STD006 - Anonymisation Standard for Publishing Health and Social Care Data

STD016 - Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems

STD017 - Clinical Risk Management: its Application in the Manufacture of Health IT Systems

STD050 - ISO 8000-1: Data Quality

STD051 - ISO 9000-1: Quality Management

STD077 - Service Standard

STD082 - Standard Of Good Practice For Information Security 2020

STD092 - OAuth 2.0

STD093 - OpenID Connect

STD096 - ISO13485 - Medical Devices

STD101 - Unique Property Reference Number

STD102 - Medicine and Allergy/Intolerance Data Transfer

STD103 - Digital Technology Assessment Criteria (DTAC)

STD104 - UK GDPR

STD106 - ISO/IEEE 11073 Personal Health Data Standards

STD107 - Mental Health Services Data Set

STD006-1 (Section 2.1)

All Health and Social Care bodies choosing or obliged by law to publish (electronically or on paper) information/data relating to, or derived from, personal identifiable records MUST anonymise information so that information published does not identify individuals.

MUST

STD006-1

Health and Social Care bodies choosing or obliged by law to publish information/data relating to, or derived from, personal identifiable records MUST have regard to this process standard.

MUST

STD006-2

2 When publishing information after 1 April 2013, affected organisations MUST either: a) follow this standard; or b) follow alternative guidance of a similar standing.

MUST

STD06-3

3 If alternative guidance of a similar standing is used, affected organisations MUST record their reasons for choosing the alternative, and make their reasons available on request.

MUST

STD006-4

4 Whether this standard or alternative guidance is used, affected organisations MUST conduct, record, and make subsequently available on request, a risk assessment regarding the possibility that specific individuals might be identified from the published material either directly or indirectly through association of the published material with other information/data in or likely to be placed in the public domain.

MUST

STD006-5

5 Whether this standard or alternative guidance is used, affected organisations MUST record, carry out, and make subsequently available on request, an anonymisation plan, and SHOULD record their reasoning for choosing that plan. A spreadsheet for this purpose is provided and Anonymisation Standard for Publishing Health and Social Care Data Specification 21/02/2013 Final v1.0 © Crown Copyright 2013 Page 15 of 41 MAY be used.

MUST/SHOULD

STD006-6

6 Whether this standard or alternative guidance is used, affected organisations MUST, prior to publishing, confirm with the organisation's Caldicott Guardian or other responsible officer that the information to be published does not identify individuals, and this confirmation MUST be recorded and be available subsequently on request.

MUST

STD006-7

7 Where data previously published by the affected organisation are found to have led to confidential information about an individual being revealed, organisations SHOULD carry out an investigation into the incident and review their procedures for anonymising and publishing health and social care data. Any concerns, or suggested improvements, relating to this standard SHOULD be notified to the Health and Social Care Information Centre at: enquiries@ic.nhs.uk.

SHOULD

STD006-8

8 Organisations using the standard may wish to conduct a periodic audit to check the process is being followed and that appropriate judgements are being made by staff using the standard..

SHOULD

STD016-1

Organisations / Suppliers of IT systems that deploy and modify IT Systems used in a healthcare setting MUST ensure that effective clinical risk management is carried out.

Within this standard the term ‘clinical risk’ is used to emphasise that the scope is limited to the management of risks related to patient safety as distinct from other types of risk such as financial.

MUST

STD017-1

The suppliers of IT Systems used in a healthcare setting MUST ensure that effective clinical risk management is carried out.

MUST

STD050-1

The supplier of IT Systems used in a healthcare setting SHOULD comply with the principles set out in ISO8000-1:2022

SHOULD

STD051-1

Healthcare provides SHOULD comply with the principles set out in ISO9000-1

SHOULD

STD077-1

IT system suppliers/Providers of digital services SHOULD adhere to the principles below:

1. Understand users and their needs

2. Solve a whole problem for users

3. Provide a joined up experience across all channels

4. .Make the service simple to use

5. Make sure everyone can use the service

6. Have a multidisciplinary team

7. Use agile ways of working

8. Iterate and improve frequently

9. Create a secure service which protects users’ privacy

10. Define what success looks like and publish performance data

11. Choose the right tools and technology

12. Make new source code open

13. Use and contribute to open standards, common components and patterns

14. Operate a reliable services

Full details can be found here

SHOULD

STD082-1

Healthcare providers SHOULD comply with the guidance set out in the Standard of Good Practice for Information Security 2020 (SOGP 2020)

SHOULD

STD092-1

Software suppliers who wish to access user-restricted RESTful API. In particular, the NHS Care Identity Service 2 (NHS CIS2) combined authentication and authorisation pattern, which uses our OAuth 2.0 authorisation server.

MUST

STD093-1

Authorization Code Flow
OpenID Connect defines three types of authentication flow to cater for different client types: the Authorization Code Flow, the Implicit Flow and the Hybrid Flow. The Authorization Code Flow is the most commonly used flow and is designed for use with web applications. It is the only flow currently supported by the Care Identity Authentication.

The diagram below depicts the Authorization Code Flow at a high level:

SHOULD

STD096-1

Suppliers should have Certification to ISO 13485
Like other ISO management system standards, certification to ISO 13485 is not a requirement of the standard, and organizations can reap many benefits from implementing the standard without undergoing the certification process. However, third-party certification can demonstrate to regulators that you have met the requirements of the standard. ISO does not perform certification.

Read more about certification to ISO’s management system standards.

SHOULD

STD101-1

IT Suppliers systems, services and applications that store or publish data sets containing property and street information must use the UPRN and USRN identifiers.

MUST

STD102-1

Users, specifically those in charge of their organisation’s IT (Information Technology) systems, must assess their IT systems to identify any electronic transfers of medication and allergy/intolerance to or from other systems, and if any are found determine whether they comply with this Standard, against which compliance is needed by 31 March 2023.

MUST

STD102-2

Where non-compliant message transfers are identified, users must make use of contracts they have signed with their IT system suppliers to develop new or update existing products to provide compliance. Alternatively, users might decide to change to a supplier which already offers a compliant system.

MUST

STD102-3

NHS Digital, with the support of users, IT system suppliers, and professional bodies, has produced API (Application Programming Interface) specifications and APIs which enable each system supplier to develop products to send and receive conformant electronic messages:

o FHIR (Fast Healthcare Interoperability Resources) message standards transfer the data between systems and locations.

o NHS IT system suppliers must use NHS Digital APIs or API specifications to develop for each use case an API to send, receive, and integrate this data regardless of differences between the sending and receiving systems.

MUST

STD102-4

IT system suppliers MUST ensure;

Integration (machine readability) of the data is achieved by:

• using dm+d (dictionary of medicines and devices) codes for medicines • using SNOMED CT (Systemized Nomenclature of Medicine – Clinical Terms) codes for the elements of the dosage instruction, when there are appropriate concepts available in the FHIR UK standard

• using dm+d and SNOMED CT codes for allergies/intolerances when there is a suitable coded entry in these terminologies.

MUST

STD103-1

1. Clinical safety

IT system suppliers products are assessed to ensure that baseline clinical safety measures are in place and that organisations undertake clinical risk management activities to manage this risk.

MUST

STD103-2

2. Data protection

IT system suppliers products are assessed to ensure that data protection and privacy is ‘by design’ and the rights of individuals are protected.

MUST

STD103-3

3. Technical assurance

IT system suppliers products are assessed to ensure that products are secure and stable

MUST

STD103-4

4. Interoperability

IT system suppliers products are assessed to ensure that data is communicated accurately and quickly whilst staying safe and secure.

MUST

STD103-5

5. Usability and accessibility

IT system suppliers products are allocated a conformity rating having been benchmarked against good practice and the NHS service standard.

MUST

STD104-1

Any organisation that collects personal data on an individual (with the exception of personal, family or household purposes MUST comply with GDPR

MUST

STD106-1

IT suppliers EPR systems SHOULD be compliant with the details set out in ISO 11073-91064:2009 to enable electronic data transfer between devices and EPR systems

SHOULD

STD107-1

From 1 October 2021 MHSDS services MUST ensure their IT systems are able to capture the information locally that is intended for use to produce the monthly MHSDS v5.0 extract, as defined in the TOS. This includes information required to derive data items as defined within the standard.

MUST

STD107-2

From 1 October 2021 MHSDS services MUST ensure their IT systems are able to derive the data items defined within this standard, where they are not collected directly. This includes mapping of local codes to national codes, and the ability to extract this information as envisaged within this standard, e.g., without interim workarounds.

MUST

STD107-3

IT systems suppliers SHOULD review all related documents to fully understand the background, objectives and scope of this information standard.

SHOULD

STD107-4

Providers of MHSDS services SHOULD ensure that their IT system suppliers review the TOS and User Guidance to understand the scope and definition of each data item.

SHOULD

STD107-5

Providers of MHSDS services SHOULD ensure that their IT system suppliers familiarise themselves with the IDB to understand how data items are grouped for the data submission file.

SHOULD

STD107-6

Providers of MHSDS services SHOULD ensure that their IT system suppliers provide tools to enable a ‘data mapping exercise’ to be carried out and where possible complete the mappings to the national codes on behalf of the MHSDS providers. A self assessment System Conformance Checklist tool is available on the NHS Digital website to support this mapping exercise.

SHOULD

STD107-7

The MHSDS Data Set v5.0 TOS is a specification for a secondary uses data set. It does not define patient systems. Whilst providers of MHSDS services SHOULD ensure that their IT system suppliers use this data set to support their system development, they SHOULD NOT use the data set exclusively and SHOULD also consider the full requirements of the care setting where it is used.

SHOULD

STD107-8

Increase in burden for providers in capturing and extracting the information defined in the TOS as a result of system changes in support of the mandated standard SHOULD be proportionate.

SHOULD

STD107-9

When considering potential developments, supporting good data quality MUST be prioritised, in conjunction with minimising the burden on providers.

MUST

STD107-10

Providers of MHSDS services MUST ensure that their IT system suppliers include a mechanism to allow providers to identify records where there is a legal requirement to restrict the flow of identifiable information for a patient.

MUST

STD107-11

Providers of MHSDS services SHOULD remind their IT system suppliers to ensure that any changes resulting from the implementation of v5.0 are compliant with the safety standards DCB0129 and DCB0160.

SHOULD

STD107-12

The SDCS Cloud web page provides guidance relating to data submission. Providers of MHSDS services SHOULD review this web page and the requirements for health and care organisations above.

SHOULD

STD107-13

Providers of MHSDS services SHOULD ensure that their IT system suppliers review the Technical Guidance and TOS on the NHS Digital website to understand the data validation rules that will be applied at the data landing platform to all incoming data submission files. Validation rules that are not adhered to may result in appropriate groups or the entire data submission file being rejected, depending on the particular validation rule.

SHOULD

STD107-14

From 1 April 2021, providers of MHSDS services MUST ensure that their IT systems have the ability to produce data quality reports to support production of their submission files in line with the TOS.

MUST