Appendix A – Schedule of GP digital requirements and capabilities

Essential clinical system capabilities – foundation capabilities

Six clinical digital capabilities enabled through software (and data) solutions which under the GP Contract are necessary to deliver primary care services and must be accredited through the GP IT Futures Framework. These are sourced through the GP IT Futures Framework.

For these capabilities, where a signed CCG Practice Agreement is in place:

  • the solutions are funded by the NHS for GP Contract holders
  • the solution must be accredited through the GP IT Futures Framework
  • the Foundation Solutions for those capabilities described as GP IT Futures Foundation Capabilities will be determined by individual practice from the accredited systems available through the GP IT Futures Framework

Note: Non-Foundation Capabilities may be provided as an embedded part of the procured Foundation Solution at the supplier’s discretion. CCGs should determine which non-Foundation Capabilities are still required once the Foundation Solutions have been procured. Additional solutions for these capabilities may still be available and may be selected as enhanced items if they offer a greater level of functionality and more appropriately meet local needs.

Foundation Capabilities available through the GP IT Futures Framework

GP Referral Management: Supports recording, reviewing, sending, and reporting of patient referrals. Enables referral information to be included in the Patient Record.

Prescribing: Supports the effective and safe prescribing of medical products and appliances to Patients. Information to support prescribing will be available.

Recording Consultations: Supports the standardised recording of consultations and other General Practice activities.

Patient Information Maintenance: Supports the registration of patients and the maintenance of all patient personal information. Supports the organisation and presentation of a comprehensive Patient Record. Also supports the management of related persons and configuring access to citizen services.

GP Resource Management: Supports the management and reporting of Practice information, resources, staff members and related organisations. Also enables management of staff member availability and inactivity.

Appointments management – GP: Supports the administration, scheduling, resourcing and reporting of appointments.

Essential clinical system capabilities – Non-foundation capabilities

Clinical digital capabilities enabled through software (and data) solutions which are necessary to deliver primary care services under the GP Contract or as otherwise nationally mandated in addition to the six Foundation Capabilities.

These are sourced through the Digital Care Services (DCS) Catalogue or an applicable Framework (see table below and Appendix C).

For these capabilities, where a signed CCG Practice Agreement is in place:

  • the solutions are funded by the NHS for GP Contract holders
  • solutions will be determined by the commissioning CCG in collaboration with local practices from systems offered on frameworks in the DCS Catalogue or other applicable frameworks
  • non-Foundation Capabilities may be provided as an embedded part of the procured Foundation Solution at the supplier’s discretion. CCGs should determine which non-Foundation Capabilities are still required once the Foundation Solutions have been procured. Additional solutions for these capabilities may still be available and may be selected as enhanced items if they offer a greater level of functionality and more appropriately meet local need.

Accredited solutions are not contractually mandated for non-Foundation Capabilities but compliance with any standards attributed to the capability in this document should be considered essential.

Non-foundation capabilities available through applicable frameworks

Digital Diagnostics: Supports electronic requesting with other healthcare organisations. Test results can be received, reviewed and stored against the patient record. NB: this is additional to the pathology messaging already available through Foundation Capabilities.
Applicable framework: GP IT Futures or other applicable framework.

Document Management: Supports the secure management and classification of all forms of unstructured electronic documents, including those created by scanning paper documents. Also enables processing of documents and matching documents with patients.
Applicable framework: GP IT Futures or other applicable framework.

GP Extracts Verification: Aggregated data is extracted from practice Clinical Systems via the General Practice Extraction Service (GPES) and sent to the Calculating Quality Reporting Service (CQRS). Calculations performed by the CQRS determine how much money a general practice should be paid for National Services. The data extracted in this process is based on information recorded in individual patient records. The GP Extracts Verification Capability provides practices with reports and search tools to establish which patients will be, or have or have not been, included in these payment extracts and calculations. These reports and tools will ultimately support data quality investigations and improvements.
Applicable framework: GP IT Futures or other applicable framework.

Scanning: Supports the conversion of paper documentation into digital format, preserving the document quality and structure. Note: requires compatible scanning hardware as an enabler.
Applicable framework: GP IT Futures or other applicable framework.

Communication Management (patient-practice): Supports the delivery and management of (two-way written) communications between patients and practice staff. Note: may require as an enabler electronic messaging for direct patient communication (for example SMS) or NHS Mail.
Applicable framework: GP IT Futures or other applicable framework.

Online consultations (patient-practice): Enables patients to access support from health and care professionals, across a range of settings, online without the need for a face-to-face encounter. Includes triage and consultations. Note: this may also fulfil the above requirement for communications.
Applicable framework: DFOCVC framework.

Video consultations (patient-practice): Enables patients to access support from health and care professionals, across a range of settings, using video conferencing. Includes triage and consultations.
Applicable framework: DFOCVC framework.

Patient facing capabilities

These must be available to patients through accredited solutions from the GP IT Futures Framework and through the NHS App. Foundation Solution suppliers may choose to embed these capabilities in their Foundation Solution.

Additional accredited solutions to meet these capabilities may also be commissioned centrally and made available directly to practice patients or commissioned locally.

Appointments management: Enables patients to manage their appointments online. Supports the use of appointment slots that have been configured in the GP appointments management system.

Prescription ordering: Enables patients to request medication online and to manage their preferred and nominated pharmacy.

View record: Enables patients to view their patient record online. Includes viewing of full record, clinical and administrative documents and pathology and radiology test results by patients and patient proxy.

Update details: Enables patients to use an online method to inform their practice of a change of address, contact details or demographic information, including ethnicity.

Update record: Shared record access, including patients being able to add to their record.

These capabilities are in addition to the online and video consultation and the two way secure communication capabilities described previously.

National digital services

Digital services and systems commissioned and provided nationally and available at no local cost to all NHS commissioned providers (where functionally appropriate). These are standard solutions with no element of local choice, the rationale for a national solution being based on a requirement for standardisation and consistency. Local alternatives should not be provided or used.

Responsibilities:

  • NHS Digital commissions and provides a number of National Digital Services.
  • CCGs will ensure availability of enablers namely infrastructure, equipment, training and deployment support for practices.
  • alternatives including local solutions should not be used and should not be funded by CCGs. In particular local solutions which do not meet the same security, safety and data quality standards must not be supported.
  • through the CCG Practice Agreement practices are required to comply with the supplier’s end-user terms and conditions accepted by the contract holder (for example NHS Digital).
  • practices will use these either as discrete systems or integrated with clinical systems as appropriate

Accredited clinical system developers will integrate with these as specified through the Digital Care Services (DCS) Catalogue. 

Personal Demographics Service (PDS): The Personal Demographic Service (PDS) holds the demographic details of users of health and care services in England, including name, address and NHS number. It is used to confirm the identity of patients, link care records, support communications with patients and support management of NHS Services.
Notes: Accessed through accredited Clinical System Capabilities.

Care Identity Service (CIS): CIS is a national electronic system that supports the identity verification of users, registering and issuing of NHS Smartcards and authentication when using national services such as PDS or SCR. Registration Authorities use the service to manage identities, Role-based access control (RBAC) and smartcard or other authenticator access to services.
Notes: Through NHS Spine Portal using Registration Authority issued NHS Smartcards.

NHS Care Identity Service 2 (CIS2): The evolution of the Care Identity Service. It will support international standards for authentication and access (including authentication over the internet and new authenticator types). Users will be able to undertake self-service registration to aid new user onboarding journeys. CIS2 is a national electronic system that supports the identity verification of users, and the registering and issuing of NHS Smartcards and other authenticators. Registration Authorities use the service to manage identities, RBAC and smartcard or other authenticator access to services.
Notes: Through NHS Spine Portal using Registration Authority issued NHS Smartcards.

Summary Care Record (SCR): An electronic record created from GP medical records. It can be seen and used by authorised staff in other areas of the health and care system involved in the patient’s direct care. There is a minimum core data set (medications, allergies and adverse reactions) but with patient consent, an enhanced SCR can now be created automatically to include additional patient data (for example significant medical history, immunisations, etc.).
Notes: Accessed through accredited Clinical System Capabilities.

GP2GP: This service allows patient electronic health records to be transferred directly, securely, and quickly between their old and new practices when they change GPs. This improves patient care by making full and detailed medical records available to practices, for a new patient’s first and later consultations, and significantly reduces the need to print records.
Notes: Accessed through accredited Clinical System Capabilities.

Electronic Prescribing Service (EPS): Enables the electronic transmission of prescriptions to community pharmacies.
Notes: Accessed through accredited Clinical System Capabilities.

NHS Mail: NHS Mail is the secure email service approved by the Department of Health and Social Care for sharing patient identifiable and sensitive information. NHS Mail, messaging, and sharing can be accessed by any organisation commissioned to deliver NHS healthcare or related activities. Instant messaging and presence are part of core functionality.
Notes: Directly by individual practice staff members through the NHS Mail portal or MS Outlook configured to access NHS Mail.

NHS E-Referral Service (e-RS): The e-RS combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online.
Notes: Accessed through accredited Clinical System Capabilities or directly.

Calculating Quality Reporting Service (CQRS) and GP Extraction Service (GPES): The General Practice Extraction Service (GPES) collects information for a wide range of purposes, including providing GP payments. It works with the CQRS and GP clinical systems as part of the GP Collections service.
Notes: Accessed through accredited Clinical System Capabilities.

Spine: The Spine allows information to be stored and shared securely through national services such as the EPS, SCR and the e-RS. This is done through an integrated clinical system or through the Spine portal. The Spine supports a high number of registered users and can handle large-volume messaging rates with fast response times.
Notes: Accessed through accredited Clinical System Capabilities.

Message Exchange for Social and Health Care (MESH): The service supports both clinical and business encrypted data flows in supplier applications via a central MESH server located within the Spine Core Messaging Service.
Notes: Accessed through accredited Clinical System Capabilities.

GP Connect Products (delivered by Direct Care APIs Programme): GP Connect products are a series of APIs which allow authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently.
Notes: Accessed through GP IT Futures accredited clinical system capabilities and other third-party clinical systems.

Interface Mechanism (IM1) Pairing: Pairing integration is the process that allows suppliers to integrate their system with any principal GP clinical system through an interface mechanism.
Notes: Accessed through GP IT Futures accredited clinical system capabilities and other third-party clinical systems.

NHS App: The NHS App provides a simple and secure way for people to access a range of NHS services on their smartphone or tablet including:
Notes: Directly by patient. If their GP practice is connected, patients can register and verify their identity. The NHS App is available to the public on Google Play and Apple app stores.

NHS Login: NHS login is a single, easy-to-use system for verifying the identity of people who request access to digital health records and services, including the NHS App.
Notes: Directly by patient. Most people aged 16 or over will be able to verify their identity and register through NHS login.

Data Security and Protection Toolkit (DSPT): The DSPT is an online self-assessment tool that all organisations must use if they have access to NHS patient data and systems. It replaced the previous Information Governance (IG) toolkit. It enables practices to measure and publish their performance against the National Data Guardian’s (NDG) ten data security standards.
Notes: Directly by individual practices.

Data Security Awareness Training: The topics covered are:

  • introduction to data security awareness
  • introduction to the law
  • data security – protecting information
  • breaches and incidents
Notes: Directly online by individual practice staff members through e-learning for healthcare.

GP IT enabling requirements

Digital technologies and services necessary to support (i.e. enable the use of) National Digital Services, Foundation Solutions and other solutions selected to meet the Essential Clinical System Capabilities as needed to deliver the primary care services under the GP Contract or as otherwise nationally mandated. Under the CCG Practice Agreement these are funded by NHS for eligible contractors.

Unless funded nationally, meeting these enabling requirements will be the first call on GP IT revenue funding within CCG primary care allocations, or for IT equipment and infrastructure assets on GP IT Capital funds. The scope of the enabling requirements is determined by the solutions selected to meet the Essential Clinical System Capabilities and the National Digital Services.

Locally commissioned enabling requirements will be extended to include the support necessary to enable those Enhanced Requirements commissioned.

As commissioner the CCG is responsible for selecting these enabling requirements but is expected to work with local practices in doing this.

Accredited solutions are not contractually mandated but compliance with any standards attributed to the capability in this document should be considered essential. The use of an applicable national framework with underpinning standards such as Health Services Support Framework (HSSF) (see Appendix C) will assist CCGs in that compliance.

Effective commissioning of GP IT

Requirement: The commissioning of GP IT services by the CCG to meet GP IT Enabling Requirements. This is an internal CCG function, although CCGs may share or collaborate on this work.
Specialist Support Services: The CCG Practice Agreement:

  • must be signed with all practices
  • must be reviewed in the event of significant changes to either party for example organisation merger
  • appendix 1 schedules require review not less than every 12 months
  • references (for example as links) to be provided to data processing agreements in appendix 1 schedules

GP IT commissioned (enabling) services:

  • must meet required organisational standards
  • must be procured to required standards (for example SFIs)
  • should be subject to regular service review of performance and suitability for requirements of local general practice

CCGs will have a budgeted plan for annual investment meeting the Core and Mandated Requirements and the Enhanced Requirements for GP IT – this should include GP IT enabling services, infrastructure and equipment.

Practice Responsibilities: To sign and comply with the CCG Practice Agreement.
Applicable Standards: Where GP IT services are commissioned and contracted, there will be:

  • robust and clear service specifications demonstrating alignment with this schedule of requirements
  • formal SLAs in place
  • identified and agreed KPIs
  • regular performance reviews
  • issue management and escalation arrangements agreed and clearly documented
  • formal complaints management procedure
  • a communication plan regarding the services provided through this Operating Model for all practices
  • a Data Processing Agreement (DPA) where required
  • compliance with the organisational standards referenced in this document

The use of a suitable framework with underpinning standards such as Health Services Support Framework (HSSF) (see Appendix C) is recommended.

As required under the CCG Practice Agreement:

  • carry out practice IT reviews
  • where local IT and system performance issues are identified, individual practices can request an additional service and infrastructure review.
Applicable Guidance: CCGs are advised to use the GP IT Specification Commissioning Support Pack in the procurement of GP IT services and in the ongoing review of GP IT services with current GP IT Delivery Partners.
Other Controls: Where CCGs choose to provide some or all of these GP IT Enabling Requirements internally, whether solely, as a CCG consortium or as a local shared service, CCGs must put in place sufficient arrangements and safeguards to ensure the services provided meet the range and standards described in this Operating Model.
Assurance: DPCMAT IND20.0, IND21.1, IND24.0, IND150.1, IND150.2, IND155.0, IND157.0, IND174.1

GP IT support service desk

Requirement: GP IT support service desk for all users which provides:

  • triage
  • incident management
  • problem management
  • request management
  • SLA reporting
  • access to notify and escalate high severity cyber or data security incidents
Transactional Services: Service availability – Operational support hours

An ITIL-aligned or equivalent management process for:

  • incidents
  • problems
  • requests
  • change control

Access channels – there must be at least TWO of the following access routes available:

  • a single telephone number for logging calls
  • a single email address for logging calls
  • a web portal for logging and managing calls
  • an App for logging and managing calls

It must be possible to log a call using at least one of these methods 24 hours a day, 7 days a week. Practices must be able to track the progress of logged calls/requests/incidents through any of these routes.

To improve efficiency and responsiveness the service should include secure remote access to desktop PCs, subject to end user consent, for diagnostic and resolution purposes, including the management of remote working solutions.

The service must have clear and agreed priority incident categories, with minimum response and target fix times to ensure the safe and effective operation of GP digital services.

  • All calls are prioritised to the agreed standard, in conjunction with the person reporting the incident. A minimum standard should be agreed for percentage of incidents resolved on first contact or within an agreed timeframe from call logging.
  • Where third-party support is required for incident or problem management, there is a robust and effective resolution plan in place with agreed responsibilities, led by the GP IT service desk provider. This will include NHS 111-GP Connect issues reported to the service desk. Supported software and hardware will be scoped through the Summary of Services (Appendix 1) in the CCG Practice Agreement.
  • Where third-party support is not available for required incident or problem management (for example outside third-party support hours), the end user (practice) will be advised on timescales and any practical workarounds. The GP IT Service desk provider remains responsible for the incident until the third party can take action to resolve it.

Availability: High severity incident support

Access must be available for out of hours High Severity Incident alerting, logging and escalation in accordance with the approved business continuity and disaster recovery plans. This may not operate in the same way as support during operational service hours and response will be appropriate to the impact of the incident and the GP IT Delivery Partner’s Business Continuity and Disaster Recovery Plans. 

Specialist Support Services: Service availability – Standard service hours

  • SLA reporting
Applicable Standards:
  • ISO 20000 – IT Service Management Standard
  • an ITIL-aligned or equivalent management process for: incidents, problems, requests
Applicable Guidance:
  • Recommendation: the local SLA is based upon an agreed managed IT device volume
Assurance: DPCMAT IND28.0, IND26.0, IND90.1

GP IT equipment asset management

Requirement: The asset management and disposal of all NHS owned GP IT equipment.
Out of Scope: GP IT equipment not NHS owned.
Transactional Support Services: Availability – Standard Service Hours

All NHS Owned GP IT equipment:

  • must be recorded in an accurate asset register
  • is subject to an approved GP IT equipment reuse and disposal policy and procedure – using authorised compliant contractors
  • on disposal must be recorded in an auditable log – this will include date of disposal, method of disposal and data destruction certificate (when the item has data storage capability)
Specialist Support Services: All disposal must be carried out by authorised contracted specialist IT hardware disposal organisations (meeting standards listed below).

Develop and maintain a local IT equipment reuse and disposal policy.

Systems and applications: Software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS owned GP IT equipment.
Practice Responsibilities: To provide consumables (for example for printers) and other operating requirements to any standard specified in the local Warranted Environment Specification or as otherwise specified by the manufacturer of the equipment.

NHS owned GP IT equipment does not need to be individually insured under practice policies (contents insurance); however, the practice should take reasonable steps to ensure the physical security of the equipment, protecting against loss, theft or damage.

To ensure environmental requirements are met, for example air-conditioning, fire suppression and power supply, for NHS owned IT equipment on practice premises.

Practices are responsible for the secure disposal of any practice owned IT equipment. Practices are advised to seek specialist advice (from the commissioned GP IT Delivery Partner) on secure disposal of such IT equipment. CCGs may at their discretion offer practices the use of their commissioned GP IT Equipment disposal services.

Applicable Standards
Other Controls
Assurance: DPCMAT IND36.0, IND38.0

Software licence management 

Requirement: All software and operating systems installed and operated on managed GP IT equipment will be licensed and managed.
Transactional Support Services: Availability – Standard Service Hours:

  • allocation and control of available licences
  • procurement of additional licences
  • maintain licence register
Specialist Support Services: Availability – Standard Service Hours:

  • development and maintenance of a local Warranted Environment Specification (WES)
  • specialist support is available for Windows 10 and Advanced Threat Protection (ATP) deployments
Systems and applications: All software (including operating systems) used on Managed GP IT Infrastructure must be approved and recorded on a software licence register, which must confirm that the software is appropriately and legally licensed for such use and does not present a cyber security risk.

A supported operating system and browser, compliant with the local WES.

Specific software requirements:

  • software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS owned or managed IT equipment
  • anti-virus software (for example ATP)
  • encryption software
  • effective patch and upgrade management for operating systems
  • PC Windows Operating Systems must be at least Windows 10 (supported version)
  • Identity Agent (for NHS Smartcards)

Microsoft Office will be provided on NHS owned devices through Microsoft Office 365 for the NHS licences until 31 March 2023. CCGs should make plans for office functionality after this date.

NHS funded applications and software licences are provided for use on Managed GP IT Devices. Their use on other devices, including personal devices, must be approved by the CCG, or by their commissioned GP IT Delivery Partner on the CCG’s behalf. Particular attention should be given to ensuring that (i) patient identifiable data does not become accessible from unmanaged and potentially insecure IT infrastructure, and (ii) the end user conditions of use for the licence and/or application are complied with.

Applicable Standards: NDG standard 8
Applicable Guidance: Respond to alerts from the NHS cyber alert service (formerly Care CERT)
Assurance: DPCMAT IND37.1
Timescales: Participating CCGs must fully implement all elements of Microsoft Office 365 for the NHS licensing for general practices by no later than 13 October 2021 in accordance with the Microsoft Office 365 for the NHS Participation Agreement. The agreement will then run until 30 April 2023.

CCGs should start planning for the impact on Office application use in practices after 30 April 2023 when the current NHS Participation Agreement ends. These plans should reflect NHS policy and guidance as it becomes available.

Registration Authority

Requirement: A Registration Authority is a function, usually within an NHS organisation, that carries out the identity checks of prospective NHS Smartcard users and assigns an appropriate access profile to the health professional’s role as approved by the employing organisation.

NHS Smartcards or other approved authenticators are required to access NHS Spine information systems and registration authorities’ roles and responsibilities are defined by NHS policy.

Where new authenticators are reviewed and approved, the Registration Authority function will continue to support issuance of approved alternatives. Given the standards basis of these authenticators, it is likely that they will place a greater emphasis on user behaviour when using the authenticator, i.e. users will need to closely manage how they use their authenticator and log out of sessions when leaving a PC unattended. Ensure general practices are aware of their obligations under the Care Record Guarantee to protect patient data, and not to leave sessions unattended.

Transactional Support Services: Availability – Operational Support Hours:

  • unlocking of NHS Smartcards
  • Position Based Access Control (PBAC) configuration

Availability: Standard Service Hours:

  • issuing of NHS Smartcards (including ID checks, printing, etc.)
  • provide practices with a facility to notify the RA service provider when practice staff leave the practice organisation or no longer require RA access to the practice, and ensure access is removed within the agreed performance standards for user account management
  • deprecation of old NHS Smartcards: remove all series 3, 4, 5 and 6 NHS Smartcards by March 2023
  • locally support the target to deprecate the current Care Identity Service (CIS), which will be replaced by the NHS Care Identity Service 2 (CIS2), by September 2023
Specialist Support Services: Availability – Standard Service Hours:

  • Registration Authority service including policing ‘Access Policy’ and the delivery and management of role-based or position-based access control and issuing of NHS Smartcards.
  • training of practice RA managers and sponsors
  • training and awareness of how to use new authenticators and the risks when users don’t manage sessions appropriately
  • support for software to access national systems (for example Identity Agent, CIS, CIS2)
  • ensure adherence to access security policy
  • advise practice RA managers and RA sponsors on configuration of business functions, completion of documentation and use of RA systems (for example resetting PINs)
  • involvement in national project roll out, such as attendance at project boards to support project delivery
  • production of RA reports
  • support the new Self Service Registration process – allowing new users to self-register in their own time, saving clinical and RA time
  • utilise the new improved User Registration Service. This will aid workflow, integration with other services and improved RA reporting and capabilities.
Systems and applications: Identity Agent, CIS, CIS2.
Practice Responsibilities:
  • practices are responsible for determining which practice staff and other organisation staff can access practice data and system functions, and the (system) role of that staff member, through the Registration Authority process.
  • practice staff access to all systems processing patient identifiable data is regularly reviewed and updated by the practice using the NHS RA service (or other local practice access controls).
  • designation of RA manager for the practice.
  • ensure practice staff are aware of their obligations under the Care Record Guarantee to protect patient data, and not leave sessions unattended. As new authentication technology arrives for use, particularly with new market entrants there will need to be a re-emphasis on training and awareness of how to use new authenticators and the risks when users don’t manage sessions appropriately.
Applicable Standards
Applicable Guidance

NHS Mail administration and support

Requirement: The local administration of NHS Mail accounts. NHS Mail is provided to all practices as a National Digital Service.
Out of Scope: National NHS Mail Service Desk; support for email solutions other than NHS Mail.
Transactional Support Services: Availability – Standard Service Hours:

  • creation and deletion of user and email accounts
  • password resets, account unlocking etc
  • setting up shared mailboxes and enabling distribution lists.
Specialist Support Services Availability – Standard Service Hours:

  • providing local administrator (LA) support, for example for NHS Mail access and support, and support for migration from local email services to NHS Mail
  • provide practices with a facility to notify the GP IT Delivery Partner when practice staff leave the organisation or no longer require NHS Mail access, and ensure access is removed within the agreed performance standards for user account management.
Practice Responsibilities NHS Mail is the primary email system for practices.

Practices are responsible for authorising creation and removal of NHS Mail accounts belonging to their practice organisation within NHS Mail.

Practices are responsible for ensuring the security of any data held in practice staff NHS Mail accounts under the practice organisation, and for the correct removal or archiving of such data when any practice staff member leaves the practice.

Practices will have at least one securely managed and frequently monitored (at least once daily) NHS Mail account to receive clinical documentation.

Practices should ensure practice staff follow the NHS Mail Acceptable Use Policy and advice on cyber security in their use of NHS Mail, e.g. on phishing, spam etc.

Practices must ensure personal, sensitive or confidential information is never sent by NHS Mail unless it is sent to another NHS Mail account or an email account with the same security accreditation standards, OR as an encrypted email if sent to a non-secure email address. Where NHS Mail is used as part of two-way written communications with patients, encryption must be used.

Applicable Standards
Applicable Guidance

Essential infrastructure

Requirement The provision, maintenance and technical support of the necessary infrastructure to deliver core and mandated GP IT services.
Out of Scope HSCN-GP

WiFi-GP

Transactional Support Services Availability – Operational Support Hours:

  • through GP IT Service Desk
  • break/fix incident and problem resolution
Infrastructure Availability – Standard Service Hours

Provision, maintenance and technical support of the necessary infrastructure to deliver core and mandated GP IT capabilities, to include:

  • network connectivity and access to core GP IT services at point of care, including main to branch site(s) connectivity
  • local network services, including equipment, structured cabling and support
  • interface between locally managed networks and HSCN-GP, nationally managed services (e.g. Windows Managed Services), Legacy N3 and community partner networks
  • file management, data storage and hosting services for core services
  • provide access to secure, resilient off-site data storage facilities for all practice electronic patient identifiable and clinical data other than that stored in the Digital Care Services (DCS) Catalogue clinical systems and NHS Mail, as required to deliver clinical services, to a standard not less than tier 3 data centre OR compliant with “Health and social care data: off-shoring and the use of public cloud services guidance”. Note that off-site storage arrangements made under the Privacy Shield may now require review. Data controllers and processors should ensure that any data transfer follows the latest ICO guidance and advice. Ensure adherence to policy advice as issued to ensure such data centres minimise their environmental impact and support the NHS drive to reach Net Zero.
  • maximum use should be made of best practice to reduce costs and increase efficiency such as cloud hosting services, server virtualisation and storage area networks
  • all backups of shared data storage are configured and executed to support compliance with the data backup and recovery procedure to allow the agreed Recovery Point Objective (RPO)
  • where practices choose to use VoIP telephony CCGs should provide advice and technical support regarding the use of practice network infrastructure and if applicable HSCN connections. Individual practices remain responsible for the cost of their telephony services including any additional infrastructure costs.
Practice Responsibilities See General Practice Business Requirements.

Appropriate use of the infrastructure in compliance with the CCG Practice Agreement.

Applicable Standards
  • the GP IT Delivery Partner and any subsidiary service or infrastructure provider will operate to any prevailing NHS security standards, including the Data Security and Protection Toolkit or equivalent industry standard
  • tier 3 data centre
Applicable Guidance
Other Controls
  • HSCN connection agreements
Assurance DPCMAT: IND39.2

HSCN-GP

Requirement All practice premises are required to have appropriately sized HSCN connectivity capable of supporting their current and future business needs. Further information on connectivity types can be found on the NHS Digital website.

  • all future procurements for network connectivity to existing and new practice premises are required to provide gigabit capable connectivity which is usually delivered either as Fibre to the Premises (FTTP) services or Ethernet leased-line services where available
  • re-procurement of HSCN contracts should take place at end of term to ensure continued value for money and enable practices to take advantage of new technology
Out of Scope Encryption and protection of patient and sensitive data at the application layer

Local network infrastructure

Transactional Support Services Availability: Operational Support Hours

  • through GP IT Service Desk to 3rd party (HSCN Consumer Network Service Provider)
  • break/fix incident and problem resolution
Specialist Support Services Availability: Standard Service Hours

  • commissioning of HSCN services for practices
  • NHS Digital provides a central service coordination function to monitor CN-SP and network performance and coordinate response to high severity service issues.
Infrastructure
  • HSCN is the essential underlying network infrastructure that underpins the use of digital technology in the NHS
  • networking services: management and support for provision of HSCN connectivity and interim legacy Transition Network services, including connections to main and branch practice sites as per national entitlement
  • the HSCN Peering Exchange provides the highly available points of interconnection for the HSCN CN-SPs and the Transition Network
Systems and applications
  • Advanced Network Monitoring (ANM) monitors and filters all Internet traffic from HSCN providing an advanced malware detection and prevention capability
  • Network Analytics Services – monitors network flow metadata from HSCN to provide advanced threat detection and analytics to the NHS Digital Data Security Centre
  • where possible HSCN connections should be utilised to support hosted VoIP telephony. Practice premises would need to be served by an HSCN connection that has sufficient bandwidth and is capable of a basic level of Quality of Service to support the prioritisation of VoIP traffic. Each individual CN-SP can advise on these requirements. Prior to HSCN connections being used for the VoIP telephony system the CCG (its commissioned GP IT Delivery Partner) and HSCN provider (CN-SP) will review (i) existing data services, for example bandwidth, (ii) changes required to practice premises network infrastructure to support security and Quality of Service (QoS) for satisfactory performance of both the telephony service and the practice Foundation Clinical System, and (iii) with the practice, any other requirements for business continuity, for example a local SIP service in case of HSCN connection failure. Individual practices remain responsible for the cost of their telephony services including any additional infrastructure costs. Practices may choose, at their expense, to install and use a dedicated connection in preference to HSCN and rely on HSCN for backup telecoms connectivity.
Practice Responsibilities Ensure their practice is covered by an HSCN Connection Agreement signed on their behalf by the appropriate CCG.
Applicable Standards
Applicable Guidance
Other Controls
  • HSCN customer Connection Agreements
  • Consumer Network Service Providers (CN-SP) Compliance documents required by NHS Digital
  • Local contracts between commissioners such as CCGs and CN-SPs
  • If shared, local arrangements with partners (e.g. support and any associated funding)
Service Availability 99.95% minimum availability (as per ISO 27001)
Assurance Suppliers of HSCN services (Consumer Network Service Providers, CN-SP) are assured and accredited by NHS Digital as being compliant with HSCN standards.

The CN-SP has to demonstrate that the network solution provided to the consumer is correctly configured, allows the appropriate routing to the agreed HSCN end points and supplies the agreed capacity to the HSCN Consumer.

It is important that access to any national and local applications used by a site are identified and tested as part of migration.

Desktop infrastructure

Requirement A desktop device support service, which includes provision and maintenance of the Managed GP IT Device estate.

All practice staff who require access to digital capabilities to carry out their role will have access to a desktop or laptop computer, with access to the Foundation Solutions, at locations within the practice premises where they work.

Where practice staff access desktop computers and laptops in patient facing environments they will, as operationally required, have access to local and networked printing facilities within the practice premises.

Transactional Support Services Availability – Operational Service Hours:

  • installation and support of all desktop computers and peripheral equipment related to core GP IT services
  • installation and support of all approved standard software and applications on desktop computers
  • anti-virus and malware protection (using Windows ATP), access management and port control on all Managed GP IT Devices
  • encryption to NHS standards on all mobile/portable devices (NHS Digital: Data Security Standard 9: IT Protection)
  • remote desktop support management available to 100% of workstations
Specialist Support Services Availability – Standard Service Hours:

  • defined and documented standardised desktop image(s), with a formal change control management system
  • compliance testing and installation of standard software products
  • compliance testing of software upgrades with NHS National Digital Services
  • development and maintenance of a local Warranted Environment Specification (WES) to include (i) minimum specifications for hardware to be used locally (ii) any required standards for operating and maintenance consumables needed for the hardware e.g. printers.
Infrastructure
  • the GP IT infrastructure estate provided to practices includes desktop computers, laptops, printers and other equipment, as necessary for the practice to operate the digital services listed in the schedule: Appendix 1 – Summary Of Services within the local CCG Practice Agreement. Such equipment should be available subject to availability of funds, and reasonable and fair practice use. Equipment required specifically for diagnostic or treatment purposes, for example specialist cameras, physiological measurement devices and IT equipment defined under General Practice Business Requirements, is excluded from this requirement to provide
  • an agreed desktop Warranted Environment Specification (WES) which, as a minimum, meets the Spine WES and the relevant clinical system requirements
  • user desktop devices (workstations and laptops) must be locked down and well managed, with advanced tools, processes and policies in place to support diagnosis, repair and updates. Unauthorised users must not be able to install unlicensed and unauthorised software or change critical settings
  • all (Windows) Managed GP IT Devices must use Windows 10 as the minimum operating system, managed through the Windows Managed Service, which must include Advanced Threat Protection (ATP) installed, operational and attributed to the responsible organisation (CCG). Any configuration exceptions, for example earlier versions of Windows, or exclusions of folders or files from scanning, must be based on a documented local risk assessment (carried out as part of the cyber security service). A custom support agreement (CSA) must be in place (at local cost) for any Managed GP IT Device(s) still required to use versions of Windows beyond their end of support dates, where this is for an unavoidable specified purpose
  • the CCG will have a budgeted plan for desktop GP IT equipment refresh which includes desktop PCs, laptops, monitors, scanners, smartcard readers, printers including dual bin feed printers for consulting rooms and front desk/office areas as necessary
  • the CCG will ensure a continual refresh programme which identifies and replaces hardware subject to availability of funds where it has reached its service life.
  • GP IT Equipment would be expected to be funded through NHS Capital funds, although CCGs are free to use other appropriate funding sources
  • a local IT refresh and replacement plan will define equipment standards, availability for practices (where appropriate by practice type, size, clinical system etc) and target service life by equipment category
  • the refresh service will include assessment, procurement, rollout, asset tracking and secure disposal (see above)
  • in support of the commitment to deliver a ‘Net Zero’ NHS, investment in desktop infrastructure should minimise energy usage, including (i) power saving on IT devices and (ii) optimising equipment life cycle (for example with Virtual Desktop Infrastructure (VDI)) to reduce manufacturing energy costs.
Systems and applications
  • software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS managed infrastructure
  • the capability for the central control of desktop security, patch control, access and software installation across the managed GP IT estate
  • remove old versions of the IA Client from all Managed GP IT Devices replacing with v2.3+
  • install new desktop components when required to support new NHS applications and services that support NHS Care Identity Service 2 (CIS2).
Practice Responsibilities
  • to provide consumables e.g. for printers and other operating requirements to equipment manufacturer’s standard or to any standard specified in the local Warranted Environment Specification
  • software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS managed infrastructure
  • to ensure the physical security (protecting against loss, theft or damage) and power supplies for NHS-owned IT equipment on practice premises
Applicable Standards
Applicable Guidance
Assurance DPCMAT: IND14.0, IND15.0, IND34.0, IND58.0

WiFi-GP

Requirement Secure, stable, and reliable WiFi access for practice staff and patients in all supported practice premises.

WiFi-GP is an overlay service which enables patients to access online services, including the internet (subject to filtering), free of charge within practice premises.

Practice staff, together with other clinicians, can access the local NHS network.

There is a capability for supporting roaming.

Out of Scope Any end user or patient chargeable services arising from the use of the service.
Transactional Support Services Availability – Operational Service Hours:

  • adequate support arrangements as outlined in the NHS WiFi-GP Technical and Security Policies and Guidelines are in place
Specialist Support Services Availability – Standard Service Hours:

  • provision of usage information to CCG commissioners
Infrastructure Appropriate WiFi-GP services for practices ensuring:

  • a secure, stable, and reliable WiFi capability within practices
  • national WiFi-GP security standards are followed
  • WiFi-GP service usage does not impact on core Practice activities in particular performance of GP IT Futures Foundation Solutions and NHS national systems

There is compliance with NHS data security and protection requirements, including appropriate content filtering.

Systems and applications
  • software, browsers and operating systems not supported or maintained by the supplier or unsupported devices must not be used to access the “corporate” WiFi-GP network in the practice
  • a WiFi landing page
Applicable Standards
  • NHS WiFi-GP Technical and Security Policies and Guidelines
  • locally agreed Acceptable Use Policies must be in place which should cover all the wireless network services provided, including Guest and Bring Your Own Device arrangements
Applicable Guidance
Other Controls
  • local contracts with commissioners such as CCGs
Assurance DPCMAT: IND171.0

Remote access

Requirement Practice staff have secure access outside the practice premises to the Foundation Solution and other Essential Clinical System Capabilities as necessary to support clinical consultations and access to other core digital services for example email. This includes any necessary mobile and remote access IT infrastructure. The options for remote access are described below.

To support resilience and business continuity requirements, the service(s) provided should be able to support at least 60% of normal operational capacity working remotely.

Out of Scope
  • any remote access solutions not part of the Managed GP IT Infrastructure
  • internet connectivity for example Broadband connections delivered into private homes or other places which are not Practice Premises
  • telephony access (see separate requirements)
  • mobile data and voice connectivity to equipment which is not a Managed GP IT Device
  • health and safety (including DSE and PAT) regulations for remote and home working
Transactional Support Services Availability: Operational Service Hours

Provision, maintenance and technical support of the necessary technology and supporting infrastructure to deliver remote access to the clinical system for consultation purposes.

Where Managed GP IT Devices are provided:

  • the use of mobile computing systems is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access, supporting Data Security Protection Toolkit (DSPT) requirements for general practice
  • this includes provision, maintenance and return to base support of software and managed infrastructure including mobile devices necessary to support clinical system access
Infrastructure Availability -Standard Service Hours

The Remote Access solution will be provided through either of the following options, or a combination of both:

Option 1

A Managed GP IT Device (for example laptop or desktop or other endpoint) with all software necessary for the role (as native application or in a Virtual Desktop Infrastructure (VDI) service) together with a means of secure VPN access and a smartcard reader.

Where Managed GP IT Devices are provided

  • mobile devices must be locked down and well managed, with advanced tools, processes and policies in place to support diagnosis, repair and updates. Users must not be able to install unlicensed or unauthorised software or change critical settings
  • encryption to NHS standards on all mobile/portable devices (NHS Digital: Data Security Standard 9: IT Protection)
  • connections between mobile/portable/remote devices to HSCN and the practice clinical system using public network services (internet) must be encrypted to approved NHS standards

Refresh Programme (for Managed GP IT Devices)

  • the CCG will have a budgeted plan for mobile device refresh
  • the CCG will ensure a continual refresh programme which identifies and replaces mobile devices where they have reached the end of their service life
  • a local IT refresh and replacement plan will define mobile equipment standards, availability for practices (where appropriate by practice type, size, clinical system etc) and target service life by equipment category
  • the refresh service will include assessment, procurement, rollout, asset tracking and secure disposal

Option 2

Using staff personal devices (also known as “Bring Your Own Device” – BYOD)

Where personal devices/BYOD are used

  • a virtual desktop infrastructure (VDI) service will be provided allowing access to the Foundation Solution and other Essential Clinical System Capabilities as necessary with a means of secure VPN access and a smartcard reader
  • NHS applications approved for use over the public internet (for example web-accessed NHS Mail, not a local email program such as Outlook) may be used
  • when used within practice premises BYOD equipment may only connect to the Managed GP IT Infrastructure using the Public WiFi-GP service
  • smartcard readers should be provided as required
  • an assurance process must be in place to ensure the personal devices are sufficiently secure, including broadband firewall, secure WiFi, anti-virus software, dedicated user account, patch management and operating system updates
  • Mobile Application Management (MAM) and Mobile Device Management (MDM) should be considered
  • a BYOD policy must be in place which includes cyber and data security, software licencing and ownership, data storage, support, data and security breaches, loss of device, and termination. Staff cannot be mandated to use their personal devices for NHS purposes.

Remote access solutions must not be used which bypass or otherwise reduce the effectiveness of the security measures provided within the Digital Care Services (DCS) Catalogue Solutions, the National Digital Services and the Managed GP IT Infrastructure (including authentication using NHS Smartcard or any approved alternative/replacement). Specifically, the following remote access solutions should not be provided or supported:

Use of a personal device (laptop or desktop) accessing clinical systems using either:

  • client software installed on the personal device, or
  • desktop sharing software (i.e. Remote Desktop Protocol (RDP) or equivalent) to remotely access a host device, for example in the practice.
Systems and applications Software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS managed infrastructure.
Practice Responsibilities
  • compliance with NHS and local information security standards and policies
  • follow NHSE advice on using online consultations in primary care including (i) working collaboratively with local IT/technical teams to understand network issues, explore technology options and then with local Data Protection and Clinical Safety Officers for using technology within information governance, data security and clinical risk management guidelines (ii) robust measures for patient/carer verification and authentication are in place
  • ensure remote digital access to patient details and online, telephone or video consultations take place in a confidential environment. Access to the digital equipment used for these functions is controlled
  • Health and Safety (including DSE, PAT and WTD) Regulations include remote and home working (see Practice Business Requirements)
Applicable Standards
Applicable Guidance Recommendation: The local SLA is based upon an agreed mobile estate volume and/or number of remote access users.
Assurance DPCMAT: IND33.4, IND33.5, IND33.6, IND33.7, IND33.8, IND33.9

Electronic messaging for direct patient communication 

Requirement Electronic messaging (SMS or equivalent) for direct patient communication.

The ability for practices to communicate short messages to patients for example:

  • reminders of forthcoming appointments
  • requests for patients to make an appointment for example: immunisations, routine reviews, blood test
  • notifications of ‘missed’ appointments (DNAs)
  • notifications of test results

Can support two-way secure electronic written (text) communication between patients and practices.

Out of Scope The use of electronic messaging for requirements other than above e.g. local surveys, is discretionary.
Transactional Support Services Vendor via local helpdesk.
Systems and applications Provision of electronic messaging functionality, i.e. SMS messaging or equivalent, for direct individual patient communication, to be utilised for clinical and associated administrative purposes.
Specialist Support Services Support for practices (through the IG and DPO service) for the preparation of DPIAs where required (see below) for electronic messaging. This may be provided as a shared activity across multiple practices.
Practice Responsibilities Where electronic messaging is used to support the processing of Special Category (Sensitive) Data including two-way communications between patients and the practice a DPIA should be completed and regularly reviewed.
Other Controls
Assurance DPCMAT: IND9.1

Controlled Digital Environment

Requirement The effective and secure management of the GP IT estate and GP digital services requires that there is an accurate and contemporaneous record of the digital environment and that the desktop estate can be updated and monitored centrally.
Out of Scope Practice Owned GP IT Equipment and Practice Managed GP IT Equipment which is not connected to the Managed GP IT Infrastructure e.g. photocopier, practice provided telephony system.

Personal devices.

Transactional Support Services Availability: Operational Service Hours

  • there must be the capability for the central control of desktop security, patch control, access and software installation for all desktops and laptops within the managed GP IT estate
  • provide practices with a facility to notify the GP IT Delivery Partner when practice staff leave the practice organisation or no longer require IT access, and ensure access is removed within the performance standards for user account management
Specialist Support Services Availability: Standard Service Hours

The CCG will ensure there is an accurate and contemporaneous record of the following:

  • IT hardware inventory and assets
  • software and software licences installed on devices within the managed IT estate
  • information systems, namely applications and data
  • premises where support services are provided, and Managed GP IT Infrastructure is used
  • supported organisations (practices and others)
  • support contracts
  • users and access accounts

All Managed GP IT Devices will be recorded individually on an electronic database. This will include a unique asset / serial number, location, date installed and planned replacement date. Low value accessory items (e.g. keyboards, mice) should be excluded. Where appropriate, items can be aggregated, for example mouse, keyboard and monitor, into a single recordable asset. All IT equipment with data storage must be included.

Managed GP IT Devices using the Windows 10 operating system (see Desktop Infrastructure) will be managed through the Windows Managed Service, which must include Advanced Threat Protection (ATP) installed, operational and attributed to the responsible organisation (CCG).

Applicable Guidance Where centralised technologies are deployed assurances should be sought to ensure that the security, performance and resilience of GP Foundation Solutions, other DCS Catalogue solutions and National Digital Services are not compromised.

Cyber Security

Requirement Cyber security management and oversight, including configuration support, audit, investigation, incident management and routine monitoring, relevant to the services and Managed GP IT Infrastructure:

  • protective technical and organisational measures to reduce the likelihood and impact of cyber security incidents
  • management of high severity cyber security incidents
  • oversight of management of low and medium severity cyber incidents
  • Disaster Recovery and Business Continuity plans for systems and infrastructure relevant to GP IT Services
  • supporting Practice Business Continuity Plans
Out of Scope Disaster Recovery and Business Continuity Plans for National Digital Services and for Digital Care Services (DCS) Catalogue Solutions will be managed nationally, although these should be referenced as third party services in plans produced under this requirement.
Transactional Support Services Availability – High Severity Incident Support:

  • GP IT support must include access for out of hours High Severity Incident alerting, logging and escalation in accordance with the approved business continuity and disaster recovery plans
  • cyber-attacks against General Practice services are identified and resisted
  • urgent out of hours contacts and communication routes for all practices and suppliers should be held by the CCG and regularly maintained. The MHRA Central Alerting System (CAS) using email and mobile phone text alerts for general practices may allow CCGs to fulfil this requirement for practice contacts. CCGs should ensure practices have registered for this service using a practice generic email account (not an individual account)
  • action is taken immediately following a cyber incident, with a report made to the senior management within the commissioning CCG and the impacted practice within 12 working hours of detection
  • significant cyber-attacks are to be reported in line with national guidance promptly following detection
  • for High Severity Incidents a Lessons Learned Report (with relevant action plan as appropriate) to be provided to the CCG within 2 weeks of the recorded resolution of the incident on the service desk
  • the Data Security Centre operated by NHS Digital offers a range of specialist services that help health and care organisations manage cyber risk and recover in the event of an incident
  • in the event of a national cyber incident being formally declared (e.g. by the NHS Digital Data Security Centre) all parties will fully cooperate and support the actions required by the NHS Digital and NHS England Emergency Preparedness, Resilience and Response (EPRR) team, (or any party with delegated authority). This may include providing urgent out of hours access to premises, digital systems and equipment
  • the CCG and its commissioned GP IT Delivery Partner(s) will ensure full cooperation in high severity cyber incident management and cyber related Business Continuity and Disaster Recovery Planning with any nationally commissioned organisation with geographical responsibility for coordination and management of high severity cyber incidents, as and when such a service is commissioned
Specialist Support Services Availability: Standard Service Hours

Infrastructure

A Cyber Security service will be available to all practices encompassing all Managed GP IT Infrastructure and systems to ensure:

  • provision of necessary IT security / cyber evidence to support DSPT for General Practice
  • audit and investigative services are available
  • specialist (cyber security) advice is available
  • there is a shared HSCN-GP security contact for practices

Monitoring through Active Directory to identify dormant accounts for practice staff and operate a process to archive and disable these. Provide practices with a facility to notify the GP IT Delivery Partner when practice staff leave the practice organisation or no longer require IT access, and ensure access is removed within the performance standards for user account management (NDG Standard 4).

CCGs must ensure there are appropriate governance arrangements for example policies, audits etc to provide assurance on the following:

  • administration access rights for Active Directory configuration and services relevant to the managed infrastructure used by the practice must be strictly controlled to a limited number of named and technically qualified individuals as part of the overall managed infrastructure management
  • administration access rights for Office 365 should align to those for Active Directory
  • administration access rights for network configuration and equipment (for example routers, switches, firewalls, wireless access points etc) must be strictly controlled to a limited number of named and technically qualified individuals as part of the overall managed infrastructure management
  • generic (i.e. not assigned to an individual) administrator accounts must not be used

Business continuity and Disaster Recovery Plans:

  • CCGs must ensure organisations providing GP IT services are contractually required to develop and maintain a business continuity and disaster recovery plan (for services relevant to General Practice IT provision). These plans must include responses to a high severity data or cyber security incident and must be based on a Recovery Time Objective (RTO) of not more than 48 (actual) hours for Essential Services
  • Business Continuity and Disaster Recovery plans should be regularly reviewed (at least annually) and refreshed. In the event of a major event when the plan(s) is utilised a review of the plan will be triggered
  • in the event of the Business continuity and/or Disaster Recovery plan being invoked where services relevant to GP Services were impacted (including IT security threats and incidents) the CCG should receive an initial report within 12 (working) hours of the incident and a full report including root cause and remedial actions within 2 weeks of the incident.

Practice Business Continuity Plans:

  • CCGs shall ensure business continuity plans are in place for all practices and are reviewed and approved as required under the CCG Practice Agreement
  • advice and guidance to support the development of the digital element of practice BC plans, will be available to practices when required
  • in the event of a practice Business Continuity Plan being invoked specialist technical support will be available.

Cyber alert notifications:

CCGs must ensure:

  • cyber alert notifications are acted on in line with suggested timescales. Action on high severity cyber alerts is evidenced through the NHS cyber alert service
  • confirmation is given within 48 hours that plans are in place to act on high severity cyber alerts
  • a primary point of contact for the CCG or its GP IT Delivery Partner to receive and coordinate your organisation’s response to Cyber alert notifications is registered

Note: Action might include understanding that an alert is not relevant to your organisation’s systems and confirming that this is the case.

On-Site Assessments

CCGs will ensure the commissioned GP IT Delivery Partner(s) co-operate with any on-site data and cyber security assessment carried out under NHS Digital’s Data Security Assessment programme, or provide evidence of equivalent assessments or certification to a cyber security scheme approved within the Operating Model.

Organisational Awareness:

  • CCGs must ensure their commissioned GP IT Delivery Partner(s) have allocated senior level (e.g. director or equivalent) responsibility for cyber and data security within their organisation
  • CCGs, as responsible commissioners of GP IT services, should have board level awareness of cyber security, including undertaking nationally recommended cyber security training
  • eligible organisations are encouraged to make use of NHS Digital’s Cyber Security Support Model services.

Supporting Projects:

Advice for practices and the appointed project teams on cyber security considerations where projects involve

  • change of Foundation Solution for the practice (including data migration activities)
  • significant estate developments and new builds
  • deploying new technologies

Infrastructure

  • the Managed GP IT Infrastructure should be subject to penetration testing to National Cyber Security Centre (NCSC) standards at least annually. The scope of the penetration testing must be agreed by the CCG SIRO (or equivalent officer) and must include (i) checking that the default password of network components has been changed (ii) all webservers, on the Managed GP IT Infrastructure, the practices utilise
  • Business Continuity arrangements for Managed GP IT Infrastructure must include the capability to isolate affected PCs from the network within no more than 48 (actual) hours of a cyber attack

Systems and applications

  • systems provided through Digital Care Services (DCS) Catalogue Frameworks have their own contracted service level specifications
  • National Digital Services have their own contracted service level specifications
  • password managers and single sign on (SSO) technologies can be provided or supported subject to prior security assessment. These tools where used should augment existing security and authentication controls and should not be used to bypass or reduce the effectiveness of accredited two part authentication controls (for example NHS Smartcards). NCSC provides guidance on password managers

Practice Responsibilities

  • each Practice must have a named partner, board member or equivalent senior employee to be responsible for data and cyber security in the practice. This requirement further defines practice obligations within the CCG Practice Agreement to identify the person with lead responsibility for IT matters in the Practice. The CCG as commissioner of GP IT services will be responsible for providing specialist support to this role but each practice remains accountable
  • practices will fully cooperate with an on-site cybersecurity assessment if invited to do so and will act on the outcome of that assessment, including implementing any recommendations where applicable to the practice
  • practices should provide urgent out of hours contacts and communication routes as well as access to premises, digital systems and equipment outside normal working hours
  • when a cyber security incident takes place the practice should quickly establish if a personal data breach has occurred (in accordance with GDPR Article 33, refer to Recitals 85, 86, 87 and 88 for further detail) and if so take prompt steps to report and manage this (see Information governance and support).
  • each practice will maintain a Business Continuity Plan (BCP) approved by the CCG which should include a response to threats to data security
  • assurance will be provided through the general practice Data Security and Protection Toolkit which each practice is required under the CCG Practice Agreement to complete annually
  • advice and guidance to support the development of the digital element of practice BCPs, will be available to practices when required
  • although fewer systems are now located within individual practice premises Business Continuity planning remains critical. Assurances are also required from any third parties, providing infrastructure and/or data processing services that they have robust Disaster Recovery Plans
  • all practice staff must complete annual NHS Data Security Awareness level 1 mandatory training.
Applicable Standards
Other Controls
Applicable Guidance
Assurance DPCMAT: IND2.0, IND181.0, IND182.0, IND183.1, IND176.0

Information Governance Support

Requirement Information governance support, guidance and advice to support practice compliance with common-law duty of confidence, records management, information security, Data Security and Protection Toolkit (DSPT), Data Protection Act 2018, GDPR and Caldicott standards and to ensure all devices and systems are managed and used in a secure and confidential way.
Out of Scope Legal advice
Transactional Support Services Availability: Standard Service Hours

Data Breaches

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

Any data breach (or near miss) of practice patient personal information will require actions by one or more of the following:

  • the individual practice as data controller
  • national NHS commissioned suppliers of GP digital services as data processor(s)
  • local CCG commissioned GP IT Delivery Partner as data processor AND as specialist support service to practice
  • local health and social care providers where data has been shared as data processors
  • any digital services supplier commissioned locally by the practice jointly or through a federation – as data processor

CCGs will ensure practices are supported with:

  • the provision of advice and/or support to practices on the investigation of possible information security breaches and incidents
  • advice on incident/breach assessment and reporting via the incident reporting tool within the Data Security Protection Toolkit (DSPT) to NHS England and reporting to the ICO (dependent upon severity of incident)
  • advice on assessment and reporting via the incident reporting tool within the DSPT to NHS England and the ICO (dependent upon the nature and severity of the breach)
  • advice on post-incident reviews and recommended actions for practice implementation
  • to lead or direct data breach reviews and investigations where highly specialist knowledge is required or complex multi–party issues are involved

CCGs will require commissioned GP IT Delivery Partners as data processors:

  • to take action immediately following a data breach or a near miss, promptly alerting the practice as data controller, with a report made to senior management within the CCG and the practice within 12 (working) hours of detection
  • report personal data breaches in line with NHS guidance (using the incident reporting tool within the DSPT) and GDPR (article 33) immediately following detection
  • provide a lessons learned report (with relevant action plan as appropriate) to the CCG within 2 weeks of the recorded resolution of the incident on the service desk
Specialist Support Services Availability: Standard Service Hours

IG policy support

Support for the production and maintenance of local information governance policies and procedures for practices. Provision of advice and support to practices on approval, ratification and adoption of the policies for their organisation.

Support for Data Security and Protection Toolkit (DSPT) compliance

Provide advice and guidance to practices on how to complete the DSPT, including the collection and collation of evidence in support of DSPT submissions. Provide practices with evidence required for DSPT where this is held by the CCG or its commissioned GP IT Delivery Partner(s).

IG consultancy and support

Provision of advice, guidance and support on IG related issues, including existing operational processes and procedures or new business initiatives. Advice and guidance on personal data access (but not extending to legal advice).

IG advice and Data Protection Officer (DPO) Support

Provision of advice, guidance and support on IG related issues, including existing operational processes and procedures or new business initiatives, to support practice designated Data Protection Officers. To include:

  • access for Practices during normal service hours to specialist qualified advice on GDPR matters
  • advice on compliance with GDPR obligations
  • advice reflecting national guidance on GDPR compliance as it is published
  • a review at least annually to identify and improve processes which have caused breaches or near misses, or which force practice staff to use workarounds which compromise data security. This may for example be a facilitated workshop at CCG level which would encourage shared learning
  • advice to support practices develop and maintain best practice processes that comply with national guidance on citizen identity verification, including “Patient Online Services in Primary Care – Good Practice Guidance on Identity Verification”, that underpins the delivery of patient facing services, and assurance requirements as these are developed
  • advice to support practices achieve mandatory compliance with the National Data Opt-Out policy

DPO Function

Availability of a named DPO, in addition to DPO support and advice, for practices to designate as their Data Protection Officer. Practices may choose to make their own DPO arrangements, but CCGs are not expected to fund these if a DPO service has been offered by the CCG.

Reviews

  • published NHS Digital Good Practice Guides will be reviewed and where applicable incorporated into commissioned GP IT Services.
  • support practices to review at least annually to identify and improve processes which have caused breaches or near misses, or which force practice staff to use workarounds which compromise data security. This may for example be a facilitated workshop at CCG level which would encourage shared learning.

Supporting Projects

Advice for practices and the appointed project teams on IG/DSP, data sharing, Data Protection Impact Assessment (DPIA) completion and cyber security considerations where projects involve:

  • change of Foundation Solution for the practice (including data migration activities)
  • new initiatives involving sharing patient data with third parties
  • merging practices
  • closing practices
  • significant estate developments and new builds
  • deployment of new technologies

This is not an exclusive list. Specialist support for projects beyond general advice for example preparing Data Privacy Impact Assessments should be resourced as part of the project plan.

Data Processing Activities

Data processing activities using general practice controlled personal data carried out by local CCG commissioned data processors will be identified and recorded in a data processing agreement in accordance with the digital services acquired and will be regularly reviewed.

Supporting local procurement

  • The use of the Digital Technology Assurance Criteria (DTAC) may be helpful in local procurement activities
Practice responsibilities Individual practices as contractors are responsible for:

  • reporting personal data breaches in line with NHS guidance (using the incident reporting tool within the DSPT) and GDPR (Article 33) where required, without undue delay and where feasible within 72 (actual) hours
  • managing data breaches and data breach near misses
  • communication of a “high risk” breach to individual patients as required under GDPR
  • the production, approval and maintenance of (and adherence to) their IG and IT security policies but support will be provided.
  • submitting a Data Security and Protection Toolkit (DSPT) return annually as required under the CCG Practice Agreement and responsibility for this lies solely with practice
  • designating their own Data Protection Officer (which can be shared) as required under GDPR legislation; any practice is entitled to decline the commissioned IG Advice and DPO service and make its own arrangements, although CCGs are not expected to fund this if these services have already been offered
  • nominating a person with responsibility for practices and procedures relating to the confidentiality of personal data held by the practice
  • completion by all practice staff of annual data and cyber security training
  • FOIA compliance
  • the regular review of internal processes. This should include a review at least annually to identify and improve processes which have caused breaches or near misses, or which force practice staff to use workarounds which compromise data security
  • understanding and complying with GDPR and the Data Protection Act 2018
  • mandatory compliance with the National Data Opt-Out policy

Individual practices are responsible for sourcing any legal advice required to support these activities.

Applicable Standards
Applicable Guidance
Other Controls
Assurance DPCMAT: IND158.0

Clinical Safety Assurance

Requirement Clinical safety assurance advice and support
Out of Scope The responsibility and burden of effort for Clinical Safety Assessment and assurance under DCB0129 rests with the system developer. This includes any third party software incorporated into the system. The requirement for this service is to secure assurance from system suppliers that this has been met during procurement or contract review stages.
Specialist Support Services Availability – Standard Service Hours

Ensuring that the necessary standards are met for management of clinical risk in relation to the deployment and use of health software.

Advice and Supporting Assurance

Advise CCG and practices on compliance with:

Incident Management

Support and advice for practices in the identification, reporting and responding to patient safety incidents (information system related) within practices.

Supporting Projects

Advice for practices and the appointed project teams on Clinical Safety (DCB0160) where projects involve:

  • change of practice Foundation Solution including data migration activities
  • new initiatives involving clinical systems to support different or innovating ways of working
  • reconfiguring clinical systems with the potential to bypass or deviate from internal system controls and safeguards
  • new clinical systems integrating with the Foundation Solution
  • decommissioning clinical systems for example when merging or closing practices
  • deploying new digital technologies
  • clinical system procurement including third party assurance

This is not an exclusive list.

Support for projects beyond general advice for example preparing Clinical Risk Management Plan, Clinical Safety Case Records and Hazard Reports and supporting procurement activities should be resourced as part of the project plan.

Supporting Local Procurement

The use of the Digital Technology Assurance Criteria (DTAC) may be helpful in local procurement activities

Practice Responsibilities Practices must report patient safety incidents in line with national guidance using the General Practice Patient Safety Incident Report Form provided by NHS Improvement.

Practices as independent contractors are responsible for sourcing any legal advice they may require supporting any of these activities.

Applicable Standards
Applicable Guidance Introductory guide to the new MDR and IVDR (MHRA)

Digital Technology Assurance Criteria (DTAC)

Assurance DPCMAT: IND11.0

Digital Services Procurement Support

Requirement Supporting CCGs and practices with specialist procurement and technical advice on procuring services described in the Operating Model, including advice on the procurement of capabilities through the Digital Care Services (DCS) Catalogue.
Out of Scope Funding for the digital solution being procured and support for its deployment and implementation is not part of the procurement support service as this is an internal CCG (or general practice) responsibility.
Specialist Support Services Availability: Standard Service Hours

General Digital Procurement Support:

  • provide strategic procurement advice, recommending collaboration and standard specifications to optimise efficiency and support costs
  • advice and assistance in the development of outputs based specifications to support GP digital procurement projects
  • advice on procurement of GP IT enabling services using national frameworks as appropriate
  • advice on applicable standards and accreditations for procurement
  • ensure the obligations on the data processor to the individual practice(s) as data controller are reflected in the contract, in particular regarding reporting data breaches and near misses
      o accessing, where applicable, the National Commercial and Procurement Hub to support CCG procurement
  • CCGs must ensure that any procurement activity in support of GP IT, when delegated to GP IT Delivery Partner(s), does not create conflicts of interest or potential procurement challenge.

DCS Catalogue procurement support:

  • supporting mini-competition work for the procurement by CCGs from the DCS Catalogue
  • meeting practice capabilities within nominated CCG funding allocations whilst ensuring excellent value for money

Non-DCS Catalogue procurement support:

  • support Practices and CCGs purchasing non-DCS Catalogue clinical systems and digital technologies which include hosting patient identifiable information, securing assurance against the standards below, including the Digital Technology Assurance Criteria (DTAC)
  • utilise as appropriate the Procurement Checklist provided in the document

Other Controls Procurement legislation.
Applicable Standards
  • NHS England Financial Guidance
  • NDG Standard 10
Applicable Guidance
  • Digital Technology Assurance Criteria (DTAC)

Digital Services Contract Support

Requirement Facilitating CCG GP IT delivery with support for contract and supplier management and technical support.

Solutions procured through Digital Care Services (DCS) Catalogue Frameworks or directly by the CCG for use by its practices.

As end users of services practices are required to comply with any end user terms and conditions of use but wherever the contract is held by the CCG or NHS Digital a support service is required to manage local technical and contractual issues on behalf of the practice with the supplier.

Out of Scope Support for contracts for practice business support systems

Support for contracts held by parties other than CCG or NHS Digital.

Support for contracts directly held by the practice.

Payments and invoice processing for the contracted digital solutions is not part of the contract support service as this is an internal CCG (or general practice) responsibility.

Specialist Support Services Availability – Standard Service Hours:

  • ongoing support for practice clinical systems including technical liaison with system supplier and clinical application support where not provided by system supplier
  • in the event of any unresolved issues, escalate to suppliers on behalf of practices to facilitate a satisfactory resolution
  • to meet CCG responsibilities to monitor and escalate to NHS England clinical systems performance issues in relation to the use of services and solutions provided under the CCG Practice Agreement
  • use of the GP IT Futures CRM to track clinical system capabilities deployed by practice
  • local management of service support contracts/supplier liaison
  • ensure local DCS Catalogue contracts are current and accurate
  • manage local payments ensuring that all charges incurred are current and accurate, including payments for additional software to enhance the functionality of the clinical system
  • inform Foundation Solution Suppliers of any changes to existing contracts (held by CCG / NHS), for example terminations due to practices changing Foundation Solution or changes arising from practice mergers
  • liaising with DCS Catalogue suppliers regarding future requirements and developments
  • management of ongoing system updates as necessary where these are not directly managed by the system supplier
  • supporting practice data migration end to end process for GP IT Futures Foundation Solutions in line with applicable data migration standard.

GP Estate Strategy

Requirement Provision of advice and guidance to support the development of GP estate relevant to the provision of GP IT services and systems.
Out of Scope Funding and resourcing support for new estates developments should be provided through the relevant business case for that development.
Specialist Support Services Availability: Standard Service Hours

  • advice on IT infrastructure requirements and standards
  • identify, as required, suppliers for GP IT infrastructure and external services for example HSCN connectivity, WiFi-GP
  • support development of associated business case for individual estates projects, including consideration of resource and funding requirements
  • advice and guidance should include consideration of transformation opportunities, enhanced GP IT services and local digital strategy
  • CCGs must ensure that any of the above activities, when delegated to IT delivery partner(s), do not create conflicts of interest or potential procurement challenge
  • any increase in the managed GP IT estate will require agreement between the commissioners of primary care (NHS England/CCG) and GP IT services (CCG), the GP and the IT delivery partner
  • the resourcing and funding for individual estate development projects should be incorporated into the overall business case for that development.
Practice Responsibilities Practices should engage with CCGs at an early stage of planning any premises development or expansion which will impact on GP IT provision.

Clinical Systems Training and Optimisation

Requirement Training service for practice staff to support the safe and effective use and optimisation of clinical systems.
Out of Scope Training in generic basic IT skills, business administration systems and office systems.
Specialist Support Services Availability: Standard Service Hours

The service should include training for:

  • GP IT Futures Foundation Solutions to meet core and mandated capabilities
  • National Digital Services

And will include training requirements arising from:

  • practice staff turnover
  • refresher training
  • new system functionality

The CCG shall review the practice training plan and may request changes to the plan in line with local priorities and plans for the deployment of services. The CCG shall confirm its agreement to the training plan, amended as agreed by the parties.

Training will be provided for practice staff in line with each agreed practice training plan.

All end users in practices are to be trained in the use of the Foundation Solutions, and this training is to be delivered in line with the GP IT Futures training standard.

System Optimisation:

Support practice optimisation of GP IT Futures Foundation Solutions, Digital Care Services (DCS) Catalogue solutions and National Digital Services, by providing support, guidance and advice, including user group facilitation to enable sharing of best practice.

Training delivery should reflect:

  • practice training plans and staff training needs analysis
  • environment and estate accommodation and facilities
  • virtual and online delivery channels
  • resource availability
  • user satisfaction and customer feedback
Practice Responsibilities Practices shall carry out a training needs analysis that identifies the practice staff that require training in the use of the core and mandated capabilities provided to the practice.

Practices shall ensure that new starters receive adequate training, either using the services provided under this requirement or at practice cost through another source, before they use the core and mandated capabilities provided to the practice.

Using the output from the training needs analysis, practices shall prepare a training plan for the Practice which identifies the practice staff to be trained and the training to be provided by the CCG within a six-month period, or as agreed by both parties.

Practices shall make their staff available for training in line with any timetable agreed with the CCG or its Supplier(s). Practices shall be responsible for the costs of making staff available for such training including backfill costs and travel costs.

Practices shall maintain an up-to-date record of practice staff training.

Practices can request and agree amendments to the training plan in line with new developments and the changing requirements of the CCG and the practice.

Practices shall ensure that all end users are trained to a minimum entry level standard as per the NHS IT Skills Pathway including use of relevant operating systems and office productivity software. Training in generic basic IT skills, business administration systems and office systems is the responsibility of the practice.

Applicable Standards NHS IT Skills Pathway

GP IT Futures Framework Training Standard

Applicable Guidance Recommendation: The local SLA should quantify training resources based on either the number of practice staff or the number of practices (weighted by population where appropriate).
Assurance DPCMAT: IND7.0

Data Quality Support

Requirement Data quality training, advice and guidance.
Specialist support services Availability: Standard Service Hours

Comprehensive data quality advice and guidance service is available to all practices, including training in data quality, clinical coding and information management skills.

Development and delivery of a practice data quality improvement plan, where necessary and supporting practice DSPT submission (data quality assertions). This may be carried out at individual or practice group level as appropriate.

The service should include advice and guidance for:

  • national data audits/extracts/reporting, e.g. National Diabetes Audit
  • general reporting
  • template development and template quality assurance
  • spreading best practice
  • data migrations as part of system deployments
  • clinical/medical terminology
  • SNOMED CT clinical coding standards and requirements, including training and facilitation for practice staff and associated support materials, in order to support the effective transition to SNOMED CT and ongoing support to fully realise the benefits that can be achieved through the use of SNOMED CT
  • review of reports and templates to locally re-author them within SNOMED CT; failure to do so may result in reports and templates becoming out of date.
Practice responsibilities Individual practices are responsible for the quality of their patient records and the application and use of clinical terminology.
Applicable standards SNOMED CT in General Practice / Standards Change Notice SCCI0034 Amd 35/2016

Data Security and Protection Toolkit (DSPT) (data quality assertions)

GP IT Futures Data Migration Standard

Assurance DPCMAT: IND30.0

Project and change management

Requirement GP IT services include formal P3M (Project, Programme and Portfolio Management) methodologies which are recognised and used in the deployment of GP IT Futures Foundation Solutions, local implementation of national solutions and major GP IT infrastructure changes or upgrades.
Specialist support services Availability: standard service hours

The CCG will ensure skilled project and programme management resources are available, to deliver the planned programme of work, both nationally and locally driven. This may be provisioned within current SLA support arrangements, or could be procured on an ‘as required’ basis.

The service should include:

  • programme management,
  • project management,
  • change management,
  • benefit realisation support.

Technical and specialist expertise should also be available through the relevant requirement to support projects.

Supporting significant deployments and developments through end to end project management of DCS Catalogue Solutions including:

  • change of Foundation Solution for a practice including data migration activities (to GP IT Futures Data Migration Standard) and training (to GP IT Futures Training Standard)
  • new initiatives involving sharing patient data with third parties
  • merging practices
  • closing practices
  • significant estate developments and new builds
  • deploying new digital technologies.

This is not an exclusive list.

Applicable standards GP IT Futures Data Migration Standard.

GP IT Futures Training Standard.

GP IT Delivery Partner staff should be appropriately trained and qualified to recognised industry standards such as APMG (equivalent level recognised industry standards) in:

  • project management – for example PRINCE2 Practitioner
  • programme management – for example Managing Successful Programmes Practitioner
  • change management – for example Change Management Practitioner.

Assurance DPCMAT: IND32.0

Local digital strategy

Requirement Strong local leadership to develop and deliver a local digital strategy and digital roadmap, including GP IT.

The CCGs should:

  • have access to horizon scanning and advice on best practice and digital innovation
  • appoint a Chief Clinical Information Officer (CCIO) or equivalent accountable officer (dedicated or shared) who will provide leadership for the development of local digital strategy including the development of GP IT services
  • develop a patient and practice facing digital strategy, supporting innovation, service improvement and transformation, with GP IT as a key component. This will support the development of Local Digital Roadmaps
  • ensure CCG and GP IT requirements are represented in any relevant local, regional or national forum.

Specialist support services This is a direct CCG responsibility.

CCGs may wish to commission specialist skills and resources to assist in developing their digital strategy.

Assurance DPCMAT: IND12.0, IND153.0

National digital services implementation

Requirement Local promotion, deployment/implementation and support of National Digital Services, including SCR, EPS2, e-RS, GP (Patient) Online and GP2GP services.
Specialist support services Availability – standard service hours:

  • advise practices on current and planned national developments and solutions
  • maintain a record of the local status of system deployments, changes and updates, and update the national tracking database or its replacement
  • local deployment programme for national systems implementation within practices, including benefits realisation, stakeholder engagement, business change support.

Enhanced requirements

These are GP digital requirements which are agreed locally to support local strategic initiatives and commissioning strategies to improve service delivery. They should support the ICS and CCG local digital strategy and, where possible, strategic rather than tactical solutions should be developed.

Enhanced Requirements include:

  1. Productive Digital Capabilities – digital technologies, systems and support services which enable and improve efficiency and effectiveness of practice contracted services including primary care at scale.
  2. Transformational Digital Capabilities – digital technologies, systems and support services which enable transformed care, often extending beyond the practice and its core GP Contract function. These may enable new models of care, service integration, wider GP functions, and models.

Where the practice is represented within an ICS, any decision to commission enhanced transformational requirements remains the responsibility of the CCG which has delegated responsibility for GP IT, but the CCG would also be expected, as local commissioner, to work closely with the ICS.

CCGs may use local GP IT funds, subject to CCG Standing Financial Instructions (SFIs) and any other financial restrictions, and with the agreement of local practices, to support community wide transformational digital initiatives which involve GP IT. GP IT funds should not be considered the sole source of funding in such cases and must not be used at the expense of providing the Core and Mandated Requirements to practices.

  3. Additional GP Contract digital capabilities – required to deliver those elements of a GP Contract additional to providing Essential Services, for example a PMS or APMS contractor providing walk in services, minor injuries, GP out of hours etc.
  4. GP IT Enabling Requirements – any extension of the core and mandated GP IT Enabling Requirements necessary to support and enable those Enhanced Requirements commissioned locally.

Accredited solutions are not contractually mandated but compliance with any standards attributed to the capability in this document should be considered essential. CCGs are strongly advised to use the Digital Care Services (DCS) Catalogue, Health Services Support Framework (HSSF) or other applicable frameworks listed in Appendix C offering accredited solutions.

If GP IT Futures notional CCG funds are used then the solutions can only be sourced through the GP IT Futures Framework.

Provision of Enhanced Requirements through commissioner GP IT funding is secondary to funding Core and Mandated Requirements, but they should not be seen as less important, as they underpin service improvement and transformation in the locality. Compliance with CCG SFIs will require demonstration of value for money and of product quality and safety.

As commissioner the CCG is responsible for selecting the solutions and services to meet Enhanced Requirements, but in doing so the CCG should collaborate with local practices.

Where Enhanced Capabilities are required which cannot be procured as an accredited solution, local procurement or other frameworks may be used, but solutions must still meet any standards attributed to the capability as defined in this Operating Model. The application of the procurement checklist in Appendix G and the Digital Technology Assessment Criteria (DTAC) will support this.

Listed below are some examples of enhanced capabilities which at local discretion may be provided.

Capability Description
Additional Patient Management Capabilities Additional capabilities for patient management as available through Digital Care Services (DCS) catalogue and Health Services Support Framework (HSSF).
Patient Facing Digital Services (local) Locally commissioned patient facing digital services, where these capabilities are not provided through the NHS App, the DCS Catalogue or HSSF.

Applicable Standards

GP Hubs and GP Collaborative enablement Digital enablers required to support GP collaborative and at scale operations including, but not restricted to:

  • practices working collaboratively
  • practice co-location to share resources
  • hubs to share resources and improve patient access

Tracking DPCMAT: IND57.1, IND57.2, IND57.4, IND57.5

Practice Efficiency and Service Quality Enablers

  • patient arrival and kiosk systems, patient touch screens
  • display screens (for example large TV screens and Jayex Boards), projectors, multi-function devices, webcams
  • chronic disease management, drug monitoring, anticoagulation management
  • digital order communications and results reporting for laboratory, imaging and diagnostic tests
  • advanced appointment management
  • advanced document management
  • dictation
  • data entry e-forms
  • client software and integration for third party patient management systems for example Hospital Patient Administration System (PAS), Hospital radiology viewers

Tracking DPCMAT: IND46.1, IND46.2, IND46.3, IND48.2, IND48.3, IND48.4

Additional GP contract digital capabilities Additional digital requirements needed to support those elements of a GP Contract additional to providing Essential Services – including but not limited to:

  • Community provider services
  • Population management
  • Urgent care services
  • Walk in centres
  • Minor injury units
  • GP out of hours
  • Homeless primary care services
  • Referral management services

CQRS support CQRS training, advice and guidance for practices.

Note: CQRS provides support for calculating approximately 12-14% of General Practice incentive-based payments (for example QOF). The service is business critical to general practice and to NHS England, as one of the primary mechanisms in place to support the GP Contract and to ensure that NHS England can meet its legal obligation to pay general practices.

The Calculating Quality Reporting Service (CQRS) advice and guidance service is available to all general practices. It includes review, report management and remedial action planning, particularly around exception reporting, to ensure appropriate data quality within GP sites and enable effective Quality and Outcomes Framework (QOF) reporting.

CQRS is an internet based payment calculation system. The service covers management and support for the provision of payment calculation system services, supporting QOF and Enhanced Service payments.

GP data quality accreditation service A structured data quality accreditation programme is available for practices to ensure continuous review and improvement.

Formal data accreditation support programme that includes:

BYOD Provision for practice staff to use their personally owned devices for work related purposes (also known as Bring Your Own Device – BYOD)

Because personal devices are not part of the Managed GP IT Infrastructure, they are assumed to be insecure.

Where this service is offered the standards and requirements described under the Remote Access capability above will apply.

Enhanced infrastructure Infrastructure requirements which enable enhanced digital capabilities, or which support a more efficient, effective or secure means of GP IT provision in the locality.

Networking Services:

  • management and support for provision of additional HSCN services
  • where Community of Interest Networks (COINs) are a feature of local digital primary care infrastructure, the use of GP IT allocated funds, to support these, needs to consider the following:
    • where the COIN is used to support GP IT there is a clear requirement for this in addition to HSCN connectivity.
    • where the COIN is shared between providers, the costs need to be appropriately proportioned.
    • where the COIN is used to support GP IT, the network must have sufficient bandwidth, low latency and low contention ratio to support the necessary services.

N.B. The cost of COINs which are cross care settings should be shared with those care settings.

Local network services, including equipment, cabling and local COIN.

Enhanced or alternative architectures including (but not limited to):

  • Virtual Desktop Infrastructure (VDI)
  • Citrix Access Gateway (CAG)
  • Smartcard/Remote Secure Access Token authentication
  • Single sign on

Applicable guidance: Where centralised infrastructure (for example, but not limited to, network infrastructure and virtual desktop infrastructure) is deployed, particular attention should be given to ensuring that the security, end user performance and resilience of Digital Care Services (DCS) Catalogue solutions and National Digital Services are not compromised.

Advanced telephony An advanced cloud-based Voice over Internet Protocol (VoIP) telephony solution offered to practices as a managed service (for example as part of a community wide initiative). The solution will:

  • support resilience and flexibility including remote working, home working, hub working and alternative locations (namely for business continuity response)
  • support general practice in managing a large workload and demand, including growth in telephone consultations
  • provide overall value for money
  • support local and national planning with better information on telephony based patient interactions
  • support the convergence of GP telephony and general IT/digital services ensuring that general practice can benefit from the latest and most innovative technologies.

Individual practices remain responsible for telephony recurring operating costs, capital and revenue consequences including pro rata costs of shared/managed systems.

Where possible HSCN connections to practice premises should be utilised to support the advanced telephony solution. See HSCN Requirement.

The practice may choose, at their expense, to install and use a dedicated broadband connection in preference to HSCN.

The capabilities required and applicable standards are described in the specification included in Appendix E.

Tracking DPCMAT: IND193.0, IND193.1, IND193.2, IND193.3, IND193.4

General Practice business requirements

Digital systems, technologies and services necessary to run the internal practice business and organisational governance namely:

  • general practice business support systems
  • general practice legal and regulatory obligations
  • general practice websites
  • dispensing practices
  • general practice operating costs
  • general practice buildings and estate

Notes:

  1. Although out of scope for commissioning and provision responsibilities these may be indirectly linked through the use of common infrastructure, standards, assurance, interoperability and security. In such cases practices are required to comply with any relevant technical and security standards.
  2. The infrastructure and general support required to operate these services (namely desktops, printers, network connectivity) can at the discretion of the CCG be funded and provided through “enhanced GP IT Enabling Requirements” where this allows the practice to operate more efficiently.
  3. Where there are elements of the requirements described below which are not solely a practice responsibility, these are described as “Exemptions”.

The ‘Global Sum’ within the GP Contract makes provision for practice expenses including practice staff costs and general running costs of the practice (stationery, telephone, heating and lighting, repairs and maintenance).

CCGs have an obligation to ensure services already NHS funded, directly or indirectly, are not also funded as an enhanced GP IT service. Any changes to existing funded arrangements should be discussed with the practices and transition arrangements agreed.

Where there is a demonstrable benefit in incorporating elements of GP business support services (for example advanced telephony) as part of broader efficiency release and improved patient care initiatives, GP contributions are to be considered as part of local funding provision/business case arrangements. These services should routinely be assumed to be out of scope unless local business cases can demonstrate patient benefit; in that case, when considering funding any of these services, CCGs should take account of whether the service is already funded via alternative routes, for example the global sum under the GP Contract.

General practice business support systems

Requirement Systems and services which a practice may utilise for business purposes enabling the non-clinical business functions to operate and support the practice as a business organisation. GP IT funds must not be spent purchasing or supporting Systems not directly related to patient care.

N.B. The ‘Global Sum’ within the GP Contract makes provision for practice expenses including practice staff costs and general running costs of the practice (stationery, telephone, heating and lighting, repairs and maintenance).

Practice estate infrastructure.

Exemption Where practices commission, procure and contract manage digital services directly they should have access to specialist advice and support where such services and systems will interface with NHS provided systems or operate on Managed GP IT Infrastructure. Although practices procuring business support systems are responsible for resourcing and managing their own procurement and any ongoing contract management they may seek advice where NHS systems or infrastructure may be integrated or impacted.

NHS owned equipment should be insured against loss or theft by the owners of the equipment.

Services Production of practice staff ID cards for new employees and changes to existing employees (name, role etc.).

Practice Intranet – hosting, maintenance and development.

Insurance against loss or damage of practice owned IT equipment.

Insurance against consequential losses, harm or damage arising from the failure of digital systems or equipment used by the practice to deliver their contractual obligations.

With evolving primary care delivery models, local service/support arrangements may develop that incorporate aspects of service provision that would traditionally have been considered GP business support functions to be directly funded by the practice under GP Contract arrangements.

Equipment which only supports the practice as a business, for example photocopiers. (Note: faxes must not be used by practices for the processing or communication of patient identifiable information.)

The infrastructure and general support required to operate these services (namely desktops, printers, network connectivity) can at the discretion of the CCG be funded and provided as “enhanced” services where this allows the practice to operate more efficiently subject to practice compliance with any local technical and security policies and change control procedures.

Systems that only support the practice as a business, for example payroll, HR systems, billing systems and associated hardware.

Email systems other than NHS Mail.

General practice legal and regulatory obligations

Requirement Legal and regulatory obligations for example assigning a DPO, Caldicott Guardian, serious incident reporting etc.

Practice compliance with:

Exemption CCGs are required to offer General practices a DPO service which the practice can then designate as their named DPO. Practices are still entitled to select an alternative DPO of their choice although CCGs are not expected to fund this if a DPO function has already been offered.

Where a CCG (or a GP IT Delivery Partner) has information necessary for the practice to comply with its legal and regulatory obligations (above) the CCG should make reasonable efforts to provide this to the practice.

Services Software to support redaction when processing patient record documentation for patients or third parties for example SAR, legal and insurance reports (refer to procurement checklist)

Health and Safety regulation compliance, including PAT and DSE requirements, associated with the practice premises buildings and estate and where staff are working at home or remotely (regardless of equipment ownership).

Dispensing general practices

Requirement Digital capabilities required to support the dispensing operations in practices which hold a dispensing contract.
Exemption Digital capabilities required to support the personal administration of medications within practices for example vaccinations.
Services The infrastructure and general support required to operate these services (i.e. desktops, printers, network connectivity) can at the discretion of the CCG be funded and provided as “enhanced” services where this allows the practice to operate more efficiently.
Applicable standards, guidance and controls EPS Dispensing Systems Compliance Specification.

General practice websites

Requirement General Practice websites including:

  • domain registration
  • hosting of website
  • maintenance of website and
  • design

Exemption Online patient facing digital capabilities as defined in Core and Mandated Requirements. Note the practice website must provide a link for the public/patients to these online services.
Services Responsive service to resolve performance and access issues and to implement necessary changes as required to fulfil the practice GP Contract obligations.

Website design and maintenance.

Website hosting requirements.

Integration (links) with GP online services.

The core digital offer which all practices must provide to patients should include:

  • an up to date accessible online presence, such as a website, that, amongst other key information, links to online consultation system and other online services prominently
  • signposting to a validated symptom checker and self-care health information (for example nhs.uk) via the practice’s online presence and other communications

Applicable standards, guidance and controls GMS Regulations require that, where general practices have a website, specifically defined information and access to patient online services must be published on the website.

The GP Contract framework requires all practices to have an up-to-date and informative online presence, with key information being available as standardised metadata for other platforms to use (for example the Access to Service Information (A2SI) Directory of Services Standard).

The GMS Regulations also place restrictions on the advertising and hosting of private GP services including through practice websites.

W3C Web Accessibility Initiative (WAI).

Equality Act 2010 (EQA).

Equality and Human Rights Commission: Statutory Code of Practice for “Services, public functions and associations” under the EQA (the Code).

The Privacy and Electronic Communications Regulations (PECR)

General Data Protection Regulation (GDPR)

Data Protection Act 2018

General practice operating costs

Requirement Examples include:

  • digital system consumables (printer paper, printer ink/cartridges)
  • power utility charges
  • telephony operating costs, call charges, equipment costs and implementation costs (or agreed pro rata costs of shared systems or managed service costs)
  • backup media for any local servers (practice premises based)
  • practice billing systems including card readers and cashless payment systems

Applicable standards, guidance and controls Where specified in the local Warranted Environment Specification (WES), or otherwise where specified by the equipment manufacturer, digital system consumables purchased or used by the practice in the operation of the Managed GP IT Infrastructure must meet those specifications.

General practice buildings and estate

Requirement Building and estate including environment to house securely any practice-based IT equipment.

Environmental requirements as required for any practice-based IT equipment for example physical security, fire suppression and air conditioning/cooling equipment.

Health and Safety regulation compliance associated with the buildings and estate including DSE and PAT requirements for IT equipment operated by staff on practice premises (regardless of equipment ownership).

Building Security.

Power supply for IT Equipment (including cabling and outlets).

Applicable standards, guidance and controls Using online consultations in primary care: implementation toolkit

Working safely with display screen equipment.

Download a PDF copy of ‘Securing Excellence in Primary Care (GP) Digital Services: The Primary Care (GP) Digital Services Operating Model 2021-2023’