Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

STD006 - Anonymisation Standard for Publishing Health and Social Care Data

STD016 - Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems

STD017 - Clinical Risk Management: its Application in the Manufacture of Health IT Systems

STD050 - ISO 8000-1: Data Quality

STD051 - ISO 9000-1: Quality Management

STD077 - Service Standard

STD082 - Standard Of Good Practice For Information Security 2020

STD092 - OAuth 2.0

STD093 - OpenID Connect

STD096 - ISO13485 - Medical Devices

STD101 - Unique Property Reference Number

STD103 - Digital Technology Assessment Criteria (DTAC)

STD104 - UK GDPR

STD106 - ISO/IEEE 11073 Personal Health Data Standards

STD111 - Community Services Data Set

ID

STD006

External ID

N/A

Version

1.0

Link to standard

ISB1523: Anonymisation Standard for Publishing Health and Social Care Data

Standard Type

Data Standard (NHS)

Status

Alpha

Effective Date

TBC

Description

This process standard provides an agreed and standardised approach, grounded in the law, enabling organisations to: distinguish between identifying and non-identifying information, and deploy a standard approach and a set of standard tools to anonymise information to ensure that, as far as it is reasonably practicable to do so, information published does not identify individuals.

...

e. any person registered as described in s20A of the Health & Social Care Act 2008.

Requirements 

Requirement ID

Requirement Text

Level

STD006-1 (Section 2.1)

All Health and Social Care bodies choosing or obliged by law to publish (electronically or on paper) information/data relating to, or derived from, personal identifiable records MUST anonymise information so that information published does not identify individuals.

MUST

STD006-1

Health and Social Care bodies choosing or obliged by law to publish information/data relating to, or derived from, personal identifiable records MUST have regard to this process standard.

MUST

STD006-2

2 When publishing information after 1 April 2013, affected organisations MUST either: a) follow this standard; or b) follow alternative guidance of a similar standing.

MUST

STD06-3

3 If alternative guidance of a similar standing is used, affected organisations MUST record their reasons for choosing the alternative, and make their reasons available on request.

MUST

STD006-4

4 Whether this standard or alternative guidance is used, affected organisations MUST conduct, record, and make subsequently available on request, a risk assessment regarding the possibility that specific individuals might be identified from the published material either directly or indirectly through association of the published material with other information/data in or likely to be placed in the public domain.

MUST

STD006-5

5 Whether this standard or alternative guidance is used, affected organisations MUST record, carry out, and make subsequently available on request, an anonymisation plan, and SHOULD record their reasoning for choosing that plan. A spreadsheet for this purpose is provided and Anonymisation Standard for Publishing Health and Social Care Data Specification 21/02/2013 Final v1.0 © Crown Copyright 2013 Page 15 of 41 MAY be used.

MUST/SHOULD

STD006-6

6 Whether this standard or alternative guidance is used, affected organisations MUST, prior to publishing, confirm with the organisation's Caldicott Guardian or other responsible officer that the information to be published does not identify individuals, and this confirmation MUST be recorded and be available subsequently on request.

MUST

STD006-7

7 Where data previously published by the affected organisation are found to have led to confidential information about an individual being revealed, organisations SHOULD carry out an investigation into the incident and review their procedures for anonymising and publishing health and social care data. Any concerns, or suggested improvements, relating to this standard SHOULD be notified to the Health and Social Care Information Centre at: enquiries@ic.nhs.uk.

SHOULD

STD006-8

8 Organisations using the standard may wish to conduct a periodic audit to check the process is being followed and that appropriate judgements are being made by staff using the standard..

SHOULD

ID

STD016

External ID

N/A

Version

1.0

Link to standard

DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems

Standard Type

Data Standard (NHS)

Status

Alpha

Effective Date

TBC

Description

This standard provides a set of requirements suitably structured to promote and ensure the effective application of clinical risk management by those health organisations that are responsible for the deployment, use, maintenance or decommissioning of Health IT Systems within the health and care environment.

...

This standard is addressed to Manufacturer personnel who are responsible for ensuring clinical safety in the development and modification of Health IT Systems through the application of clinical risk management. This standard applies to all Health IT Systems including those that are also controlled by medical device regulations , though the requirements defined in this standard are broadly consistent with the requirements of ISO 14971.

Requirements 

Requirement ID

Requirement Text

Level

STD016-1

Organisations / Suppliers of IT systems that deploy and modify IT Systems used in a healthcare setting MUST ensure that effective clinical risk management is carried out. Full details of the required specifications is detailed Specification (Amd 25/2018)

Within this standard the term ‘clinical risk’ is used to emphasise that the scope is limited to the management of risks related to patient safety as distinct from other types of risk such as financial.

MUST

ID

STD017

External ID

N/A

Version

1.0

Link to standard

DCB0129: Clinical Risk Management: its Application in the Manufacture of Health IT Systems

Standard Type

Data Standard (NHS)

Status

Alpha

Effective Date

TBC

Description

This standard provides a set of requirements suitably structured to promote and ensure the effective application of clinical risk management by those organisations that are responsible for the development and maintenance of Health IT Systems for use within the health and care environment.

...

This standard is addressed to Manufacturer personnel who are responsible for ensuring clinical safety in the development and modification of Health IT Systems through the application of clinical risk management. This standard applies to all Health IT Systems including those that are also controlled by medical device regulations , though the requirements defined in this standard are broadly consistent with the requirements of ISO 14971.

Requirements 

Requirement ID

Requirement Text

Level

STD017-1

The suppliers of IT Systems used in a healthcare setting MUST ensure that effective clinical risk management is carried out. Full details of the required specifications is detailed in Specification (Amd 24/2018)

MUST

ID

STD050

External ID

N/A

Version

1.0

Link to standard

ISO8000-1 Data Quality

Standard Type

Guidance

Status

Alpha

Effective Date

TBC

Description

ISO8000-1 is the global standards for data quality and enterprise master data. It provides assurance that data management and architecture controls are the highest standard

Applicability

Requirements 

Requirement ID

Requirement Text

Level

STD050-1

The supplier of IT Systems used in a healthcare setting SHOULD comply with the principles set out in ISO8000-1:2022

SHOULD

ID

STD051

External ID

N/A

Version

1.0

Link to standard

ISO9000-1 Data Quality

Standard Type

Data Standard (External)

Status

Alpha

Effective Date

TBC

Description

ISO9000-1 sets out the criteria for a quality management system and is a standard that can be complied with.

...

 The standards provide guidance and tools for companies and organisations which want to ensure that their products and services consistently meet customers’ requirements, and that quality is consistently improved.

Requirements 

Requirement ID

Requirement Text

Level

STD051-1

Healthcare provides SHOULD comply with the principles set out in ISO9000-1

SHOULD

ID

STD077

External ID

N/A

Version

1.0

Link to standard

Government Service Standard

Standard Type

Guidance

Status

Alpha

Effective Date

TBC

Description

The Government Service Standard helps teams to create and run great public services.

...

Providers of digital services within the UK government sector

Requirements 

Requirement ID

Requirement Text

Level

STD077-1

IT system suppliers/Providers of digital services SHOULD adhere to the principles below:

  1. Understand users and their needs

  2. Solve a whole problem for users

  3. Provide a joined up experience across all channels

  4. .Make the service simple to use

  5. Make sure everyone can use the service

  6. Have a multidisciplinary team

  7. Use agile ways of working

  8. Iterate and improve frequently

  9. Create a secure service which protects users’ privacy

  10. Define what success looks like and publish performance data

  11. Choose the right tools and technology

  12. Make new source code open

  13. Use and contribute to open standards, common components and patterns

  14. Operate a reliable services

Full details can be found here

SHOULD

ID

STD082

External ID

N/A

Version

1.0

Link to standard

Standard of Good Practice for Information Security

Standard Type

Guidance

Status

Alpha

Effective Date

TBC

Description

The Standard of Good Practice for Information Security 2020 (SOGP 2020) provides a business-orientated focus on current and emerging information security issues and helps organisations develop an effective framework for information security policies, standards and procedures.

...

 The standards provide guidance and tools for companies and organisations which want to ensure that their products and services consistently meet customers’ requirements, and that quality is consistently improved.

Requirements 

Requirement ID

Requirement Text

Level

STD082-1

Healthcare providers SHOULD comply with the guidance set out in the Standard of Good Practice for Information Security 2020 (SOGP 2020)

SHOULD

ID

STD092

External ID

N/A

Version

1.0

Link to standard

OAuth 2.0

Standard Type

Data Standard (External)

Status

Alpha

Effective Date

TBC

Description

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.

...

  • accessing a user-restricted RESTful API

  • the end user is a healthcare worker

  • you want a simpler integration

  • you do not need the healthcare worker's identity information

Requirements 

Requirement ID

Requirement Text

Level

STD092-1

Software suppliers who wish to access user-restricted RESTful API. In particular, the NHS Care Identity Service 2 (NHS CIS2) combined authentication and authorisation pattern, which uses our OAuth 2.0 authorisation server.

Image Modified

MUST

ID

STD093

External ID

N/A

Version

1.0

Link to standard

OpenID Connect

Standard Type

Data Standard (External)

Status

Alpha

Effective Date

TBC

Description

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

...

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and logout, when it makes sense for them.

Requirements 

Requirement ID

Requirement Text

Level

STD093-1

Authorization Code Flow
OpenID Connect defines three types of authentication flow to cater for different client types: the Authorization Code Flow, the Implicit Flow and the Hybrid Flow. The Authorization Code Flow is the most commonly used flow and is designed for use with web applications. It is the only flow currently supported by the Care Identity Authentication.

The diagram below depicts the Authorization Code Flow at a high level:

Image Modified

SHOULD

ID

STD096

External ID

N/A

Version

1.0

Link to standard

ISO13485 - Medical Devices

Standard Type

Data Standard (External)

Status

Alpha

Effective Date

TBC

Description

A medical device is a product, such as an instrument, machine, implant or in vitro reagent, that is intended for use in the diagnosis, prevention and treatment of diseases or other medical conditions.

...

ISO 13485 is designed to be used by organizations involved in the design, production, installation and servicing of medical devices and related services. It can also be used by internal and external parties, such as certification bodies, to help them with their auditing processes.

Requirements 

Requirement ID

Requirement Text

Level

STD096-1

Suppliers should have Certification to ISO 13485
Like other ISO management system standards, certification to ISO 13485 is not a requirement of the standard, and organizations can reap many benefits from implementing the standard without undergoing the certification process. However, third-party certification can demonstrate to regulators that you have met the requirements of the standard. ISO does not perform certification.

Read more about certification to ISO’s management system standards.

SHOULD

ID

STD101

External ID

N/A

Version

1.0

Link to standard

Unique Property Reference Number

Standard Type

Data Standard (External)

Status

Alpha

Effective Date

T

Description

  • UPRNs are the unique identifiers for every addressable location in Great Britain

  • USRNs are the unique identifiers for every street in Great Britain

...

Systems, services and applications that store or publish data sets containing property and street information must use the UPRN and USRN identifiers.

Requirements 

Requirement ID

Requirement Text

Level

STD101-1

IT Suppliers systems, services and applications that store or publish data sets containing property and street information must use the UPRN and USRN identifiers.

MUST

ID

STD103

External ID

N/A

Version

1.0

Link to standard

Digital Technology Assessment Criteria (DTAC)

Standard Type

Guidance

Status

Alpha

Effective Date

T

Description

The DTAC provides a consistent question set and enables you to present the same consistent and proportionate set of evidence to organisations buying your digital health technologies. It sets out the standards expected for entry into the NHS and social care.

...

Digital tech already in use does not need to be retrospectively assessed but may need to be assessed at the point of a contract renewal or if commissioned by a different organisation.

Requirements 

Requirement ID

Requirement Text

Level

STD103-1

1. Clinical safety

IT system suppliers products are assessed to ensure that baseline clinical safety measures are in place and that organisations undertake clinical risk management activities to manage this risk.

MUST

STD103-2

2. Data protection

IT system suppliers products are assessed to ensure that data protection and privacy is ‘by design’ and the rights of individuals are protected.

MUST

STD103-3

3. Technical assurance

IT system suppliers products are assessed to ensure that products are secure and stable

MUST

STD103-4

4. Interoperability

IT system suppliers products are assessed to ensure that data is communicated accurately and quickly whilst staying safe and secure.

MUST

STD103-5

5. Usability and accessibility

IT system suppliers products are allocated a conformity rating having been benchmarked against good practice and the NHS service standard.

MUST

ID

STD104

External ID

N/A

Version

1.0

Link to standard

UK General Data Protections Regulations

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/

Standard Type

Data Standard (External)

Status

Alpha

Effective Date

T

Description

  • Data protection is about ensuring people can trust you to use their data fairly and responsibly.

  • The UK data protection regime is set out in the DPA 2018, along with the UK GDPR. It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.

  • The ICO regulates data protection in the UK. We offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.

...

  • If an organisation collects information about individuals for any reason other than your own personal, family or household purposes, you need to comply with GDPR

Requirements 

Requirement ID

Requirement Text

Level

STD104-1

Any organisation that collects personal data on an individual (with the exception of personal, family or household purposes MUST comply with GDPR

MUST

ID

STD106

External ID

N/A

Version

1.0

Link to standard

ISO/IEEE 11073 Personal Health Data Standards

Standard Type

Data Standard (External)

Status

Alpha

Effective Date

T

Description

ISO 11073 enable communication between medical, health care and wellness devices and external computer systems. They provide automatic and detailed electronic data capture of client-related and vital signs information, and of device operational data.

...

ISO 11073-91064:2009 specifies the content and structure of the information that is to be interchanged between digital ECG carts and computer ECG management systems, as well as other computer systems where ECG data can be stored.

Requirements 

Requirement ID

Requirement Text

Level

STD106-1

IT suppliers EPR systems SHOULD be compliant with the details set out in ISO 11073-91064:2009 to enable electronic data transfer between devices and EPR systems

SHOULD

ID

STD111

External ID

DAPB1069

Version

1.0

Link to standard

DAPB1069 - Community Services Data Set

Standard Type

Data Standard

Status

Alpha

Effective Date

TBC

Description

The Community Services Data Set (CSDS) is a patient level, output based, secondary uses data set which will deliver robust, comprehensive, nationally consistent and comparable person-centred information for people who are in contact with publicly funded Community Services.

...

 The data collected in the CSDS covers all publicly funded Community Services provided by Health Care Providers in England. This includes (but is not limited to) Community Health Trusts, acute organisations, Independent Sector Healthcare Providers and Local Authorities that provide Community Services.

Requirements 

Requirement ID

Requirement Text

Level

STD111-1

From 1 July 2022 systems used by Community Services MUST be able to capture and/or derive the data items defined within this standard. This includes mapping of local codes to national codes, and the ability to extract this information as envisaged within this standard, e.g., without interim workarounds. Suppliers MAY assess this against the System Conformance Checklist which can be found on the NHS Digital website.

MUST

STD111-2

Changes made to systems MUST result in minimal increase on burden for providers in capturing and extracting the information defined in the CSDS TOS and ETOS, and any additional burden MUST be proportionate.

MUST

STD111-3

When considering potential developments, maximising good data quality MUST be prioritised.

MUST

STD111-4

IT Systems Suppliers SHOULD review all related documentation to fully understand the background, objectives and scope of this information standard.

SHOULD

STD111-5

IT Systems Suppliers SHOULD review the CSDS TOS and CSDS User Guidance to understand the scope and definition of each data item.

SHOULD

STD111-6

As an Output Data Set, the CSDS is intended to only define “what should be extracted” from local IT systems, not “what should be captured”. A clinical data set will need data items beyond what the CSDS specifies.

SHOULD

STD111-7

While IT Systems Suppliers SHOULD use this data set to support their system development, they SHOULD NOT use the data set exclusively and SHOULD also consider the full requirements of the care setting where it is used. The whole ethos around the CSDS is to only re-use clinical data, not specify standards for capturing clinical data.

SHOULD

STD111-8

IT Systems Suppliers SHOULD familiarise themselves with the CSDS v1.6 XML schema (and Intermediate Database (IDB) if used) to understand how data items are grouped for the data submission file.

SHOULD

STD111-9

IT Systems Suppliers SHOULD provide tools to enable a ‘data mapping exercise’ to be carried out and where possible complete the mappings to the national codes on behalf of the CSDS providers. A self-assessment ‘System Conformance Checklist’ is a tool available on the NHS Digital website to support this mapping exercise.

SHOULD

STD111-10

IT Systems MUST provide a mechanism to allow providers to identify records where patients have objected to the use of their data for secondary purposes or where there is a legal requirement to restrict the flow of identifiable information for a patient.

MUST

STD111-11

IT System suppliers SHOULD always ensure that any changes resulting from the implementation of the CSDS are compliant with the safety standards DCB0129 and DCB0160.

SHOULD

STD111-12

The SDCS Cloud webpage provides information on how to create a monthly submission file. IT Systems Suppliers SHOULD review this webpage and the steps outlined in Section 2.1 (Health and Care Organisations - Requirements) above.

SHOULD

STD111-13

IT Systems Suppliers SHOULD review the SDCS Cloud webpage and ETOS to understand the data validation rules that will be applied at the central data repository to all incoming data submission files. Any validation rules not adhered to will result in appropriate groups or the entire data submission file being rejected, depending on the particular validation rule.

SHOULD

STD111-14

IT Systems Suppliers SHOULD review the CSDS TOS and ETOS to understand the data quality rules that will be applied to each data group on arrival at the central data repository

SHOULD

STD111-15

From 1 July 2022, all systems used by Community Services MUST have the ability to produce data quality reports to support providers in producing their submission files in line with the CSDS TOS and ETOS.

MUST