Overview and process for satisfying compliance and approvals requirements
Overview of the NHS Digital compliance process
Connecting to PDS via SMSP is achieved by following the NHS Digital compliance process, comprising two NHS Digital approvals for Usage and Settings and Technical Conformance, along with an End User approval; depending on the scenario. If the Client is to be deployed in an End User organisation the End User organisation must provide a final approval and confirm its readiness to accept the deployment.
The compliance process centres upon completion of a workbook known as the ‘TOM’ (Target Operating Model). Further information about this is provided here.
The compliance process and approval gateways are summarised in the following diagram:
NHS Digital approvals
The NHS Digital approval steps are as follows.
1) All End Users wishing to connect must undergo PDS Access Request scrutiny to establish whether the purpose for which the data is required represents a legal basis for NHS Digital sharing that data with the organisation. The system and setting in which the data will be used are also assessed to ensure that Information Security and business process requirements are complied with.
- These assessments together represent the Usage and Settings approval process that is owned by NHS Digital Information Asset Owner for PDS. There are clear escalation points to Senior Information Responsible Owner (SIRO) and IGARD (Independent Group Advising on the Release of Data) if needed. If there is a need for a Data Sharing Framework Contract (DSFC) and Data Sharing Agreement (DSA) between NHS Digital and the requesting organisation, these will also be established in this stage.
2) Suppliers (or developers) must undergo the Technical Conformance process to achieve Interoperability Toolkit (ITK) Conformance for their product. The purpose of ITK Conformance is for NHS Digital to validate that the specifications and technical guidance have been adhered to and that the developed product (Client) is both compliant and fit for purpose. Developers will have access to a Toolkit Workbench and a Path to Live test environment through which simple tests are carried out, to provide the required evidence to NHS Digital.
- Successful testing results in an ITK Conformance certificate that authorises the supplier to provide (End User) access to the SMS Client. Once ITK Conformance is complete, the Supplier is listed in the catalogue against their ITK conformant product (Client). A Supplier can obtain the certificate without deploying the Client to an End User. When a new End User is identified, the Usage and Settings approval must be obtained but as long as there have been no changes to the Client, the certificate remains valid for subsequent deployments.
Was this article useful?3