Stage 2: Governance Assurance for NIR

Before any actual technical testing or integration work begins, this stage focuses on defining the organisation's mandatory Information Governance (IG), Clinical Safety (DCB 0129 or DCB 0160) and data security prerequisites.

Help and tips for completing this section

Start Clinical Safety and IG Early: Do not treat governance as a final tick-box. Clinical safety standards (DCB 0129 or DCB 0160) require active review by a qualified Clinical Safety Officer (CSO), while Information Governance tasks (like the Data Sharing Agreement and DPIA) require your IG Lead, SIRO and Caldicott Guardian. Engage these key personnel at the very beginning of this stage to prevent bottlenecks.

Verify Your DSPT Status: Ensure your organisation's Data Security and Protection Toolkit (DSPT) publication is up to date for the current year and holds a status of at least ‘Standards Met’. A lapsed or failing DSPT will immediately pause your onboarding.

Distinguish Your Safety Standards: Remember, DCB 0129 applies to the product's technical safety (completed by the Supplier), while DCB 0160 applies to how the product is safely deployed into local clinical workflows (completed by the Healthcare Organisation).

Governance templates, such as DCB 0160 for NIR, can be found here: National Imaging Registry Governance

Q.1

Are you onboarding as a Data Processor (Supplier) or a Data Controller (End User Organisation)?

Supporting information

Your selection determines the information required during digital onboarding. It directly reflects your clinical safety obligations, legal responsibilities for the NHSE integration, and the specific technical assurance steps you must complete.

Data Processor (Supplier): Typically a software vendor or IT provider. You process data strictly on behalf of the Data Controller. You sign the Connection Agreement with NHSE and assure your product and version are compliant with NHS standards. Your onboarding focuses on technical conformance, security, and product-level clinical safety (DCB0129).

Data Controller (End User Organisation): Typically a Trust, Healthcare Organisation, Imaging Network, or other entity that generates diagnostic data and makes clinical decisions on behalf of patients. You determine the purpose of the data, hold the direct relationship with the patient, and are responsible for local IG approvals (e.g., DPIA, signing the Data Sharing Arrangement). You are also responsible for organisation-level clinical safety (DCB0160).

Q.2

Information Security Management System (ISMS): Do you have a formal and documented Information Security Management System in place which covers the scope of the Consumer System?

Supporting information

An Information Security Management System (ISMS) is defined as that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

This should be in line with ISO/IEC 27001 Information Security Management but does not require certification against this standard. Guidance is also provided within CIS 20.

Q.3
Q.4

Provide the date your organisation's DSPT status was published.

For example, 26 05 2026
Q.5

When integrated with NIR, does your product or service collect, store or process ‘personal data’ only in the UK?
Please note that if you select 'No' your response will be subject to further scrutiny.

Supporting information

Find out more about personal data.
  • Yes, excludes Special Category Data
  • Yes, includes Special Category Data
  • No, excludes Special Category Data
  • No, includes Special Category Data


Q.6
Supporting information

A Clinical Safety Officer must:

  • be a suitably qualified and experienced clinician
  • hold a current registration with an appropriate professional body relevant to their training and experience
  • be knowledgeable in risk management and its application to clinical domains
  • make sure that the processes defined by the clinical risk management process are followed
Q.7

Is your Product/Service a medical device?

Supporting information

If 'No' (not a medical device), please provide justification in the additional comments section, in line with the Medicines and Healthcare products Regulatory Agency (MHRA) interactive guidance available here.

If Yes please indicate the classification from the list below to confirm that MHRA requirements have been fully complied with:

  • Class I
  • Class IIa
  • Class IIb
  • Class III
Q.8

Confirm that your manufacturer and product are compliant with the requirements of DCB0129.

Supporting information

The Manufacturer/Supplier MUST make available each Clinical Safety Case Report to a receiving organisation, which may be a Health Organisation or another Manufacturer.

As a manufacturer/supplier of healthcare software, you must have a clinical risk management process that conforms to the DCB0129 standard. You must confirm and ensure that your CSCR and current Hazard Log are made available to every receiving organisation, whether a Health Organisation completing its mandatory local DCB0160 assessment or another manufacturer meeting its own clinical safety obligations. Additionally, NHSE reserves the right to request your CSCR and current Hazard Log at any time. By onboarding, you agree to make these documents available to NHSE upon request for compliance and auditing purposes.

Find out more about the DCB0129 standard for clinical risk management and its application in the manufacture of health IT systems.

Q.9

Do you have a hazard log in place (clinical risk analysis) with appropriate mitigations?

Supporting information

As part of your clinical risk analysis and evaluation, you must evidence potential:

  • causes (contributory conditions)
  • patient harm outcomes
  • mitigation plans against those harms

These must be described to determine severity, likelihood and an overall risk classification.

NHSE reserves the right to request your current Hazard Log at any time. By onboarding, you agree to make this document available upon request for compliance and auditing purposes.

Q.10

Confirm that your clinical training materials have been updated to include the use of NIR.

Supporting information

We require this confirmation to ensure that end-users at your connected organisations are fully equipped to use the National Imaging Registry safely and effectively from Day 1. Updating your training documentation is a critical component of clinical risk management (aligning with DCB0129) and helps drive beneficial, real-world utilisation of the service.

Q.11

Confirm that your company adheres to strict PKI controls for certificate management, and that you actively monitor renewals to prevent the immediate loss of access caused by expired or revoked certificates.

Supporting information

Secure connection to the NIR relies on mutual TLS (mTLS) authentication. It is the supplier's responsibility to manage the entire lifecycle of these security certificates.

Because the NIR enforces strict zero-trust security controls, there is no grace period for expired or revoked certificates. If your certificate lapses, your system will be immediately disconnected, causing a hard outage that prevents local clinicians from querying or retrieving patient data. You must have proactive monitoring and renewal processes in place to prevent these clinical disruptions.
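The proactive monitoring the page asks for can be as simple as a scheduled check of the client certificate's NotAfter date. The following is an added example, not code from the NHSE questionnaire or any NIR tooling: it parses a PEM certificate and classifies the days remaining against assumed 30-day warning and 7-day critical thresholds (NHSE publishes no such figures). The certificate is constructed in code so the example runs offline; in practice you would read your real mTLS client certificate file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeTestCertPEM builds a constructed self-signed certificate expiring at notAfter; it stands in for the real client certificate file.
func makeTestCertPEM(notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // test fixture only; a real key store would not ignore errors
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// DaysRemaining parses a PEM certificate and returns whole days until its NotAfter, measured from now (negative once expired).
func DaysRemaining(pemBytes []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// Status maps days remaining to an alert level; the 30/7-day thresholds are assumed, and "expired" means the NIR link is already down (no grace period).
func Status(days int) string {
	switch {
	case days < 0:
		return "expired"
	case days <= 7:
		return "critical"
	case days <= 30:
		return "warning"
	}
	return "ok"
}

func main() {
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the output is repeatable
	p := makeTestCertPEM(now.Add(20 * 24 * time.Hour))  // constructed certificate with 20 days left
	days, _ := DaysRemaining(p, now)
	fmt.Println(days, "day(s) remaining:", Status(days))
}
```

Run it from a daily job against the live certificate file and page the on-call team on anything other than "ok"; the "expired" branch exists so the check still reports correctly after the outage has already begun.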

Q.2
Supporting information

Your organisation must reach a ‘Standards Met’ or ‘Standards Exceeded’ status.
The DSPT allows organisations to measure performance against the National Data Guardian's data security standards. It is a prerequisite for Live deployment.

Further guidance can be found at: https://www.dsptoolkit.nhs.uk

Q.3

Provide the date your organisation's DSPT status was published.

For example, 26 05 2026
Q.4

Please confirm that you have appropriately defined and implemented the processes and responsibilities for managing and storing data.

Supporting information

We require this confirmation to ensure that your organisation, acting as a Data Controller, maintains robust Information Governance (IG) and data management controls over any patient data interacting with the National Imaging Registry (NIR).

While the NIR facilitates the national exchange of diagnostic data, your organisation remains legally and operationally responsible for how that data is handled by your local systems (such as your local PACS, RIS or VNA).

Q.5

Please confirm your organisation has completed a Data Protection Impact Assessment (DPIA) for this integration, formally approved by your Senior Information Risk Owner (SIRO).

Supporting information

We require this confirmation to verify that your organisation has thoroughly assessed and mitigated any privacy or Information Governance (IG) risks associated with connecting your local systems to the National Imaging Registry (NIR). Your DPIA must specifically evaluate the data flows, processing activities, and data sharing arrangements related to your chosen NIR integration scope (whether acting as a Provider, Consumer, or Both). To ensure executive accountability for information risk, this assessment must be fully signed off by your Trust's Senior Information Risk Owner (SIRO) or your Caldicott Guardian prior to submission.

To assist your Information Governance team with this submission, you can utilise the standard NIR DPIA template, which outlines the core national data flows and baseline risks. Furthermore, your local assessment and processing activities should be reviewed in conjunction with the overarching Data Sharing Agreement (DSA) under the DIP directive, which governs the legal basis and terms for sharing diagnostic data for direct care.

Q.6

Please confirm your organisation has local Standard Operating Procedures (SOPs) in place to manage and extract system audit logs to support Subject Access Requests (SARs) and Freedom of Information (FOI) requests.

Supporting information

Under UK GDPR and data protection laws, patients have the right to know who has accessed their medical records. Your Trust must have processes in place to audit local user activity and extract these logs if a patient submits a Subject Access Request (SAR) regarding their NIR data. Confirming this ensures your Information Governance (IG) team is prepared to handle these legal requests using your local system's auditing capabilities.

Q.7

Please confirm that one of the following:

  • your Clinical Safety Officer (a suitably qualified and experienced clinician);
  • your Social Care Professional registered with the HCPC; or
  • your Medical Director

has reviewed and approved the deployment and use of the NIR integration within your local system, and that it has received formal internal clinical sign-off from your organisation's Clinical Safety Officer (CSO) or Medical Director.

Supporting information

We require this confirmation to ensure that your local clinical leadership is fully aware of how the NIR will alter existing diagnostic pathways. Formal clinical sign-off ensures that any workflow changes, user interface updates, or new clinical risks (identified under your DCB0160 assessment) have been reviewed, mitigated, and accepted by your organisation's clinical authorities prior to Go-Live.

Q.8
Supporting information

This may be more than one person. You must list all relevant persons.

A Clinical Safety Officer must:

  • be a suitably qualified and experienced clinician
  • hold a current registration with an appropriate professional body relevant to their training and experience
  • be knowledgeable in risk management and its application to clinical domains
  • make sure that the processes defined by the clinical risk management process are followed
Q.9

Please confirm your organisation has completed DCB0160 for this integration, formally approved by your Clinical Safety Officer.

Supporting information

This standard applies to the Healthcare Organisation that implements and uses the software to deliver patient care. They must complete a DCB0160 assessment to prove that the way the system is set up, configured, integrated, and used within their specific local clinical workflows is safe. We require this confirmation to ensure your Trust has formally assessed, mitigated, and accepted the clinical risks associated with deploying and using the National Imaging Registry (NIR) within your local clinical workflows.

NHS England reserves the right to request copies of your DCB0160 documentation (Clinical Safety Case Report or Hazard Log) at any time to verify ongoing compliance and support national safety assurance activities.

Q.10

Please confirm your organisation has completed a clinical safety hazard log for this integration, formally approved by your Clinical Safety Officer.

Supporting information

We require confirmation that your Trust has completed a comprehensive Clinical Safety Hazard Log that identifies potential risks (e.g., misidentification of patients, delayed retrieval of external images, or system downtime) and details the local mitigations your Trust has put in place.

NHS England reserves the right to request copies of your Hazard Log at any time to verify ongoing compliance and support national safety assurance activities.

Q.11

Do you have an incident management process in place for your organisation that is consistent with the NHS England Incident Management process?

Supporting information

This question focuses on Incident Management process and is separate from your formal Clinical Safety (DCB0160) risk management, though the two must closely interact.

Because your system will be connected to a national infrastructure, your local incident management must align with the broader NHS England framework. We require this information to ensure that any service disruptions, technical faults, or clinical safety incidents related to the NIR integration are managed safely and transparently.

We require the incident management process to cover:

Categorisation & SLAs: How you classify incidents (e.g., Severity/Priority 1 to 4) and your target response/resolution times.

Communication: Your process for notifying connected End User Organisations (EUOs) about planned maintenance, degraded service, or unexpected outages.

National Escalation: How your support team will escalate critical API connectivity issues to the NHS England National Service Desk (e.g., via ServiceNow).

Clinical Safety: How technical incidents that pose a potential risk to patient care are flagged, triaged, and managed in alignment with your DCB0129 obligations.

You do not need to include a full policy here. However, NHS England reserves the right to request copies of your policy documentation at any time to verify ongoing compliance and support national safety assurance activities.

Q.12
Supporting information

We require this information to ensure that any service disruptions or technical faults related to the NIR integration are managed swiftly, safely, and transparently. Please provide the names of all your accountable incident management leads.

Q.13

Have you updated your privacy notice to meet the requirements of the NHS England services you are using?

Supporting information

To use the National Imaging Registry (NIR), your organisation should have a publicly available privacy notice. It is recommended that the content of your privacy notice follows the guidance provided by the Information Commissioner's Office on what should be included.

Please ensure that you update your privacy notice to include reference to the NIR. You may wish to add the following suggested text to your privacy notice, or you may draft your own if you prefer.

You can find the NIR Privacy Notice here

Q.14

Please confirm that your organisation has documented Standard Operating Procedures (SOPs) in place for the ongoing service and support of this integration, including clinical incidents.

Supporting information

We require this confirmation to ensure that once your connection to the NIR goes live, your organisation is fully prepared to manage and support it operationally on a day-to-day basis.

While incident management covers unexpected outages, your Standard Operating Procedures (SOPs) should cover your 'Business As Usual' (BAU) activities.

Q.15
Supporting information

The Acceptable Usage Policy (AUP) outlines the mandatory rules, legal responsibilities, and expected behaviours for organisations connecting to the national infrastructure. This document forms a core part of your legal onboarding agreements. Please ensure this document is reviewed and signed by a formally authorised signatory within your Trust (such as your SIRO, Caldicott Guardian, or Chief Information Officer).

This must be completed before you can proceed to Home Community ID integration.

You can upload one file that is smaller than 250MB. If you need to provide multiple files you should zip them up and upload them as a single .zip file.
Q.16

It is your responsibility to ensure that the data provided to NIR has been appropriately validated before sending data.

I acknowledge that it is my organisation's responsibility to ensure that the data provided to NIR has been appropriately validated before sending data.

Supporting information

Sending incorrect data to the NIR introduces severe clinical risk. You must ensure that all patient demographics (such as NHS numbers), clinical metadata, and technical payloads are strictly validated locally before they are exposed to the national network. This prevents patient misidentification, maintains national data integrity, and minimises API rejections.

Q.17

Confirm your organisation is aware of the requirement to use validated NHS numbers on patient records when interacting with the National Imaging Registry and has put appropriate mechanisms in place to ensure that this has been completed.

Supporting information

The National Imaging Registry (NIR) is architected entirely around the NHS Number as the sole unique identifier to securely locate, link, and retrieve patient diagnostic records across different healthcare organisations. The NIR can only retrieve data via the NHS number.

Using unvalidated, temporary, or missing NHS numbers introduces clinical safety risk, such as failing to discover critical diagnostic history. By confirming this, you assure that your organisation has robust processes in place to verify patient identities locally. You must ensure that only officially validated NHS numbers are used when querying the NIR or exposing local data to the national network. Local hospital numbers or temporary IDs are not permitted for NIR transactions.
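A local gate that refuses to send anything that is not even a well-formed NHS number is a cheap first line of defence for the requirement above (and for the data validation acknowledgement in Q.16). The following is an added example, not code from NHSE or any NIR component: it normalises a 10-digit NHS number and verifies its Modulus 11 check digit (weights 10 down to 2 over the first nine digits; a computed check of 10 is never issued). The check digit only catches mistyped or transposed digits; it does not confirm that the number belongs to the patient in question, which the local identity verification processes the page refers to still have to do. The sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NormaliseNHSNumber strips spaces and returns the bare 10-digit NHS number,
// or an error if the length, characters or Modulus 11 check digit are wrong.
// Callers should refuse to query the NIR, or expose a local record to it,
// whenever an error is returned.
func NormaliseNHSNumber(raw string) (string, error) {
	s := strings.ReplaceAll(raw, " ", "")
	if len(s) != 10 {
		return "", fmt.Errorf("NHS number must have 10 digits, got %d", len(s))
	}
	sum := 0
	for i, r := range s {
		if r < '0' || r > '9' {
			return "", errors.New("NHS number must contain only digits")
		}
		if i < 9 {
			sum += int(r-'0') * (10 - i) // weights 10 down to 2 over the first nine digits
		}
	}
	check := 11 - sum%11
	switch {
	case check == 11:
		check = 0
	case check == 10: // no NHS number with this remainder is ever issued
		return "", errors.New("NHS number check digit invalid")
	}
	if check != int(s[9]-'0') {
		return "", errors.New("NHS number check digit invalid")
	}
	return s, nil
}

func main() {
	// Constructed inputs: a valid number, a single-digit typo, a never-issued
	// remainder-10 number, and a truncated one.
	for _, in := range []string{"943 476 5919", "9434765918", "0000000060", "943476591"} {
		n, err := NormaliseNHSNumber(in)
		fmt.Printf("%-14q -> %q %v\n", in, n, err)
	}
}
```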