Category: Uncategorised

General Practice Data for Planning and Research – No.23

General Practice Data for Planning and Research – No.23

General Practice Data for Planning and Research (GPDPR)

Update 19th July 2021

GPs have been sent an update on GPDPR by the undersecretary of state for Primary Care and Health Promotion saying that NHSD is working with in collaboration with partners including the RCGP and the BMA and that a specific start date for the collection of data will not take place until:

  • Patients have the ability to delete data if they to opt-out of sharing their GP data with NHS Digital (even if this is after their data has been uploaded)
  • The backlog of opt-outs has been fully cleared
  • A Trusted Research Environment has been developed and implemented in NHS Digital
  • Patients have been made more aware of the scheme through a campaign of engagement and communication.


  • Patients do not need to register a Type 1 opt-out by 1st Septemberto ensure their GP data will not be uploaded
  • NHS Digital will allow GP data that has previously been uploaded to the system viathe GPDPR collection to be deleted when someone registers a Type 1 opt-out
  • The plan to retire Type 1 opt-outs will be deferred for at least 12 months

Administrative workload:

  • NHSD are looking into ways of reducing this
  • There is now no urgency to process Type 1 opt-outs specifically for GPDPR in order to get people opted out before September.
  • A template DPIA for practice use will be made available in good time to allow practices to complete it.

Data Security and Governance:

  • Trusted Research Environment (TRE) standards are being defined
  • Data collection will only start once the TRE is in place and when the BMA, RCGP and the National Data Guardian are satisfied with the standards
  • Once the data is collected, it will only be used for the purposes of improving health and care. Patient data is not for sale and will never be for sale

Transparency, communications and engagement

Because of concern about the lack of awareness amongst the healthcare system and patients, an engagement and communications campaign is underway to promote better understanding and informed choices.

Further information can be obtained here

Summary (Original Post 9th June 2021)

Practices have been asked to comply with a Data Provision Notice for GPDPR. Signing this will allow NHSD to extract structured coded data from their clinical system to be used for research and planning. There is a statutory obligation for GPs to sign up to the Data Provision Notice, although there is no mechanism for enforcing this. The BMA have asked for an extension to the deadline to allow time for further assessment and NHSD have now extended this to the 1st to September.

GP practices may wish to wait for further advice from their professional bodies or they may be happy to sign up now. Those practices signing up should add a paragraph to their Fair Processing Notice:

 “This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research.”

 In the interim, because of the publicity, practices may be receiving an increased number of type 1 opt-out requests from patients. On receipt of these requests the patient medical records should have the following code inserted :

 9Nu0 (827241000000103 |Dissent from secondary use of general practitioner patient identifiable data (finding)

 Or in the event of wishing to opt in after an opt-out:

 9Nu1 (827261000000102 |Dissent withdrawn for secondary use of general practitioner patient identifiable data (finding)



The General Practice Extraction Service (GPES) has been extracting much of this data from GP practices for some years. This programme had not been fit for purpose, but has now been redesigned to work as intended. The focus is on data for research and planning and at first glance there is little new here.


What Data will be extracted

  • data on sex, ethnicity and sexual orientation
  • clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments, including information about physical, mental and sexual health
  • data about staff who have treated you


What data will not be extracted

  • name and address (except postcode in unique coded form)
  • written notes (free text), such as the details of conversations with doctors and nurses
  • images, letters and documents
  • coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
  • coded data that cannot be share by law – for example certain codes about IVF treatment, and certain information about gender reassignment


Opt-out choices for patient remain unchanged

  • Type 1 opt-outs when coded into the GP record will prevent that data being extracted from the GP record.
  • National data opt-outs (formerly referred to as Type 2) managed through a central website will prevent the data being used after it has been extracted from the GP practice.


What’s New?

Because this is a new system, GPs do need to formally sign up to the data extract. NHSD have published information for GP practices advising them that they should comply with the Data Provision Notice.


Identifiable Data?

The data is described as pseudonymised or depersonalised which means to all intents and purposes it will not contain Personally Identifiable Data (PID), however it will be possible in specific circumstances to link back to PID. Beyond its use for planning and research the NHSD patient information page also says that the data may be used:

  • in exceptional circumstances, providing you with individual care

This short reference is significant as it shows that NHSD will be able to provide Personally Identifiable Data to health and care organisations (for example Local Authorities) for the provision of direct care. The data would be stored in secure NHS databases with robust access control mechanisms and only made available to organisations who can show that they have a valid need (i.e. a Legitimate Relationship to provide care) as well as having appropriate standards of Information Governance in place.


Who is responsible for the extracted data?

Once the data has been taken from GP systems the data controller for the extracted data will no longer be the GP but will be NHSD. (Note that this differs from data extracted into the local WSIC database where GP data controller rights and responsibilities are maintained and are pivotal to the use of the data, in this case for the provision of direct care).


Professional Bodies

See the LLMC statement which also contains links to an  explanation of patient opt-out choices and also the current BMA stance. The BMA have previously supported this programme but because of rising public awareness and increasing patient requests for their GPs to code them as type 1 op-outs, they will be reviewing and reconsidering the issues before the September deadline. The NHS need this data to plan and provide healthcare services and so it seems unlikely they will back down, rather that there will be be significant government pressure for the BMA to maintain their support.



If you have any questions please contact NWL Infogovernance Support

Data sharing for COVID vaccination – No. 22

Data sharing for COVID vaccination – No. 22

Data sharing for COVID vaccination

In a Primary Care Network setting we are relying on the new ISS information sharing agreement, using COPI legislation as the legal basis for sharing. For TPP practices, until such time as separate instances of TPP are provided to PCN units this is being mediated through RA extension to access permissions on smartcards.

Many vaccination centres are currently using Accubooks to support vaccine administration. There is a helpful Youtube presentation on how this works here:



It is important to recognise that because this is a new way of sharing, that each locality is required to undertake a DPIA to look at the way the data is being shared, as well as to assess and mitigate any identified risks. Accubooks has produced a template DPIA which covers most of the requirements:

accuRx DPIA Template Covid-19 Vaccine booking and recording

Whilst this will cover most of your bases you must make the DPIA specific to you own data sharing and ensure that it addresses considerations related to your locality.

If you have any questions please email NWL Infogovernance Support


Sharing Vaccination Data with Local Authorities


You will be aware of the data sharing recently undertaken in response to the low COVID vaccination uptake levels in NWL. A limited amount of patient data has been provided to Local Authorities through WSIC, using COPI as the legal basis to provide care. A Memorandum of Understanding (MoU) outlining the principles was endorsed by the NWLCCG and ICS accountable officers. Evidence to date suggests that where patients have been contacted through this route, vaccination rates have risen in the order of 27% and that this has been life-saving action.

We have since been working closely with the LLMC to ensure that GP data controller responsibilities can be exercised. As a result, GPs are now being asked to sign up to an information sharing agreement with LAs to share this limited dataset. Practices wishing to share will be provided with an information sharing agreement, a template DPIA and a clause to insert in your practice FPNs with information about further communications with your patients.

The proposed data sharing agreement is:

  • Appropriate: We believe that this data sharing exercise will save lives (above)
  • Proportionate: The data is limited to the contact details of a subset of NWL patients over 50 years old, who do not live in the Grenfell area, who are eligible for but have not received COVID vaccination
  • Time limited: valid only for the duration of COPI legislation
  • Safe: We have separately approached the LAs signing this agreement who have provided assurances that the appropriate security measures are in place through the use of access control mechanism, secure data transmission, storage, management and duration/expiry of this sensitive data.
  • Legally sound: COPI is used as the legal basis but the sharing agreement is GDPR compliant, consistent with the agreed NWL structure of information sharing agreements and has been approved by the NWL Primary Care IG group.
  • Agreed: We have discussed the pros and cons of this matter in some detail with individual GPs, the vaccination programme, the NWL IG Board (where there is patient representation), Primary Care IG group, NWL CCGs and with the LLMC. Individual GP data controller will be able to decide about how to implement this sharing.

GP data controllers are expected to sign this sharing agreement which is recommended by the NWL Primary Care IG group, the NWL vaccination programme and the Accountable officers of the NWLCCGs and ICS, who have been working closely with the LLMC. It is recognised that a small number of practices, depending on their geography, may have higher numbers of potentially vulnerable or other groups of patients not happy to share their data with LAs. These practices do not have to sign up but will be asked to provide evidence that they have promoted COVID vaccination uptake by engaging in collaborative work with their LAs.

The data has already been shared (although it is time limited by the duration of COPI legislation). For the anticipated small proportion of practices who decide not to sign, no further data flows will take place.

Required actions:

Your registered data controller lead or PM will shortly be contacted by the Data Controller Console (DCC) and invited to sign the LA information sharing agreement. All practices should respond, in most cases this will be to sign up, but practices who prefer to use other ways of increasing vaccination uptake, must let us know that they dissent (which will inform the cessation of existing data flows).

Respond to the DCC controller invitation.

A) If you are happy to proceed you should:

  1. Sign the sharing agreement on the DCC
  2. Check you are happy with the DPIA
  3. Add the FPN clause to the existing notice published on your website (see below under FPN / patient communications).

Everything else will be managed through WSIC.


B) If you do not wish to share data with the LAs:

  1. Log on the DCC and register your dissent to share the information agreement.
  2. Liaise with your local authority to work collaboratively with them and consider using honorary contracts as a mechanism of doing so (see below under Working with Local Authorities)


FPN / patient communications

Your responsibility as data controllers is to inform your patients about what data you are sharing, with whom and why. This can be done in a number of ways, first and foremost  through the Fair Process Notices (FPN) which should be published on your practice website. This is a new form of sharing and if you are signing the sharing agreement you should insert the following paragraph in your FPN (you may wish to reword as you see fit).

“Sharing Vaccination Data during the COVID Pandemic:

During the COVID pandemic we have signed an agreement with our Local Authorities to allow trained Public Health personnel access to a limited amount of patient information. This has been restricted to the contact details of North West London patients over 50 years old, who do not live in the Grenfell area, who are eligible for but have not received COVID vaccination. The purpose is to provide those patients with direct care and to save lives by increasing the update of COVID vaccination. The legal basis for sharing is the short term COPI legislation (introduced by the secretary of state for health for just this purpose) and when the COPI legislation expires the data will be deleted. We have taken measures to ensure this data is safely transmitted and managed securely and that PH personnel are trained to understand their professional responsibilities of confidence.”

Patient Participation Groups. You should mention this sharing in your patient participation groups and may choose to let them know that the NWL vaccination uptake has been amongst the lowest in the country and that these measures has been taken to provide care for our patients by increasing vaccination uptake and in doing so, saving lives.

Working with Local Authorities

A minority of practices have higher proportions of patients (for example BAME and other groups)  who may have a mistrust in the system, where the sharing of that data might further widen the mistrust.  If they decide not to sign up to this recommended information sharing agreement, they will be expected to demonstrate that they are working towards increasing their vaccine uptake figures in other ways. One mechanism for doing so would be to undertake collaborative work with their Local Authority (see the presentation recently shown by the vaccination team which gives an exemplar of this sort of outreach work).

Practices working in this way may wish to allow limited access to data to trained LA personnel taken on at the practice under an honorary contract which outlines their roles and responsibilities and which documents accountability. See template document

Practices wishing to explore these options further should contact their LA vaccination leads and we are currently drawing up a list of contact details and will shortly publish them below:








If you have queries, please email us on


We hope you will sign up to this data sharing agreement. Local Authorities are part of our ICS and we need to learn how to share data with them appropriately, proportionately, and securely to support patient care. This is a potentially sensitive area, and this first step is a measured and well worked-up agreement which we believe will save live and which we strongly recommend to you.


DSPT Support 2020-2021 No.21

DSPT Support 2020-2021 No.21


Working with Practice Managers, NWL Primary Care Teams, The NWL IG team and the DPO, this page and the documents in it have been put together to help you complete the Data Security and Protection Toolkit (DSPT) by the 30th June 2021.

To avoid a plethora of DSPT support pages we plan to present all the required information on this page. If there is new advice or additional documentation it will be added here.

There are THREE MAIN documents which will help you through your submission


The various sections in DSPT ask for information which will include policies, protocols, guidelines or procedures across a range of different topics. We have used the Data Security Policy from last year to be the overarching document in your practice, where you can edit this for your practice if required.


We have put together an overview document which includes all of the questions within the DSPT and also highlighted in yellow which sections have changed slightly from last year. This contains comments and guidance related to all of the sections and subsections in the DSPT.

Both of these documents are works in progress and the links below (under Output Documentation) will always point to the most up-to-date versions.


This links to question 6.2.2 number of alerts recorded by AV tool in last three months, please filter for your practice appropriately via ODS code, if your practice is not listed please enter 0:

For NHS Brent, Central, West, H&F, Hounslow & Ealing CCGs: Antivirus Alerts 6 months

For Harrow: Please contact Egton Directly

For Hillingdon: Hillingon GP Malware

By now, you should have logged in to the DSPT website and have started to add some of the simpler responses, such as your ICO number and your Caldicott Guardian details, as well as reviewing the mandatory questions.

Here is the web address for the DSPT submissions:

Sharing Patient Records for Direct Care – No. 20

Sharing Patient Records for Direct Care – No. 20

A new NWL Information Sharing Agreement the ISS for Direct Care (in the new terminology) replaces the “MoU” for sharing data between primary secondary and acute care for organisations using SystmOne or EMIS clinical systems. Communications have been sent to GP practices confirming that the agreement has been ratified by the NWL IG Board (where there is also LMC representation). The ISS will be made available on the Data Controller Console and all practices across NWL are requested to sign, as will our community and acute trusts who use those clinical systems.

Allowing access to clinical records in Primary Care Networks

The emergence of PCNs and their inclusion within the GP contract has paved the way for them to become the organisations through which future primary care health services will be provided.  Increasingly PCN staff need to be able to access to clinical records to support the delivery of patient care.

The organisational unit of data controller-ship remains with General Practice. PCNs despite their pivotal nature have no legal status and are not data controllers.

The new ISS for direct care outlines the governance requirements for healthcare organisations using TPP and EMIS clinical systems when sharing data for direct care and now states that

Primary Care Networks (PCNs) are now a vehicle through which health care services are delivered. Trained staff from PCNs and their GP practices will now form part of each GP practice team and will have supervised and audited access to patient records when this is required to deliver patient care.”

and also, in relation to TPP (with equivalent arrangements in EMIS)

  • Only health care organisations who have a legitimate relationship to provide care obtained through a registration process can access the full patient record by ‘sharing in’ the full SystmOne patient record from the virtual pool.
  • At all new registrations, consent is required to ‘share in’ the full SystmOne patient record from the virtual pool. For existing registrations in Primary Care consent is not required.

This significant change will allow PCN staff to see the GP record without requiring consent and in effect this policy change provides them with a Legitimate Relationship where there is clinical need. Existing GP staff will also have a legitimate relationship to access the records of all patients within their PCN in the same way that they currently have access to patients in their own practice.

In order to access clinical records PCN staff must:

  • Have a Legitimate Relationship (LR) to provide care for the patient (or be working with or accountable to an organisation who has that LR)
  • Have completed training and be able to demonstrate that they understand their legal and professional responsibilities to protect patient confidence (IG training)
  • Have completed training and be able to demonstrate competence in the use of the clinical system
  • Have access to clinical records controlled with Role Based Access Control mediated through a smart card or similar method of authentication
  • Have a contractual link to a Caldicott Guardian whose role would be to oversee 1) 2) 3), sign an RA02 for 4) and provide accountability in the event of a breach in relation to data access or malpractice.

Informing Patients

The new ISS allowing sharing of records across PCNs is a significant change and practices can and should ensure that they have communicated these changes to their patients through a variety of media. There has already been public engagement via some PPG groups at practice, PCN and CCG level, also at the NWL IG board, and through other workshops. You should discuss the changes at your local Patient Participation Groups (PPGs) and direct them to a new section in your FPNs. You may wish to use the wording below as a basis for SMS, Email, website pages or practice noticeboards:

“We are working closely with neighbouring practices within our Primary Care Network (PCN) to support your care. PCNs and their constituent GP practices are now the organisations through which primary care health services will be delivered and when providing you with care their trained staff form part of our team and will have access to your NHS GP record. Please see our Privacy Notice [include url link to your FPN] for more details or discuss at your patient participation group”

Fair Process Notices should contain clauses explaining how their information is shared and below is the suggested wording to insert into the existing section under Local Information Sharing:

Local Information Sharing

Your GP electronic patient record is held securely and confidentially on an electronic system managed by your registered GP practice. In order to provide you with health and social care services Your GP practice works in close collaboration with [insert your CCG / PCN name] a group of  [Insert the number of local practices in your PCN] geographically local practices.

Trained staff from PCNs and their GP practices will now form part of each GP practice team and will have supervised and audited access to patient records when this is required to deliver patient care.  Staff are trained to understand their legal and professional responsibilities of confidence to their patients and will only access your records when they are required to do so to support you care. They will identify themselves and their role using a smart card and access to your PCN record is recorded, monitored, and audited.

As your local PCN functionality extends they are likely to provide GP HUB and Out of Hours services directly in which case your records would be available without consent. If you require attention from a local health or care professional outside of your usual PCN services, through an Emergency Department, Minor Injury Unit or other Out Of Hours service, the professionals treating you are better able to give you safe and effective care if some of the information from your GP record is available to them. If those services use a TPP clinical system your full SystmOne medical record will only be shared with your express consent. 

Where available, this information can be shared electronically with other local healthcare providers via a secure system designed for this purpose. Depending on the service you are using and your health needs, this may involve the healthcare professional accessing a secure system that enables them to view either parts of your GP electronic patient record (e.g. your Summary Care Record) or a secure system that enables them to view your full GP electronic patient record (e.g. TPP SystmOne medical records or EMIS remote consulting system).

In all cases, your information is only accessed and used by authorised staff who are involved in providing or supporting your direct care. Aside from your registered provider your permission will be asked before the information is accessed, other than in exceptional circumstances (e.g. emergencies) if the healthcare professional is unable to ask you and this is deemed to be in your best interests (which will then be logged).

How to manage patient concerns:

Patient who register an objection can be responded to with measures to limit access to their record in certain situations  e.g:

 “My next door neighbour (with whom I have an ongoing boundary dispute) is a receptionist at a practice in your PCN and I would not want her to access my records


It is possible to configure both S1 and EMIS clinical systems to limit access to a ring fenced group of staff which would exclude the receptionist neighbour and practices can contact their IT teams to implement these changes

Patients who decline to share their records shared with the PCN  e.g:

I understand the potential benefit of sharing my record within the PCN staff and even though this might make it more difficult to provide me with care or cause potential delay, I do not want to share my record with the PCN unless I give specific permission

… we anticipate very small numbers of these patients

Solution: There are two considerations here:

  1. During short term emergency measures:  Mid COVID pandemic we have introduced short term measures allowing extended access to patient records on the basis of COPI legislation implemented in the face of urgent or life-saving clinical need (e.g. Shielded lists for vulnerable COVID patients, implementation of COVID vaccination programme at short notice, the provision of central hub based services for urgent care or out of hours care during the pandemic). In these circumstances clinically trained staff have had their smartcard permissions extended to cover access to patient records in their PCN. The controls in place here are: 
    1. Request for access will in the vast majority of cases originate from your own GP practice
    2. In the case of hub based or extended hour services patient will be able to give or decline permission at the point of care
    3. Practice staff with extended permissions have been fully trained to understand their legal and professional responsibilities to protect their patient’s confidence. They will not access patient records unless doing so is needed to provide them with care. All accesses are registered and subject to audit trails and inappropriate access is a serious and dismissible offence.
    4. PCN staff not employed by practices will have appropriate training in the use of the clinical system and their IG responsibilities. They will have a contractual relationship with a Caldicott guardian or data controller who will oversee and be accountable for their actions. Likewise they will not access records unless required to do so to provide care.
    5. The above measure restricting access in specific setting (see 1) above) will also apply
    6. Notwithstanding these controls, other than declining the provision of care (which would usually be an untenable option) there is no mechanism for preventing access to patient records whilst these COPI legislation measure are in place (until 31st March 2021) OR until the planned implementation of local instances of PCN clinical units (see below)

2. Medium term ability to honour opt- out requests. EMIS and S1 clinical systems have organisational codes and identification of these codes allows clinicians and patients to make choices about which local organisations can access patient data. PCNs are new organisations without legal status and currently they do not have their own ring fenced clinical systems with PCN codes. We are planning to implement these as soon as funds are available to do so and from that point in time (which may predate the end of COPI legislation) patients would be able to request that PCNs do not access their records, which would remain unseen in the absence of consent.

The use of honorary contracts

These are not standard contracts of employment. They provide a contractual link to a primary care organisation and Caldicott Guardian with the intention of:

  1. Creating a legitimate relationship
  2. Establish accountability in the event of malpractice or a breach

Those links are already in place within GP practice staff and additional contracts will only be required for PCN staff who need to access identifiable patient data. Because of the change in the boundary allowing access to patient records, only one PCN practice needs an honorary contract to allow a PCN staff member to access patient records across the whole PCN. Because there is risk involved in taking on a contract it makes sense for them to be shared out between the practices in a PCN.

It is not possible to share medical records without risk and the balance is between keeping records in silos which are secure but have poor data sharing, as opposed to open access where there is a high risk of breach but effective sharing of information. It follows that more staff accessing a larger number of patient records poses a potential increase in risk. It is essential that staff understand that whilst they may be able to access many records, they should only do so when their job requires it.

Responsibility and liability in the event of malpractice or a breach could be shouldered by the practice who signs the contract, but this needs to be discussed and agreed between the constituent PCN practices. Practices and PCNs are strongly advised to take part in written risk sharing agreement, the nature of which is beyond the scope of this ISS.

Example Honorary Contract

See attached document

which is short and gives an indication of the intended scope. The variation in infrastructure between the 8 CCGs makes it an impractical proposition for us to provide a standard honorary contract across NWL.  For this reason we are providing PCNs principle-based advice about their IG requirements as detailed above. Each PCN will need to construct their contracts according to their specific needs.

Shared employment

PCNs may employment staff by themselves or may use staff employed by another organisations (e.g. a community trust). In one or other of those settings there needs to a standard employment contract which will also include registration on the ESR system to monitor and audit standards set by the NHS Litigation Authority and the CQC, including:

  • including maintenance of professional registration
  • pre-appointment clearances
  • DBS certification
  • induction and mandatory training

With shared employment a written agreement should detail which responsibilities lie with which organisation. For example, a community trust working with a PCN may be able to provide training.

Required Training

NWL IT services have developed module based clinical system and IG training which can be used by HCOs for their staff. GP practices who have signed honorary contracts may be happy to delegate the scheduling and documentation to their PCN.

To book your required training please access the NWL learning Hub

The Role of Federations

Federations/Confederations exercise different functions across NWL. Where they are organising PCN services, the same arrangements (requiring honorary contracts between staff working in PCN and a constituent GP practice)  can apply. In a setting where Federations and Confederations are providing services and in that role are data controllers in their own right and are hosting an EMIS or S1  clinical system, they may also be able to take on the role of sharing records without the need for honorary contracts.

COVID Data Sharing Measures – No. 19

COVID Data Sharing Measures – No. 19

Updated 09.06.20 with advice on:

  • Managing Shielded Patients and notification of suspected COVID cases


Notification of suspected COVID cases

COVID is a notifiable illness. Regulations state that clinicians should not wait for laboratory confirmation before notifying. Laboratory confirmed cases are notified centrally. However since Jan 2020 the low threashold for suspicion (anyone with cough or sore throat and symptoms of fever etc) has meant that there will be large numbers of suspected cases. Notifying this group whilst officially required is not likely to be a helpful process.

This has been discussed with senior clinicians at Public Health England (PHE) who understand and agree there is a dilemma. Because COVID is a notifiable illness they have no choice but to make the request – but accept that the information is of limited value and that this would not be best use of primary care time. A request to review this policy has been “passed up the chain”. In the meantime, practices can either wait until there has been a response, or if they wish to fulfil the legal obligations they can send PHE a spread sheet with the relevant details. (Our practice has collected the data, but has decided to wait for further information before notifying suspected COVID cases).


Updated 28.05.20 with advice on:

  • GP Connect (NWL considerations)
  • Summary Care Record (action needed on Fair Process Notifications)
  • COVID data managed by WSIC
  • Managing Shielded Patients and using COVID templates
  • Medopad App use int Respiratory Hubs


GP Connect

COVID measures have been taken to improve the access for health and care professionals to medical records and information. This will support safe treatment and advise to patients who have called NHS 111, or are receiving care in settings other than general practice.  The advice below has been précised from the letter sent to all GPs by HNSX and also includes information specific for NWL practices

GP Connect allows authorised clinical staff in general practice, NHS 111 and other care settings providing direct care, to view clinical information from a patient’s GP record by providing a read only HTLM view of the full GP record. It also supports the sharing of booked patient appointments. This functionality has been authorised by NHS Digital for all GP practices in England and will be enabled by GP system suppliers. Opt-outs where patients have made them will be respected

These changes will:

  • improve GPs ability to treat patients outside of their registered practice, giving patients easier access to a GP when they need one, regardless of demand or staffing levels in their own practice, for example within a network or a federation hub;
  • give authorised health and care professionals working in primary care, NHS 111 – including the COVID Clinical Assessment Service (CCAS) – and other appropriate direct care settings, access to the GP records of the patients they are treating, regardless of where they are registered; and
  • allow remote organisations such as NHS 111 to book appointments directly with the patient’s GP practice including the ability to manage referrals from the COVID Clinical Assessment Service (CCAS). This will enable healthcare professionals to provide more timely care and provide flexibility for the primary care system.


Actions which NWL GP Practices need to take

So as not to require practices to set up GP connect service individually NHS Digital have implemented a national roll out, which will be managed by the GP system suppliers for ALL GP Surgeries and GP led hubs. GP practices will still be required to implement some changes to allow the remote booking of appointments into their clinical systems and further details will be provided when this is required.

NWL already has a system for the allocation of remote bookings and in the short term this is fit for purpose and will remain the booking mechanism in place. We are piloting the GP Connect remote booking system in several practices and will inform GP when the GPC booking component will be widely rolled out. In the interim, practices do not need to make changes.

Legal basis for this action

This action is being taken in response to the Notice issued on 20th March 2020 under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 requiring confidential patient information to be shared in the circumstances set out in the Notice.

The changes will remain in force during the period of the COVID-19 emergency period as set out in the Notice (unless extended or reduced) at which point systems will return to their current state unless alternative arrangements have been put in place before then.

To remove uncertainty over the effect of the Notice, NSHX have written to the GP system suppliers to request them to enable these changes without further instruction from GP practices. Your GP system suppliers should inform you in advance of making these changes, so that their role in facilitating these changes is made clear to you.

Safeguards required to keep information safe have not been compromised. Practices do not need to change any existing Data Sharing Agreements in relation to COPI legislation. However, in consideration of the possible longer-term implementation of GP Connect we have written a DPIA for consider the risks and mitigations and are considering incorporating the use of GP connect in existing data sharing agreements. The BMA and RCGP are supportive of this work, as are the Information Commissioner’s Office and the National Data Guardian.

Further information including statements from those bodies is available on the following webpage

Questions can be directed to out NWL IG team or directly  NHSX:

Further plans for GP Connect

COPI legislation covers the use of the GP Connect data for COVID use until the 20th Sep 2020. We anticipate the possibility of continuing to use GP Connect beyond COVID and the NWL  DPIA which has been written to support this is below:


We are also writing up an information sharing agreement to accommodate that scenario, which will either be a separate ISA or will be incorporated into our existing sharing agreement for direct care 

Summary Care Record (SCR) changes:

As part of COVID measures to support patient care, the default SCR consent has changed from, implied consent to meds allergies and adverse reactions, to implied consent for meds, allergies, adverse reactions and additional information.

The current view in SystmOne can be found through the left sided admin menu tab under Spine Details and SCR Details

There is an equivalent process in EMIS (below):






















Patients can still give their express consent / dissent to any of the last three tick box options below. If patients choose “express consent for medication and allergies and adverse reactions only” this will trump the new implied consent settings. Patient choices can be mediated through their GP practice by verbal request, or via a form.

Action required:

To inform your patients about these measures please ensure that your FPNs contain a section under Summary Care Record which points to: Supplementary Privacy Notice for Summary Care Records

 COVID datasets for WSIC:

WSIC are working towards getting daily GP data from Discovery Data Services (DDS)

  • An email explaining that data will be flowing to DDS from which WSIC would extract data has been sent to all the Caldicott guardians/contacts for NWL practices registered on the Data Controller Console (DCC).
  • So far just 220/357 practices are signed up to the daily data processed extracted through DDS
  • WCSIC also continue to work with the fortnightly data feeds from Apollo to produce COVID dashboards for the sector


The specific COVID-19 datasets that WSIC have secured since the beginning of April are:

  • Full NWL population data from NHS digital with patient identifiable information – Frequency monthly
  • Direct admission data from all the acute trusts with confirmed/suspected COVID patients, this include the bed status i.e. critical care and ventilation details (fully patient identifiable)– Frequency daily
  • Full patient identifiable data from CMC with details of advanced care plan, resuscitation preference etc. – Frequency fortnightly
  • Direct pathology results data from all the pathology providers with full patient identifiable information – Frequency 3 times daily
  • The shielded patients list from NHS digital with patient identifiable information – Frequency weekly


The above datasets have been linked with the existing WSIC datasets to generate COVID dashboards. The dashboards allow the viewing of Personal Identifiable Data to NWL clinicians using Role Based Access Control who have a legitimate relationship with any identified patient. Healthcare professionals who do not have a legitimate relationship with patient can only see aggregate data.  WSIC have updated their website with the details – and have also included this information in the newsletter that has been sent to all users with a registered login to WSIC.

WSIC does not extract appointment data, but they do also have a separate BI function which undertakes sector analysis for the ‘gold command’ which has been established for COVID management support. This central BI team do not have the access to receive/view/process patient identifiable information, but they do see the output from TPP trust-wide reporting unit and EMIS search and report modules. This does not contain any PID and is at an aggregate level. That BI team does not have the direct control over Brent and Harrow EMIS search and report and has to get permission from the relevant CCG to run the searches if required.

GPES data collection

The General Practice Extraction Service (GPES) collects information for a wide range of purposes, including providing GP payments. It works with the Calculating Quality Reporting Service (CQRS) and GP clinical systems as part of the GP Collections service.

Coronavirus (COVID-19) has led to increased demand on general practices, including an increasing number of requests to provide patient data to inform planning and support vital research on the cause, effects, treatments and outcomes for patients of the virus.  To support the response to the coronavirus outbreak, NHS Digital has been legally directed to collect and analyse healthcare information about patients, including from their GP record, for the duration of the coronavirus emergency period.

This General Practice Extraction Service (GPES) data will be extracted as a snapshot in time extract on the initial collection. A subsequent fortnightly extraction will then continue until the expiry of the COVID-19 Direction. This has been in place since 31 March 2020 but will be reviewed in September 2020 and every six months thereafter. The frequency of the data extraction may change in response to demand.

Action required:

GPs must sign up to this extraction, and this is not a request it is a legal requirement.

See the following NHS Digital Notice:

See also this helpful LMC article:

Managing Shielded patients:

There is a central register of patients who are at the the highest risk of serious health complication in the event of getting COVID. GPs have control over who is on this list and can add patients by coding them in to High, Moderate, or Low risk.

Once they have been entered into the GP clinical system, these codes will be extracted weekly to update the central register.

To add patient to the high-risk group enter the high risk code. For patients who are already in the high-risk group but their GP thinks they should not be, entering the moderate risk code will automatically remove them from the high risk group (when the weekly data extraction occurs). The moderate risk group should be identical to your flu vaccination cohort.  Patients not significantly at risk, and who do not need yearly flu jabs, can be coded as low risk.

Letters to patients.

Patients identified as high risk in the first assessment have been sent a standard letter by NHS digital (see below).  Patients can be added to the high risk group through two other mechanisms.

  • Recommendation by secondary care consultants
  • Self inclusion (patients may write to their GPs asking to be included on the high risk list).

In general there is an expectation that the list from secondary care will be considered and accurate (although lists received to date have not always specified the reason for inclusion). However in both cases GPs can exercise discretion and should make the final decision. Patients who have not previously been on the list and are added should be sent the standard letter:

  1. Standard inclusion on high risk list (updated May 2020)
  2. Removal from high risk group where not indicated
  3. Non-inclusion in high risk group after self-nomination

It is good practice to discuss in person with patients if you think they should not be on the list, or indeed with those patients who do not want to be included. Patients in groups 2) and 3)  who are being removed, or not included despite a request may also require a letter at their GP’s discretion.

Action required:

Aside from those written to by NHS digital, the responsibility of notifying patients about inclusion on the high risk list will rest with the GP practice.

Resources for managing shielded patients and COVID:

COVID templates

In addition, templates are available in your clinical systems which will allow you to enter the relevant clinical codes for COVID and to support and manage the follow up of high risk and shielded patients.

The description below covers use in SystmOne TPP (there are equivalent templates in EMIS). The COVID icon is a yellow triangle with an exclamation mark

and can be seen in the top right hand window below the patient demographics. It is also present on the patient home page.






Clicking this icon will bring up the COVID template which supports the recording of coded COVID information such as symptoms, findings and diagnosis.

There are other tabs which allow the documentation of management plans, the identification of useful resources, the recording information on other respiratory conditions etc. which will not be further detailed here.

Within the COVID template you will see another yellow triangle Icon labelled ‘Welfare template’. Clicking on this will bring up the following template.

This can be used by receptionist, HCAs or other trained staff to call patients in your high risk groups (or in those who you have identified as having moderate COVID related symptoms) for follow up. The main section is the central grey window which contains a number of simple tick box questions.  Once these have been completed the pink social assessment box can be ticked. If any needs have been identified your staff can forward this information by ‘tasking’ the relevant person (GP, Nurse, Link worker etc.). Note there are other potentially useful tabs  within the template which will not be detailed here.


Another NWL COVID measure has been to look at ways of managing people in their own home. NHSX is supporting a pilot which uses a Medopad App (a remote monitoring product) across ‘Respiratory Hubs’ in North West London.

The App has been developed to manage and remotely monitor patients with confirmed and suspected COVID-19 infections who are self-isolating. The aim is to keep them out of hospital and deliver their care in a home environment. Healthcare staff at respiratory hubs will identify suitable patients and give them instructions about how to download and use the app. They may also be provided with a pulse oximeter. At set intervals they will be asked to record specific clinical information such as:

  • Symptoms
  • Temperature
  • Heart rate
  • Respiratory Rate
  • Oxygen saturation

There may later be the potential for them to be monitored remotely via a ‘virtual ward’ and for this information to be available through patient dashboards. The pilots will run for 3-6 months after which an evaluation will review the impact of this intervention consider the benefits of a wider roll out.


Updated 17.04.20 with advice on Fair Process Notification

Sharing for Direct Care

To support routine and emergency care during the COVID-19 crisis we are taking measures across NWL to share access to GP patient records more widely. This will be done by extending smart card permissions to existing authorised and trained staff in a staged manner*:

  1. Sharing will extend initially from the registered GP to Primary Care Networks.
  2. This may later be further extended to allow CCG wide access or
  3. In the event of worsening crisis to allow access by trained staff across NWL


* with the exception of Brent where Harness have requested an earlier migration towards sharing at CCG level


Caldicott Guardians from each practice have been asked to:
  1. Sign a bulk RA02 process, allowing shared smartcard access to their clinical systems by suitably qualified staff.
  2. Nominate members of their practice to contribute to this pool of staff and to vouch that they:
  • have had clinical training and are competent to exercise the permissions on their smart cards
  • have had IG training and understand their professional and legal responsibilities of confidence to their patients**
  • have a contractual relationship with the nominating Caldicott Guardian.


** In particular that access to patient records requires the existence of a legitimate relationship (i.e. they must be providing that patient with care) and that inappropriate access to records is a serious and dismissible offence.


Sharing data to plan and provide care in the Covid pandemic

The Secretary of State for Health has issued a notice under the ‘Control of Patient Information’ regulations (COPI)1  authorising NHS Digital to disseminate information to approved organisations in order to help them to effectively tackle the pandemic. These measure will be in place until the 30th Sep 2020 and will be reviewed at that time. This legal purpose will be used within the WSIC when identifying data to support the planning and delivery of health care related to COVID-19

National shielding measures require a coded list of patients at highest clinical risk from COVID-19 (a subset of the flu jab cohort) to be extracted from GP clinical systems through GPES in the week starting 13th April. These patients will be written to by the NHS with specific advice. See update with a link to the original communication and FAQ sent on the 3rd April.


Fair Process Notification amendments

Because of the above changes we are advising all practices to amend their FPNs. You may choose to insert the paragraph below which covers patient information for COVID measures in hub and non-hub GP practices (or you may prefer a suitable alternative if your data sharing circumstances differ) :

 Data Sharing Measure in relation to the COVID pandemic

1)      The secretary of state has served notice under the Health Service COPI (Control of Patient Information) Regulations 2002 to require organisations to process confidential patient information during the COVID Pandemic and these measures will remain in place until September 2020. In addition, aggregate data which supports the planning and delivery of health care during the COVID pandemic will be processed securely through the Whole Systems Integrated Care database. Any such data will be formally identified as COVID related and used only for this purpose until Sep 2020.

2)      Primary care staff across each CCG will be able to access your full medical record without consent during the COVID-19 pandemic but will only do so when this is necessary to provide you with care. They will be required to use a smartcard which confirms their identity, and which limits their access and actions to those appropriate for their role. They will all have been trained to understand their professional and legal responsibilities in providing you with care. Access to records by trained clinicians will be made available for example when patients:

  • are asked to present to the Respiratory Hubs offering care for COVID related illness
  • are directed to other hubs based services for routine face to face, or telephone or video consultation
  • require community visiting services

3)      The extension to smart card permissions is currently limited to CCG wide sharing, but in the event of the pandemic escalating we have taken measures to implement NWL wide sharing and will notify patients through this Fair Processing Notice, should that need arise.

4)   The government have requested reinstatement of the “break glass” facility” previously available in TPP clinical systems so as to allow a declared access to patient records in the event of an emergency.


Questions about COVID and data sharing


Above table as a word document


Reinstated ‘Break Glass’ Functionality in TPP

TPP has received a direction from Dame Fiona Caldicott (National Data Guardian) to reinstate the consent override (break glass) function within SystmOne.

The key points are:

  • This is for direct care only
  • Anyone using it must take advice from their DPO and Caldicott Guardian
  • It should be use only by registered and regulated health and care professionals
  • Every effort must be made to keep patients informed
  • A monthly audit of use will be sent to the NDG, ICO, NHS D ad NHSX
  • This instruction will be in effect for 3 months from 30/3/2020


The NWL local policy is:

  • Use access as normal within our local EDSM allowed list
  • If access is required from outside this locality use the agreed EDSM process to obtain a validated password
  • If this does not work of if there is a reason that a clinician needs access to the notes in the absence of the patient then the break glass facility can be used (noting the above points)




National Data Optout – No. 18

National Data Optout – No. 18

National data opt-out (NDO) in Primary Care

GP practices must comply with the national data opt-out policy by March 2020.

What is the national data opt-out?

Patients can choose not to share their identifiable data when it is not related to the provision of direct care by requesting a national data op-out. This has replaced the type 2 opt-out which used to be managed in primary care. Patients requesting a national data opt-out should now be directed to

Where a patient had a type 2 opt-out registered on or before 11 October 2018, this was automatically converted to a national data opt-out and if they were aged 13 or over they were sent a personal letter explaining the change and a handout with more information about the national data opt-out.

Patients can be reassured that their choices will continue to be respected. If they want to change their choice, they can use the national data opt-out service to do this.

Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until 2020, when the Department of Health and Social Care will consult with the National Data Guardian on their removal.

What should my practice do to be compliant with NDO?

  • Ensure you have a record of all your existing data disclosures, as required under GDPR/DPA 2018. This will be one of the requirement in your Data Security and Protection Toolkit (DSPT) returns.
  • Assess those data disclosures against the national data opt-out policy to see if national data opt-outs should be applied and putting a process in place to consider any new data disclosure requests against the policy. Note: the national data opt-out applies to data disclosures that rely on section 251 approval, please see the “National Data Opt-out FAQs”

To help GP practices to become compliant and to apply national data opt-outs, the four principal GP IT system suppliers are implementing new functionality in the reporting and search modules within their clinical systems. The functionality will enable practices to easily remove the records of patients who have registered a national data opt-out from data disclosures when the practice decides the opt-out applies.

Specific considerations for NWL GP practices

In relation to NDO compliance you will have received, or will shortly receive correspondence from NWL CCGs which include:

The majority of practices in the NWL CCGs will not be processing PID for non-direct care processes. In making an assessment, the areas which you may wish to consider would be:

  1. Whole Systems Integrated Care (WSIC) data extractions
  2. Discover data extractions
  3. Research data extracted through the ResearchOne TPP based module
  4. Any other independent research data extractions.
  5. Old reports which are informing data extractions

In managing these we have provided generic DPIAs which can be used in relation to:

  1. WSIC data extraction
  2. Discover data extraction
  3.  TPP ResearchOne data extraction
  4. You must ensure any research data extractions not managed by TPP are excluding patients with NHS numbers where national data opt-outs have been applied (see Guidance and tools to achieve and declare compliance – below)
  5. Practices generating disclosures through existing older or bespoke reports (written before the new functionality) must ensure that their reports are edited to apply national data opt-outs. Likewise any new reports informing PID disclosure must apply national data opt-outs when created. If you are running external reports which you are unable to edit, you must contact the owner or publisher to apply national data opt-outs before data is disclosed.

The principle underpinning WSIC, Discovery and ResearchOne extractions is that any data used (for purposes other than direct care) is not identifiable and so the NDO does not apply in any of these examples. The DPIAs are attached for your information and to confirm this.

When your practice is compliant with the NDO you must declare this in your Fair Process Notification (FPN). You do not need to reprint your paper copies but should include a short statement (see below) in the published FPN which your website should point to.

“National Data Opt-Out

Our practice is compliant with the National Data Opt-out”

Practices should make sure staff are aware of the national data opt-out so they can support their patients and be aware of the patient support material (see below under Further Guidance)


FAQs on the National Data Opt Out

What type of data is involved?

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England. It is applied to data that originates within the health and adult social care system in England by health and care organisations. It does not apply to data disclosed by providers of health and care services outside of England or to children’s social care services.

When the opt-out is applied, the entire record (or records) associated with that individual must be fully removed from the data being disclosed, whether that data is held electronically or on paper, regardless of whether it is structured or unstructured.

When does the national data opt-out apply and in what circumstances can it be overridden?

The national data opt-out is aligned with the common law duty of confidentiality (CLDC). It applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. It is obviated by individual patient consent, or where the data is anonymised in line with the (ICO) Code of Practice.

 Who can opt-out?

Any person registered on the Personal Demographic Services (PDS) who has an NHS number can set a national data opt-out, using online and non-digital channels. The opt-out is registered against their NHS number on the Spine (a central repository supporting IT infrastructure in England for health and social care).

 What proportion of patient have opted-out?

Opt-out rates by region can be obtained through the national data opt-out publication

 When should my practice be compliant?

All health and care organisations should be compliant with the opt-out by March 2020.

What are my responsibilities at a practice level?

Practices  should have procedures in place to review uses or disclosures of confidential patient information against the national dat opt-out operational policy guidance. The following general guidance on the national data opt-out policy will help you understand how it works and whether data uses or disclosures are in scope

Note: To help GP practices to become compliant with the national data opt-out, the four principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available as the GP system suppliers confirm their delivery plans. See further information for GP practices.

If your practices is disclosing PID data outside of their current clinical systems, these should have should have national data opt-outs applied and you should implement the technical solution  to enable you to check lists of NHS numbers against those with national data opt-outs registered.

When you get the results back, you should have a process in place to ensure that you only use or disclose information for the returned list of NHS numbers, as any with national data opt-outs registered will have been removed.

If you have no uses or disclosures which need to have national data opt-outs applied, you must still put procedures in place to assess future uses or disclosures against the national data opt-out operational policy guidance, and can choose to either:

  • implement the technical solution in readiness, or
  • be ready to implement it if needed for future data uses or disclosures

Once compliant, confidential patient information must not be used or disclosed before it has been assessed and national data opt-outs applied if necessary.


Guidance and tools to achieve and declare compliance

The compliance implementation guide provides a step-by-step guide to help understand and plan the actions required to become compliant with national data opt-out policy. To configure a MESH tool which allows submission of a group of NHS numbers and returns a list with the NHS numbers removed for those patients that have opted out. Check for national data opt-outs service

Further guidance

DSPT Support 2019-2020 – No. 17

DSPT Support 2019-2020 – No. 17


Working with Practice Managers, NWL Primary Care Teams, The NWL IG team and the DPO, this page and the documents in it have been put together to help you complete the Data Security and Protection Toolkit (DSPT) by the 31st March 2020.

To avoid a plethora of DSPT support pages we plan to present all the required information on this page. If there is new advice or additional documentation it will be added here.

There are TWO MAIN documents which will help you through your submission.

1) Data-Security-Policy-2019-2020

The various sections in DSPT ask for information which will include policies, protocols, guidelines or procedures across a range of different topics. We have used the Data Security Policy from last year to be the overarching document in your practice, where you can edit this for your practice if required. This has not changed from last year.

2) DSPT-Overview-2020-V6

We have put together an overview document which includes all of the questions within the DSPT and also highlighted in yellow which sections have changed slightly from last year. This contains comments and guidance related to all of the sections and subsections in the DSPT.

Both of these documents are works in progress and the links below (under Output Documentation) will always point to the most up-to-date versions.

We have put together a document which includes answers to some technical terminology as well as some common DPO queries Tech talk – DPO

3) Anti Virus

This links to question 6.2.1 number of alerts recorded by AV tool in last three months:

For NHS Brent, Central, West, H&F, Hounslow & Ealing CCGs:
Anti-Virus-Report 2020

For NHS Hillingdon, this information has been provided to each GP practice by the Head of IT security

For Harrow CCG:

Hillingdon Practice Alerts 3months

By now, you should have logged in to the DSPT website and have started to add some of the simpler responses, such as your ICO number and your Caldicott Guardian details, as well as reviewing the mandatory questions.

Register your practice for the DSPT here

Notification of Emis cloud services – No. 16

Notification of Emis cloud services – No. 16

From 10 June 2019 EMIS Web started migrating practice patient data storage to Amazon Web Services (AWS).

Because this is a significant change to the way patient data is processed, in order to be compliant with GDPR, practices as ‘Data Controllers’ need to:

  • inform their patient through their usual methods of communication (for example their privacy notice)
  • carry out a Data Protection Impact Assessment (DPIA)
  • update their record of processing activities (ROPA) .


Updated  Detailed Privacy Notice

The latest version of the detailed Fair Processing Notice has been updated to cover the required communications and can be uploaded from here and should be pointed to from your practice website:

Updated FPN: privacy-notice-v110-1 (this also contains an update to the NWL DPO Service contact details which information should be in use by all practices whether EMIS or TPP)


Example DPIA

EMIS have provided an example DPIA which practices can download and use:

Sample DPIA: Data-Protection-Impact-Assessment-AWS-GP-perspective

The NWL DPO support offers an advisory service and does not have the resources to complete impact assessments on behalf of primary care. There is no central repository where a single form can be completed on behalf of 370 primary care data controllers. It is the responsibility for each data controller to keep their own records, relevant to the type of data and sharing in which they engage and for their individual organisation to be accountable in their own right and to be able to demonstrate GDPR compliance through their DSPT returns.  The DPO may however may recommend a Data Protection Impact Assessment (DPIA), support the process of practices completing it and approve the contents.

This sample DPIA provided by EMIS should be fairly straight forward and can be completed by filling in your practice details and the relevant entries in sections 5, 6 and 7. We recommend using the suggested entries already in place in sections 5 and 6. Where this is the case in section 6 and 7 the NWL CCGs DPO Service has approved both the recommended measures and the identified residual risks and agrees that processing may proceed.  The Caldicot Guardian or a signatory representing the practice’s data controllers should either accept (recommended) or overrule the DPO advice. There is no further consultation response required and the DPIA would be reviewed as part of routine practice process in your annual DSPT returns. See below:
 Practices should keep a copy of the completed DPIA with their practice’s data protection documentation/records.

Records Of Processing Activity

EMIS practices will need to also update their Records Of Processing Activity (ROPA) as described in GDPR Blog 6

If you have any questions please send them to


eDSM (Enhanced Data Sharing Model) – No. 15

eDSM (Enhanced Data Sharing Model) – No. 15

eDSM additional controls have been designed to ensure that GP’s and Patients have greater flexibility and control over which organisations have visibility of their SystmOne records. The new controls will allow GPs to decide if other SystmOne Organisations involved in the care of their patients can view their patient’s records (subject to patient consent).

In order to implement this change, we have now finalised the list of Organisations with whom North West London SystmOne practices currently share with. These are the Organisations who have signed the CWHHE MOU, Extended Hours Hubs and the practices within NWL CCG’s. These are listed within the ‘SHARED LIST’ that you will see attached. When Organisations are added to the ‘SHARED LIST’ this will ensure that patient records can be accessed, assuming consent has been given.

If you do not switch eDSM on then your practice will not be complying with the Data Protection Act 2018, which requires you to tell your patients with whom you share their data. The eDSM model allows you to do this.

Additional documentation:

Importing the ‘allowed list’


TPP eDSM enhancements_FAQs v.1.1

Allowed List Updates

Current Version – V11


Information sharing and the DCC – No. 14

Information sharing and the DCC – No. 14


The provision of an integrated healthcare service in North West London will require robust systems for creating and managing Information Sharing Agreements (ISAs) and Data Sharing Agreements (DSAs). As a result a NW London Digital Data Protection Framework has been designed which includes a template document which can be used to generate these agreements.

A Data Controller Consol will be used as an online repository where local data sharing agreements can be kept in one place. This will allow easier management by identifying the membership, the types of data being shared and the expiry dates of any agreements. It will also allow them to be distributed and signed electronically.

1) Information Sharing  Agreements (ISAs)

As we move towards providing integrated healthcare services in North West London the format and structure of DSAs has been reviewed because of the need to:

  • Manage more agreements between providers sharing health care data
  • Provide templates which simplify and standardise the process
  • Maintain GDPR compliance

As a result of GDPR, the complexity of ISAs and the amount of information they contain has increased. For this reason the information governance standards common to all of them have been distilled into a single overarching document call the Statement of Data Sharing (SDS) which will be signed by the members of any and all agreements. This will allow the pith of any information sharing agreement to be detailed in a smaller and easier to understand document called an Interoperability Service Specification (ISS). The combination of an ISS and the overarching SDS it points to will form the basis of all future ISAs in North West London.

More details about the structure and function of the NW London Digital Data Protection Framework can be found within the SDS document itself.

2) The Data Controller Console (DCC)

The DCC is an easy and efficient way for organisations to store, update and track the status of Information Sharing Agreements and is available to health and care organisation​s across London.

Why use the Data Controller Console?

The DCC increases visibility of agreements between organisations that share information, it also gives real time access to Information Sharing Agreements (ISAs) and control over any changes made to the ISAs.

The Data Controller Console can also help to support organisations with their compliance of the General Data Protection Regulation (GDPR) that came into force on the 25th May 2018 by:

  • Increasing visibility and transparency of agreements and processes between organisations sharing information
  • It allows organisations to track their information sharing arrangements and relationships
  • Tracks, reports and monitors information sharing agreements
  • Monitor compliance of sharing with regulations and therefore be confident to transfer on the basis of an adequate decision
  • Standardise templates such as Data Privacy Impact Assessments (DPIAs) and information sharing agreements

The Console also supports efficient Information & Data Sharing (ISA/DSA) between organisations by:

  • Decreasing paper in the system
  • Streamline data sharing processes
  • Creates a standard for sharing: ’Clubs’, data sharing agreements and Data Privacy Impact Assessments
  • Enables organisations to sign up to agreements on mass
  • Increases transparency between partner organisations
  • Reduces duplication in the system by encouraging and supporting transparency and collaboration between organisations

For further information about the DCC see:


DSPT Support Page – No. 13

DSPT Support Page – No. 13


Working with Practice Managers, NWL Primary Care Teams, The NWL IG team and the DPO, this page and the documents in it have been put together to help you complete the Data Security and Protection Toolkit (DSPT) by the 31st March 2019.

To avoid a plethora of DSPT support pages we plan to present all the required information on this page. If there is new advice or additional documentation it will be added here.

There are TWO MAIN documents which will help you through your submission.

1) A Data Security Policy

The various sections in DSPT ask for information which will include policies, protocols, guidelines or procedures across a range of different topics. We have designed this Data Security Policy to be the overarching document in your practice, where you can see links to all of the required elements in one place.

2) DSPT Requirement & Evidence V1.2   **Updated 18-March 2019**

This contains comments and guidance related to all of the 10 sections and subsections in the DSPT.

Both of these documents are works in progress and the links below (under Output Documentation) will always point to the most up-to-date versions.

By now, you should have logged in to the DSPT website and have started to add some of the simpler responses, such as your ICO number and your Caldicott Guardian details, as well as reviewing the mandatory questions.

Please note: for Hillingdon CCG Practices, it is advised that you contact the Hillingdon IT service desk for responses to questions that relate to your IT Service Provider.

Review of action points from last blog

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here
  • To do 46 – Start working though the sections completing only the compulsory sections in the first instance

Please note that as further work on the DSPT is clearly linked to going through each of the 10 sections, there will be no further To Do list other than the requirement for your practice to submit your DSPT returns under each of those sections.

Work covered in this session

Data Security Policy

It will be worth familiarising yourself with this document, which you may wish to add to as you progress. Working through the GDPR blogs will have generated much of the information needed for the DSPT.  This document should enable you to pull together all of your existing policies, plus help you with some new ones. It is an overarching policy document to which you or your staff can refer. You can also use to it as a resource within DSPT and it may be helpful in responding to questions which arise at CQC inspections.

DSPT Requirements & Evidence

This will probably the most commonly used document in submitted your response to the question, assertions and evidence required under each of the 10 sections in the DSPT.

Some of the DSPT requirements need you to demonstrate the presence of robust cybersecurity measures. A number of those relate to the policies and practices provided through centrally provided IT services. Those elements have also been responded to and can be found under the relevant sections in this document.

Fair Process Notifications

The NWL Collaboration have designed two GDPR compliant fair process notices for your patients in poster form, which are on their way to you. We are required to present this information in tiered levels, simplest first, with the ability to drill down on progressive detail. The posters represent the simplest information. The most detailed information is found in your A4 fair processing notice which should be published on your practice website. The posters should be displayed in your surgery to inform you patients about how we use their data in NWL. The more details A3 posted has space for stickers which should be printed to show (as below):

  • Practice Address
  • Practice Website URL
  • Detailed FPN URL (from practice website)
  • DPO contact NWL CCGs DPO Service

There are electronic versions which can be uploaded to your NUMED/Call board screens.  NHS NWL Medical Information Sharing Poster

Please use the latest version 1.08 of the detailed A4 Fair Processing Notice which can be downloaded here:  **Updated 29-March 2019**

Data Flow Mapping

Please use the latest version 1.2 of the data flow mapping spreadsheetwhich can be downloaded here: **Updated 29-March 2019**

Email Policy

SAR requirements can become complex if clinical correspondence is sent by email and an email policy which addresses this has been produced. It requires staff to migrate clinical data to your clinical system and delete the original email. In this way when you respond to an SAR you only need to interrogate a single data source.

Staff training around data sharing

The Staff Training & Support document is for all staff to enable them to understand Data Sharing across NWL.  This also includes the read codes (CVT-3 and READ2) that are required to opt in or opt out of data sharing. Staff Information – Data Sharing . We have also included an IG spotcheck template which practices can use to record the spot checks on compliance with these policies as required in 1.5.1.

Practice Hardware Asset Template

Section 1.4.4 of the DSPT requires a list of the hardware assets that you have within your practice. See: Asset Template for GPs

Business Continuity Plan

Remember, to make sure that you have updated your business continuity plan. These will vary from area to area but we have attached a template which covers the required sections. You should ensure that copies of the plan are kept out of the business and that you know who to contact in an emergency. Make sure that you have the correct contact details for the IT team which is  Tel: 020 3350 4050 and email as is now provided by North West London Collaboration of Clinical Commissioning Groups.

Anti Virus

This links to question 6.3.2 – Number of alerts recorded by AV tool in last three months.  

190401 AV-Alerts BCWHHE   ⇐ for NHS Brent, Central, West, H&F, Hounslow & Ealing CCGs This was last updated on 1st April 2019.

190319 – Harrow  ⇐ for NHS Harrow CCG This was last updated on 19th March 2019.

Please note: for Hillingdon CCG Practices, it is advised that you contact the Hillingdon IT service desk for responses to questions that relate to your IT Service Provider.


Learning Points

  • The two main documents which will support your DSPT submission are the Data Security Policy and the DSPT Requirement & Evidence
  • There is now just one main page for DSPT support (this one).
  • Please ask any questions by email using


Work planned for next session

There will be no new blogs, but in response to any incomplete sections and to the questions which you submit, we will continue to update the contents on this page. Any updated documents will be included in the relevant section of the DSPT Requirement & Evidence document. Any new discussion topics discuss will be added below the work covered in this session section.

We plan next to review your feedback and cover support for Subject Access Requests (SARs) and Staff Training for 2019/20.

DSPT Introduction – No. 12

DSPT Introduction – No. 12


This is a follow on from the GDPR blog which will look at the the Data Security and Protection Toolkit which all GP practices need to submit by the 31st March 2019. The DSPT is a sequel to the IG Toolkit and whilst many parts are similar, there are also new sections and the sum total is a more comprehensive undertaking.  There is a focus on cyber-security which will enable our IT systems to be more robust in response to malware such as virus infections, or the cryptoworm Wanncry ransomware which caused such disruption in May 2017. Much of the information needed for these sections will be common across NWL, for example specifying the type of antiviral software in use. Where these question are identified we will provide the information you need here. Some of the GDPR work outlined in prior blogs on this website will also support your submission and the DSPT action plan (see output documentation below) identifies where there are common areas and links to them.

Is there a pass fail process or a scoring system? When the IG Toolkit was first released, the idea was to encourage organisations to simply take part. Over time there was an aspiration to agreed levels of IG competence and our NWL IG sharing agreements asked all health care organisations to achieve level 2 of the IG toolkit before they could share electronic patient records. In a similar way the first step with the DSPT will be to register and complete those sections which are identified as compulsory. In time your organisation may want to document their IG competence in some of the non-compulsory sections.

Who will see our DSPT returns? As we learn to  share information in our health care communities in more integrated ways there will be sharing agreements which require mutually agreed standards. It will be possible to sign up to those agreements electronically on the Data Control Console DCC. In addition to being a repository for Information Sharing Agreements and Data Processing Agreements it will also be a place where you can share your standards of IG competence with other organisation who want to work with you.

When your practice is inspected by QCQ you may be expected to demonstrate that that your organisation is compliant with GDPR and to to show evidence to support this.  The DSPT is one way of benchmarking this and may be used for corroboration. Likewise if your practice is ever the subject of a complaint related to the management of personal data, the ICO may want to see evidence of the standards of IG which you are achieving. The results of the DSTP are also available to NHS Digital who may audit and analyse the scores in order to identify organisations who need further support.

Review of Action Points from the Previous Session

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DPST action plan and ensure activities are scheduled in to meet compliance by 31 March 2019

Work covered this week

1) How to register with the DSPT?

If you have not already done so you can register your practice here:

You will need to provide an email address and also give a your practice code in the form E85074

2) What Sections should I complete?

There are a large number of sections, but in the first instance you should start with those items which are identified on the site as compulsory

3) Where can I find further support?

There are a number of different support options which include

  • Workshops
  • Webinars (to be advised)
  • This blog
  • NWL IG team
  • IT Team
  • DPO


A number of practices have started working through the DSPT sections. In the first instance we have agreed to put our head together to see which areas practices might need help with and which ones require specific input from the IT teams. We want to draw from the experience of those who have completed various sections or who have drawn up policy documents so that we can share good practice and avoid the need for many practices to ‘reinvent the wheel’. Once we have looked at the requirements in the compulsory sections we plan to hold a workshop, initially with some of the Ealing  practices to walk through the process. There will be an expert panel from the IG and IT teams and a question and answer session.  We are planning similar workshops across the other CCGs and as we develop a better understanding of the requirements we will use this blog to share:

  • learning points
  • policies, protocols or template documents which can be shared
  • webinars or other online learning resources

Over the next few months we plan to develop and add to a DSPT Support Page.

NWL IG and IT teams:

You can ask questions from the NWL IG team through the support email below and we will put these and the answers in a DSTP section into the FAQ. You can also get support from your IT team using the same email.

Data Protection Officers*:

Working through the DSPT and the final sign off of the DSPT will require input from your DPO. The current situation with a single interim DPO covering NWL will not allow that level of engagement at practice level. GPs need to take early action to appoint DPOs and as data controllers they are responsible for the costs of employing them and will need to budget something in the order of £1500 to £2500 per average practice to cover this. There has been some consensus among GPs that it would make little sense for individual practices to recruit their own DPOs and it will be better to deploy a shared DPO service at borough level or across NWL.

If either the federations or NWL were to undertake this role, they would levy their GPs for provision of the service.  This has been discussed in some of your networks and is also being debated in Federations and NWL CCGs who are looking into the most efficient and cost effective way of providing such a service.  We are also seeking further national guidance on this and are in contact with the LLMC and will update practices at Network level and on this blog as more information become available.

*[Update March 2019 – Since the details of the new GP contract have been released, the responsibility of providing and employing DPOs will rest with CCGs who are currently exploring ways to augment the current service]


Output Documentation

Learning Points

  • The DSPT (Data Data and Security Protection Toolkit) must be completed by 31/03/2019 and work towards this and GDPR compliance will require a minimum of 2-3 months preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level early in the New Year to support your work towards signing off the DSTP.

Practice Checklist

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here
  • To do 46 – Start working though the sections completing only the compulsory sections in the first instance
Summary Blog – No. 11

Summary Blog – No. 11


The past 10 weeks have seen us work through the core aspects of good information governance, which will allow you to demonstrate that your GP practice is compliant with GDPR and the new Data Protection Act 2018. We have stressed that this is not a one-off exercise but a process which needs to be kept under constant review and that you need to have systems in place which monitor and maintain the standards you apply in managing your patient and staff data.

This week we looked at what we have covered, key timescales, and support you will have going forward.

Review of Action Points from the Previous Session

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Work covered this week

1) How will your compliance with GDPR be assessed?

As yet we do not know what exact form this will take but there are three scenarios where it may be put to the test.

  1. At your next CQC inspection, you will be asked to show evidence to support your compliance with GDPR.
  2. If you are the subject of a complaint related to how you manage personal data, the ICO (Information Commissioner’s Office) will want to look into your compliance with the GDPR.
  3. Your practice needs to complete the DSPT (Data and Security Protection Toolkit) by the 31st March 2019. This is the successor to the IG Toolkit.

Your next CQC inspection may not be imminent and you might never be the subject of a complaint as a result of a data breach. However, the DSPT deadline on this coming 31st March is a certainty for which you MUST ALLOW TIME AND RESOURCE TO PREPARE. See below.

2) Compliance with GDPR

As the GDPR came into effect on the 25th May 2018, the Information Commissioner’s Office (ICO) would expect organisations to already be putting policies and procedures in place to meet the requirements, however, they have stated they did not expect every organisation to be compliant as of the 25th May. If an incident did occur, however, they would take into account what your organisation has done and is pro-actively doing to ensure the protection of personal data. Evidence of the work undertaken within these blogs would, therefore, serve as a strong indicator to the ICO that you as an organisation takes data privacy seriously, and would take this into consideration when deciding any regulatory action.

3) Compliance with the new Data Security and Protection Toolkit

Whilst compliance with GDPR is not a set date or pass/fail monitoring system, the new Data Security and Protection Security Toolkit (DSPT) is a replacement for the old NHS Information Governance Toolkit. All organisations which process NHS data must complete this for 31 March 2019. The good news is that this follows many of the principles of GDPR, so the majority of what is covered in these blogs is what is required by the DPST. The two main areas which aren’t are IT security and compliance with the National Data Guardian reports, the former of which you will be able to gain evidence for from your IT supplier. In effect, the DPST will be the first tangible hurdle which will formally assess practices’ compliance with GDPR.

In order to assist you with this, we have put together a work plan for the Toolkit and matched the requirements against the relevant blog post. You should, therefore, be in a strong position once the work identified in this blog has been completed. This work plan can be found in the output documentation of this blog.

4) Allow a minimum of 3-months preparatory work to become GDPR compliant

The requirement may vary from practice to practice, but our two small practices (4000-5000 patients each) have required the following per practice:

These figures are not definitive and will vary depending on your practice set up. We have provided a more detailed spreadsheet listing specific tasks and personnel which can also be used to track and monitor allocated work to completion (below). The headline figure is that you should allow a bare minimum of 3 months to complete this work and so if you have not yet started, you must make plans to be underway by the New Year.

The other important requirement here will be to have a DPO in place who at the end of the year should be in a situation where he can assess and “sign off” the work you have done towards GDPR compliance and the DSPT. The DPO who is currently holding an interim post will not have the resource to cover all NWL practices and our advice is that you should also plan to appoint a DPO at CCG or Federation level by the New Year.

5) Support going forward

This will be our final blog in conjunction with our external IG experts, however, there is still support available to you going forward.

  • FAQ document which can be found in the resource area of this blog. This should be your first port of call in the event you have a question.
  • NWL Information Governance Blog, this will continue to be monitored and updated
  • email if you have any questions which are not answered in the blog or FAQ. The response will then be added to the FAQ.
  • The Data Protection Officer for all General Practices across NWL will continue in post and can be contacted at the email address above. You will be notified of any changes to this arrangement. It is important to recognise that this role will not provide the capacity to sign off all DSPTs at the end of March 2019, before which there will be a need for practices to appoint DPOs either at practice, federation or CCG level.

Finally, we have created a shortened summary version of the blog, and an action plan against each to-do requirement with the anticipated resource this will take.


Output Documentation

Learning Points

  • You should have systems in place which monitor and maintain the standards you apply in managing your patient and staff data
  • You will be required to show evidence of your GDPR compliance at your next QCQ inspection
  • The DSPT (Data Data and Security Protection Toolkit) must be completed by 31/03/2019 and work towards this and GDPR compliance will require a minimum of 3 months preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level by the New Year to support your work towards signing off the DSTP

Practice Checklist

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DPST action plan and ensure activities are scheduled in to meet compliance by 31 March 2019
Layered Fair Processing – No. 10

Layered Fair Processing – No. 10


Being transparent with individuals about how their personal data is used is a key aspect of privacy and confidentiality law. GDPR introduced transparency as a new requirement into the first data protection principle, it states that processing must be ‘fair, lawful and transparent’. Information communicated to individuals should be provided in a layered approach, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The first “layer” is an A3 notice containing the headline principles of sharing which then signposts documents which contain progressively detailed information on both your website and also CCG based sites.

To meet common law duty of confidentiality expectations, patients should also be aware and have a reasonable expectation that their information will be used for specified purposes if implied consent is to be used as the lawful basis.

Patients should have confidence about how their medical information is used, be aware of which purposes it’s used for, and understand the rights that they have in relation to their information. The NHS Constitution states that patients have the right to be informed about how their information is used. It is vital that patients trust how we use their data.

This week we looked at what information we need to provide our patients and the methods we can use. We have provided exemplars to help practices meet these requirements. We have updated the Fair Processing Notice (synonymous with ‘Privacy Notice’) in poster form and revised the more detailed document which can now replace your interim privacy notices on your websites. Where possible, when explaining how we use their data, we should use principles rather than specifics and try to give consistent advice, so that patients get the same message across a range of community healthcare settings. We have based the updated Privacy Notices on a detailed assessment of the data flows, information asset registers and records of processing in two local practices. We believe these will now cover most of the bases for how GPs in NWL share patient data. However, it is important, if you are sharing data in ways which are different from the norm, that your own Privacy Notices reflect this. Please let us know if you identify any omissions which you think should be included for yours or for other practices.

As with other GDPR undertakings, Fair Processing Notices are not just a tick box exercise. We need to be having a rolling “conversation” with our patients explaining how their personal data is used to support their healthcare and this can and should be delivered through a variety of different media which include but are not limited to:

  • Direct conversation
  • Paper and electronic documents
  • YouTube videos
  • Social media
  • Radio/TV and other ‘broadcasting’
  • Public engagement meetings

Meaningful and regular communication through various media and in different settings is one of the most important aspects of GDPR. Once our patients understand how their information is processed and know how to exercise choice, consent becomes almost academic. This remains an area we need to improve on and in addition to your input at the practice level, there are plans for a London wide campaign to promote better understanding of how we share records.

Talking about record sharing in our practice meetings will help improve staff understanding and enable them to better signpost and support patients.

Review of Action Points from the previous session

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure  you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required


Work covered this week


Where information is collected from the data subject, GDPR details the information that needs to be provided to data subjects in Article 13, including:

  • Contact details of the controller and the controller’s data protection officer
  • Purposes of processing
  • The lawful basis for processing
  • Recipients of personal data
  • Retention of data
  • Data subject rights

Much of this information should already be held in the organisation’s Information Asset Register and records of processing, which helps to inform the fair processing material. GDPR mandates that all this information is provided albeit in a manner of ways and varying levels of detail.  Therefore, all this information does not have to be provided in every single document, but it is essential that all this information is provided and easily accessible somewhere. How this can be presented is discussed below.

Content should be aimed at differing levels of understanding and capacity, especially when it relates to processing of children’s data. Therefore, consideration should be given not only to the content but the language used to provide the content. Fair processing information could be provided and discussed in patient engagement groups to ensure it is understood by patients with no NHS or privacy background.


Providing information to data subjects can take many forms and can no longer only be a statement on a website. In Practices, one of the most effective methods to provide high-level detail to patients is via easily readable posters in the waiting rooms or offices. This can include the basics which patients need to know, including the purposes their information is used for, who it may be shared with, and the key rights associated to their data, such as an objection to processing and access to their records. Such high-level materials can then provide information on where to get more information if required.

To ensure all information that is referred to in the Content section (above) is available, a larger document can then be produced which covers this. This can be made available on organisation websites as well as available in print form for those data subjects that do not have access to the internet. Given information must be provided to all, it would also be advantageous to have this available in different languages, either translated and provided in a separate document or via the use of a software on a browser such as google translate allowing the data subject to have it translated at the point of use.

These methods will primarily focus on those on who either actively visit Practices or Practice websites, so consideration should also be given to reaching those who may have limited contact but of whom their personal data is still processed. This could include taking out high-level advertisements in local media, use of local advertisements in public areas or postal campaigns. A simple way of informing patients of where to access such information could be a statement in the footer of all headed letter sent out by the Practice.


Output Documentation

A number of documents have been produced to give Practices a starting place to inform their patients of the processing taking place. These include:

PLEASE NOTE: These are based on information analysis from two GP Practice. You should review this to ensure that they include all data flows within your own practices, and check that all the purposes you use data for are covered. If you identify other data flows or other purposes which have not been included please let us know ( We will wait for a further 2 weeks to receive any feedback before finalising the content of the A4 Fair Processing Notice and printing (and formatting with updated links) the A3 posters for use across NWL GP practices.

Learning Points

  • Your Practice should have an up to date fair processing campaign
  • This information should be available to patients in both electronic and paper form
  • Fair processing information must be available at both high level and detailed level

Practice Checklist

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it