The University of Nottingham - PRIMIS

Primary Care Data Quality Assurance

Data extracted from one GP IT supplier is compared to data from all system suppliers; a set of reference queries and the agreed specification. Anomalies are identified and highlighted in a report for distribution to the system suppliers for remedial action.


  • Comprehensive report outlining deviations from specification
  • Graphical presentation of level of agreement between data sources
  • Recommendations for action by practices and system suppliers
  • Reference queries developed to match specification
  • Reference data obtained independent of system suppliers
  • Analysis by experienced clinical informaticians


  • Improve accuracy of national primary care data collections
  • Independent assessment of data from GP system suppliers against specification
  • Identify implementation errors in GP system supplier data extraction
  • Highlight systematic problems with coded patient data
  • Provide feedback to practices and system suppliers


£25000 per instance

  • Education pricing available

Service documents


G-Cloud 11

Service ID

6 0 7 0 5 2 9 7 4 3 3 5 8 9 1


The University of Nottingham - PRIMIS

Kevin Cooper

0115 846 6420

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Primary Care Clinical Data Specification
Cloud deployment model
Private cloud
Service constraints
Service is dependent on the cooperation of the GP IT system suppliers to provide data
System requirements
Users have to be employed by the NHS

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 24 hours (Monday to Friday except Public Holidays and University of Nottingham closure days)
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
We provide a daily helpdesk service which can consist of phone, email and the use of remote dial-in facility. We provide customised training and consultancy services.

The service will have a nominated project manager who will coordinate the input from PRIMIS clinical and technical teams. The project manager will agree a reporting schedule with each customer and will involve the appropriate members from the clinical and technical teams as required.

All costs are dependent upon requirements and charged according to the Rate Card.
Support available to third parties

Onboarding and offboarding

Getting started
The service scope is agreed with the customer in advance and can be adjusted subject to appropriate change control.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
PRIMIS retains data beyond the end of the contract unless requested in writing to remove it. Any practice contributing data to PRIMIS has the right to request a copy and the removal and destruction of their data if technically feasible.
End-of-contract process
All contracts are dependent upon the requirements of the customer and are agreed and priced accordingly (as per the Rate Card).

Using the service

Web browser interface
Application to install
Designed for use on mobile devices
Service interface
Customisation available
Description of customisation
The service scope is agreed with the customer in advance and can be adjusted subject to appropriate change control.


Independence of resources
Demand on this service has not been volatile and is monitored on a regular basis to ensure continuity, availability and the integrity of the service.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
Less than once a year
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Practices export their data from their GP IT systems using a variety of data extraction methods (MIQUEST, GP IT system reports and searches and others). The data is exported to PRIMIS as a CSV file using SSL.

GP IT Suppliers supply aggregate data to PRIMIS as a CSV file.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Availability will be agreed at project mobilisation with the customer. We will use reasonable endeavours to notify users of any scheduled maintenance or downtime and to limit the frequency and duration of any suspension or restriction.
Approach to resilience
This is managed by The University of Nottingham. Further details are available upon request.
Outage reporting
Email alerts and via the PRIMIS website

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Access is limited to nominated members of the PRIMIS Information and Software Development Team only.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
PRIMIS's Information Security Management System is certified to ISO/IEC 27001: 2013 certified . We also adhere to the University of Nottingham's Information Security Policy

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
PRIMIS uses the University of Nottingham's change request form template which sets out the title, description and level of the proposed change, interruption to services, risk level and impact, start/end dates, communications and testing required, back-out plan, approvals and sign off.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
This is managed by the Risk Management aspect of PRIMIS's ISO/IEC 27001 certified Information Security Management System
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The PRIMIS Information Security Management System (certified to ISO/IEC 27001:2013) includes documented approaches to both Risk Management and Incident Response. Risks are routinely monitored with incidents responded to immediately upon identification through a formal Incident Reporting process involving both PRIMIS Senior Management Team and the University of Nottingham's Information Service team as applicable.
Incident management type
Supplier-defined controls
Incident management approach
Anticipated information security/ IT infrastructure events are managed through the ISMS risk Management process. The PRIMIS ISMS Manual sets out the process for reporting of incidents and an Incident Report template is available to PRIMIS team members to report incidents to nominated staff. As well as security incident reporting, a list of automatic nonconformities is communicated to the PRIMIS team and any issue identified from this triggers well-established nonconformity/ corrective action process operating across both the ISMS and the BS EN ISO 9001 certified Quality Management System.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
NHS Network (N3)


£25000 per instance
Discount for educational organisations
Free trial available

Service documents

Return to top ↑