Appendix G – Procurement checklist

Applicable Frameworks such as those offered through the Digital Care Services (DCS) Catalogue or through Health Services Support Framework (HSSF) should be used wherever possible. Where practices, CCGs, PCNs and ICS cannot do this and therefore choose to procure clinical systems and digital technologies (the “product”) which include hosting patient identifiable information through local arrangements steps must be taken to ensure that the product provider can offer the following assurances as applicable. The use of the Digital Technology Assessment Criteria (DTAC) may be helpful as indicated below.

Ref Assurance required DTAC
1.1 Provide Information Governance assurances for their organisation via the NHS Data Security and Protection Toolkit. Yes
1.2 Confirm that products to be procured are fully in scope of the supplier’s Cyber Essentials + (CE+) certification. Yes
1.3 Confirm that the manufacturer/developer of the product has applied clinical risk management as required under DCB0129 (Clinical Risk Management: it’s Application in the Manufacture of Health IT Systems) during the development of the product procured. Yes
1.4 Confirm that where the product being procured is classified as a medical device the product complies with the medical device directives. Yes
1.5 If the product uses a clinical decision support tool (namely utilising predefined algorithms and/or a knowledge base) for direct use by the patient or clinician, provide details on how these are checked for accuracy and provenance.
1.6 If patients can directly access the product it complies with national guidance on citizen identity verification, including “Patient Online Services in Primary Care – Good Practice Guidance on Identity Verification


That the product uses NHS Login to verify identity and NHS Number

1.7 As data processor can and will comply with GDPR and DPA legislation. This will include agreement to and compliance with a Data Processing Agreement. The use of standardised terms and conditions such as NHS terms and conditions for provision of services: purchase order version is advised. Yes
1.8 If data is hosted outside England provide:

  • assurance it complies with the requirements of UK Government IA policy in the overseas location
  • names of third countries or international organisations that personal data are transferred to
  • safeguards for exceptional transfers of personal data to third countries or international organisations
1.9 Describe how the product will support individual General Practice(s) discharge their legal responsibilities as data controller. In particular with the following:

  • data sharing between legal entities
  • respond to a Full Data Disclosure Subject Access Request (SAR) made by a patient under data protection legislation
  • a record access audit log automatically maintained in the system
1.10 As data processor can support the practice (the data controller) in carrying out a Data Privacy Impact Assessment (DPIA).
1.11 Give assurance it has a defined process for assessing third party products which form part of the product and evidence that any third-party products have been assessed against all relevant standards. Yes
1.12 Provide details on any clinical coding system used for (history, diagnosis, symptoms, findings, diagnostic investigations and results, treatment, prescribed drugs).
1.13 Confirm the product uses the NHS number as primary patient identifier Yes
1.14 Describe how the support for the product will be provided during practice business hours. Yes
1.15 Describe how the product will be maintained and upgraded (operationally, technically and contractually). Yes
1.16 How the product integrates with the practice clinical system and what standards are used to integrate. Yes
1.17 Provide processes to manage the following scenarios:

  • patients changing registered general practice
  • deceased registered patients
  • other patient identity management issues (name change, gender reassignment, legal protections)
  • termination of the service contract (to include but not be limited to repatriation of the patient identifiable data to the data controller)
  • on the Supplier (or a subcontractor) ceasing to trade
  • on the Supplier ceasing to use a subcontractor (e.g. clinician) in the delivery of the service
  • supporting patients to exercise rights of rectification, erasure (the right to be forgotten), restriction, data portability and, objection to processing as part of GDPR compliance
  • on practice merger and / or closure

Practices, CCGs, PCNs and ICS purchasing GP IT hardware equipment where applicable are able to support the assurances required:

Ref Assurance required
2.1 Confirm that unsupported operating systems and internet browsers are not used on these devices.
2.2 Confirm that tablets and mobile devices are encrypted to NHS Security Standards.
2.3 Confirm that the equipment is compatible with the (local) Managed GP IT Infrastructure.


Guidance contents

Download a PDF copy of ‘Securing Excellence in Primary Care (GP) Digital Services: The Primary Care (GP) Digital Services Operating Model 2021-2023’