The NW London Primary Care Information Governance website pages have been developed to provide information on primary care information governance, and to provide advice and support on a range of issues including GDPR, DSPT and data processing of clinical systems.
This advice and support has been developed through the NW London Primary Care Information Governance committee (NW London PCIG). Further advice and support will be added as this work progresses.
The NHS North West London Primary Care Information Governance committee (NW London PCIG) is made up of GPs from within NW London, the Deputy Director: Primary Care System, the Deputy Director of Business Intelligence and Data Management, representatives from the Primary Care Systems Team, representatives for the IM&T Program Team, the NW London IT Security Manager, the NW London General Practice Data Protection Officer (GP-DPO) and the NW London Corporate DPO. The committee helps general practices with matters such as GDPR, DSPT and data processing of clinical systems.
We meet monthly to discuss Information Governance issues within NW London General Practices.
The committee members also look after items such as the SystmOne Sharing List (also known as the whitelist), DSPT updates and DCC updates.
These settings control how external organisations can access patient records from this organisation. This includes the ability to determine whether an organisation is required to complete an extra verification step, controlled by the patient, before a share in preference can be recorded.
We are currently on V19 of the White List across NHS NW London, which was updated on the 6th October 2022.
To install the SystmOne White list, please click here to find instructions on how to do so.
If you need any support putting this into SystmOne, please contact the Primary Care Systems Facilitation Team via the NHS NW London Service Desk: email@example.com
NW London Information Sharing Agreement: the ISS for Direct Care replaces the “MoU” for sharing data between primary, secondary and acute care for organisations using SystmOne or EMIS clinical systems. Communications have been sent to GP practices confirming that the agreement has been ratified by the NW London IG Board (where there is also LMC representation). The ISS will be made available on the Data Controller Console and all practices across NW London are requested to sign, as will our community and acute trusts who use those clinical systems.
An honorary contract is prepared when an employee of another organisation is coming to do a period of work/research/training within the organisation, but will not be paid directly by the organisation.
Honorary contracts are required for individuals who do not have any contractual arrangements with the NHS but are undertaking research, training, or carrying out activities in the organisation which could have a direct bearing on the quality of patient care, have a direct bearing on the quality or extent of prevention, diagnosis or treatment of illness, or foreseeably cause injury or loss to an individual to whom the organisation has a duty of care. The Honorary Contract defines lines of responsibility and accountability.
Without an honorary contract the worker will not be covered by NHS indemnity. Therefore, no individual should be allowed to participate or observe in a department without an honorary contract in place.
The issue of an Honorary Contract does not imply the creation of an employer/employee relationship and is for the purpose of granting licence to an individual to use certain Trust facilities.
Holders of an Honorary Contract who undertake clinical practice are responsible for arranging personal medical indemnity, proof of which must be provided to the Head of Service prior to commencement of work. Those already employed by another organisation must check with their employer whether they are already covered by their employment arrangements. Individuals are responsible for the maintenance of current registration with the relevant statutory professional body and this must be checked prior to the commencement of the contract. A DBS check will also be required.
Honorary contracts will be issued for any pre-determined time period of up to three years.
The DCC increases visibility of agreements between organisations that share information. It also gives real-time access to Information Sharing Agreements (ISAs) and control over any changes made to the ISAs.
The Data Controller Console can also help to support organisations with their compliance with the General Data Protection Regulation (GDPR) that came into force on the 25th May 2018 by:
- Increasing visibility and transparency of agreements and processes between organisations sharing information
- Allowing organisations to track their information sharing arrangements and relationships
- Tracking, reporting on and monitoring information sharing agreements
- Monitoring compliance of sharing with regulations, so that organisations can be confident to transfer on the basis of an adequate decision
- Standardising templates such as Data Privacy Impact Assessments (DPIAs) and information sharing agreements
Log on via https://app.datacontroller.org.uk/
The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
This system is subject to ongoing development, and the requirements may slightly change year on year.
This online resource is accessed via the webpage: Data Security and Protection Toolkit (dsptoolkit.nhs.uk)
The site contains useful material, including recent webinars to help guide you through the process of completing the toolkit annually. Submission deadlines are usually 30th June, unless otherwise stated.
The 10 data security standards are on the following topics:
- Personal confidential data
- Staff responsibilities
- Managing data access
- Process reviews
- Responding to incidents
- Continuity planning
- Unsupported systems
- IT protection
- Accountable suppliers
Completion should be a joint effort between a senior manager, your Caldicott Guardian, and your SIRO (or similar person with responsibility over data security processes).
One important mandatory domain concerns the assertion that 95% of staff, directors, trustees and volunteers in your organisation have completed training on data security and protection, and cybersecurity, in the 12 months before the submission deadline.
We will add anything that you might need to this web page.
Future (prospective) records access means access to information and data added to the patient record from a set date onwards.
Please see the attached PDF document that NHS England has provided. For more information and training guides, please visit www.nwlearnning.nhs.uk or contact the NHS NW London ICB Helpdesk at firstname.lastname@example.org
All IG enquiries from ICB Colleagues should be sent to email@example.com only.
All IG enquiries from GP Practices should be sent to firstname.lastname@example.org only.
ICB Colleagues requiring Subject Access Request support, please email us at email@example.com
GP Practice colleagues requiring Subject Access Request support, please email us at firstname.lastname@example.org
For the NW London Service Desk, please contact: email@example.com