At this stage, you should identify the name and type of all organisations comprising your care system. GPs can be grouped together into primary care networks or similar, serving 30,000 - 50,000 people, which in turn will collaborate within the care system. 


Understanding and documenting your care system's structure and governance arrangements will enable you to ensure you have the appropriate representation from each organisation in your care system. It will also enable you to understand the organisation types within the care system, which will in turn help you to determine the legal basis on which data can be processed and the role of each organisation as a data controller or data processor.


You should now determine and record:

  • the organisations which make up your care system
  • appropriate senior leads responsible for data management and information governance within each organisation wishing to process personal data that has undergone pseudonymisation for integrated care purposes e.g. Data Protection Officers (DPOs) or Senior Information Risk Owners (SIROs)
  • an organisational structure diagram

This information can be recorded in the SUDGT input tool.


  • Organisations must be established, legal entities (e.g. providers, commissioners, local authorities, third party organisations), with whom binding contracts can be signed

  • Most new care system constructs e.g. Sustainability and Transformation Partnerships (STPs) and Integrated Care Systems (ICSs) are not formal entities and cannot assume legal responsibilities in their own right

  • Care systems must include organisations with statutory duties for secondary use activities as these will be the organisations with the overarching responsibility for commissioning the services in scope