Sharing Patient Records for Direct Care – No. 20

A new NWL Information Sharing Agreement, the ISS for Direct Care (in the new terminology), replaces the “MoU” for sharing data between primary, secondary and acute care for organisations using SystmOne or EMIS clinical systems. We will shortly be sending out communications to GP practices to confirm when this has been ratified by the NWL IG Board (where there is also LMC representation). The ISS will be made available on the Data Controller Console, and all practices across NWL are expected to sign up, as will our community and acute trusts who use those clinical systems.

Allowing access to clinical records in Primary Care Networks

The emergence of PCNs and their inclusion within the GP contract has paved the way for them to become the organisations through which future primary care health services will be provided. Increasingly, PCN staff need to be able to access clinical records to support the delivery of patient care.

The organisational unit of data controllership remains with General Practice. PCNs, despite their pivotal nature, have no legal status and are not data controllers.

The new ISS for direct care outlines the governance requirements for healthcare organisations using TPP or EMIS clinical systems when sharing data for direct care and now states that

“Primary Care Networks (PCNs) are now a vehicle through which health care services are delivered. Trained staff from PCNs and their GP practices will now form part of each GP practice team and will have supervised and audited access to patient records when this is required to deliver patient care.”

and also, in relation to TPP (with equivalent arrangements in EMIS)

  • Only health care organisations who have a legitimate relationship to provide care obtained through a registration process can access the full patient record by ‘sharing in’ the full SystmOne patient record from the virtual pool.
  • At all new registrations, consent is required to ‘share in’ the full SystmOne patient record from the virtual pool. For existing registrations in Primary Care consent is not required.

This significant change will allow PCN staff to see the GP record without requiring consent and in effect this policy change provides them with a Legitimate Relationship where there is clinical need. Existing GP staff will also have a legitimate relationship to access the records of all patients within their PCN in the same way that they currently have access to patients in their own practice.

In order to access clinical records PCN staff must:

  1. Have a Legitimate Relationship (LR) to provide care for the patient (or be working with or accountable to an organisation who has that LR)
  2. Have completed training and be able to demonstrate that they understand their legal and professional responsibilities to protect patient confidence (IG training)
  3. Have completed training and be able to demonstrate competence in the use of the clinical system
  4. Have access to clinical records controlled with Role Based Access Control mediated through a smart card or similar method of authentication
  5. Have a contractual link to a Caldicott Guardian whose role would be to oversee 1), 2) and 3), sign an RA02 for 4), and provide accountability in the event of a breach in relation to data access or malpractice.

Informing Patients

The new ISS allowing sharing of records across PCNs is a significant change and practices can and should ensure that they have communicated these changes to their patients through a variety of media. There has already been public engagement via some PPG groups at practice, PCN and CCG level, also at the NWL IG board, and through other workshops. You should discuss the changes at your local Patient Participation Groups (PPGs) and direct them to a new section in your FPNs. You may wish to use the wording below as a basis for SMS, Email, website pages or practice noticeboards:

“We are working closely with neighbouring practices within our Primary Care Network (PCN) to support your care. PCNs and their constituent GP practices are now the organisations through which primary care health services will be delivered and when providing you with care their trained staff form part of our team and will have access to your NHS GP record. Please see our Privacy Notice [include url link to your FPN] for more details or discuss at your patient participation group”

Fair Process Notices should contain clauses explaining how their information is shared and below is the suggested wording to insert into the existing section under Local Information Sharing:

Local Information Sharing

Your GP electronic patient record is held securely and confidentially on an electronic system managed by your registered GP practice. In order to provide you with health and social care services your GP practice works in close collaboration with [insert your CCG / PCN name], a group of [Insert the number of local practices in your PCN] geographically local practices. The organisational boundary within which professionally trained staff can access your health record without consent has extended from your GP practice to this Primary Care Network. Staff are trained to understand their legal and professional responsibilities of confidence to their patients and will only access your records when they are required to do so to support your care. They will identify themselves and their role using a smart card, and access to your PCN record is recorded, monitored, and audited.

As your local PCN functionality extends they are likely to provide GP HUB and Out of Hours services directly in which case your records would be available without consent. If you require attention from a local health or care professional outside of your usual PCN services, through an Emergency Department, Minor Injury Unit or other Out Of Hours service, the professionals treating you are better able to give you safe and effective care if some of the information from your GP record is available to them. If those services use a TPP clinical system your full SystmOne medical record will only be shared with your express consent. 

Where available, this information can be shared electronically with other local healthcare providers via a secure system designed for this purpose. Depending on the service you are using and your health needs, this may involve the healthcare professional accessing a secure system that enables them to view either parts of your GP electronic patient record (e.g. your Summary Care Record) or a secure system that enables them to view your full GP electronic patient record (e.g. TPP SystmOne medical records or EMIS remote consulting system).

In all cases, your information is only accessed and used by authorised staff who are involved in providing or supporting your direct care. Aside from your registered provider your permission will be asked before the information is accessed, other than in exceptional circumstances (e.g. emergencies) if the healthcare professional is unable to ask you and this is deemed to be in your best interests (which will then be logged).

The use of honorary contracts

These are not standard contracts of employment. They provide a contractual link to a primary care organisation and Caldicott Guardian with the intention of:

  1. Creating a legitimate relationship
  2. Establishing accountability in the event of malpractice or a breach

Those links are already in place within GP practice staff and additional contracts will only be required for PCN staff who need to access identifiable patient data. Because of the change in the boundary allowing access to patient records, only one PCN practice needs an honorary contract to allow a PCN staff member to access patient records across the whole PCN. Because there is risk involved in taking on a contract it makes sense for them to be shared out between the practices in a PCN.

It is not possible to share medical records without risk and the balance is between keeping records in silos which are secure but have poor data sharing, as opposed to open access where there is a high risk of breach but effective sharing of information. It follows that more staff accessing a larger number of patient records poses a potential increase in risk. It is essential that staff understand that whilst they may be able to access many records, they should only do so when their job requires it.

Responsibility and liability in the event of malpractice or a breach could be shouldered by the practice which signs the contract, but this needs to be discussed and agreed between the constituent PCN practices. Practices and PCNs are strongly advised to enter into a written risk sharing agreement, the nature of which is beyond the scope of this ISS.

Examples of Honorary Contracts

See the attached documents, which are only 1-2 pages and give an indication of their intended scope. The variation in infrastructure between the 8 CCGs makes it an impractical proposition for us to provide a standard honorary contract across NWL. For this reason we are providing PCNs with principle-based advice about their IG requirements as detailed above. Each PCN will need to construct their contracts according to their specific needs.

Shared employment

PCNs may employ staff themselves or may use staff employed by another organisation (e.g. a community trust). In either of those settings there needs to be a standard employment contract, which will also include registration on the ESR system to monitor and audit standards set by the NHS Litigation Authority and the CQC, including:

  • maintenance of professional registration
  • pre-appointment clearances
  • DBS certification
  • induction and mandatory training

With shared employment a written agreement should detail which responsibilities lie with which organisation. For example, a community trust working with a PCN may be able to provide training.

Required Training

NWL IT services have developed module based clinical system and IG training which can be used by HCOs for their staff. GP practices who have signed honorary contracts may be happy to delegate the scheduling and documentation to their PCN.

To book your required training please access the NWL learning Hub

The Role of Federations

Federations/Confederations have different functions across NWL. In a setting where they are providing services, are data controllers in their own right in that role, and are hosting a clinical system, they may be able to take on the role of sharing records without the need for honorary contracts. However, this is likely to be the exception rather than the rule.

COVID Data Sharing Measures – No. 19

Updated 09.06.20 with advice on:

  • Managing Shielded Patients and notification of suspected COVID cases


Notification of suspected COVID cases

COVID is a notifiable illness. Regulations state that clinicians should not wait for laboratory confirmation before notifying. Laboratory confirmed cases are notified centrally. However, since Jan 2020 the low threshold for suspicion (anyone with cough or sore throat and symptoms of fever etc) has meant that there will be large numbers of suspected cases. Notifying this group, whilst officially required, is not likely to be a helpful process.

This has been discussed with senior clinicians at Public Health England (PHE) who understand and agree there is a dilemma. Because COVID is a notifiable illness they have no choice but to make the request – but accept that the information is of limited value and that this would not be best use of primary care time. A request to review this policy has been “passed up the chain”. In the meantime, practices can either wait until there has been a response, or if they wish to fulfil the legal obligations they can send PHE a spread sheet with the relevant details. (Our practice has collected the data, but has decided to wait for further information before notifying suspected COVID cases).


Updated 28.05.20 with advice on:

  • GP Connect (NWL considerations)
  • Summary Care Record (action needed on Fair Process Notifications)
  • COVID data managed by WSIC
  • Managing Shielded Patients and using COVID templates
  • Medopad App use in Respiratory Hubs


GP Connect

COVID measures have been taken to improve access to medical records and information for health and care professionals. This will support safe treatment and advice to patients who have called NHS 111, or are receiving care in settings other than general practice. The advice below has been précised from the letter sent to all GPs by NHSX and also includes information specific to NWL practices.

GP Connect allows authorised clinical staff in general practice, NHS 111 and other care settings providing direct care to view clinical information from a patient’s GP record by providing a read-only HTML view of the full GP record. It also supports the sharing of booked patient appointments. This functionality has been authorised by NHS Digital for all GP practices in England and will be enabled by GP system suppliers. Opt-outs, where patients have made them, will be respected.

These changes will:

  • improve GPs ability to treat patients outside of their registered practice, giving patients easier access to a GP when they need one, regardless of demand or staffing levels in their own practice, for example within a network or a federation hub;
  • give authorised health and care professionals working in primary care, NHS 111 – including the COVID Clinical Assessment Service (CCAS) – and other appropriate direct care settings, access to the GP records of the patients they are treating, regardless of where they are registered; and
  • allow remote organisations such as NHS 111 to book appointments directly with the patient’s GP practice including the ability to manage referrals from the COVID Clinical Assessment Service (CCAS). This will enable healthcare professionals to provide more timely care and provide flexibility for the primary care system.


Actions which NWL GP Practices need to take

So as not to require practices to set up the GP Connect service individually, NHS Digital have implemented a national roll out, which will be managed by the GP system suppliers for ALL GP Surgeries and GP led hubs. GP practices will still be required to implement some changes to allow the remote booking of appointments into their clinical systems, and further details will be provided when this is required.

NWL already has a system for the allocation of remote bookings, and in the short term this is fit for purpose and will remain the booking mechanism in place. We are piloting the GP Connect remote booking system in several practices and will inform GPs when the GPC booking component will be widely rolled out. In the interim, practices do not need to make changes.

Legal basis for this action

This action is being taken in response to the Notice issued on 20th March 2020 under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 requiring confidential patient information to be shared in the circumstances set out in the Notice.

The changes will remain in force during the period of the COVID-19 emergency period as set out in the Notice (unless extended or reduced) at which point systems will return to their current state unless alternative arrangements have been put in place before then.

To remove uncertainty over the effect of the Notice, NHSX have written to the GP system suppliers to request them to enable these changes without further instruction from GP practices. Your GP system suppliers should inform you in advance of making these changes, so that their role in facilitating these changes is made clear to you.

Safeguards required to keep information safe have not been compromised. Practices do not need to change any existing Data Sharing Agreements in relation to COPI legislation. However, in consideration of the possible longer-term implementation of GP Connect we have written a DPIA to consider the risks and mitigations and are considering incorporating the use of GP Connect in existing data sharing agreements. The BMA and RCGP are supportive of this work, as are the Information Commissioner’s Office and the National Data Guardian.

Further information including statements from those bodies is available on the following webpage

Questions can be directed to our NWL IG team or directly to NHSX:

Further plans for GP Connect

COPI legislation covers the use of the GP Connect data for COVID use until the 20th Sep 2020. We anticipate the possibility of continuing to use GP Connect beyond COVID and the NWL DPIA which has been written to support this is below:


We are also writing up an information sharing agreement to accommodate that scenario, which will either be a separate ISA or will be incorporated into our existing sharing agreement for direct care.

Summary Care Record (SCR) changes:

As part of COVID measures to support patient care, the default SCR consent has changed from implied consent for meds, allergies and adverse reactions, to implied consent for meds, allergies, adverse reactions and additional information.

The current view in SystmOne can be found through the left sided admin menu tab under Spine Details and SCR Details.

There is an equivalent process in EMIS (below):

Patients can still give their express consent / dissent to any of the last three tick box options below. If patients choose “express consent for medication and allergies and adverse reactions only” this will trump the new implied consent settings. Patient choices can be mediated through their GP practice by verbal request, or via a form.

Action required:

To inform your patients about these measures please ensure that your FPNs contain a section under Summary Care Record which points to: Supplementary Privacy Notice for Summary Care Records

COVID datasets for WSIC:

WSIC are working towards getting daily GP data from Discovery Data Services (DDS).

  • An email explaining that data will be flowing to DDS from which WSIC would extract data has been sent to all the Caldicott guardians/contacts for NWL practices registered on the Data Controller Console (DCC).
  • So far just 220/357 practices are signed up to the daily data extract processed through DDS
  • WSIC also continue to work with the fortnightly data feeds from Apollo to produce COVID dashboards for the sector


The specific COVID-19 datasets that WSIC have secured since the beginning of April are:

  • Full NWL population data from NHS digital with patient identifiable information – Frequency monthly
  • Direct admission data from all the acute trusts with confirmed/suspected COVID patients; this includes the bed status, i.e. critical care and ventilation details (fully patient identifiable) – Frequency daily
  • Full patient identifiable data from CMC with details of advanced care plan, resuscitation preference etc. – Frequency fortnightly
  • Direct pathology results data from all the pathology providers with full patient identifiable information – Frequency 3 times daily
  • The shielded patients list from NHS digital with patient identifiable information – Frequency weekly


The above datasets have been linked with the existing WSIC datasets to generate COVID dashboards. The dashboards allow NWL clinicians who have a legitimate relationship with an identified patient to view that patient’s Personal Identifiable Data, enforced through Role Based Access Control. Healthcare professionals who do not have a legitimate relationship with a patient can only see aggregate data. WSIC have updated their website with the details, and have also included this information in the newsletter that has been sent to all users with a registered login to WSIC.

WSIC does not extract appointment data, but they do also have a separate BI function which undertakes sector analysis for the ‘gold command’ which has been established for COVID management support. This central BI team does not have access to receive/view/process patient identifiable information, but they do see the output from the TPP trust-wide reporting unit and EMIS search and report modules. This does not contain any PID and is at an aggregate level. That BI team does not have direct control over Brent and Harrow EMIS search and report and has to get permission from the relevant CCG to run the searches if required.

GPES data collection

The General Practice Extraction Service (GPES) collects information for a wide range of purposes, including providing GP payments. It works with the Calculating Quality Reporting Service (CQRS) and GP clinical systems as part of the GP Collections service.

Coronavirus (COVID-19) has led to increased demand on general practices, including an increasing number of requests to provide patient data to inform planning and support vital research on the cause, effects, treatments and outcomes for patients of the virus.  To support the response to the coronavirus outbreak, NHS Digital has been legally directed to collect and analyse healthcare information about patients, including from their GP record, for the duration of the coronavirus emergency period.

This General Practice Extraction Service (GPES) data will be extracted as a snapshot in time extract on the initial collection. A subsequent fortnightly extraction will then continue until the expiry of the COVID-19 Direction. This has been in place since 31 March 2020 but will be reviewed in September 2020 and every six months thereafter. The frequency of the data extraction may change in response to demand.

Action required:

GPs must sign up to this extraction; this is not a request but a legal requirement.

See the following NHS Digital Notice:

See also this helpful LMC article:

Managing Shielded patients:

There is a central register of patients who are at the highest risk of serious health complications in the event of getting COVID. GPs have control over who is on this list and can add patients by coding them as High, Moderate, or Low risk.

Once they have been entered into the GP clinical system, these codes will be extracted weekly to update the central register.

To add a patient to the high-risk group enter the high risk code. For patients who are already in the high-risk group but whose GP thinks they should not be, entering the moderate risk code will automatically remove them from the high risk group (when the weekly data extraction occurs). The moderate risk group should be identical to your flu vaccination cohort. Patients not significantly at risk, and who do not need yearly flu jabs, can be coded as low risk.

Letters to patients

Patients identified as high risk in the first assessment have been sent a standard letter by NHS digital (see below).  Patients can be added to the high risk group through two other mechanisms.

  • Recommendation by secondary care consultants
  • Self inclusion (patients may write to their GPs asking to be included on the high risk list).

In general there is an expectation that the list from secondary care will have been properly considered and is accurate (although lists received to date have not always specified the reason for inclusion). However, in both cases GPs can exercise discretion and should make the final decision. Patients who have not previously been on the list and are added should be sent the standard letter:

  1. Standard inclusion on high risk list (updated May 2020)
  2. Removal from high risk group where not indicated
  3. Non-inclusion in high risk group after self-nomination

It is good practice to discuss in person with patients if you think they should not be on the list, or indeed with those patients who do not want to be included. Patients in groups 2) and 3)  who are being removed, or not included despite a request may also require a letter at their GP’s discretion.

Action required:

Aside from those written to by NHS digital, the responsibility of notifying patients about inclusion on the high risk list will rest with the GP practice.

Resources for managing shielded patients and COVID:

COVID templates

In addition, templates are available in your clinical systems which will allow you to enter the relevant clinical codes for COVID and to support and manage the follow up of high risk and shielded patients.

The description below covers use in SystmOne TPP (there are equivalent templates in EMIS). The COVID icon is a yellow triangle with an exclamation mark and can be seen in the top right hand window below the patient demographics. It is also present on the patient home page.
Clicking this icon will bring up the COVID template which supports the recording of coded COVID information such as symptoms, findings and diagnosis.

There are other tabs which allow the documentation of management plans, the identification of useful resources, the recording information on other respiratory conditions etc. which will not be further detailed here.

Within the COVID template you will see another yellow triangle Icon labelled ‘Welfare template’. Clicking on this will bring up the following template.

This can be used by receptionists, HCAs or other trained staff to call patients in your high risk groups (or those who you have identified as having moderate COVID related symptoms) for follow up. The main section is the central grey window which contains a number of simple tick box questions. Once these have been completed the pink social assessment box can be ticked. If any needs have been identified your staff can forward this information by ‘tasking’ the relevant person (GP, Nurse, Link worker etc.). Note there are other potentially useful tabs within the template which will not be detailed here.


Another NWL COVID measure has been to look at ways of managing people in their own home. NHSX is supporting a pilot which uses a Medopad App (a remote monitoring product) across ‘Respiratory Hubs’ in North West London.

The App has been developed to manage and remotely monitor patients with confirmed and suspected COVID-19 infections who are self-isolating. The aim is to keep them out of hospital and deliver their care in a home environment. Healthcare staff at respiratory hubs will identify suitable patients and give them instructions about how to download and use the app. They may also be provided with a pulse oximeter. At set intervals they will be asked to record specific clinical information such as:

  • Symptoms
  • Temperature
  • Heart rate
  • Respiratory Rate
  • Oxygen saturation

There may later be the potential for them to be monitored remotely via a ‘virtual ward’ and for this information to be available through patient dashboards. The pilots will run for 3-6 months, after which an evaluation will review the impact of this intervention and consider the benefits of a wider roll out.


Updated 17.04.20 with advice on Fair Process Notification

Sharing for Direct Care

To support routine and emergency care during the COVID-19 crisis we are taking measures across NWL to share access to GP patient records more widely. This will be done by extending smart card permissions to existing authorised and trained staff in a staged manner*:

  1. Sharing will extend initially from the registered GP to Primary Care Networks.
  2. This may later be further extended to allow CCG wide access or
  3. In the event of worsening crisis to allow access by trained staff across NWL


* with the exception of Brent where Harness have requested an earlier migration towards sharing at CCG level


Caldicott Guardians from each practice have been asked to:

  1. Sign a bulk RA02 process, allowing shared smartcard access to their clinical systems by suitably qualified staff.
  2. Nominate members of their practice to contribute to this pool of staff and to vouch that they:
     • have had clinical training and are competent to exercise the permissions on their smart cards
     • have had IG training and understand their professional and legal responsibilities of confidence to their patients**
     • have a contractual relationship with the nominating Caldicott Guardian.


** In particular that access to patient records requires the existence of a legitimate relationship (i.e. they must be providing that patient with care) and that inappropriate access to records is a serious and dismissible offence.


Sharing data to plan and provide care in the Covid pandemic

The Secretary of State for Health has issued a notice under the ‘Control of Patient Information’ regulations (COPI) authorising NHS Digital to disseminate information to approved organisations in order to help them to effectively tackle the pandemic. These measures will be in place until the 30th Sep 2020 and will be reviewed at that time. This legal purpose will be used within the WSIC when identifying data to support the planning and delivery of health care related to COVID-19.

National shielding measures require a coded list of patients at highest clinical risk from COVID-19 (a subset of the flu jab cohort) to be extracted from GP clinical systems through GPES in the week starting 13th April. These patients will be written to by the NHS with specific advice. See update with a link to the original communication and FAQ sent on the 3rd April.


Fair Process Notification amendments

Because of the above changes we are advising all practices to amend their FPNs. You may choose to insert the paragraph below which covers patient information for COVID measures in hub and non-hub GP practices (or you may prefer a suitable alternative if your data sharing circumstances differ):

Data Sharing Measure in relation to the COVID pandemic

1) The secretary of state has served notice under the Health Service COPI (Control of Patient Information) Regulations 2002 to require organisations to process confidential patient information during the COVID Pandemic and these measures will remain in place until September 2020. In addition, aggregate data which supports the planning and delivery of health care during the COVID pandemic will be processed securely through the Whole Systems Integrated Care database. Any such data will be formally identified as COVID related and used only for this purpose until Sep 2020.

2) Primary care staff across each CCG will be able to access your full medical record without consent during the COVID-19 pandemic but will only do so when this is necessary to provide you with care. They will be required to use a smartcard which confirms their identity, and which limits their access and actions to those appropriate for their role. They will all have been trained to understand their professional and legal responsibilities in providing you with care. Access to records by trained clinicians will be made available for example when patients:

  • are asked to present to the Respiratory Hubs offering care for COVID related illness
  • are directed to other hubs based services for routine face to face, or telephone or video consultation
  • require community visiting services

3) The extension to smart card permissions is currently limited to CCG wide sharing, but in the event of the pandemic escalating we have taken measures to implement NWL wide sharing and will notify patients through this Fair Processing Notice, should that need arise.

4) The government have requested reinstatement of the “break glass” facility previously available in TPP clinical systems so as to allow a declared access to patient records in the event of an emergency.


Questions about COVID and data sharing




Reinstated ‘Break Glass’ Functionality in TPP

TPP has received a direction from Dame Fiona Caldicott (National Data Guardian) to reinstate the consent override (break glass) function within SystmOne.

The key points are:

  • This is for direct care only
  • Anyone using it must take advice from their DPO and Caldicott Guardian
  • It should be used only by registered and regulated health and care professionals
  • Every effort must be made to keep patients informed
  • A monthly audit of use will be sent to the NDG, ICO, NHS Digital and NHSX
  • This instruction will be in effect for 3 months from 30/3/2020


The NWL local policy is:

  • Use access as normal within our local EDSM allowed list
  • If access is required from outside this locality use the agreed EDSM process to obtain a validated password
  • If this does not work, or if there is a reason that a clinician needs access to the notes in the absence of the patient, then the break glass facility can be used (noting the above points)




National Data Optout – No. 18

National data opt-out (NDO) in Primary Care

GP practices must comply with the national data opt-out policy by March 2020.

What is the national data opt-out?

Patients can choose not to share their identifiable data when it is not related to the provision of direct care by requesting a national data opt-out. This has replaced the type 2 opt-out which used to be managed in primary care. Patients requesting a national data opt-out should now be directed to

Where a patient had a type 2 opt-out registered on or before 11 October 2018, this was automatically converted to a national data opt-out and if they were aged 13 or over they were sent a personal letter explaining the change and a handout with more information about the national data opt-out.

Patients can be reassured that their choices will continue to be respected. If they want to change their choice, they can use the national data opt-out service to do this.

Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until 2020, when the Department of Health and Social Care will consult with the National Data Guardian on their removal.

What should my practice do to be compliant with NDO?

  • Ensure you have a record of all your existing data disclosures, as required under GDPR/DPA 2018. This will be one of the requirements in your Data Security and Protection Toolkit (DSPT) returns.
  • Assess those data disclosures against the national data opt-out policy to see if national data opt-outs should be applied, and put a process in place to consider any new data disclosure requests against the policy. Note: the national data opt-out applies to data disclosures that rely on section 251 approval; please see the “National Data Opt-out FAQs”

To help GP practices to become compliant and to apply national data opt-outs, the four principal GP IT system suppliers are implementing new functionality in the reporting and search modules within their clinical systems. The functionality will enable practices to easily remove the records of patients who have registered a national data opt-out from data disclosures when the practice decides the opt-out applies.

Specific considerations for NWL GP practices

In relation to NDO compliance you will have received, or will shortly receive correspondence from NWL CCGs which include:

The majority of practices in the NWL CCGs will not be processing PID for non-direct care processes. In making an assessment, the areas which you may wish to consider would be:

  1. Whole Systems Integrated Care (WSIC) data extractions
  2. Discover data extractions
  3. Research data extracted through the ResearchOne TPP based module
  4. Any other independent research data extractions.
  5. Old reports which are informing data extractions

In managing these we have provided generic DPIAs which can be used in relation to:

  1. WSIC data extraction
  2. Discover data extraction
  3. TPP ResearchOne data extraction
  4. You must ensure any research data extractions not managed by TPP are excluding patients with NHS numbers where national data opt-outs have been applied (see Guidance and tools to achieve and declare compliance – below)
  5. Practices generating disclosures through existing older or bespoke reports (written before the new functionality) must ensure that their reports are edited to apply national data opt-outs. Likewise any new reports informing PID disclosure must apply national data opt-outs when created. If you are running external reports which you are unable to edit, you must contact the owner or publisher to apply national data opt-outs before data is disclosed.

The principle underpinning WSIC, Discover and ResearchOne extractions is that any data used (for purposes other than direct care) is not identifiable, and so the NDO does not apply in any of these examples. The DPIAs are attached for your information and to confirm this.

When your practice is compliant with the NDO you must declare this in your Fair Process Notification (FPN). You do not need to reprint your paper copies but should include a short statement (see below) in the published FPN which your website should point to.

“National Data Opt-Out

Our practice is compliant with the National Data Opt-out”

Practices should make sure staff are aware of the national data opt-out so they can support their patients and be aware of the patient support material (see below under Further Guidance)


FAQs on the National Data Opt Out

What type of data is involved?

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England. It is applied to data that originates within the health and adult social care system in England by health and care organisations. It does not apply to data disclosed by providers of health and care services outside of England or to children’s social care services.

When the opt-out is applied, the entire record (or records) associated with that individual must be fully removed from the data being disclosed, whether that data is held electronically or on paper, regardless of whether it is structured or unstructured.

When does the national data opt-out apply and in what circumstances can it be overridden?

The national data opt-out is aligned with the common law duty of confidentiality (CLDC). It applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. It is obviated by individual patient consent, or where the data is anonymised in line with the (ICO) Code of Practice.

Who can opt-out?

Any person registered on the Personal Demographic Services (PDS) who has an NHS number can set a national data opt-out, using online and non-digital channels. The opt-out is registered against their NHS number on the Spine (a central repository supporting IT infrastructure in England for health and social care).

What proportion of patients have opted-out?

Opt-out rates by region can be obtained through the national data opt-out publication

When should my practice be compliant?

All health and care organisations should be compliant with the opt-out by March 2020.

What are my responsibilities at a practice level?

Practices should have procedures in place to review uses or disclosures of confidential patient information against the national data opt-out operational policy guidance. The following general guidance on the national data opt-out policy will help you understand how it works and whether data uses or disclosures are in scope.

Note: To help GP practices to become compliant with the national data opt-out, the four principal GP system suppliers have been commissioned to develop and embed the service into their clinical systems. Further information will be made available as the GP system suppliers confirm their delivery plans. See further information for GP practices.

If your practice is disclosing PID data outside of its current clinical systems, these disclosures should have national data opt-outs applied, and you should implement the technical solution to enable you to check lists of NHS numbers against those with national data opt-outs registered.

When you get the results back, you should have a process in place to ensure that you only use or disclose information for the returned list of NHS numbers, as any with national data opt-outs registered will have been removed.

If you have no uses or disclosures which need to have national data opt-outs applied, you must still put procedures in place to assess future uses or disclosures against the national data opt-out operational policy guidance, and can choose to either:

  • implement the technical solution in readiness, or
  • be ready to implement it if needed for future data uses or disclosures

Once compliant, confidential patient information must not be used or disclosed before it has been assessed and national data opt-outs applied if necessary.


Guidance and tools to achieve and declare compliance

The compliance implementation guide provides a step-by-step guide to help understand and plan the actions required to become compliant with national data opt-out policy. The Check for national data opt-outs service explains how to configure a MESH tool which accepts a submission of a group of NHS numbers and returns the list with the NHS numbers of patients who have opted out removed.
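The two steps described above (submit the NHS numbers in a disclosure to the opt-out check, then disclose only records for the NHS numbers that come back) are shown below as an added worked example. This is not code from NWL, NHS Digital or the MESH service, and it does not model the MESH exchange itself: the returned list is a constructed sample standing in for the service's response. The records and NHS numbers are constructed test values, not real patients. The example goes slightly beyond the text in two ways: it validates each NHS number with the standard modulus 11 check digit before submission, and it withholds (fails closed on) any record whose NHS number is missing or invalid, since such a record cannot be checked against the opt-out register. The entire record for a withheld number is removed, as the FAQ above requires.

```python
"""Applying national data opt-outs to a disclosure extract (added example).

Assumed workflow, from the NWL guidance: the practice submits the NHS numbers in
the extract to the opt-out check service, which returns the same list with the
numbers of opted-out patients removed; only records for returned numbers may be
disclosed. The MESH exchange is not modelled; CHECK_RESPONSE is a constructed
stand-in for what the service returns.
"""
import re

# Constructed sample extract. The NHS numbers are syntactically valid test values
# made up for this example and do not refer to real patients.
EXTRACT = [
    {"nhs_number": "943 476 5919", "item": "consultation 2019-11-02"},
    {"nhs_number": "943 476 5919", "item": "prescription 2019-11-03"},
    {"nhs_number": "401 023 2137", "item": "consultation 2019-12-10"},
    {"nhs_number": "1234567881",   "item": "referral 2020-01-14"},
    {"nhs_number": "1234567890",   "item": "consultation 2020-01-20"},  # bad check digit
    {"nhs_number": "",             "item": "free-text note 2020-02-01"},  # no NHS number
]

# Constructed response from the opt-out check: 4010232137 is treated as having
# a national data opt-out registered, so the service has dropped it from the
# list it sent back. 1234567890 and "" were never submitted (see below).
CHECK_RESPONSE = ["9434765919", "1234567881"]


def normalise(nhs_number):
    """Strip spaces and hyphens so '943 476 5919' and '9434765919' compare equal."""
    return re.sub(r"[\s-]", "", nhs_number or "")


def is_valid_nhs_number(nhs_number):
    """Standard NHS number modulus 11 check: weights 10..2 on digits 1-9."""
    n = normalise(nhs_number)
    if not re.fullmatch(r"\d{10}", n):
        return False
    total = sum(int(d) * w for d, w in zip(n[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:          # no valid check digit exists for this prefix
        return False
    return check == int(n[9])


def prepare_submission(extract):
    """Unique, valid NHS numbers to send for checking, plus the raw values rejected."""
    to_submit, rejected = [], []
    for rec in extract:
        n = normalise(rec["nhs_number"])
        if not is_valid_nhs_number(n):
            rejected.append(rec["nhs_number"])
        elif n not in to_submit:
            to_submit.append(n)
    return to_submit, rejected


def apply_opt_outs(extract, returned_numbers):
    """Keep only records whose NHS number came back from the opt-out check.

    Every record for a number that was not returned is removed in full (the
    policy requires the entire record, not just some fields, to be withheld).
    Records with missing or invalid NHS numbers could not be checked, so they
    are withheld as well (fail closed) rather than disclosed.
    """
    allowed = {normalise(n) for n in returned_numbers}
    disclosable, withheld = [], []
    for rec in extract:
        n = normalise(rec["nhs_number"])
        if is_valid_nhs_number(n) and n in allowed:
            disclosable.append(rec)
        else:
            withheld.append(rec)
    return disclosable, withheld


if __name__ == "__main__":
    submit, rejected = prepare_submission(EXTRACT)
    print("submit:", submit)
    print("rejected before submission:", rejected)
    ok, withheld = apply_opt_outs(EXTRACT, CHECK_RESPONSE)
    print(len(ok), "records disclosable,", len(withheld), "withheld")
```

The key design choice is that the returned list is treated as an allow list: a record is disclosed only if its NHS number is positively present in the response, so a failed or partial check can never widen the disclosure. Keeping the rejected values from prepare_submission is also useful for the DSPT audit trail, because a record with an unmatchable NHS number needs manual resolution before it can go in any non-direct-care extract.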

Further guidance

DSPT Support 2019-2020 – No. 17


Working with Practice Managers, NWL Primary Care Teams, The NWL IG team and the DPO, this page and the documents in it have been put together to help you complete the Data Security and Protection Toolkit (DSPT) by the 31st March 2020.

To avoid a plethora of DSPT support pages we plan to present all the required information on this page. If there is new advice or additional documentation it will be added here.

There are TWO MAIN documents which will help you through your submission.

1) Data-Security-Policy-2019-2020

The various sections in DSPT ask for information which will include policies, protocols, guidelines or procedures across a range of different topics. We have used the Data Security Policy from last year as the overarching document in your practice, which you can edit for your practice if required. This has not changed from last year.

2) DSPT-Overview-2020-V6

We have put together an overview document which includes all of the questions within the DSPT and also highlighted in yellow which sections have changed slightly from last year. This contains comments and guidance related to all of the sections and subsections in the DSPT.

Both of these documents are works in progress and the links below (under Output Documentation) will always point to the most up-to-date versions.

We have put together a document which includes answers to some technical terminology as well as some common DPO queries: Tech talk – DPO

3) Anti Virus

This links to question 6.2.1, the number of alerts recorded by the AV tool in the last three months:

For NHS Brent, Central, West, H&F, Hounslow & Ealing CCGs:
Anti-Virus-Report 2020

For NHS Hillingdon, this information has been provided to each GP practice by the Head of IT security

For Harrow CCG:

Hillingdon Practice Alerts 3months

By now, you should have logged in to the DSPT website and have started to add some of the simpler responses, such as your ICO number and your Caldicott Guardian details, as well as reviewing the mandatory questions.

Register your practice for the DSPT here

Notification of Emis cloud services – No. 16

From 10 June 2019 EMIS Web started migrating practice patient data storage to Amazon Web Services (AWS).

Because this is a significant change to the way patient data is processed, in order to be compliant with GDPR, practices as ‘Data Controllers’ need to:

  • inform their patients through their usual methods of communication (for example their privacy notice)
  • carry out a Data Protection Impact Assessment (DPIA)
  • update their record of processing activities (ROPA).


Updated Detailed Privacy Notice

The latest version of the detailed Fair Processing Notice has been updated to cover the required communications. It can be downloaded from here and should be pointed to from your practice website:

Updated FPN: privacy-notice-v110-1 (this also contains an update to the NWL DPO Service contact details; this information should be in use by all practices, whether EMIS or TPP)


Example DPIA

EMIS have provided an example DPIA which practices can download and use:

Sample DPIA: Data-Protection-Impact-Assessment-AWS-GP-perspective

The NWL DPO support offers an advisory service and does not have the resources to complete impact assessments on behalf of primary care. There is no central repository where a single form can be completed on behalf of 370 primary care data controllers. It is the responsibility of each data controller to keep their own records, relevant to the type of data and sharing in which they engage, to be accountable in their own right and to be able to demonstrate GDPR compliance through their DSPT returns. The DPO may, however, recommend a Data Protection Impact Assessment (DPIA), support the process of practices completing it and approve the contents.

This sample DPIA provided by EMIS should be fairly straightforward and can be completed by filling in your practice details and the relevant entries in sections 5, 6 and 7. We recommend using the suggested entries already in place in sections 5 and 6. Where this is the case, in sections 6 and 7 the NWL CCGs DPO Service has approved both the recommended measures and the identified residual risks and agrees that processing may proceed. The Caldicott Guardian or a signatory representing the practice’s data controllers should either accept (recommended) or overrule the DPO advice. There is no further consultation response required and the DPIA would be reviewed as part of routine practice process in your annual DSPT returns. See below:

Practices should keep a copy of the completed DPIA with their practice’s data protection documentation/records.

Records Of Processing Activity

EMIS practices will need to also update their Records Of Processing Activity (ROPA) as described in GDPR Blog 6

If you have any questions please send them to


eDSM (Enhanced Data Sharing Model) – No. 15

eDSM additional controls have been designed to ensure that GPs and patients have greater flexibility and control over which organisations have visibility of their SystmOne records. The new controls will allow GPs to decide if other SystmOne organisations involved in the care of their patients can view their patients’ records (subject to patient consent).

In order to implement this change, we have now finalised the list of organisations with whom North West London SystmOne practices currently share. These are the organisations who have signed the CWHHE MOU, the Extended Hours Hubs and the practices within the NWL CCGs. They are listed within the ‘SHARED LIST’ that you will see attached. Adding organisations to the ‘SHARED LIST’ ensures that patient records can be accessed, assuming consent has been given.

If you do not switch eDSM on then your practice will not be complying with the Data Protection Act 2018, which requires you to tell your patients with whom you share their data. The eDSM model allows you to do this.

Additional documentation:

Importing the ‘allowed list’


TPP eDSM enhancements_FAQs v.1.1

Allowed List Updates

Current Version – V11


Information sharing and the DCC – No. 14


The provision of an integrated healthcare service in North West London will require robust systems for creating and managing Information Sharing Agreements (ISAs) and Data Sharing Agreements (DSAs). As a result a NW London Digital Data Protection Framework has been designed which includes a template document which can be used to generate these agreements.

A Data Controller Console will be used as an online repository where local data sharing agreements can be kept in one place. This will allow easier management by identifying the membership, the types of data being shared and the expiry dates of any agreements. It will also allow them to be distributed and signed electronically.

1) Information Sharing Agreements (ISAs)

As we move towards providing integrated healthcare services in North West London the format and structure of DSAs has been reviewed because of the need to:

  • Manage more agreements between providers sharing health care data
  • Provide templates which simplify and standardise the process
  • Maintain GDPR compliance

As a result of GDPR, the complexity of ISAs and the amount of information they contain has increased. For this reason the information governance standards common to all of them have been distilled into a single overarching document called the Statement of Data Sharing (SDS), which will be signed by the members of any and all agreements. This allows the substance of any information sharing agreement to be detailed in a smaller and easier to understand document called an Interoperability Service Specification (ISS). The combination of an ISS and the overarching SDS it points to will form the basis of all future ISAs in North West London.

More details about the structure and function of the NW London Digital Data Protection Framework can be found within the SDS document itself.

2) The Data Controller Console (DCC)

The DCC is an easy and efficient way for organisations to store, update and track the status of Information Sharing Agreements and is available to health and care organisations across London.

Why use the Data Controller Console?

The DCC increases visibility of agreements between organisations that share information; it also gives real-time access to Information Sharing Agreements (ISAs) and control over any changes made to the ISAs.

The Data Controller Console can also help to support organisations with their compliance with the General Data Protection Regulation (GDPR), which came into force on the 25th May 2018, by:

  • Increasing visibility and transparency of agreements and processes between organisations sharing information
  • Allowing organisations to track their information sharing arrangements and relationships
  • Tracking, reporting on and monitoring information sharing agreements
  • Monitoring compliance of sharing with regulations, so that organisations can be confident to transfer on the basis of an adequacy decision
  • Standardising templates such as Data Privacy Impact Assessments (DPIAs) and information sharing agreements

The Console also supports efficient Information & Data Sharing (ISA/DSA) between organisations by:

  • Decreasing paper in the system
  • Streamlining data sharing processes
  • Creating a standard for sharing: ‘Clubs’, data sharing agreements and Data Privacy Impact Assessments
  • Enabling organisations to sign up to agreements en masse
  • Increasing transparency between partner organisations
  • Reducing duplication in the system by encouraging and supporting transparency and collaboration between organisations

For further information about the DCC see:


DSPT Support Page – No. 13


Working with Practice Managers, NWL Primary Care Teams, The NWL IG team and the DPO, this page and the documents in it have been put together to help you complete the Data Security and Protection Toolkit (DSPT) by the 31st March 2019.

To avoid a plethora of DSPT support pages we plan to present all the required information on this page. If there is new advice or additional documentation it will be added here.

There are TWO MAIN documents which will help you through your submission.

1) A Data Security Policy

The various sections in DSPT ask for information which will include policies, protocols, guidelines or procedures across a range of different topics. We have designed this Data Security Policy to be the overarching document in your practice, where you can see links to all of the required elements in one place.

2) DSPT Requirement & Evidence V1.2   **Updated 18-March 2019**

This contains comments and guidance related to all of the 10 sections and subsections in the DSPT.

Both of these documents are works in progress and the links below (under Output Documentation) will always point to the most up-to-date versions.

By now, you should have logged in to the DSPT website and have started to add some of the simpler responses, such as your ICO number and your Caldicott Guardian details, as well as reviewing the mandatory questions.

Please note: for Hillingdon CCG Practices, it is advised that you contact the Hillingdon IT service desk for responses to questions that relate to your IT Service Provider.

Review of action points from last blog

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here
  • To do 46 – Start working through the sections, completing only the compulsory sections in the first instance

Please note that as further work on the DSPT is clearly linked to going through each of the 10 sections, there will be no further To Do list other than the requirement for your practice to submit your DSPT returns under each of those sections.

Work covered in this session

Data Security Policy

It will be worth familiarising yourself with this document, which you may wish to add to as you progress. Working through the GDPR blogs will have generated much of the information needed for the DSPT. This document should enable you to pull together all of your existing policies, plus help you with some new ones. It is an overarching policy document to which you or your staff can refer. You can also use it as a resource within DSPT, and it may be helpful in responding to questions which arise at CQC inspections.

DSPT Requirements & Evidence

This will probably be the most commonly used document in submitting your responses to the questions, assertions and evidence required under each of the 10 sections in the DSPT.

Some of the DSPT requirements need you to demonstrate the presence of robust cybersecurity measures. A number of those relate to the policies and practices provided through centrally provided IT services. Those elements have also been responded to and can be found under the relevant sections in this document.

Fair Process Notifications

The NWL Collaboration have designed two GDPR compliant fair process notices for your patients in poster form, which are on their way to you. We are required to present this information in tiered levels, simplest first, with the ability to drill down into progressively more detail. The posters represent the simplest information. The most detailed information is found in your A4 fair processing notice, which should be published on your practice website. The posters should be displayed in your surgery to inform your patients about how we use their data in NWL. The more detailed A3 poster has space for stickers which should be printed to show (as below):

  • Practice Address
  • Practice Website URL
  • Detailed FPN URL (from practice website)
  • DPO contact NWL CCGs DPO Service

There are electronic versions which can be uploaded to your NUMED/Call board screens. NHS NWL Medical Information Sharing Poster

Please use the latest version 1.08 of the detailed A4 Fair Processing Notice which can be downloaded here:  **Updated 29-March 2019**

Data Flow Mapping

Please use the latest version 1.2 of the data flow mapping spreadsheet which can be downloaded here: **Updated 29-March 2019**

Email Policy

SAR requirements can become complex if clinical correspondence is sent by email, and an email policy which addresses this has been produced. It requires staff to migrate clinical data to your clinical system and delete the original email. In this way, when you respond to an SAR you only need to interrogate a single data source.

Staff training around data sharing

The Staff Training & Support document is for all staff to enable them to understand Data Sharing across NWL. This also includes the read codes (CTV-3 and READ2) that are required to opt in or opt out of data sharing. Staff Information – Data Sharing. We have also included an IG spotcheck template which practices can use to record the spot checks on compliance with these policies as required in 1.5.1.

Practice Hardware Asset Template

Section 1.4.4 of the DSPT requires a list of the hardware assets that you have within your practice. See: Asset Template for GPs

Business Continuity Plan

Remember to make sure that you have updated your business continuity plan. These will vary from area to area, but we have attached a template which covers the required sections. You should ensure that copies of the plan are kept outside the business and that you know who to contact in an emergency. Make sure that you have the correct contact details for the IT team, which is Tel: 020 3350 4050 and email as is now provided by North West London Collaboration of Clinical Commissioning Groups.

Anti Virus

This links to question 6.3.2 – Number of alerts recorded by AV tool in last three months.

190401 AV-Alerts BCWHHE   ⇐ for NHS Brent, Central, West, H&F, Hounslow & Ealing CCGs This was last updated on 1st April 2019.

190319 – Harrow  ⇐ for NHS Harrow CCG This was last updated on 19th March 2019.

Please note: for Hillingdon CCG Practices, it is advised that you contact the Hillingdon IT service desk for responses to questions that relate to your IT Service Provider.


Learning Points

  • The two main documents which will support your DSPT submission are the Data Security Policy and the DSPT Requirement & Evidence
  • There is now just one main page for DSPT support (this one).
  • Please ask any questions by email using


Work planned for next session

There will be no new blogs, but in response to any incomplete sections and to the questions which you submit, we will continue to update the contents on this page. Any updated documents will be included in the relevant section of the DSPT Requirement & Evidence document. Any new discussion topics will be added below the "Work covered in this session" section.

We plan next to review your feedback and cover support for Subject Access Requests (SARs) and Staff Training for 2019/20.

DSPT Introduction – No. 12


This is a follow on from the GDPR blog which will look at the Data Security and Protection Toolkit which all GP practices need to submit by the 31st March 2019. The DSPT is a sequel to the IG Toolkit and whilst many parts are similar, there are also new sections and the sum total is a more comprehensive undertaking. There is a focus on cyber-security which will enable our IT systems to be more robust in response to malware such as virus infections, or the cryptoworm WannaCry ransomware which caused such disruption in May 2017. Much of the information needed for these sections will be common across NWL, for example specifying the type of antiviral software in use. Where these questions are identified we will provide the information you need here. Some of the GDPR work outlined in prior blogs on this website will also support your submission, and the DSPT action plan (see output documentation below) identifies where there are common areas and links to them.

Is there a pass/fail process or a scoring system? When the IG Toolkit was first released, the idea was to encourage organisations to simply take part. Over time there was an aspiration to agreed levels of IG competence, and our NWL IG sharing agreements asked all health care organisations to achieve level 2 of the IG toolkit before they could share electronic patient records. In a similar way the first step with the DSPT will be to register and complete those sections which are identified as compulsory. In time your organisation may want to document their IG competence in some of the non-compulsory sections.

Who will see our DSPT returns? As we learn to share information in our health care communities in more integrated ways there will be sharing agreements which require mutually agreed standards. It will be possible to sign up to those agreements electronically on the Data Controller Console (DCC). In addition to being a repository for Information Sharing Agreements and Data Processing Agreements, it will also be a place where you can share your standards of IG competence with other organisations who want to work with you.

When your practice is inspected by CQC you may be expected to demonstrate that your organisation is compliant with GDPR and to show evidence to support this. The DSPT is one way of benchmarking this and may be used for corroboration. Likewise, if your practice is ever the subject of a complaint related to the management of personal data, the ICO may want to see evidence of the standards of IG which you are achieving. The results of the DSPT are also available to NHS Digital, who may audit and analyse the scores in order to identify organisations who need further support.

Review of Action Points from the Previous Session

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DSPT action plan and ensure activities are scheduled in to meet compliance by 31 March 2019

Work covered this week

1) How to register with the DSPT?

If you have not already done so you can register your practice here:

You will need to provide an email address and also give your practice code in the form E85074

2) What Sections should I complete?

There are a large number of sections, but in the first instance you should start with those items which are identified on the site as compulsory

3) Where can I find further support?

There are a number of different support options which include

  • Workshops
  • Webinars (to be advised)
  • This blog
  • NWL IG team
  • IT Team
  • DPO


A number of practices have started working through the DSPT sections. In the first instance we have agreed to put our heads together to see which areas practices might need help with and which ones require specific input from the IT teams. We want to draw from the experience of those who have completed various sections or who have drawn up policy documents, so that we can share good practice and avoid the need for many practices to ‘reinvent the wheel’. Once we have looked at the requirements in the compulsory sections we plan to hold a workshop, initially with some of the Ealing practices, to walk through the process. There will be an expert panel from the IG and IT teams and a question and answer session. We are planning similar workshops across the other CCGs, and as we develop a better understanding of the requirements we will use this blog to share:

  • learning points
  • policies, protocols or template documents which can be shared
  • webinars or other online learning resources

Over the next few months we plan to develop and add to a DSPT Support Page.

NWL IG and IT teams:

You can ask questions of the NWL IG team through the support email below, and we will put these and the answers in a DSPT section of the FAQ. You can also get support from your IT team using the same email.

Data Protection Officers*:

Working through the DSPT and the final sign off of the DSPT will require input from your DPO. The current situation with a single interim DPO covering NWL will not allow that level of engagement at practice level. GPs need to take early action to appoint DPOs and as data controllers they are responsible for the costs of employing them and will need to budget something in the order of £1500 to £2500 per average practice to cover this. There has been some consensus among GPs that it would make little sense for individual practices to recruit their own DPOs and it will be better to deploy a shared DPO service at borough level or across NWL.

If either the federations or NWL were to undertake this role, they would levy their GPs for provision of the service. This has been discussed in some of your networks and is also being debated in Federations and NWL CCGs, who are looking into the most efficient and cost effective way of providing such a service. We are also seeking further national guidance on this and are in contact with the LLMC, and will update practices at Network level and on this blog as more information becomes available.

*[Update March 2019 – Since the details of the new GP contract have been released, the responsibility of providing and employing DPOs will rest with CCGs who are currently exploring ways to augment the current service]


Output Documentation

Learning Points

  • The DSPT (Data Security and Protection Toolkit) must be completed by 31/03/2019, and work towards this and GDPR compliance will require a minimum of 2-3 months of preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level early in the New Year to support your work towards signing off the DSPT.

Practice Checklist

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here
  • To do 46 – Start working through the sections, completing only the compulsory sections in the first instance
Summary Blog – No. 11

The past 10 weeks have seen us work through the core aspects of good information governance, which will allow you to demonstrate that your GP practice is compliant with GDPR and the new Data Protection Act 2018. We have stressed that this is not a one-off exercise but a process which needs to be kept under constant review and that you need to have systems in place which monitor and maintain the standards you apply in managing your patient and staff data.

This week we looked at what we have covered, key timescales, and support you will have going forward.

Review of Action Points from the Previous Session

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Work covered this week

1) How will your compliance with GDPR be assessed?

As yet we do not know what exact form this will take but there are three scenarios where it may be put to the test.

  1. At your next CQC inspection, you will be asked to show evidence to support your compliance with GDPR.
  2. If you are the subject of a complaint related to how you manage personal data, the ICO (Information Commissioner’s Office) will want to look into your compliance with the GDPR.
  3. Your practice needs to complete the DSPT (Data Security and Protection Toolkit) by the 31st March 2019. This is the successor to the IG Toolkit.

Your next CQC inspection may not be imminent and you might never be the subject of a complaint as a result of a data breach. However, the DSPT deadline on this coming 31st March is a certainty for which you MUST ALLOW TIME AND RESOURCE TO PREPARE. See below.

2) Compliance with GDPR

As the GDPR came into effect on the 25th May 2018, the Information Commissioner’s Office (ICO) would expect organisations to already be putting policies and procedures in place to meet the requirements; however, they have stated that they did not expect every organisation to be compliant as of the 25th May. If an incident did occur, they would take into account what your organisation has done and is pro-actively doing to ensure the protection of personal data. Evidence of the work undertaken through these blogs would, therefore, serve as a strong indicator to the ICO that you as an organisation take data privacy seriously, and they would take this into consideration when deciding on any regulatory action.

3) Compliance with the new Data Security and Protection Toolkit

Whilst compliance with GDPR is not assessed against a set date or by a pass/fail monitoring system, the new Data Security and Protection Toolkit (DSPT) is a replacement for the old NHS Information Governance Toolkit. All organisations which process NHS data must complete this by 31 March 2019. The good news is that it follows many of the principles of GDPR, so the majority of what is covered in these blogs is what is required by the DSPT. The two main areas which aren’t are IT security and compliance with the National Data Guardian reports; for the former you will be able to gain evidence from your IT supplier. In effect, the DSPT will be the first tangible hurdle which formally assesses practices’ compliance with GDPR.

In order to assist you with this, we have put together a work plan for the Toolkit and matched the requirements against the relevant blog post. You should, therefore, be in a strong position once the work identified in this blog has been completed. This work plan can be found in the output documentation of this blog.

4) Allow a minimum of 3-months preparatory work to become GDPR compliant

The requirement may vary from practice to practice, but our two small practices (4000-5000 patients each) have required the following per practice:

These figures are not definitive and will vary depending on your practice set up. We have provided a more detailed spreadsheet listing specific tasks and personnel which can also be used to track and monitor allocated work to completion (below). The headline figure is that you should allow a bare minimum of 3 months to complete this work and so if you have not yet started, you must make plans to be underway by the New Year.

The other important requirement here will be to have a DPO in place who, at the end of the year, is in a position to assess and “sign off” the work you have done towards GDPR compliance and the DSPT. The DPO who is currently holding an interim post will not have the resource to cover all NWL practices, and our advice is that you should also plan to appoint a DPO at CCG or Federation level by the New Year.

5) Support going forward

This will be our final blog in conjunction with our external IG experts, however, there is still support available to you going forward.

  • FAQ document which can be found in the resource area of this blog. This should be your first port of call in the event you have a question.
  • NWL Information Governance Blog, this will continue to be monitored and updated
  • email if you have any questions which are not answered in the blog or FAQ. The response will then be added to the FAQ.
  • The Data Protection Officer for all General Practices across NWL will continue in post and can be contacted at the email address above. You will be notified of any changes to this arrangement. It is important to recognise that this role will not provide the capacity to sign off all DSPTs at the end of March 2019, before which there will be a need for practices to appoint DPOs either at practice, federation or CCG level.

Finally, we have created a shortened summary version of the blog, and an action plan against each to-do requirement with the anticipated resource this will take.


Output Documentation

Learning Points

  • You should have systems in place which monitor and maintain the standards you apply in managing your patient and staff data
  • You will be required to show evidence of your GDPR compliance at your next CQC inspection
  • The DSPT (Data Security and Protection Toolkit) must be completed by 31/03/2019, and work towards this and GDPR compliance will require a minimum of 3 months of preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level by the New Year to support your work towards signing off the DSPT

Practice Checklist

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DSPT action plan and ensure activities are scheduled in to meet compliance by 31 March 2019
Layered Fair Processing – No. 10

Being transparent with individuals about how their personal data is used is a key aspect of privacy and confidentiality law. GDPR introduced transparency as a new requirement in the first data protection principle, which states that processing must be ‘fair, lawful and transparent’. Information communicated to individuals should be provided in a layered approach, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The first “layer” is an A3 notice containing the headline principles of sharing, which then signposts documents containing progressively more detailed information on both your website and CCG based sites.

To meet common law duty of confidentiality expectations, patients should also be aware and have a reasonable expectation that their information will be used for specified purposes if implied consent is to be used as the lawful basis.

Patients should have confidence about how their medical information is used, be aware of which purposes it’s used for, and understand the rights that they have in relation to their information. The NHS Constitution states that patients have the right to be informed about how their information is used. It is vital that patients trust how we use their data.

This week we looked at what information we need to provide our patients and the methods we can use. We have provided exemplars to help practices meet these requirements. We have updated the Fair Processing Notice (synonymous with ‘Privacy Notice’) in poster form and revised the more detailed document which can now replace your interim privacy notices on your websites. Where possible, when explaining how we use their data, we should use principles rather than specifics and try to give consistent advice, so that patients get the same message across a range of community healthcare settings. We have based the updated Privacy Notices on a detailed assessment of the data flows, information asset registers and records of processing in two local practices. We believe these will now cover most of the bases for how GPs in NWL share patient data. However, it is important, if you are sharing data in ways which are different from the norm, that your own Privacy Notices reflect this. Please let us know if you identify any omissions which you think should be included for yours or for other practices.

As with other GDPR undertakings, Fair Processing Notices are not just a tick box exercise. We need to be having a rolling “conversation” with our patients explaining how their personal data is used to support their healthcare and this can and should be delivered through a variety of different media which include but are not limited to:

  • Direct conversation
  • Paper and electronic documents
  • YouTube videos
  • Social media
  • Radio/TV and other ‘broadcasting’
  • Public engagement meetings

Meaningful and regular communication through various media and in different settings is one of the most important aspects of GDPR. Once our patients understand how their information is processed and know how to exercise choice, consent becomes almost academic. This remains an area we need to improve on and in addition to your input at the practice level, there are plans for a London wide campaign to promote better understanding of how we share records.

Talking about record sharing in our practice meetings will help improve staff understanding and enable them to better signpost and support patients.

Review of Action Points from the previous session

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required


Work covered this week


Where information is collected from the data subject, GDPR details the information that needs to be provided to data subjects in Article 13, including:

  • Contact details of the controller and the controller’s data protection officer
  • Purposes of processing
  • The lawful basis for processing
  • Recipients of personal data
  • Retention of data
  • Data subject rights

Much of this information should already be held in the organisation’s Information Asset Register and records of processing, which help to inform the fair processing material. GDPR mandates that all of this information is provided, albeit in a variety of ways and at varying levels of detail. Therefore, not every document has to contain all of this information, but it is essential that all of it is provided and is easily accessible somewhere. How this can be presented is discussed below.

Content should be aimed at differing levels of understanding and capacity, especially when it relates to processing of children’s data. Therefore, consideration should be given not only to the content but the language used to provide the content. Fair processing information could be provided and discussed in patient engagement groups to ensure it is understood by patients with no NHS or privacy background.


Providing information to data subjects can take many forms and can no longer be only a statement on a website. In Practices, one of the most effective methods of providing high-level detail to patients is via easily readable posters in the waiting rooms or offices. These can include the basics which patients need to know, including the purposes their information is used for, who it may be shared with, and the key rights associated with their data, such as objection to processing and access to their records. Such high-level materials can then signpost where to get more information if required.

To ensure all the information referred to in the Content section (above) is available, a larger document can then be produced which covers it. This can be made available on organisation websites as well as in print form for those data subjects who do not have access to the internet. Given that the information must be provided to all, it would also be advantageous to have it available in different languages, either translated and provided as a separate document or via browser-based translation software such as Google Translate, allowing the data subject to have it translated at the point of use.

These methods will primarily reach those who actively visit Practices or Practice websites, so consideration should also be given to reaching those who may have limited contact but whose personal data is still processed. This could include taking out high-level advertisements in local media, using local advertisements in public areas, or postal campaigns. A simple way of informing patients of where to access such information could be a statement in the footer of all headed letters sent out by the Practice.


Output Documentation

A number of documents have been produced to give Practices a starting place to inform their patients of the processing taking place. These include:

PLEASE NOTE: These are based on information analysis from two GP Practices. You should review them to ensure that they include all data flows within your own practice, and check that all the purposes you use data for are covered. If you identify other data flows or other purposes which have not been included, please let us know. We will wait a further 2 weeks to receive any feedback before finalising the content of the A4 Fair Processing Notice and printing (and formatting with updated links) the A3 posters for use across NWL GP practices.

Learning Points

  • Your Practice should have an up to date fair processing campaign
  • This information should be available to patients in both electronic and paper form
  • Fair processing information must be available at both high level and detailed level

Practice Checklist

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it
Right of Access – No. 9

Obtaining access to their own information is one of the most exercised rights afforded to data subjects. Those rights have changed under the new data protection legislation, making it easier for them to access their medical records.  Controllers can no longer charge for providing data subjects with their personal data and have to respond within a month when previously they had 40 calendar days.

This week we look at how to manage these requests, how GP systems can be utilised to help compliance, and how to manage requests which aren’t always straightforward.

What would be the cost to your practice of a large number of patients submitting Subject Access Requests (SARs), to which you are obliged to respond without charge? Those costs will be minimised by not having to print out and post reams of paper records, and this can be achieved by allowing patients access to their full record electronically. There remains a resource issue related to checking the records, but the effort of doing so would have other benefits. How much time would be freed at reception if your patients had instant access to their results without having to telephone first? Could we train non-clinical staff to identify (and flag) third party or harmful data, and might such a role be centralised? Why not consider these issues at your practice and discuss ways of delivering solutions at scale in your network meetings and with your CCG and Federation? More below.

Review of action points from prior session

  • To do 26 – Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 – Conduct a physical audit in your practice – test staff awareness and processes, to see if there are any potential information risks or training needs
  • To do 28 – Review the example information risk register and update for your practice
  • To do 29 – Review the Information Governance Staff Handbook to check you are following best practice; if not, update your information risk register
  • To do 30 – Discuss the future provision of a DPO for your practice (at a practice, CCG or Federation level) and if you have not done so already make arrangements to appoint one in 2019.
  • To do 31 – Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian)
  • To do 32 – Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and the roles the breach is reported to.
  • To do 33 – Review NHS Digital’s Incident Reporting guidance, and ensure you follow it.

Work covered this week

Right of Access

GDPR provides a right of access to individuals for a copy of their personal data held by a Data Controller. As Data Controllers, GP Practices must now supply a copy of all information they hold about an individual on request for no fee and within a month.

Since March 2016, it has been a contractual obligation to allow patients access to their medical records via the organisation’s Patient Online system (SystmOne or EMIS). Both clinical systems allow patients to register and access all information held about them, which ensures they have up to date and timely information at hand. Many patients currently use Patient Online to book appointments and obtain prescriptions through the Electronic Prescription Service (EPS), but a smaller proportion uses this system to access their medical record. Allowing access to electronic records is not a binary decision and there are significant resource implications. You should have a system in place for allowing patients to apply for access to their records online, and any system you have should take into account the resources required. The priority you place on this process will be decided by the practice partnership. If resources are limited, you can and should have a waiting list. However, it is worth recognising that if a patient requests electronic access to their record and this is declined (or they are put on a waiting list), they are entitled to submit a SAR, and practically speaking the quickest and easiest way of responding to this within one month will be to provide them with full access to their record through Patient Online. If your practice requires help in providing this service there is a wealth of useful information from the RCGP, which is signposted below in the Resources section.

Where an adult patient is requesting access to their own records online, you should be assured that they are who they say they are. In most cases this will be by them providing two forms of ID: one photographic (such as a driving licence or passport) and one showing their address (such as a recent utility bill). If you can vouch that the person is who they say they are (for example, they regularly come to the surgery), then this can also be a form of assurance before granting access.

Coded Data or Free Text?

SystmOne allows the patient to be given access either to only their Read-coded data or to a copy of the full record including free text. Each Controller should make a decision regarding whether they want patients to access just the coded information or additionally the free text. As we have already noted, patients have a right to request the full record, and the coded information on its own would be insufficient to provide a response to a SAR.

Before access is granted, it is essential that the information on the record is reviewed to ensure that it is suitable to be disclosed to the patient. The right of access is not an absolute right, and information can be withheld in a number of limited scenarios, including where it is regarding third parties, or where it could be considered harmful or distressing to the patient to disclose. It is noted that this could cause resource issues, however, this is something that should be weighed up against the resource of handling requests for access in paper form now that no fee can be charged.

Specific data entries can be hidden from the patients’ view of online access, so it is important to ensure each query in a given consultation is recorded as a separate entity (a new section) so that if the information does need to be redacted later then this can be done at a more granular level.

Access by Proxy

Access to children’s records

It is important to note that the right of access always belongs to the data subject, so there is no automatic right for a parent to access a child’s record. However, if an adult has parental responsibility for a child or is a legal guardian, a GP can make a decision about whether to allow that individual access to the child’s record if it is in the child’s best interests. There is no statutory age in England and Wales at which a child is considered to have sufficient understanding to exercise their right of access; however, the new data protection legislation does stipulate that from the age of 13 a child will be deemed to have the capacity to consent to the use of ‘information society services’, which online access to records can be considered to be.

Therefore, any request for access to records by a parent or legal guardian where the child is under the age of 13 should be considered on a case by case basis, taking into account whether the child may have the capacity to understand the effects this may have and request their information is not shared with their parents.

Where a child is between the ages of 13 and 18, again this should be considered on a case by case basis, but it is generally assumed the child will have the capacity to decide whether the parent/legal guardian can access their record. Such requests should be granted, and the parent’s consent should only be sought if the child is deemed to lack capacity or if the clinician feels that it is in the best interests of the child.

Access to elderly patients/adult lacking capacity

Where a request comes to access the records of an elderly individual (such as a son or daughter requesting access to their elderly parent’s records), the individual should always be assessed as to whether they have the capacity to make such a decision themselves. If not, you should assure yourself that the person requesting access to the record has either Power of Attorney or a court order, or that access is in the patient’s best interests. It is important that you and your staff understand that these elderly patients are vulnerable and that on occasion such requests can be open to abuse, so where there is capacity you should ask direct questions to ensure there is no coercion, and where there is not capacity you should always be mindful of the possibility of coercion.

Real life case study

In 2016 a GP Practice was fined £40,000 for disclosing confidential information during a subject access request. The disclosure to a child’s father also included information relating to the mother (who had separated from the father and asked the Practice not to disclose her whereabouts), which included her contact details, information relating to her parents and another third party. The Information Commissioners Office found that the Practice had insufficient systems in place to manage such requests.

Therefore, in circumstances where there may be concerns regarding safeguarding, domestic violence or other such situations which could cause harm to individuals, every effort should be made to ensure the disclosure is appropriate and lawful.

Do remember, before allowing a patient or guardian access to clinical records you must be certain that:

  • They are who they say they are
  • They are allowed access to the requested record
  • The record given to them does not contain harmful or third party data


There is a series of eLearning modules available via the RCGP eLearning website below. These include courses on coercion, identity verification, proxy access, children and young people, an overview and benefits, protecting patients and the practice, and online access for clinical care.

General Resources

Output Documentation

Learning Points

  • Your practice should have an up to date access to records policy
  • You should have a system in place for allowing patients to apply for access to their records online
  • That system should take into account the resources required

Practice Checklist

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required

Next session on 04.09.18

(Blog No. 9 due 11.09.18)

Taking all of the patient data identified in earlier blogs which is being processed through the practice, and looking at the ways in which we use that information, we can now draw up a final Fair Processing Notice.


Managing Risk – No. 8

Introduction and comments

Information is valuable to primary care and the NHS as a whole, as it allows us to treat and protect patients, as well as to design and provide them with the best possible services. It is important for practices to understand what information they hold, why they hold it and what safeguards are in place to protect the data. By doing so we can ensure that information is used in a secure and lawful manner to prevent information breaches, as well as keeping our patients’ trust.

This week we looked at information risk management and revisited the role of the Data Protection Officers (DPOs) and the reporting of breaches and serious incidents.

Review of action points from prior session

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The contracts you listed for Blog No. 5 will require an assessment of compliance, either against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter, send the letter and checklist template to the provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log-in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Work covered this week

Information Risk Management

Information risk should not be treated differently to any other risk to the practice, whether it is financial or workforce risk. You will already have risk management processes set up. We need to check whether information risks have been recorded within your risk registers and that mitigating controls have been put in place.


Where will information risks arise prior to a breach happening?

From the activities noted in Blog No.2 – Information Asset and Data Flow Mapping and Blog No.3 – Data Protection Impact Assessments (DPIAs), we have added possible risks to the practice and / or have identified risks from the DPIAs undertaken.

You may also conduct a physical audit of the practice to test staff awareness and processes to establish whether there are any potential information risks or training needs. These activities will enable you to identify risks and also demonstrate good evidence for your Data Security and Protection Toolkit.

We have developed an information risk register. This lists the information risks we have identified at this practice and shows examples of the different types of risks. The Information Governance Staff Handbook should also be reviewed as this also details good practice for mitigating information risk to your Practice.


Data Protection Officer (DPO) in relation to GP Practices

To support the Information Risk Management process, there is a need to establish a structured framework and reporting mechanism. To meet the requirements of GDPR and the Data Security and Protection Toolkit, each Practice is required to appoint individuals to roles to support this framework and to deliver compliance.

GP Practices are considered Public Authorities under the provisions set out within Schedule 1 of the Freedom of Information Act 2000, because they provide primary medical services under contract to the NHS. GDPR specifies that all Public Authorities are required to appoint a Data Protection Officer (DPO).

The activities of the DPO within General Practice are detailed within the Information Governance Alliance GDPR guidance note for GPs and also their GDPR: Guidance on the Data Protection Officer.

Primarily the DPO should deliver independent advice and monitor processing activities and practice. Due to the independent nature of the role, here are some activities the DPO can and can’t do:

It is a requirement for the DPO to monitor processing activities to ensure compliance with GDPR. The Practice is required to submit their DPIAs, Information Assets and Data Flow registers, risk registers and incident logs to the DPO on a regular basis so that the DPO can monitor compliance with the Data Protection legislation and prevent personal data breaches.

For the activities that the DPO cannot undertake, the Practice should ensure that there is a decision-making function and approval process in place. This is likely to be your Practice Caldicott Guardian.

As part of the Caldicott function, the Caldicott Guardian should be aware of processing activities, information risks to the Practice or any risks that would have any privacy implications to data subjects. The Caldicott Guardian can approve information sharing agreements, contracts and breach investigation reports. The Caldicott Guardian should be the Practice’s first point of contact on Information Governance/GDPR matters.

Your Practice’s DPO [Action point]

As you are aware NWL CCGs have appointed a single DPO as an interim measure to help meet this responsibility, until Practices decide on how they wish to provide this service themselves. This arrangement can only work in the short-term in conjunction with the provision of GDPR support through this blog and our ability to access subject matter expert opinion through an IG consultancy. This is a time-limited resource and one which will reduce after November 2018. Whilst further support will continue to be available, this will be limited. It is essential that practices understand that it is a legal requirement for them to appoint a DPO who will be able to provide the services outlined in this blog.

Practices may decide to provide a DPO themselves, or consider a shared role across a CCG or federation. We have reminded CCGs about the limited timescale for implementation of DPOs to cover their GP practices in 2019, and are canvassing them for further support. We encourage NWL primary care health care communities to discuss this important issue at their CCG member meetings.

Information Governance Breaches and Serious Incidents

The Practice should ensure that robust mechanisms are in place for the reporting and monitoring of information breaches, whether they are serious incidents or near misses. GDPR defines a breach as follows:

Article 4(12) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Here are some examples of breaches or near misses:

In the event of a personal data breach, the individual should follow the Practice's Incident Reporting policy. The policy should include the reporting mechanism and the roles to which a breach is reported. The Practice should also follow NHS Digital's Incident Reporting guidance.

The table below details which severities of breach are required to be reported to the ICO and which can be dealt with locally. This is the reporting process detailed within the new NHS Digital Incident Reporting guidance. It is a requirement that all Practices follow NHS Digital's guidance on incident reporting.


The reporting mechanism is through the Practice’s Data Security and Protection Toolkit.

Reporting Structure:

GP Practices are required to report breaches through several mechanisms/bodies.

All levels of breach are required to be logged: as a Serious Incident on the Strategic Executive Information System (StEIS), which acts as a learning portal for the NHS, and at Practice level through incident report forms/logs. Any resulting risks should also be included within the information risk register. These will need to be provided to the DPO on a regular basis to assess whether the mitigating actions are effective and the risk has been minimised.

Should a potential or actual breach occur, please consult the Caldicott Guardian and the DPO.

Resources Used

Output Documentation


Learning points

  • The earlier data flow mapping exercise and DPIA should provide much of the information required for information risk management.
  • Your practice must appoint a DPO.
  • Be aware of what your DPO can and can’t do and ensure your Caldicott Guardian is aware of their responsibilities.
  • NHS Digital has issued a guide on incident reporting which must be followed.
  • All levels of breach are required to be logged on StEIS and on Practice incident report forms/logs.


Practice checklist

  • To do 26 Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 Conduct a physical audit in your practice – test staff awareness and processes, to see if there are any potential information risks or training needs.
  • To do 28 Review the example information risk register and update it for your practice.
  • To do 29 Review the Information Governance Staff Handbook to check you are following best practice; if not, update your information risk register.
  • To do 30 Discuss the future provision of a DPO for your practice (at a practice, CCG or Federation level) and, if you have not done so already, make arrangements to appoint one in 2019.
  • To do 31 Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian).
  • To do 32 Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and the roles to which a breach is reported.
  • To do 33 Review NHS Digital's Incident Reporting guidance, and ensure you follow it.


Next session on 30.08.18

(Blog No. 9 due 04.09.18)

We will be looking at how we provide electronic access to patient records in routine circumstances and the issues around providing proxy access for children and patients who may lack capacity.


GDPR Accountability – No. 7

Introduction and comments

We made a change to our schedule this week, and instead of fair processing we have looked at the levels of accountability which we are required to demonstrate following GDPR:

  1. Practice accountability – the technical and organisational measures that need to be in place in order for us to be able to demonstrate this.
  2. 3rd party supplier accountability and contract management.

We will cover fair processing in a later blog and you can view the updated timetable here.

As an aside, we have continued to get many questions related to GDPR, and a recurring theme has been how to respond to various scenarios related to Subject Access Requests (SARs). I wanted to take this opportunity to clarify an important principle related to whether or not practices can levy a charge for SARs. We had previously, and in retrospect incorrectly, reflected an observation that it should be the purpose of the information which guides the decision to charge and if that purpose is the production of a medical report (regardless of who generates the report) then the practice can make a charge. We have now discussed this with the ICO and have had clarification that practices should only charge when they themselves are creating a medical report. In summary, then, we cannot charge a lawyer or insurance company who are requesting information on behalf of the patient even if that purpose is for the production of a medical report unless we have been asked to generate that report.

How to manage the significant resource which will fall to general practice as a result of SARs remains a thorny problem. We believe that the best way forward in the longer term will be to prepare our medical records and share them widely with our patients so that SARs can be responded to through this mechanism. Here is a thoughtful blog about that subject which we recommend you read, which recognises that this is not a straightforward process and highlights some of the challenges ahead.

Access to your Medical records online – It’s hard work for practices, even to do the right thing….

Review of action points from prior session

  • To do 18 Check your renewal date for registration with the ICO; you will need to change to the new payment regime on renewal.
  • To do 19 Complete the Template Record of Processing
  • To do 20 Check the legal bases for processing for different categories of data
  • To do 21 Using the Policy Document Template, create a Policy Document for each category of data

Work covered this week

1)   Measures to demonstrate Practice accountability

Accountability is one of the data protection principles of GDPR.  Not only are we responsible for complying with GDPR but we must also be able to demonstrate our compliance. Whilst this is not a new principle, it is now a legal requirement.

This week we looked at technical and organisational measures which allow us to do this over a range of activities including:

Data Protection Impact Assessments (DPIAs), which we covered in Blog No. 3, can be excellent examples for showing the controls we have in place within our organisation which demonstrate our compliance.

The old IG toolkit provided a way of evidencing accountability, and this will continue with the new Data Security and Protection Toolkit.  It is now a mandatory requirement for all organisations that process NHS data to complete the Data Security and Protection Toolkit, which has been updated to include GDPR and also contains new recommendations to increase cybersecurity.

The new toolkit can be found here and this must be completed and submitted by 31st March 2019. As before your IG lead will be required to sign your practice up to the toolkit. The difference this year is that instead of this being a process of self-declaration “Yes we have done it”, there will now need to be external validation “Show us how you are compliant with the following requirement”.

CCGs are required to ensure that GP Practices are compliant with the Data Security and Protection Toolkit, so will be monitoring GP Practice compliance on an annual basis (after 31st March of each year). The specific nature of the external validation processes is yet to be clarified, but CQC inspection will almost certainly require evidence that the IG toolkit has been assessed and validated by an external assessor. The toolkit itself will help practices to demonstrate the actions they have taken to meet GDPR requirements and will be a repository which will allow scrutiny of any supporting evidence.

We will be revisiting the IG toolkit in a later blog and will provide templates to help you collate evidence for your Data Security and Protection Toolkit submission, which will be shared on this website.

2)   3rd Party Supplier and Contract Monitoring

As part of the principle of accountability, there is a requirement for data controllers to show that they monitor the performance of their data processors. This links in with the work we have done on DPIAs (Blog No. 3 DPIAs) and Contract Reviews (Blog No. 5 ISA & DPA).

Where processing is taking place, you should ask the third-party supplier for the independent audit of their Data Security and Protection Toolkit (this should be in the contract Terms and Conditions). The Template Data Processing Terms and Conditions (Crown Commercial Service templates) were provided in Blog No. 5.

Some of these data processing services may have been commissioned by the CCG and will have had contractual details as part of the commissioning process. In these circumstances, compliance should be monitored by the CCG as the organisation which has commissioned the service. You should ask the CCG for their validation/review of provider/supplier compliance.

When working on the contract reviews we stated that Practices should be using the Crown Commercial Service templates, which would include those Terms & Conditions. Whilst there is a processing agreement between GPs and EMIS as their data processor, there is not a similar arrangement with TPP. NHS Digital has advised that in the case of TPP this has been covered by local call-offs that are signed by CCGs, in addition to a signed deed of undertaking which protects individual GPs against supplier data protection breaches.

Most data processors will be using the Data Security and Protection Toolkit (previously the IG Toolkit), and the monitoring should be a simple matter of them providing you with their Toolkit compliance report.

If they are not taking part in the Toolkit or have not done an audit and you need further assurance, you can use a Provider Assurance Monitoring Checklist. We have included two checklists – one for NHS data and one for non-NHS data (employee). Note that most processors will be using the Toolkit, and in those cases their Toolkit compliance report is sufficient. The checklist below is more detailed and should not be required in the majority of cases for processors dealing with NHS data. We have also included a letter template for you to send to your third-party processors with the checklist.

Practices must monitor responses (you can use the Contract Log), and if there is sufficient assurance, set an annual review date. If the response is inadequate and shows a level of non-compliance, send a second letter detailing the specific requirements to be met by a given date. State that if the requirements are not met you will consider termination of the contract, a financial penalty (if included in the Terms and Conditions) or reporting data security concerns to the ICO.

Resources Used

Output Documentation

Learning points

  • This week's activity provides an opportunity to review any DPIAs to make sure they are comprehensive and meet the accountability requirements by detailing the technical and organisational measures in place in your practice.
  • The Data Security & Protection Toolkit must be submitted by 31 March 2019
  • Evidence of assurance must be obtained from third-party data processors either through a Data Security and Protection Toolkit assessment or from the response to the checklists stated above.

Practice checklist

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The contracts you listed for Blog No. 5 will require an assessment of compliance against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter, send the letter and checklist template to the provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log-in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Next session on 23.08.18

(Blog No. 8 and No. 9 due 28.08.18)

We will be covering two topics next week – reporting mechanisms through the DPO and access to records by children. There will be two separate blogs covering these subjects.