Primary Care Information Governance

The NW London Primary Care Information Governance website pages have been developed to provide information on primary care information governance, and to provide advice and support on a range of issues including GDPR, DSPT and data processing of clinical systems.

This advice and support has been developed through the NW London Primary Care Information Governance committee (NW London PCIG). Further advice and support will be added as this work progresses.

The NHS North West London Primary Care Information Governance committee (NW London PCIG) is made up of GPs from within NW London, the Deputy Director: Primary Care System, the Deputy Director of Business Intelligence and Data Management, representatives from the Primary Care Systems Team, representatives for the IM&T Program Team, the NW London IT Security Manager, the NW London General Practice Data Protection Officer (GP-DPO) and the NW London Corporate DPO. The committee helps general practices with matters such as GDPR, DSPT and data processing of clinical systems.

We meet monthly to discuss Information Governance issues within NW London General Practices.

The committee members also look after items such as the SystmOne Sharing List (also known as the whitelist), DSPT updates and DCC updates.

These settings control how external organisations can access patient records from this organisation. This includes the ability to determine whether an organisation is required to complete an extra verification step, controlled by the patient, before a share in preference can be recorded.

We are currently on V2£ of the White List across NHS NW London.

To install the SystmOne White List, please click here to find instructions on how to do so.

If you need any support putting this into SystmOne, please contact the Primary Care Systems Facilitation Team via the NHS NW London Service Desk: 🖥️ Self Serve | 📱 020 3350 4050 | 📧 nhsnwl.servicedesk@nhs.net

NW London Information Sharing Agreement: the ISS for Direct Care replaces the “MoU” for sharing data between primary, secondary and acute care for organisations using SystmOne or EMIS clinical systems. Communications have been sent to GP practices confirming that the agreement has been ratified by the NW London IG Board (where there is also LMC representation). The ISS will be made available on the Data Controller Console and all practices across NW London are requested to sign, as will our community and acute trusts who use those clinical systems.

Click here for more information.

An honorary contract is prepared when an employee of another organisation is coming to do a period of work/research/training within the organisation, but will not be paid directly by the organisation.

Honorary contracts are required for individuals who do not have any contractual arrangements with the NHS but are undertaking research, training, or carrying out activities in the organisation which could have a direct bearing on the quality of patient care, or on the quality or extent of prevention, diagnosis or treatment of illness, or which could foreseeably cause injury or loss to an individual to whom the organisation has a duty of care. The Honorary Contract defines lines of responsibility and accountability.

Without an honorary contract the worker will not be covered by NHS indemnity. Therefore, no individual should be allowed to participate or observe in a department without an honorary contract in place.

The issue of an Honorary Contract does not imply the creation of an employer/employee relationship and is for the purpose of granting licence to an individual to use certain Trust facilities.

Holders of an Honorary Contract who undertake clinical practice are responsible for arranging personal medical indemnity, proof of which must be provided to the Head of Service prior to commencement of work. Those already employed by another organisation must check with their employer whether they are already covered by their employment arrangements. Individuals are responsible for the maintenance of current registration with the relevant statutory professional body and this must be checked prior to the commencement of the contract. A DBS check will also be required.

Honorary contracts will be issued for any pre-determined time period of up to three years.

An example of an honorary contract is attached.

Further information can be found here.

 

The Data Controller Console (DCC) increases visibility of agreements between organisations that share information. It also gives real-time access to Information Sharing Agreements (ISAs) and control over any changes made to the ISAs.

The Data Controller Console can also help to support organisations with their compliance with the General Data Protection Regulation (GDPR) that came into force on the 25th May 2018 by:

  • Increasing visibility and transparency of agreements and processes between organisations sharing information
  • Allowing organisations to track their information sharing arrangements and relationships
  • Tracking, reporting on and monitoring information sharing agreements
  • Monitoring compliance of sharing with regulations, so that organisations can be confident to transfer on the basis of an adequate decision
  • Standardising templates such as Data Privacy Impact Assessments (DPIAs) and information sharing agreements

Log on via https://app.datacontroller.org.uk/

The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

This system is subject to ongoing development, and the requirements may slightly change year on year.

This online resource is accessed via the webpage: Data Security and Protection Toolkit (dsptoolkit.nhs.uk)

The site contains useful material, including recent webinars to help guide you through the process of completing the toolkit annually. Submission deadlines are usually 30th June, unless otherwise stated.

The 10 data security standards are on the following topics:

  1. Personal confidential data
  2. Staff responsibilities
  3. Training
  4. Managing data access
  5. Process reviews
  6. Responding to incidents
  7. Continuity planning
  8. Unsupported systems
  9. IT protection
  10. Accountable suppliers

Completion should be a joint effort between a senior manager, your Caldicott Guardian, and your SIRO (or similar person with responsibility over data security processes).

An important mandatory domain is around an assertion that 95% of staff, directors, trustees and volunteers in your organisation have completed training on data security and protection, and cybersecurity in the 12 months before the submission deadline.

The link to access Data Security Awareness training can be found on the NWL Learning Management Service.

Please click here for the answers to some of the most frequently asked questions.

We will add anything that you might need to this web page.

Future (prospective) records access means access to information and data added to the patient record from a set date onwards.

Please see the attached PDF document that NHS England has provided. For more information and training guides, please visit www.nwlearnning.nhs.uk or contact the NHS NW London ICB Helpdesk on nhsnwl.servicedesk@nhs.net

The NW London Information Governance team have produced a checklist of considerations for PCNs and Federations regarding Information Governance. This is not exhaustive, and we would welcome direct queries on specific IG issues you may be encountering. This document also covers the clinical and non-clinical process for the New Technical Evaluation Process and the checklist, should you wish to request a new piece of software.

Please see the attached document for more information.

What is a Privacy Notice and how does it relate to the UK GDPR?

A Privacy Notice is a document or statement that explains how an organisation collects, uses, stores, and protects personal data. It's designed to inform individuals about their data rights and the measures in place to ensure their data is handled appropriately. Under the UK GDPR (General Data Protection Regulation), providing a Privacy Notice is a key requirement.

How It Relates to the UK GDPR:

  1. Transparency: The UK GDPR emphasizes the importance of transparency, requiring organizations to clearly inform individuals about how their data is being processed. A Privacy Notice fulfils this requirement by detailing the types of data collected, the purposes of processing, and how individuals can exercise their rights.
  2. Accountability: Organizations must demonstrate their compliance with data protection principles. Having a comprehensive Privacy Notice is part of this accountability, showing that the organization is committed to protecting personal data and respecting individuals' rights.
  3. Information Provided: The UK GDPR specifies certain information that must be included in a Privacy Notice, such as:
    • The identity and contact details of the data controller.
    • The purposes and lawful basis for processing the data.
    • The recipients or categories of recipients of the data.
    • The retention period for the data.
    • The rights of the data subjects, including the right to access, rectify, and erase their data.
    • Information on data transfers to third countries and the safeguards in place.
  4. Accessibility: The Privacy Notice must be easily accessible and presented in clear, plain language to ensure that individuals can understand how their data is being used.

Click here for the latest copy of the Template for a Privacy Notice.

It is the responsibility of every “Data Controller” to ensure that the practice privacy notice is kept up to date and is published at the practice and on its website.

We know that some surgeries manage their practice websites themselves, while others use private organisations such as Practice365 (who host this website on behalf of your GP practice). However, the responsibility for updating the Privacy Notice is yours. If you need any advice or support, please email the DPO at nhsnwl.icb-dpo-gp@nhs.net

All IG enquiries from ICB Colleagues should be sent to nhsnwl.icb-dpo-corporate@nhs.net only.

All IG enquiries from GP Practices should be sent to nhsnwl.icb-dpo-gp@nhs.net only.  

 

ICB Colleagues requiring Subject Access Request support, please email us at nhsnwl.icb-dpo-corporate@nhs.net 

GP Practice colleagues requiring Subject Access Request support, please email us at nhsnwl.icb-dpo-gp@nhs.net 

For the NW London Service Desk, please contact: nhsnwl.servicedesk@nhs.net

 
