Provider systems MUST resist unauthorised, accidental or unintended usage and provide access only to legitimate users.
Please refer to the Security guidance page for technical details.
Volume and performance
Provider systems MUST meet the agreed volumetric performance targets.
Please refer to the Volumetric guidance page for technical details.
Provider systems MUST meet the agreed response time performance targets.
Please refer to the Performance guidance page for technical details.
Provider systems MUST meet the agreed capacity requirements.
Provider systems MUST be designed to accommodate increased volumes, workloads and users.
Provider systems MUST meet the agreed availability targets (service time and/or hours and planned downtime) as defined in the Operational Level Agreement (OLA).
Provider systems MUST meet the agreed recoverability targets as documented in the OLA.
Audit and provenance
Provider systems MUST audit all API access and actions.
Please refer to the cross organisation audit and provenance page for technical details.
Provider systems MUST record audit and provenance data in line with existing GPSoC framework agreements, including relevant IM1 requirements for interfacing mechanisms.
Provider systems MUST be designed to optimise the ability of maintenance personnel to revise or enhance them.
Provider systems MUST be designed so that technical support personnel are able to monitor and manage them in operation.
Provider systems MUST retain data in line with existing GPSoC framework agreements.
Please refer to the ‘GPSoC Technical Standards’ for details.
MUST Please refer to the ‘GPSoC Technical Standards’ for details.
Provider systems MUST release a new major version of their GP Connect API alongside a previous major version, until such time as consumers have migrated to the new major version.
Provider systems SHOULD release a new minor or patch version, replacing the previous minor or patch version.
Provider systems MUST be deployed with the provider APIs enabled by default.
Provider systems MAY provide a mechanism for a data controller at an organisation to choose to globally disable/enable the provider APIs (that is, turn on/off the overall GP Connect technical capability).
Provider systems MAY allow each assured capability to be globally disabled/enabled independently of the others (Access Record HTML vs. Appointments vs. Access Record Structured).