National Imaging Registry (NIR) Governance
Governance for the National Imaging Registry is in place to make sure the service is safe, secure, lawful and clinically appropriate to use.
Overview
Governance for the National Imaging Registry (NIR) is in place to make sure the service is safe, secure, lawful and clinically appropriate to use.
NIR does not remove or replace the data controller responsibilities of participating healthcare organisations. Each organisation remains responsible for the patient information it makes available, retrieves, stores or uses through NIR, and for ensuring this is managed in line with its local information governance, data protection and clinical safety arrangements. The NIR data sharing agreement that all NIR users must sign up to clearly sets out roles and responsibilities.
Suppliers or health IT vendors supporting the connection to NIR must continue to meet their responsibilities as data processors, or in any other role agreed through local contracts and governance arrangements. This includes maintaining appropriate security controls, supporting safe integration, protecting patient data, managing incidents appropriately, and ensuring their products and services continue to operate safely and effectively. The NIR connection agreement that all suppliers must sign up to clearly sets out roles and responsibilities.
Therefore, NIR governance operates at two levels:
- Governance of the NIR product
NHS England in its system delivery function assures the NIR product through national product governance, including the DCB0129 clinical safety approval process, information governance review, data protection, cyber security, service management and technical assurance. - Governance of organisations and suppliers connecting to NIR
Assurance is sought by NHSE as part of the onboarding governance process for the NIR. Healthcare organisations and suppliers connecting to NIR must have appropriate local governance in place before live access is enabled.
Together, these controls provide assurance that NIR can support the secure sharing of diagnostic imaging information for direct patient care.
Keeping patient data secure
NIR is one of the services established under the Secretary of State’s Digital Interoperability Platform (DIP) Directions 2019. These directions gave NHS England the authority to develop and operate the IT applications, infrastructure and systems required to deliver direct care platforms to enable systems to query and retrieve patient information for agreed direct care purpose.
The legal framework for sharing personal confidential data in health and care includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act 2018, UK GDPR and the Human Rights Act. The law allows personal data to be shared between those providing direct care and also supports patient rights to confidentiality and opt-out.
NIR does not replace local systems or create a new shared care record. It provides a secure way for authorised systems to access imaging information from participating organisations and their clinical teams, where there is a valid care reason to do so.
These controls help make sure patient imaging and report information is shared safely, appropriately and only with the people who need it to support care.
Clinical safety
NIR follows national NHS clinical safety standards.
The NIR API is assured by NHS England under DCB0129, which applies to the manufacture, design and development of health IT systems. This includes the NIR clinical safety case, hazard management and the controls required for the NIR product.
Suppliers connecting to the NIR must also complete their DCB0129 prior to connection, to ensure their product is clinically safe and meets the standards for a clinical IT system.
Healthcare organisations deploying and using NIR locally are responsible for their DCB0160. This standard applies to the local deployment and use of health IT systems in a care setting. Local organisations must make sure NIR is implemented safely within their own workflows, governance arrangements and operating model.
What NHS England is responsible for
NHS England is responsible for the national clinical safety assurance of the NIR API product. This includes:
- maintaining the NIR DCB0129 clinical safety case
- managing the national NIR hazard log
- identifying and managing product-level clinical risks
- providing clinical safety documentation to support local deployment
- maintaining service-level controls, including incident and escalation processes
- assuring changes to the NIR product through appropriate clinical safety governance
Documentation evidencing this activity is provided below and should be used to assist in completing local clinical safety documentation.
Deployment safety responsibilities
NHS England provides national clinical safety assurance for the NIR product under DCB0129.
In turn, suppliers and participating healthcare organisations must use this national assurance to support their own NIR deployment activity.
This means suppliers and organisations should review the relevant NIR safety information and consider how it applies to their local organisations and companies.
This includes making sure that:
- users are appropriately trained
- role-based access control is mapped to local clinical roles
- standard operating procedures are in place
- local workflows have been validated
- business continuity and fallback arrangements are understood
- partial, failed or unavailable results are handled safely
- metadata and patient identification processes are checked
- incidents and clinical safety concerns can be reported and escalated
- supplier integrations have been tested and shown to behave safely
Information governance
NIR’s information governance approach is designed to support lawful, secure and appropriate sharing of diagnostic imaging information for direct patient care.
NIR is one of the services established under the Secretary of State’s Digital Interoperability Platform (DIP) Directions 2019. These directions gave NHS England the authority to develop and operate the IT applications, infrastructure and systems required to deliver direct care platforms to enable systems to query and retrieve patient information for agreed direct care purpose.
The legal framework for sharing personal confidential data in health and care includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act 2018, UK GDPR and the Human Rights Act. The law allows personal data to be shared between those providing direct care and also supports patient rights to confidentiality and opt-out.
Further information on NHS England’s approach to information governance is available on the NHS England Information Governance page.
Audit
NIR activity is auditable through PARS, which records when patient imaging information is queried or retrieved, who requested access, and whether the request succeeded or failed allowing authorised teams to monitor appropriate use and investigate access queries.
Data Sharing Arrangement
The Data Sharing Arrangement (DSA) or Agreement, sets out the legal, governance and operational rules for sharing diagnostic imaging information through NIR.
It confirms that NIR may only be used for direct patient care. It must not be used for secondary purposes such as planning, research or other non-direct care activity.
Data security
NIR is designed to support secure access to diagnostic imaging information.
Before connecting to NIR, organisations and suppliers must provide assurance that they meet relevant information governance, cyber security and data protection requirements, including:
- Data Security and Protection Toolkit (DSPT) standard of met or exceeded
- Local healthcare organisation Data Protection Impact Assessment (DPIA)
- Acceptable Use Policy, set out within the Data Sharing Agreement (DSA)
- NHS England Supplier Connection Agreement (applicable to suppliers and IT healthcare vendors)
The NIR product-level DPIA is not published externally because it contains information about NIR architecture and security controls which could increase cyber security risk if disclosed.
To support local governance, NIR will provide DPIA template material for onboarding organisations to use as part of their local assessment and approval processes.
Patient Audit Record Service (PARS)
The Patient Audit Record Service (PARS) is a national reporting service that shows how patient data has been accessed using modern FHIR-based audit standards. PARS is a product within NHSE that records audit events for NIR activity. It helps show when patient imaging information has been queried or retrieved, which organisation or system requested access, and whether the request was successful or failed.
Why this matters
PARS supports information governance by helping authorised teams review how patient information has been accessed through NIR. This helps healthcare organisations monitor appropriate use, investigate access queries, and provide assurance that diagnostic imaging information is being accessed safely and for legitimate direct care purposes.
PARS can capture key audit details such as:
- the type of activity, such as a query, export or image retrieval
- the time the activity took place
- the patient identifier, such as NHS number
- the requesting organisation, practitioner or system
- transaction and endpoint details
- relevant imaging or document identifiers
- whether the activity succeeded, failed or partially succeeded
For NIR, this means audit events can be recorded for activities such as checking whether imaging information is available, retrieving reports, or retrieving imaging studies.
How to access PARS
Access to PARS reporting is managed through the existing Spine Reporting Service (SRS) interface.
Data security
NIR is designed to support secure access to diagnostic imaging information.
Before connecting to NIR, organisations and suppliers must be able to show that they can meet the relevant security and data protection requirements.
This includes:
- maintaining appropriate cyber security controls
- protecting access credentials, certificates and connection keys
- using secure network configurations
- maintaining appropriate access controls
- ensuring staff are trained in the handling of patient information
- reporting actual or suspected security issues
- managing incidents in line with NHS England requirements
- maintaining compliance with the DSPT where applicable
Data Security Protection Toolkit (DSPT)
Suppliers and participating healthcare organisations connected NIR must have an in-year acceptable Data Security and Protection Toolkit (DSPT) standard.
The DSPT provides assurance that an organisation has the right cyber security, data protection and information governance controls in place. This includes how the organisation protects systems, manages access, trains staff, handles incidents and keeps patient information secure.
An organisation may not be able to onboard to NIR if it does not meet the required DSPT standard. Continued compliance is also checked after onboarding.
You must have an active ODS Code to be able to complete and be assessed under DSPT.
Data Protection Impact Assessment (DPIA)
A DPIA helps organisations identify and reduce data protection risks before using or sharing personal data. For NIR, this is important because participating organisations will be using identifiable health and care information, including diagnostic imaging information, to support direct patient care.
NHS England has completed a DPIA for the NIR product and national service. This supports the information governance and data protection assurance for the platform.
The national NIR DPIA cannot be published or shared as it contains sensitive information about the NIR product.
The NIR DPIA describes:
- what diagnostic imaging information is being shared
- why the sharing is necessary for direct care
- who the information may be shared with
- the lawful basis for processing
- how patients are informed
- how access is controlled
- how data security risks are managed
- how any residual risks are reviewed and approved
To support participating organisations, NHS England provides a template NIR DPIA for local use. This will help organisations complete their own DPIA by setting out the key areas they need to consider.
However, each healthcare organisation remains responsible for completing and approving its own DPIA before connecting to NIR, based on its local systems, suppliers, workflows and governance arrangements.
Ongoing assurance
Governance does not stop once a healthcare organisation or supplier has connected to NIR.
NHS England may request evidence of continued compliance. Suppliers and organisations must also notify NHS England of relevant changes, incidents, security issues or clinical safety concerns via the National IT Service Desk.
Where requirements are not met, NHS England may require remediation, suspend access, restrict access, prevent onboarding of further organisations, or terminate access where necessary.
This ongoing assurance helps make sure NIR remains safe, secure and appropriate as the service evolves.
Offboarding responsibilities
Healthcare organisations remain responsible for the patient information they make available, retrieve, store or use through NIR.
If an organisation stops using NIR, or if a supplier connection is removed, the organisation must make sure that any offboarding activity is managed safely and in line with local information governance, records management and clinical safety processes.
This includes confirming:
- who needs to be notified before access is removed
- when NIR access should be disabled
- whether any local system changes are required
- how audit information will be retained or accessed if needed
- how any temporary data is removed or managed
- whether local records, ROPA, DPIA, privacy notices or information asset records need to be updated
- how business continuity or alternative image-sharing arrangements will work after offboarding
NIR does not remove the organisation’s responsibilities as a Data Controller. Each participating organisation remains responsible for the personal data it holds, makes available or retrieves through NIR, including how that information is used in the local care setting and how it is managed after use.
Suppliers must also meet the offboarding obligations set out in their Connection Agreement. This includes supporting organisations to confirm what happens during offboarding, including access removal, certificate or key management, audit log access, deletion of temporary data, and any changes to local system configuration.
Contact us
For further information about information governance or clinical safety for NIR, contact the NIR Delivery Team at:
Further information
The National Imaging Registry (NIR) allows for the sharing of imaging data across clinical organisations.
Use this API to access patient imaging records across NHS and private healthcare networks. The National Imaging Registry (NIR) API allows authorised systems to view a patient’s imaging history, including examinations, diagnostic reports, and imaging studies.
Last edited: 17 July 2026 10:45 am