Changes to Hosting & Infrastructure Standard requirements
ID | RM181 |
---|---|
Version | 1.0.1 |
Type | Roadmap Item |
Frameworks |
Title | Changes to Hosting & Infrastructure Standard requirements |
Description | Reworded requirement ES1.0 and removal of requirement ES2.0 |
Date Added | Oct 3, 2023 |
Standards and Capabilities | Hosting & Infrastructure |
Change Route | Managed Capacity - Other |
Change Type | Uplift |
Status | Closed |
Publication Date | TBC |
Effective Date | TBC |
Incentives / Funding | No |
Incentive / Funding Dates | N/A |
Background
The Subject Matter Experts (SMEs) have reworded requirement ES1.0 by tightening its parameters and have therefore decided to remove requirement ES2.0, as it is no longer required.
Outline Plan
Suppliers are to be compliant 3 months after the Roadmap Item Publication date.
Summary of Change
Hosting & Infrastructure: Requirement ES1.0 updated and requirement ES2.0 removed

Applicable Framework(s) | Req. ID | Standard | Name | Description | Level | Evidence |
---|---|---|---|---|---|---|
All | ES1.0 | NHS and social care data: off-shoring and the use of public cloud services guidance | NHS and social care data: off-shoring and the use of public cloud services guidance | The geographical location (or specific range of locations) of the clinical data at rest and service management activities at any given time are to be known and communicated to NHS Digital. Operating the Solution or elements of the Solution outside of England will be with the permission of NHS Digital, the data controllers and their representative organisations. Note: There are no absolute barriers to the off-shoring of data or services, although the requirements of UK Government IA policy must be able to be met in the overseas location. See Data Protection Act and Offshoring for statements on the offshoring of information. The geographical location (or specific range of locations) of the Clinical/Personal data at rest and service management activities at any given time are to be known and communicated to the Authority. Note: All the components of the Solution must be operated within the United Kingdom (UK), in line with the Deed of Processing (S2.5.16). | MUST | Provide formal confirmation of compliance to requirement. |
All | ES2.0 | Sanctions, embargoes and restrictions | Sanctions, embargoes and restrictions | The supplier will require approval from NHS Digital of any part of the Solution that is hosted or communicates with services outside of England. The communication between systems will not be made to those countries or states prohibited by Government Policy. | MUST | Provide formal confirmation of compliance to requirement. |
Full Specification
The updated Hosting & Infrastructure Standard will be added at a later date. Proposed changes can be viewed in the Summary of Change above.
Assurance Approach
Suppliers will be asked to demonstrate their mitigations against the pre-identified risks by completing the NHS England Solution Assurance Risk log submission, supported by the requested messaging-based test evidence and an online demonstration by the Supplier to a group of NHS England representatives.
The successful conclusion of the NHS England assurance for the risk mitigations implemented by the Supplier in relation to these requirements will be required before the changes can be deployed in the production environment.