[Archived] Mental Health Standards Implementation - Overarching Standards

This page has been superseded and archived.

ID: STD006
External ID: N/A
Version: 1.0
Link to standard: ISB1523: Anonymisation Standard for Publishing Health and Social Care Data
Standard Type: Data Standard (NHS)
Status: Alpha
Effective Date: TBC

Description

This process standard provides an agreed and standardised approach, grounded in the law, enabling organisations to: distinguish between identifying and non-identifying information, and deploy a standard approach and a set of standard tools to anonymise information to ensure that, as far as it is reasonably practicable to do so, information published does not identify individuals.

Applicability

The following persons or bodies must comply with this process standard:

a. The Secretary of State (DH)

b. The NHS Commissioning Board (once established)

c. any public body which seeks to publish information relating to the provision of health services or of adult social care in England;

d. any person commissioned (by a public body) to provide such health services or adult social care who seeks to publish information relating to them;

e. any person registered as described in s20A of the Health & Social Care Act 2008.

Requirements

Requirement ID: STD006-1 (Section 2.1)
Requirement Text: All Health and Social Care bodies choosing or obliged by law to publish (electronically or on paper) information/data relating to, or derived from, personal identifiable records MUST anonymise information so that information published does not identify individuals.
Level: MUST

Requirement ID: STD006-1
Requirement Text: Health and Social Care bodies choosing or obliged by law to publish information/data relating to, or derived from, personal identifiable records MUST have regard to this process standard.
Level: MUST

Requirement ID: STD006-2
Requirement Text: When publishing information after 1 April 2013, affected organisations MUST either: a) follow this standard; or b) follow alternative guidance of a similar standing.
Level: MUST

Requirement ID: STD006-3
Requirement Text: If alternative guidance of a similar standing is used, affected organisations MUST record their reasons for choosing the alternative, and make their reasons available on request.
Level: MUST

Requirement ID: STD006-4
Requirement Text: Whether this standard or alternative guidance is used, affected organisations MUST conduct, record, and make subsequently available on request, a risk assessment regarding the possibility that specific individuals might be identified from the published material, either directly or indirectly through association of the published material with other information/data in, or likely to be placed in, the public domain.
Level: MUST

Requirement ID: STD006-5
Requirement Text: Whether this standard or alternative guidance is used, affected organisations MUST record, carry out, and make subsequently available on request, an anonymisation plan, and SHOULD record their reasoning for choosing that plan. A spreadsheet for this purpose is provided and MAY be used.
Level: MUST/SHOULD

Requirement ID: STD006-6
Requirement Text: Whether this standard or alternative guidance is used, affected organisations MUST, prior to publishing, confirm with the organisation's Caldicott Guardian or other responsible officer that the information to be published does not identify individuals, and this confirmation MUST be recorded and be available subsequently on request.
Level: MUST

Requirement ID: STD006-7
Requirement Text: Where data previously published by the affected organisation are found to have led to confidential information about an individual being revealed, organisations SHOULD carry out an investigation into the incident and review their procedures for anonymising and publishing health and social care data. Any concerns, or suggested improvements, relating to this standard SHOULD be notified to the Health and Social Care Information Centre at: enquiries@ic.nhs.uk.
Level: SHOULD

Requirement ID: STD006-8
Requirement Text: Organisations using the standard may wish to conduct a periodic audit to check that the process is being followed and that appropriate judgements are being made by staff using the standard.
Level: SHOULD

ID: STD016
External ID: N/A
Version: 1.0
Link to standard: https://data.standards.nhs.uk/published-standards/clinical-risk-management-its-application-in-the-deployment-and-use-of-health-it-systems
Standard Type: Data Standard (NHS)
Status: Alpha
Effective Date: TBC

Description

This standard provides a set of requirements suitably structured to promote and ensure the effective application of clinical risk management by those health organisations that are responsible for the deployment, use, maintenance or decommissioning of Health IT Systems within the health and care environment.

The standard includes implementation guidance and is supported by the related standard for the application of clinical risk management in the manufacture of Health IT Systems, DCB0129 (STD017).

Applicability

This standard is addressed to Manufacturer personnel who are responsible for ensuring clinical safety in the development and modification of Health IT Systems through the application of clinical risk management. This standard applies to all Health IT Systems, including those that are also controlled by medical device regulations, though the requirements defined in this standard are broadly consistent with the requirements of ISO 14971.

Requirements

Requirement ID: STD016-1
Requirement Text: Organisations / Suppliers of IT systems that deploy and modify IT Systems used in a healthcare setting MUST ensure that effective clinical risk management is carried out.

Within this standard the term ‘clinical risk’ is used to emphasise that the scope is limited to the management of risks related to patient safety, as distinct from other types of risk such as financial.
Level: MUST

ID: STD017
External ID: N/A
Version: 1.0
Link to standard: https://data.standards.nhs.uk/published-standards/nhsd-clinical-risk-management-its-application-in-the-manufacture-of-health-it-systems
Standard Type: Data Standard (NHS)
Status: Alpha
Effective Date: TBC

Description

This standard provides a set of requirements suitably structured to promote and ensure the effective application of clinical risk management by those organisations that are responsible for the development and maintenance of Health IT Systems for use within the health and care environment.

The standard includes implementation guidance and is supported by the related standard for the application of clinical risk management in the deployment and use of Health IT Systems, DCB0160 (STD016).

Applicability

This standard is addressed to Manufacturer personnel who are responsible for ensuring clinical safety in the development and modification of Health IT Systems through the application of clinical risk management. This standard applies to all Health IT Systems, including those that are also controlled by medical device regulations, though the requirements defined in this standard are broadly consistent with the requirements of ISO 14971.

Requirements

Requirement ID: STD017-1
Requirement Text: The suppliers of IT Systems used in a healthcare setting MUST ensure that effective clinical risk management is carried out.
Level: MUST

ID: STD050
External ID: N/A
Version: 1.0
Link to standard: ISO8000-1 Data Quality
Standard Type: Guidance
Status: Alpha
Effective Date: TBC

Description

ISO8000-1 is the global standard for data quality and enterprise master data. It provides assurance that data management and architecture controls are of the highest standard.

Applicability

 

Requirements

Requirement ID: STD050-1
Requirement Text: The supplier of IT Systems used in a healthcare setting SHOULD comply with the principles set out in ISO8000-1:2022.
Level: SHOULD

ID: STD051
External ID: N/A
Version: 1.0
Link to standard: ISO9000-1 Data Quality
Standard Type: Data Standard (External)
Status: Alpha
Effective Date: TBC

Description

ISO9000-1 sets out the criteria for a quality management system and is a standard that can be complied with.

Applicability

The standards provide guidance and tools for companies and organisations which want to ensure that their products and services consistently meet customers’ requirements, and that quality is consistently improved.

Requirements

Requirement ID: STD051-1
Requirement Text: Healthcare providers SHOULD comply with the principles set out in ISO9000-1.
Level: SHOULD

ID: STD077
External ID: N/A
Version: 1.0
Link to standard: Government Service Standard
Standard Type: Guidance
Status: Alpha
Effective Date: TBC

Description

The Government Service Standard helps teams to create and run great public services.

Applicability

Providers of digital services within the UK government sector

Requirements

Requirement ID: STD077-1
Requirement Text: IT system suppliers/Providers of digital services SHOULD adhere to the principles below:

  1. Understand users and their needs
  2. Solve a whole problem for users
  3. Provide a joined up experience across all channels
  4. Make the service simple to use
  5. Make sure everyone can use the service
  6. Have a multidisciplinary team
  7. Use agile ways of working
  8. Iterate and improve frequently
  9. Create a secure service which protects users’ privacy
  10. Define what success looks like and publish performance data
  11. Choose the right tools and technology
  12. Make new source code open
  13. Use and contribute to open standards, common components and patterns
  14. Operate a reliable service

Full details can be found here
Level: SHOULD

ID: STD082
External ID: N/A
Version: 1.0
Link to standard: Standard of Good Practice for Information Security
Standard Type: Guidance
Status: Alpha
Effective Date: TBC

Description

The Standard of Good Practice for Information Security 2020 (SOGP 2020) provides a business-orientated focus on current and emerging information security issues and helps organisations develop an effective framework for information security policies, standards and procedures.

This latest edition of the SOGP includes new or enhanced coverage of the following Categories, Areas and Topics: Security Workforce, Core Cloud Security Controls, Security Operation Centres, Mobile Application Management, Asset Registers, Security Assurance, Supply Chain Management and Security Event Management.

Applicability

The standards provide guidance and tools for companies and organisations which want to ensure that their products and services consistently meet customers’ requirements, and that quality is consistently improved.

Requirements

Requirement ID: STD082-1
Requirement Text: Healthcare providers SHOULD comply with the guidance set out in the Standard of Good Practice for Information Security 2020 (SOGP 2020).
Level: SHOULD

ID: STD092
External ID: N/A
Version: 1.0
Link to standard: OAuth 2.0
Standard Type: Data Standard (External)
Status: Alpha
Effective Date: TBC

Description

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.

Authentication and authorisation are done together. Authentication is done by the NHS CIS2 Care Identity Authentication API, but we co-ordinate that under the covers behind our OAuth 2.0 authorisation server.

Applications only need to be registered with the API Platform, not with NHS CIS2.

The healthcare worker authenticates with either an NHS smartcard or a more modern alternative. To use smartcards, you need to be connected to the Health and Social Care Network (HSCN).

Applicability

  • accessing a user-restricted RESTful API

  • the end user is a healthcare worker

  • you want a simpler integration

  • you do not need the healthcare worker's identity information

Requirements

Requirement ID: STD092-1
Requirement Text: Software suppliers who wish to access a user-restricted RESTful API. In particular, the NHS Care Identity Service 2 (NHS CIS2) combined authentication and authorisation pattern, which uses our OAuth 2.0 authorisation server.
Level: MUST

ID: STD093
External ID: N/A
Version: 1.0
Link to standard: OpenID Connect
Standard Type: Data Standard (External)
Status: Alpha
Effective Date: TBC

Description

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

Applicability

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and logout, when it makes sense for them.

Requirements

Requirement ID: STD093-1
Requirement Text: Authorization Code Flow
OpenID Connect defines three types of authentication flow to cater for different client types: the Authorization Code Flow, the Implicit Flow and the Hybrid Flow. The Authorization Code Flow is the most commonly used flow and is designed for use with web applications. It is the only flow currently supported by Care Identity Authentication.

The diagram below depicts the Authorization Code Flow at a high level:
Level: SHOULD

ID: STD096
External ID: N/A