Primary Care Information Governance

The NW London Primary Care Information Governance website pages have been developed to provide information primary care information governance and provide advice and support on a range of issues including GDPR, DSPT, data processing of clinical systems.

This advice and support has been developed through the NW London Primary Care Information Governance committee (NW London PCIG). Further advice and support will be added as this work progresses.

The NHS North West London Primary Care Information Governance committee (NW London PCIG) is made up of GPs from within NW London, Deputy Director: Primary Care System, Deputy Director of Business Intelligence and Data Management, Representatives from the Primary Care Systems Team, representatives for IM&T Program Team, NW London IT Security Manager, the NW LONDON General Practice Data Protection Officer (GP-DPO) and the NW LONDON Corporate DPO.  The committee help general practices out on such matters as GDPR, DSPT, data processing of clinical systems.

We meet monthly to discuss Information Governance issues within NW London General Practices.

The committee members also look after items such as SystmOne Sharing List (Also known as the whitelist) DSPT Updates and DCC updates.

These settings control how external organisations can access patient records from this organisation. This includes the ability to determine whether an organisation is required to complete an extra verification step, controlled by the patient, before a share in preference can be recorded.

We are currently on V20 of the White List across NHS NW London which was updated on the 31 January 2024

To install the SystmOne White list, please click here to find instructions on how to do so.

If you need any support putting this in to SystmOne, please contact the Primary Care Systems Facilitation Team via the NHS NW London Service Desk

NW London Information Sharing Agreement the ISS for Direct Care replaces the “MoU” for sharing data between primary secondary and acute care for organisations using SystmOne or EMIS clinical systems. Communications have been sent to GP practices confirming that the agreement has been ratified by the NW London IG Board (where there is also LMC representation). The ISS will be made available on the Data Controller Console and all practices across NW London are requested to sign, as will our community and acute trusts who use those clinical systems.

Click here for more information.

An honorary contract is prepared when an employee of another organisation is coming to do a period of work/research/training within the organisation, but will not be paid directly by the organisation.

Honorary contracts are required for Individuals who do not have any contractual arrangements with the NHS; but are undertaking research, training, or carrying out activities in the organisation - which could have a direct bearing on the quality of patient care or a direct bearing on the quality or extent of prevention, diagnosis or treatment of illness or foreseeably cause injury or loss to an individual, to whom the organisation has a duty of care. The Honorary Contract defines lines of responsibility and accountability.

Without an honorary contract the worker will not be covered by NHS indemnity. Therefore, no individual should be allowed to participate or observe in a department without an honorary contract in place.

The issue of an Honorary Contract does not imply the creation of an employer/employee relationship and is for the purpose of granting licence to an individual to use certain Trust facilities.

Holders of an Honorary Contract who undertake clinical practice are responsible for arranging personal medical indemnity, proof of which must be provided to the Head of Service prior to commencement of work. Those already employed by another organisation must check with their employer whether they are already covered by their employment arrangements. Individuals are responsible for the maintenance of current registration with the relevant statutory professional body and this must be checked prior to the commencement of the contract. A DBS check will also be required.

Honorary contracts will be issued for any pre-determined time period of up to three years.

An example of an honorary contract is attached.

Further information can be found here.


The DCC increases visibility of agreements between organisations that share information, it also gives real time access to Information Sharing Agreements (ISAs) and control over any changes made to the ISAs.

The Data Controller Console can also help to support organisations with their compliance of the General Data Protection Regulation (GDPR) that came into force on the 25th May 2018 by:

  • Increasing visibility and transparency of agreements and processes between organisations sharing information
  • It allows organisations to track their information sharing arrangements and relationships
  • Tracks, reports and monitors information sharing agreements
  • Monitor compliance of sharing with regulations and therefore be confident to transfer on the basis of an adequate decision
  • Standardise templates such as Data Privacy Impact Assessments (DPIAs) and information sharing agreements

Log on via

The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

This system is subject to ongoing development, and the requirements may slightly change year on year.

This online resource is accessed via the webpage: Data Security and Protection Toolkit (

The site contains useful material, including recent webinars to help guide you through the process of completing the toolkit annually. Submissions deadlines are usually 30th June, unless otherwise stated.

The 10 data security standards are on the following topics:

  1. Personal confidential data
  2. Staff responsibilities
  3. Training
  4. Managing data access
  5. Process reviews
  6. Responding to incidents
  7. Continuity planning
  8. Unsupported systems
  9. IT protection
  10. Accountable suppliers

Completion should be a joint effort between a senior manager, your Caldicott Guardian, and your SIRO (or similar person with responsibility over data security processes).

An important mandatory domain is around an assertion that 95% of staff, directors, trustees and volunteers in your organisation have completed training on data security and protection, and cybersecurity in the 12 months before the submission deadline.

The link to access Data Security Awareness training can be found on the NWL Learning Management Service.

Please click here to the answers to some of the most asked for questions

We will add anything that you might need to this web page.

Future (prospective) records access means access to information and data added to the patient record from a set date onwards.

Please see the attached PDF document that NHS England has provided.  For more information and training guides, please visit or contact the NHS NWLondon ICB Helpdesk on 

The NW London Information Governance team have produced a checklist of considerations for PCNs and Federations regarding Information Governance. This is not exhaustive, and we would welcome direct queries on specific IG issues you may be encountering. This document also covers the clinical and non-clinical process for the New Technical Evaluation Process and the check list, should you wish to request a new piece of software.

Please see the attached document for more information.

All IG enquiries from ICB Colleagues should be sent to only.

All IG enquiries from GP Practices should be sent to only.  


ICB Colleagues requiring Subject Access Request support, please email us at 

GP Practice colleagues requiring Subject Access Request support, please email us at 

For the NW London Service Desk, please contact:


Accessibility tools

Return to header