National Imaging Registry (NIR) Governance

Governance resources and templates to support completion of the NIR Service onboarding requirements, including key information on data sharing, information governance and clinical safety.

These resources, templates and assurance documents explain the governance arrangements that support safe, lawful and consistent use of NIR. They set out the responsibilities, requirements and controls that organisations need to understand before participating in the service.

They cover key areas including data sharing, information governance, data protection, clinical safety and supplier assurance, helping organisations understand what is required and apply the right controls consistently.

Clinical safety (DCB0129 and DCB0160)

The National Imaging Registry (NIR) follows NHS digital clinical safety standards.

DCB0129 applies to the manufacture (design and development) of health IT systems.
DCB0160 applies to the deployment and use of systems within health and care organisations.

What trusts and imaging networks need to do

Trusts and imaging networks remain responsible for DCB0160 for how NIR is deployed and used locally. This includes:

local configuration and workflows
training and standard operating procedures (SOPs)
operational governance and incident management

Local DCB0160 must be signed off by your Clinical Safety Officer (CSO).

NIR’s national clinical safety work under DCB0129 provides a baseline, but local DCB0160 is still required to address deployment risks and ensure safe use in your setting.

What suppliers provide (to support local DCB0160)

Suppliers remain responsible for DCB0129 for their own products.

Suppliers are expected to provide deployment‑level safety assurance for their NIR integration to support local DCB0160 activities, including:

interoperability and configuration
degraded modes and fallback behaviour
incident and escalation processes

Clinical safety documents

You can download the following documents to support clinical safety assurance:

NIR Clinical Safety Guidance Document (DCB0160)
Guidance for suppliers and deploying organisations on how DCB0160 applies to NIR integrations and what a compliant safety submission should cover.
NIR CSCR DCB0160 Template (v0.1)
Template for a supplier deployment Clinical Safety Case Report (CSCR), including expected content, hazard log expectations, go‑live controls, and monitoring and incident management considerations.
NIR hazard log (DCB0129 including DCB0160 hazards)
The NIR hazard log covering DCB0129 design hazards and including DCB0160 deployment hazards that must be managed locally (for example incorrect local configuration, fallback failure, misinterpretation of metadata, certificate expiry, and audit or escalation failures).

Patient Audit Record Service (PARS)

PARS is an NHS England reporting service that records and manages audit events showing how patient data has been accessed. It supports accountability, transparency, and traceability.

PARS uses FHIR AuditEvent records to provide an auditable trail of access activity for governance and reporting purposes.

Access and reporting

Audit access and reporting follows the standard Spine Reporting Service (SRS) process.

Privacy officers can query the SRS database to produce:

User Access Reports (UARs)
Patient Access Reports (PARs)

What NIR sends to PARS

NIR sends audit events to PARS for key transactions. For these transactions, the request is audited; the response is not logged.

ITI‑38 – Cross‑Gateway Query

Event type: Query
Action: R (Read)
Captures: timestamp, patient identifier (for example NHS number), requester identity (organisation, practitioner or system), transaction ID, endpoint details
Outcome: success, failure (with error details), or partial success

ITI‑39 – Cross‑Gateway Retrieve

Event type: Export
Action: E (Export)
Captures: timestamp, patient identifier, requester identity, transaction ID, endpoint details
Includes document metadata such as document unique ID, repository unique ID, and home community ID
Outcome: success, failure, or partial success

RAD‑75 – Cross‑Gateway Retrieve Imaging Document Set ('Study‑Used')

Event type: Study‑Used
Action: R (Read)
Captures: timestamp, patient identifier, requesting system or gateway, transaction ID, endpoint details
Includes imaging metadata such as Study Instance UID, Series Instance UID(s), and relevant document or repository identifiers
Outcome: success, failure, or partial success

Keeping patient data secure

The National Imaging Registry (NIR) is designed to support the safe and secure sharing of diagnostic imaging information for direct patient care.

Participating organisations must have appropriate data security, information governance and data protection arrangements in place before they can use the service.

Data Sharing Arrangement

The Data Sharing Arrangement (DSA) sets out the legal, governance and operational rules for sharing diagnostic imaging information through NIR.

It confirms that NIR may only be used for direct patient care. It must not be used for secondary purposes such as planning, research or other non-direct care activity.

By signing the DSA, participating organisations agree to:

share data with approved onboarded consumers nationally
maintain appropriate information governance controls
maintain a secure outbound network configuration
use NIR only for acceptable direct care purposes
provide clear transparency information for patients
maintain accurate privacy notices aligned to the NIR Privacy Notice
apply appropriate role-based access controls
make sure staff are trained in data protection and confidentiality
manage breaches in line with data protection requirements
support audit, monitoring and assurance activity
follow retention requirements
uphold patient rights

The DSA must be agreed and signed before live access to NIR is enabled.

Data Protection Impact Assessment

Participating organisations must also have a Data Protection Impact Assessment (DPIA) in place.

A DPIA sets out how personal data is processed, why the processing is necessary, what risks may affect patients’ rights and freedoms, and what controls are in place to reduce those risks.

For NIR, the DPIA should describe:

what diagnostic imaging information is being shared
why the sharing is necessary for direct care
who the information may be shared with
the lawful basis for processing
how patients are informed
how access is controlled
how data security risks are managed
how any residual risks are reviewed and approved

Further guidance on information governance is available from the NHS Digital Information Governance webpage.

A template NIR DPIA will be available in July 2026.

Data Security and Protection Toolkit

Organisations participating in NIR must have an in-year acceptable Data Security and Protection Toolkit (DSPT) standard.

The DSPT provides assurance that an organisation has the right cyber security, data protection and information governance controls in place. This includes how the organisation protects systems, manages access, trains staff, handles incidents and keeps patient information secure.

An organisation may not be able to onboard to NIR if it does not meet the required DSPT standard. Continued compliance may also be checked after onboarding.

Further guidance on the Data Security and Protection Toolkit (DSPT), including how to search for an organisation’s published results, is available on the NHS DSPT website.

Further information

National Imaging Registry (NIR)

The National Imaging Registry (NIR) allows for the sharing of imaging data across clinical organisations.

National Imaging Registry API

Use this API to access patient imaging records across NHS and private healthcare networks. The National Imaging Registry (NIR) API allows authorised systems to view a patient’s imaging history, including examinations, diagnostic reports, and imaging studies.

Last edited: 27 May 2026 8:57 am