have drawn up policy documents, so that we can share good practice and avoid the need for many practices to ‘reinvent the wheel’. Once we have looked at the requirements in the compulsory sections we plan to hold a workshop, initially with some of the Ealing practices, to walk through the process. There will be an expert panel from the IG and IT teams and a question and answer session. We are planning similar workshops across the other CCGs, and as we develop a better understanding of the requirements we will use this blog to share:

  • learning points
  • policies, protocols or template documents which can be shared
  • webinars or other online learning resources

Over the next few months we plan to develop and add to a DSPT Support Page.

NWL IG and IT teams:

You can ask questions of the NWL IG team through the support email below, and we will put these and the answers into a DSPT section of the FAQ. You can also get support from your IT team using the same email.

Data Protection Officers*:

Working through the DSPT and the final sign off of the DSPT will require input from your DPO. The current situation with a single interim DPO covering NWL will not allow that level of engagement at practice level. GPs need to take early action to appoint DPOs and as data controllers they are responsible for the costs of employing them and will need to budget something in the order of £1500 to £2500 per average practice to cover this. There has been some consensus among GPs that it would make little sense for individual practices to recruit their own DPOs and it will be better to deploy a shared DPO service at borough level or across NWL.

If either the federations or NWL were to undertake this role, they would levy their GPs for provision of the service. This has been discussed in some of your networks and is also being debated in Federations and NWL CCGs, who are looking into the most efficient and cost effective way of providing such a service. We are also seeking further national guidance on this and are in contact with the LLMC, and will update practices at Network level and on this blog as more information becomes available.

*[Update March 2019 – Since the details of the new GP contract have been released, the responsibility of providing and employing DPOs will rest with CCGs who are currently exploring ways to augment the current service]


Output Documentation

Learning Points

  • The DSPT (Data Security and Protection Toolkit) must be completed by 31/03/2019, and work towards this and GDPR compliance will require a minimum of 2-3 months preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level early in the New Year to support your work towards signing off the DSPT.

Practice Checklist

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here
  • To do 46 – Start working though the sections completing only the compulsory sections in the first instance

Summary Blog – No. 11


The past 10 weeks have seen us work through the core aspects of good information governance, which will allow you to demonstrate that your GP practice is compliant with GDPR and the new Data Protection Act 2018. We have stressed that this is not a one-off exercise but a process which needs to be kept under constant review and that you need to have systems in place which monitor and maintain the standards you apply in managing your patient and staff data.

This week we looked at what we have covered, key timescales, and support you will have going forward.

Review of Action Points from the Previous Session

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Work covered this week

1) How will your compliance with GDPR be assessed?

As yet we do not know what exact form this will take but there are three scenarios where it may be put to the test.

  1. At your next CQC inspection, you will be asked to show evidence to support your compliance with GDPR.
  2. If you are the subject of a complaint related to how you manage personal data, the ICO (Information Commissioner’s Office) will want to look into your compliance with the GDPR.
  3. Your practice needs to complete the DSPT (Data Security and Protection Toolkit) by the 31st March 2019. This is the successor to the IG Toolkit.

Your next CQC inspection may not be imminent and you might never be the subject of a complaint as a result of a data breach. However, the DSPT deadline on this coming 31st March is a certainty for which you MUST ALLOW TIME AND RESOURCE TO PREPARE. See below.

2) Compliance with GDPR

As the GDPR came into effect on the 25th May 2018, the Information Commissioner’s Office (ICO) would expect organisations to already be putting policies and procedures in place to meet the requirements; however, they have stated that they did not expect every organisation to be compliant as of the 25th May. If an incident did occur, they would take into account what your organisation has done and is pro-actively doing to ensure the protection of personal data. Evidence of the work undertaken within these blogs would therefore serve as a strong indicator to the ICO that you, as an organisation, take data privacy seriously, and they would take this into consideration when deciding any regulatory action.

3) Compliance with the new Data Security and Protection Toolkit

Whilst compliance with GDPR has no set date or pass/fail monitoring system, the new Data Security and Protection Toolkit (DSPT) is a replacement for the old NHS Information Governance Toolkit. All organisations which process NHS data must complete this by 31 March 2019. The good news is that this follows many of the principles of GDPR, so the majority of what is covered in these blogs is what is required by the DSPT. The two main areas which aren’t are IT security and compliance with the National Data Guardian reports, the former of which you will be able to gain evidence for from your IT supplier. In effect, the DSPT will be the first tangible hurdle which will formally assess practices’ compliance with GDPR.

In order to assist you with this, we have put together a work plan for the Toolkit and matched the requirements against the relevant blog post. You should, therefore, be in a strong position once the work identified in this blog has been completed. This work plan can be found in the output documentation of this blog.

4) Allow a minimum of 3-months preparatory work to become GDPR compliant

The requirement may vary from practice to practice, but our two small practices (4000-5000 patients each) have required the following per practice:

These figures are not definitive and will vary depending on your practice set up. We have provided a more detailed spreadsheet listing specific tasks and personnel which can also be used to track and monitor allocated work to completion (below). The headline figure is that you should allow a bare minimum of 3 months to complete this work and so if you have not yet started, you must make plans to be underway by the New Year.

The other important requirement here will be to have a DPO in place who, at the end of the year, should be in a position to assess and “sign off” the work you have done towards GDPR compliance and the DSPT. The DPO who is currently holding an interim post will not have the resource to cover all NWL practices, and our advice is that you should also plan to appoint a DPO at CCG or Federation level by the New Year.

5) Support going forward

This will be our final blog in conjunction with our external IG experts, however, there is still support available to you going forward.

  • The FAQ document, which can be found in the resource area of this blog. This should be your first port of call in the event you have a question.
  • The NWL Information Governance Blog, which will continue to be monitored and updated
  • Email, if you have any questions which are not answered in the blog or FAQ. The response will then be added to the FAQ.
  • The Data Protection Officer for all General Practices across NWL will continue in post and can be contacted at the email address above. You will be notified of any changes to this arrangement. It is important to recognise that this role will not provide the capacity to sign off all DSPTs at the end of March 2019, before which there will be a need for practices to appoint DPOs either at practice, federation or CCG level.

Finally, we have created a shortened summary version of the blog, and an action plan against each to-do requirement with the anticipated resource this will take.


Output Documentation

Learning Points

  • You should have systems in place which monitor and maintain the standards you apply in managing your patient and staff data
  • You will be required to show evidence of your GDPR compliance at your next CQC inspection
  • The DSPT (Data Security and Protection Toolkit) must be completed by 31/03/2019, and work towards this and GDPR compliance will require a minimum of 3 months preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level by the New Year to support your work towards signing off the DSPT

Practice Checklist

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DSPT action plan and ensure activities are scheduled in to meet compliance by 31 March 2019

Layered Fair Processing – No. 10


Being transparent with individuals about how their personal data is used is a key aspect of privacy and confidentiality law. GDPR introduced transparency as a new requirement in the first data protection principle, which states that processing must be ‘fair, lawful and transparent’. Information communicated to individuals should be provided in a layered approach, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The first “layer” is an A3 notice containing the headline principles of sharing, which then signposts documents containing progressively more detailed information on both your website and CCG based sites.

To meet common law duty of confidentiality expectations, patients should also be aware and have a reasonable expectation that their information will be used for specified purposes if implied consent is to be used as the lawful basis.

Patients should have confidence about how their medical information is used, be aware of which purposes it’s used for, and understand the rights that they have in relation to their information. The NHS Constitution states that patients have the right to be informed about how their information is used. It is vital that patients trust how we use their data.

This week we looked at what information we need to provide our patients and the methods we can use. We have provided exemplars to help practices meet these requirements. We have updated the Fair Processing Notice (synonymous with ‘Privacy Notice’) in poster form and revised the more detailed document which can now replace your interim privacy notices on your websites. Where possible, when explaining how we use their data, we should use principles rather than specifics and try to give consistent advice, so that patients get the same message across a range of community healthcare settings. We have based the updated Privacy Notices on a detailed assessment of the data flows, information asset registers and records of processing in two local practices. We believe these will now cover most of the bases for how GPs in NWL share patient data. However, it is important, if you are sharing data in ways which are different from the norm, that your own Privacy Notices reflect this. Please let us know if you identify any omissions which you think should be included for yours or for other practices.

As with other GDPR undertakings, Fair Processing Notices are not just a tick box exercise. We need to be having a rolling “conversation” with our patients explaining how their personal data is used to support their healthcare and this can and should be delivered through a variety of different media which include but are not limited to:

  • Direct conversation
  • Paper and electronic documents
  • YouTube videos
  • Social media
  • Radio/TV and other ‘broadcasting’
  • Public engagement meetings

Meaningful and regular communication through various media and in different settings is one of the most important aspects of GDPR. Once our patients understand how their information is processed and know how to exercise choice, consent becomes almost academic. This remains an area we need to improve on and in addition to your input at the practice level, there are plans for a London wide campaign to promote better understanding of how we share records.

Talking about record sharing in our practice meetings will help improve staff understanding and enable them to better signpost and support patients.

Review of Action Points from the previous session

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required


Work covered this week


Where information is collected from the data subject, GDPR details the information that needs to be provided to data subjects in Article 13, including:

  • Contact details of the controller and the controller’s data protection officer
  • Purposes of processing
  • The lawful basis for processing
  • Recipients of personal data
  • Retention of data
  • Data subject rights

Much of this information should already be held in the organisation’s Information Asset Register and records of processing, which help to inform the fair processing material. GDPR mandates that all this information is provided, albeit in a variety of ways and at varying levels of detail. Therefore, all this information does not have to be provided in every single document, but it is essential that all of it is provided and easily accessible somewhere. How this can be presented is discussed below.

Content should be aimed at differing levels of understanding and capacity, especially when it relates to processing of children’s data. Therefore, consideration should be given not only to the content but the language used to provide the content. Fair processing information could be provided and discussed in patient engagement groups to ensure it is understood by patients with no NHS or privacy background.


Providing information to data subjects can take many forms and can no longer only be a statement on a website. In Practices, one of the most effective methods to provide high-level detail to patients is via easily readable posters in the waiting rooms or offices. This can include the basics which patients need to know, including the purposes their information is used for, who it may be shared with, and the key rights associated to their data, such as an objection to processing and access to their records. Such high-level materials can then provide information on where to get more information if required.

To ensure all information that is referred to in the Content section (above) is available, a larger document can then be produced which covers this. This can be made available on organisation websites as well as in print form for those data subjects who do not have access to the internet. Given that information must be provided to all, it would also be advantageous to have this available in different languages, either translated and provided in a separate document or via browser software such as Google Translate, allowing the data subject to have it translated at the point of use.

These methods will primarily reach those who actively visit Practices or Practice websites, so consideration should also be given to reaching those who may have limited contact but whose personal data is still processed. This could include taking out high-level advertisements in local media, using local advertisements in public areas or postal campaigns. A simple way of informing patients of where to access such information could be a statement in the footer of all headed letters sent out by the Practice.


Output Documentation

A number of documents have been produced to give Practices a starting place to inform their patients of the processing taking place. These include:

PLEASE NOTE: These are based on information analysis from two GP Practices. You should review them to ensure that they include all data flows within your own practice, and check that all the purposes you use data for are covered. If you identify other data flows or other purposes which have not been included, please let us know. We will wait for a further 2 weeks to receive any feedback before finalising the content of the A4 Fair Processing Notice and printing (and formatting with updated links) the A3 posters for use across NWL GP practices.

Learning Points

  • Your Practice should have an up to date fair processing campaign
  • This information should be available to patients in both electronic and paper form
  • Fair processing information must be available at both high level and detailed level

Practice Checklist

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Right of Access – No. 9


Obtaining access to their own information is one of the most exercised rights afforded to data subjects. Those rights have changed under the new data protection legislation, making it easier for them to access their medical records.  Controllers can no longer charge for providing data subjects with their personal data and have to respond within a month when previously they had 40 calendar days.

This week we look at how to manage these requests, how GP systems can be utilised to help compliance, and how to manage requests which aren’t always straightforward.

What would be the cost to your practice of a large number of patients requesting Subject Access Requests (SARs), to which you are obliged to respond without charge? Those costs will be minimised by not having to print out and post reams of paper records, and this can be achieved by allowing patients access to their full record – electronically. There remains a resource issue related to checking the records, but the effort of doing so would have other benefits. How much time would be freed at reception if your patients had instant access to their results without having to telephone first?  Could we train non-clinical staff to identify (and flag) third party or harmful data and might such a role be centralised?  Why not consider these issues at your practice and discuss ways of delivering solutions at scale in your network meetings and with your CCG and Federation? More below.

Review of action points from prior session

  • To do 26 – Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 – Conduct a physical audit in your practice – test staff awareness and processes, to see if there are any potential information risks or training needs
  • To do 28 – Review the example information risk register and update for your practice
  • To do 29 – Review the Information Governance Staff Handbook to check you are following best practice; if not, update your information risk register
  • To do 30 – Discuss the future provision of a DPO for your practice (at a practice or CCG or Federation level) and if you have not done so already make arrangements to appoint one in 2019.
  • To do 31 – Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian)
  • To do 32 – Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and the roles the breach is reported to.
  • To do 33 – Review NHS Digital’s Incident Reporting guidance, and ensure you follow it.

Work covered this week

Right of Access

GDPR provides a right of access to individuals for a copy of their personal data held by a Data Controller. As Data Controllers, GP Practices must now supply a copy of all information they hold about an individual on request for no fee and within a month.

Since March 2016, it has been a contractual obligation to allow patients access to their medical records via the organisation’s Patient Online system (SystmOne or EMIS). Both clinical systems allow patients to register and access all information held about them, which will ensure they have up to date and timely information at hand. Many patients currently use Patient Online to book appointments and obtain prescriptions through the Electronic Prescription Service (EPS), but a smaller proportion use this system to access their medical record. Allowing access to electronic records is not a binary decision and there are significant resource implications. You should have a system in place for allowing patients to apply for access to their records online, and any system you have should take into account the resources required. The priority you place on this process will be decided by the practice partnership. If resources are limited, you can and should have a waiting list. However, it is worth recognising that if a patient does request electronic access to their record and this is declined (put on a waiting list), they are entitled to request a SAR, and practically speaking the quickest and easiest way of responding to this within one month will be to provide them with full access to their record through Patient Online. If your practice requires help in providing this service there is a wealth of useful information from the RCGP, which is signposted below in the Resources section.

Where an adult patient is requesting access to their own records online, you should be assured that they are who they say they are. In most cases this will be by them providing two forms of ID: one photographic (such as a driving licence or passport) and one showing their address (such as a recent utility bill). If you can vouch that the person is who they say they are (for example, they regularly come to the surgery), then this can also be a form of assurance before granting access.

Coded Data or Free Text?

SystmOne allows the patient to have access to either only their Read-coded data or a copy of the full record including free text. Each Controller should make a decision regarding whether they want patients to access just coded information or additionally the free text. As we have already noted, patients have a right to request the full record, and the coded information on its own would be insufficient to provide a response to a SAR.

Before access is granted, it is essential that the information on the record is reviewed to ensure that it is suitable to be disclosed to the patient. The right of access is not an absolute right, and information can be withheld in a number of limited scenarios, including where it is regarding third parties, or where it could be considered harmful or distressing to the patient to disclose. It is noted that this could cause resource issues, however, this is something that should be weighed up against the resource of handling requests for access in paper form now that no fee can be charged.

Specific data entries can be hidden from the patient’s view in online access, so it is important to ensure each query in a given consultation is recorded as a separate entity (a new section), so that if the information does need to be redacted later this can be done at a more granular level.

Access by Proxy

Access to children’s records

It is important to note that the right of access always applies to the data subject, so there is no automatic right for a parent to access a child’s record. However, if an adult has parental responsibility for a child or is a legal guardian, a GP can make a decision about whether to allow the individual access to the child’s record if it is in the child’s best interest. There is no statutory age in England and Wales at which a child is considered to have sufficient understanding to exercise their right of access; however, the new data protection legislation does stipulate that from the age of 13 a child will be deemed to have the capacity to consent to the use of ‘information society services’, which online access to records can be considered to be.

Therefore, any request for access to records by a parent or legal guardian where the child is under the age of 13 should be considered on a case by case basis, taking into account whether the child may have the capacity to understand the effects this may have and request their information is not shared with their parents.

Where a child is between the age of 13 and 18, again this should be on a case by case basis but it is generally assumed the child will have the capacity to decide whether the parent/legal guardian can access their record. Such requests should be granted and the parent’s consent only asked if the child is deemed to lack capacity or if the clinician feels that it is in the best interest of the child.

Access to elderly patients/adult lacking capacity

Where a request comes to access the records of an elderly individual (such as a son or daughter requesting access to their elderly parent’s records), the individual should always be assessed as to whether they have the capacity to make such a decision themselves. If not, you should assure yourself that the person requesting access to the record has either Power of Attorney or a court order, or that access is in the patient’s best interest. It is important that you and your staff understand that these elderly patients are vulnerable and that on occasion such requests can be open to abuse. Where there is capacity you should ask direct questions to ensure there is no coercion, and where there is not capacity you should always be mindful of the possibility of coercion.

Real life case study

In 2016 a GP Practice was fined £40,000 for disclosing confidential information during a subject access request. The disclosure to a child’s father also included information relating to the mother (who had separated from the father and had asked the Practice not to disclose her whereabouts), including her contact details, information relating to her parents and another third party. The Information Commissioner’s Office found that the Practice had insufficient systems in place to manage such requests.

Therefore, in circumstances where there may be concerns regarding safeguarding, domestic violence or other such situations which could cause harm to individuals, every effort should be made to ensure the disclosure is appropriate and lawful.

Do remember, before allowing a patient or guardian access to clinical records you must be certain that:

  • They are who they say they are
  • They are allowed access to the requested record
  • The record given to them does not contain harmful or third-party data


There are a series of eLearning modules available via the RCGP eLearning website below. These include courses on coercion, identity verification, proxy access, children & young people, overview and benefits protecting patients and practice and online access for clinical care.

General Resources

Output Documentation

Learning Points

  • Your practice should have an up to date access to records policy
  • You should have a system in place for allowing patients to apply for access to their records online
  • That system should take into account the resources required

Practice Checklist

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required

Next session on 04.09.18

(Blog No. 9 due 11.09.18)

Taking all of the patient data identified in earlier blogs which is being processed through the practice, and looking at the ways in which we use that information we can now draw up a final Fair Process Notification.


Managing Risk – No. 8


Introduction and comments

Information is valuable to primary care and the NHS as a whole, as it allows us to treat and protect patients, as well as to design and provide them with the best possible services. It is important for practices to understand what information they hold, why they hold it and what safeguards are in place to protect the data. By doing so we can ensure that information is used in a secure and lawful manner to prevent information breaches, as well as keeping our patients’ trust.

This week we looked at information risk management and revisited the role of the Data Protection Officers (DPOs) and the reporting of breaches and serious incidents.

Review of action points from prior session

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The list of contracts you listed for Blog No. 5 will require an assessment of compliance against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter, send the letter and checklist template to the provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log-in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Work covered this week

Information Risk Management

Information risk should not be treated differently from any other risk to the practice, whether financial or workforce risk. You will already have risk management processes set up. We need to check whether information risks have been recorded within your risk registers and that mitigating controls have been put in place.


Where will information risks arise prior to a breach happening?

From the activities noted in Blog No.2 – Information Asset and Data Flow Mapping and Blog No.3 – Data Protection Impact Assessments (DPIAs), we have added possible risks to the practice and / or have identified risks from the DPIAs undertaken.

You may also conduct a physical audit of the practice to test staff awareness and processes to establish whether there are any potential information risks or training needs. These activities will enable you to identify risks and also demonstrate good evidence for your Data Security and Protection Toolkit.

We have developed an information risk register. This lists the information risks we have identified at this practice and shows examples of the different types of risks. The Information Governance Staff Handbook should also be reviewed as this also details good practice for mitigating information risk to your Practice.


Data Protection Officer (DPO) in relation to GP Practices

To support the Information Risk Management process, there is a need to establish a structured framework and reporting mechanism. To meet the requirements of GDPR and the Data Security and Protection Toolkit, each Practice is required to appoint individuals to roles to support this framework and to deliver compliance.

GP Practices are considered Public Authorities under the provisions set out within Schedule 1 of the Freedom of Information Act 2000. This is due to the processing of Personal Confidential Data for the NHS. GDPR specifies that all Public Authorities are required to appoint a Data Protection Officer (DPO).

The activities of the DPO within General Practice are detailed within the Information Governance Alliance GDPR guidance note for GPs and also their GDPR: Guidance on the Data Protection Officer.

Primarily the DPO should deliver independent advice and monitor processing activities and practice. Due to the independent nature of the role, here are some activities the DPO can and can’t do:

It is a requirement for the DPO to monitor processing activities to ensure compliance with GDPR. The Practice is required to submit their DPIAs, Information Assets and Data Flow registers, risk registers and incident logs to the DPO on a regular basis so that the DPO can monitor compliance with the Data Protection legislation and prevent personal data breaches.

For the activities that the DPO cannot undertake, the Practice should ensure that there is a decision-making function and approval process in place. This is likely to be your Practice Caldicott Guardian.

As part of the Caldicott function, the Caldicott Guardian should be aware of processing activities, information risks to the Practice or any risks that would have any privacy implications to data subjects. The Caldicott Guardian can approve information sharing agreements, contracts and breach investigation reports. The Caldicott Guardian should be the Practice’s first point of contact on Information Governance/GDPR matters.

Your Practice’s DPO [Action point]

As you are aware NWL CCGs have appointed a single DPO as an interim measure to help meet this responsibility, until Practices decide on how they wish to provide this service themselves. This arrangement can only work in the short-term in conjunction with the provision of GDPR support through this blog and our ability to access subject matter expert opinion through an IG consultancy. This is a time-limited resource and one which will reduce after November 2018. Whilst further support will continue to be available, this will be limited. It is essential that practices understand that it is a legal requirement for them to appoint a DPO who will be able to provide the services outlined in this blog.

Practices may decide to provide a DPO themselves, or consider a shared role across a CCG or federation. We have reminded CCGs about the limited timescale for implementation of DPOs to cover their GP practices in 2019, and are canvassing them for further support. We encourage NWL primary care health care communities to discuss this important issue at their CCG member meetings.

Information Governance Breaches and Serious Incidents

The Practice should ensure that robust mechanisms are in place for the reporting and monitoring of information breaches, whether they are serious or near misses. GDPR defines a breach:

Article 4(12) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Here are some examples of breaches or near misses:

In the event of a personal data breach, the individual should follow the Practice’s Incident Reporting policy. The policy should include the reporting mechanism and the roles the breach is reported to. The Practice should also follow NHS Digital’s Incident Reporting guidance.

The table below details the severity of breach which is required to be reported to the ICO or whether it can be dealt with locally. This is the reporting detailed within the new NHS Digital Incident Reporting guidance. It is a requirement that all Practices follow NHS Digital’s guidance on incident reporting.


The reporting mechanism is through the Practice’s Data Security and Protection Toolkit.

Reporting Structure:

GP Practices are required to report breaches through several mechanisms/bodies.

All levels of breach are required to be logged as a Serious Incident on the Strategic Executive Information System (StEIS), which acts as a learning portal for the NHS, and at Practice level through incident report forms/logs. Subsequent risks should also be included within the information risk register. These will need to be provided to the DPO on a regular basis to assess whether the mitigating actions are effective and the risk minimised.

Should a potential or actual breach occur, please consult the Caldicott Guardian and the DPO.

Resources Used

Output Documentation


Learning points

  • The earlier data flow mapping exercise and DPIA should provide much of the information required for information risk management.
  • Your practice must appoint a DPO.
  • Be aware of what your DPO can and can’t do and ensure your Caldicott Guardian is aware of their responsibilities.
  • NHS Digital has issued a guide on incident reporting which must be followed.
  • All levels of breach are required to be logged on StEIS and on Practice incident report forms/logs.


Practice checklist

  • To do 26 Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 Conduct a physical audit in your practice – test staff awareness and processes, to see if there are any potential information risks or training needs
  • To do 28 Review the example information risk register and update for your practice
  • To do 29 Review the Information Governance Staff Handbook to check you are following best practice, if not update your information risk register
  • To do 30 Discuss the future provision of a DPO for your practice (at a practice or CCG or Federation level) and if you have not done so already make arrangements to appoint one in 2019.
  • To do 31 Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian)
  • To do 32 Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and roles the breach is reported to.
  • To do 33 Review NHS Digital’s Incident Reporting guidance, and ensure you follow it.


Next session on 30.08.18

(Blog No. 9 due 04.09.18)

We will be looking at how we provide electronic access to patient records in routine circumstances and the issues around providing proxy access for children and patients who may lack capacity.


GDPR Accountability – No. 7


Introduction and comments

We made a change to our schedule this week, and instead of fair processing we have looked at the levels of accountability which we are required to demonstrate following GDPR:

  1. Practice accountability – the technical and organisational measures that need to be in place in order for us to be able to demonstrate this.
  2. 3rd party supplier accountability and contract management.

We will cover fair processing in a later blog and you can view the updated timetable here.

As an aside, we have continued to get many questions related to GDPR, and a recurring theme has been how to respond to various scenarios related to Subject Access Requests (SARs). I wanted to take this opportunity to clarify an important principle related to whether or not practices can levy a charge for SARs. We had previously, and in retrospect incorrectly, reflected an observation that it should be the purpose of the information which guides the decision to charge and if that purpose is the production of a medical report (regardless of who generates the report) then the practice can make a charge. We have now discussed this with the ICO and have had clarification that practices should only charge when they themselves are creating a medical report. In summary, then, we cannot charge a lawyer or insurance company who are requesting information on behalf of the patient even if that purpose is for the production of a medical report unless we have been asked to generate that report.

How to manage the significant resource which will fall to general practice as a result of SARs remains a thorny problem. We believe that the best way forward in the longer term will be to prepare our medical records and share them widely with our patients so that SARs can be responded to through this mechanism. Here is a thoughtful blog about that subject which we recommend you read, which recognises that this is not a straightforward process and highlights some of the challenges ahead.

Access to your Medical records online – It’s hard work for practices, even to do the right thing….

Review of action points from prior session

  • To do 18 Check your renewal date for registration with the ICO; you will need to change to the new payment regime on renewal.
  • To do 19 Complete the Template Record of Processing
  • To do 20 Check the legal bases for processing for different categories of data
  • To do 21 Using the Policy Document Template, create a Policy Document for each category of data

Work covered this week

1) Measures to demonstrate Practice accountability

Accountability is one of the data protection principles of GDPR. Not only are we responsible for complying with GDPR, but we must also be able to demonstrate our compliance. Whilst this is not a new principle, it is now a legal requirement.

This week we looked at technical and organisational measures which allow us to do this over a range of activities including:

Data Protection Impact Assessments (DPIAs), which we covered in Blog No. 3, can be excellent examples for showing the controls we have in place within our organisation which demonstrate our compliance.

The old IG Toolkit provided a way of evidencing accountability, and this will continue with the new Data Security and Protection Toolkit. It is now a mandatory requirement for all organisations that process NHS data to complete the Data Security and Protection Toolkit, which has been updated to include GDPR and also contains new recommendations to increase cybersecurity.

The new toolkit can be found here and this must be completed and submitted by 31st March 2019. As before your IG lead will be required to sign your practice up to the toolkit. The difference this year is that instead of this being a process of self-declaration “Yes we have done it”, there will now need to be external validation “Show us how you are compliant with the following requirement”.

CCGs are required to ensure that GP Practices are compliant with the Data Security and Protection Toolkit, so will be monitoring GP Practice compliance on an annual basis (after 31st March of each year). The specific nature of the external validation processes is yet to be clarified, but CQC inspection will almost certainly require evidence that the IG toolkit has been assessed and validated by an external assessor. The toolkit itself will help practices to demonstrate the actions they have taken to meet GDPR requirements and will be a repository which will allow scrutiny of any supporting evidence.

We will be revisiting the IG toolkit in a later blog and will provide templates to help you collate evidence for your Data Security and Protection Toolkit submission, which will be shared on this website.

2) 3rd Party Supplier and Contract Monitoring

As part of the principle of accountability, there is a requirement for data controllers to show that they monitor the performance of their data processors. This links in with the work we have done on DPIAs (Blog No. 3 DPIAs) and Contract Reviews (Blog No. 5 ISA & DPA).

Where processing is taking place, you should ask the third-party supplier for the independent audit of their Data Security and Protection Toolkit (this should be in the contract Terms and Conditions). The Template Data Processing Terms and Conditions (Crown Commercial Service templates) were provided in Blog No. 5.

Some of these data processing services may have been commissioned by the CCG and will have had contractual details as part of the commissioning process. In these circumstances, compliance should be monitored by the CCG as the organisation which has commissioned the service. You should ask the CCG for their validation/review of provider/supplier compliance.

When working on the contract reviews we stated that Practices should be using the Crown Commercial Service templates, which would include those Terms & Conditions. Whilst there is a processing agreement between GPs and EMIS as their data processor, there is not a similar arrangement with TPP. NHS Digital has advised that in the case of TPP this has been covered by local call-offs that are signed by CCGs, in addition to a signed deed of undertaking which protects individual GPs against supplier data protection breaches.

Most data processors will be using the Data Security and Protection Toolkit (previously the IG Toolkit), and the monitoring should be a simple matter of them providing you with their Toolkit compliance report.

If they are not taking part in the Toolkit or have not done an audit and you need further assurance, you can use a Provider Assurance Monitoring Checklist. We have included two checklists – one for NHS data and one for non-NHS data (employee). Note that most processors will be using the Toolkit and the monitoring should be a simple matter of them providing their Toolkit compliance report. The checklist below is more detailed but should not be required in the majority of cases of processors dealing with NHS data. We have also included a letter template for you to send to your third-party processors with the checklist.

Practices must monitor responses (you can use the Contract Log), and if there is sufficient assurance set an annual review date. If the response is inadequate and shows a level of non-compliance, send a second letter detailing the specific requirements to be met by a given date. State that if the requirements are not met you will consider termination of the contract, a financial penalty (if included in the contract T&Cs) or reporting data security concerns to the ICO.

Resources Used

Output Documentation

Learning points

  • This week’s activity provides an opportunity to review any DPIAs to make sure they are comprehensive and meet the accountability requirements by detailing the technical and organisational measures in place in your practice.
  • The Data Security & Protection Toolkit must be submitted by 31 March 2019
  • Evidence of assurance must be obtained from third-party data processors either through a Data Security and Protection Toolkit assessment or from the response to the checklists stated above.

Practice checklist

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The list of contracts you listed for Blog No. 5 will require an assessment of compliance against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter, send the letter and checklist template to the provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log-in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Next session on 23.08.18

(Blog No. 8 and No. 9 due 28.08.18)

We will be covering two topics next week – reporting mechanisms through the DPO and access to records by children. There will be two separate blogs covering these subjects.


Record of Processing – No. 6


Introduction and comments

This week we looked at ‘record of processing’ which is a new requirement under the latest data privacy legislation. We also looked at the production of a Policy Document for the special categories of personal data (Data Protection Act 2018).

In case anyone is wondering where the timetable posting in “What, When and How” has gone, as it slipped off the list of recent blogs it has now been put as a menu item at the top of each page.


Review of action points from prior session

  • To do 14 Using the Information Asset Register you made in Blog No. 2, draw up a table identifying the contracts/DSAs/ISAs required for review.
  • To do 15 Review the contracts you have in the practice to ensure they are GDPR compliant using the exemplars and the checklist (see resources used).
  • To do 16 Where contracts should be in place but have not been found, use the template letter to write to the contracted organisation requesting a GDPR compliant contract.
  • To do 17 Check the returned contracts from any external organisations you have contacted against the checklist provided.

Work covered this week


1) Record of Processing

What is a ‘record of processing’?

Under the new data protection regime, data controllers must now pay the Information Commissioner’s Office (ICO) a data protection fee. This fee replaces the need to ‘notify’ or register (as was the case under the DPA 1998). For further information on data protection fees, please visit the Information Commissioner’s website:

There is a new requirement for Data Controllers to retain records of processing. This includes the purpose of processing, data sharing and retention. The Record of Processing must be made available to the Information Commissioner if required.

What information needs to go into a record of processing?

The following items must be included in your record of processing:

  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

You can also use the record of processing to document your compliance with other aspects of GDPR and Data Protection Act 2018.

How do we complete a record of processing?

Your Information Asset and Data Flow registers (see Blog No.2) contain the information needed to complete the Record of Processing.

Use the template provided.

If you add a new information asset or flow, you will also need to update your record of processing at the same time.

You can publish your record of processing on your website. It can support your transparency requirements (Fair Processing/Privacy information to data subjects).

What do you need to consider?

Public authorities (including GP practices) cannot use ‘legitimate interest’ as a legal basis for processing.

You must identify the legal basis (Article 6 GDPR) for processing personal data from the list below.

You will need to consider lawful bases in relation to the assets and flows and this needs to be incorporated within the record of processing.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Special categories of data

For processing special categories of data (such as racial or ethnic origin, data concerning health etc) you also need one of the following legal bases (Article 9 GDPR).  The legal bases in bold are the ones which you are most likely to use.

  1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. processing relates to personal data which are manifestly made public by the data subject;
  6. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards
  9. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.


For certain other types of data e.g. DBS checks for employment and Health Data, you require another legal basis under the Data Protection Act 2018. These are detailed in Schedule 1 of the Data Protection Act 2018. Most likely it will be one of the following, but it is important to check when carrying out this exercise.

Employment, social security and social protection

1.1 This condition is met if —

(a) the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b) when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

Health or social care purposes

2.1  This condition is met if the processing is necessary for health or social care purposes.

2.2  In this paragraph “health or social care purposes” means the purposes of

(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee,
(c) medical diagnosis,
(d) the provision of health care or treatment,
(e) the provision of social care, or
(f) the management of health care systems or services or social care systems or services.

Template Record of Processing

2) Policy Document

There is a legal requirement for you to have a policy document for the special categories of data listed within Schedule 1, DPA 2018 that you process. This policy document must be referred to within your Record of Processing. This policy document demonstrates that you meet the requirements of the Data Protection Act 2018 and must be retained for the data retention period plus six months.

What is needed within the Policy Document?

  1. Explain how the Data Controller’s procedures (for this asset) comply with the six GDPR principles (see the Policy Document Template for the list of six principles); and
  2. Retention and erasure information.

If it is decided that you will not comply with the retention and erasure processes, you will need to record the reason why within the record of processing.

Policy Document Template


Resources Used

Output Documentation

Learning points

  • There is no longer any need to notify/register with ICO, but on renewal, you will still need to pay a fee as a Data Controller.
  • There is a legal requirement to keep a record of processing.
  • Legal bases for processing must be documented in the record of processing.
  • New data assets and flows must be updated in the record of processing.
  • There is a legal requirement to have a policy document for each category of data processed.

Practice checklist

  • To do 18 Check your renewal date for registration with the ICO; you will need to change to the new payment regime on renewal.
  • To do 19 Complete the Template Record of Processing
  • To do 20 Check the legal bases for processing for different categories of data
  • To do 21 Using the Policy Document Template, create Policy Document for each category of data

Next session on 16.08.18

(Blog No.7 due 21.08.18)

We have a three-week break, and the next session will be mid-August when we will be looking at our fair processing notices (privacy notices).


The ISA and DPA – No. 5

Introduction and comments

This week we looked at Information Sharing Agreements (ISAs) and Data Processing Agreements (DPAs). A note first on definitions and terminology. Whilst information is often considered processed data, in this context they mean the same thing: so, an ISA might also be referred to as a Data Sharing Agreement (DSA) or a Data Sharing Protocol (DSP).

Under the section “work covered this week” we are discussing the basic difference between ISAs and DPAs in general practice. We consider when processing is done on our behalf directly – which requires an agreement or contract – and when it is done indirectly where a deed may be needed.

The main thrust of this week’s work is: to know when we need agreements or contracts in place for sharing or processing data; and to develop a checklist which identifies those agreements and ensures they are up to date and compliant with data protection legislation (DPA 2018 and GDPR). Creating the checklist can be done easily as part of this week’s work. Identifying the necessary contracts and agreements may involve contacting external organisations and reviewing existing documentation, and is more likely to be a process which happens over a period of months. We will revisit this task in one of the later sessions to ensure that it is ‘closed’.

This week we cover a lot of information and work and there are two sections:

  • Theory; and
  • Practical.

Please read the theory section, but if you are keen to identify the work ahead, this is in the practical section.

Review of action points from prior session

  • To do 12  Review your Individual Rights Policy and procedures and update using advice and examples provided.
  • To do 13  Review and update your SAR policies and procedures.

Work covered this week (the theory)

Information Sharing Agreements

Information Sharing Agreements are used when two or more data controllers share data. An example is shared care records, where GP Practices and Trusts share the data they have collected to use either for a joint purpose or for their sole benefit.

ISAs facilitate the sharing of personal confidential data by setting out good governance mechanisms and each party’s expectations of each other. They are not usually legally binding unless incorporated within a contract but are intended to define good practice. The Information Commissioner’s Office (ICO) has published a Data Sharing: Code of Practice which includes details on what is required within an ISA. Wherever possible, be guided by these codes of practice. They show that you have considered all the necessary elements, and in the worst-case scenario of managing a complaint, you get the additional assurance that the ICO will support your approach.

From a DPA/GDPR perspective, little has changed with regard to ISAs, as they are not a statutory requirement. However, they should be considered a useful technical mechanism, which enables organisations to have secure and lawful controls to share and process data. It is important to update current ISAs to reflect the changes within GDPR and the 2018 Data Protection Act (DPA 2018). For example, organisations which previously documented ‘legitimate interests’ as a legal basis within their ISA will now need to use ‘processing as necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. This is because public authorities are no longer permitted to use the legitimate interest legal basis for their core functions.

GDPR also removes the term ‘Data Controllers in Common’ as defined within the Data Protection Act 1998. Under GDPR, the definition of Data Controller only includes ‘sole’ or ‘joint’. You may need to change these terms, depending on which is more appropriate for a given situation. For an integrated care record, the parties will share their data but may allow each other to read and write into the system. In this system, it is likely that the parties would be joint data controllers. If you search ‘In Common’ in your DSA that should bring up the term you need to review each time.

Data Processing Agreement or Contract

What is processing?

Processing includes a wide range of activity: creating, handling, storing, analysing, retaining and destroying data, and it doesn’t matter whether the records are electronic or paper.

Data Processing Agreement/Contract

Data Processing Contracts are used when the Data Controller asks another party to process data on their behalf. For example, the GP Practice is a Controller, but a contracted-out IT team provides technical services to GPs, e.g. implementing systems to hold personal confidential data. Another example would be where a GP Practice wishes to write to their patients about a new service. The GP Practice may want to outsource this activity and ask an external company to write to them on their behalf. In order to do this, the external company, perhaps their Federation, will have access to patient names and address details. In this case, the external company is processing the GP Practice’s personal data, and a data processing agreement or contract is required by law to detail the parties and the processing activity. Note that the GP Practice isn’t sharing the data with the GP Federation; they are asking the GP Federation to process on their behalf, under their instruction. These examples are Data Controller to Data Processor relationships. Data Processing Contracts or Agreements (DPCs/DPAs) are legally binding, and these types of contract have always been a requirement of privacy legislation. GDPR stipulates what needs to be included within such contracts, and these requirements are listed in Article 28.

To be valid, contracts require the following three elements:

  • Offer
  • Acceptance
  • Consideration (usually payment for services – see below)

What happens when you do not have consideration?

There may be a scenario where there is no monetary exchange (‘consideration’), e.g. a CCG purchases a service or software which processes personal confidential data on behalf of the GP Practice. There is no exchange of payment between the GP (the Data Controller) and the Data Processor. In this case, a Data Processing Deed will need to be put in place between the Data Controller and the Data Processor (making a formal link between them even though the contract and consideration are handled by another party). A Data Processing Deed is a legal document and binding on both parties. The deed needs to be explicitly ‘executed as a deed’ within the document, and signatures on the deed must be witnessed.

From a GDPR perspective, processors may only process personal data on behalf of a controller where a written contract is in place which imposes a number of mandatory terms on the data processor, as set out in the GDPR. The Data Processor is not permitted to deviate from this instruction.

Contract reviews

Dame Fiona Caldicott, in her Information Governance Review, noted that the contract mechanism is key in providing protection and must be legally enforceable, and so practices should undertake a contract review. This will allow you as Data Controllers to see whether there are adequate data protection and confidentiality provisions within any given contract for the type of processing which is being undertaken.

The contracts should be reviewed, and the risks assessed, based on the organisational context. For example, a cleaner who inadvertently sees personal confidential data for an individual would have a different level of risk than that of a software provider which processes personal confidential data like SystmOne. So, the cleaning contract would not necessarily have the same terms and conditions when compared to a contract with SystmOne.

You only need to undertake a contract review when a processor has provided you with a contract, or you have contracts in place which will need updating in order to comply with the UK’s data protection legislation and the requirements of GDPR.

Work covered this week (practical)

  1. Identify the ISAs and DPAs required for review from our Information Asset Register.
  2. The contracts in our possession are being reviewed as exemplars, and when this work has been done they will be published in the ‘Output Documentation’ section.
  3. Draft letters have been sent to companies asking them to provide us with the contracts where the need has been identified.
  4. Once the contracts have been received, we will review them against the checklist provided, and they will be published under ‘Output Documentation’ in due course.
  5. When these activities have been completed, we will have an up to date Contracts register and/or Data Sharing Agreement register.

We focussed on contracts where the data processor is processing personal confidential data on behalf of a GP Practice. Our first port of call was to review our Information Asset Register, which was drawn up in Data Mapping Blog No.2. This shows whether the assets which have been listed require a contract/Data Sharing Agreement and also possibly a Data Protection Impact Assessment (DPIA), as explained in The DPIA Blog No. 3. The table below lists the circumstances where we need either a GDPR compliant Data Sharing Agreement or an Information Processing Agreement.

DPA/ISA list exemplar

Not every item on this spreadsheet will apply, and each practice will have to check their own asset register. We have included this table as an exemplar (as completed to date by us) in the ‘output documentation’ section and also as a blank template in the ‘resources used’ section. We will need to revisit this document over the coming months as the information becomes available and each contract is confirmed as GDPR compliant. The responsibility for doing so will always rest with the practice, but you can expect services commissioned through the CCG to have a GDPR compliant Data Sharing Protocol (DSP) provided. When looking at contracts between the local provider and your surgery, many of these providers will have their own GDPR compliant contract for you to sign. If your contract is with a small cleaning company, for example, the practice would be required to provide the contract. In this event, the Caldicott contract checklist will detail those sections which are required.

Note: NHS contracts are more than likely to have NHS Standard Contract clauses, and these will not need to be reviewed.

You will only need to review external contracts if there are any variations or changes to the law (as now in the case of DPA2018/GDPR) or when you undertake a new contract. When a service/product is commissioned by the CCG or other parties, you should ask them for the review they have completed on the contract by way of assuring GDPR compliance.

To assess whether the contracts are GDPR compliant, we have used the checklist recommended by Dame Fiona Caldicott in conjunction with the Template Data Processing Terms and Conditions document (see below under Resources Used).

A significant amount of work has been identified in this week’s blog, and this will take some months to complete. As we update our contracts we will publish them for information. Whilst you cannot use these as they are, if you are using the same service or company it will tell you that the contract is available and GDPR compliant and can be signed in your name.

Resources Used


Specific to this blog:

Output Documentation

Learning points

  • ISAs are used when there are two or more Data Controllers sharing data jointly or as a sole data controller.
  • ISAs are usually not legally binding. They are good practice and demonstrate the controls you have in place to securely and lawfully process personal confidential data.
  • GDPR does not change how we use ISAs as they are not a statutory requirement under the law. However, GDPR does change the legal basis for sharing data used by public authorities and also removes the ‘data controllers in common’ definition from the law.
  • GDPR places stricter statutory requirements on Data Processors, and all processing undertaken by a Data Processor requires a Data Processing Contract.
  • Data Processing Contracts are used when the Data Processor is processing personal confidential data on behalf of and with instruction from the Data Controller. These types of scenarios are more likely when one party provides services to another.
  • Data Processing Contracts are legally binding and if there is no consideration, a deed may be used and is legally binding if ‘executed as a deed’ and witnessed.

Practice checklist

  • To do 14  Using the Information Asset Register you made in Blog No. 2, draw up a table identifying the contracts/DSAs/ISAs required for review.
  • To do 15  Review the contracts you have in the practice to ensure they are GDPR compliant using the exemplars and the checklist (see resources used).
  • To do 16  Where contracts should be in place but have not been found use the template letter to write to the contracted organisation requesting a GDPR compliant contract.
  • To do 17  Check the returned contracts from any external organisations you have contacted against the checklist provided.

Next session on 19.07.18

(Blog No.6 due 24.07.18)

Next week we will be looking at records of processing and how data controllers and their representatives need to maintain a record of the activities they undertake in managing the data for which they are responsible.