Appendix G – Procurement checklist
Applicable Frameworks, such as those offered through the Digital Care Services (DCS) Catalogue or through the Health Services Support Framework (HSSF), should be used wherever possible. Where practices, CCGs, PCNs and ICS cannot do this and therefore choose to procure clinical systems and digital technologies (the “product”) which include hosting patient identifiable information through local arrangements, steps must be taken to ensure that the product provider can offer the following assurances as applicable. The use of the Digital Technology Assessment Criteria (DTAC) may be helpful as indicated below.
Ref | Assurance required | DTAC |
1.1 | Provide Information Governance assurances for their organisation via the NHS Data Security and Protection Toolkit. | Yes |
1.2 | Confirm that products to be procured are fully in scope of the supplier’s Cyber Essentials + (CE+) certification. | Yes |
1.3 | Confirm that the manufacturer/developer of the product has applied clinical risk management as required under DCB0129 (Clinical Risk Management: its Application in the Manufacture of Health IT Systems) during the development of the product procured. | Yes |
1.4 | Confirm that where the product being procured is classified as a medical device the product complies with the medical device directives. | Yes |
1.5 | If the product uses a clinical decision support tool (namely utilising predefined algorithms and/or a knowledge base) for direct use by the patient or clinician, provide details on how these are checked for accuracy and provenance. | |
1.6 | If patients can directly access the product it complies with national guidance on citizen identity verification, including “Patient Online Services in Primary Care – Good Practice Guidance on Identity Verification”, OR that the product uses NHS Login to verify identity and NHS Number | Yes |
1.7 | As data processor can and will comply with GDPR and DPA legislation. This will include agreement to and compliance with a Data Processing Agreement. The use of standardised terms and conditions such as NHS terms and conditions for provision of services: purchase order version is advised. | Yes |
1.8 | If data is hosted outside England provide: | Yes |
1.9 | Describe how the product will support individual General Practice(s) to discharge their legal responsibilities as data controller. In particular with the following: | |
1.10 | As data processor can support the practice (the data controller) in carrying out a Data Privacy Impact Assessment (DPIA). | |
1.11 | Give assurance it has a defined process for assessing third party products which form part of the product and evidence that any third-party products have been assessed against all relevant standards. | Yes |
1.12 | Provide details on any clinical coding system used for (history, diagnosis, symptoms, findings, diagnostic investigations and results, treatment, prescribed drugs). | |
1.13 | Confirm the product uses the NHS number as primary patient identifier | Yes |
1.14 | Describe how the support for the product will be provided during practice business hours. | Yes |
1.15 | Describe how the product will be maintained and upgraded (operationally, technically and contractually). | Yes |
1.16 | How the product integrates with the practice clinical system and what standards are used to integrate. | Yes |
1.17 | Provide processes to manage the following scenarios: |
Practices, CCGs, PCNs and ICS purchasing GP IT hardware equipment where applicable are able to support the assurances required:
Ref | Assurance required |
2.1 | Confirm that unsupported operating systems and internet browsers are not used on these devices. |
2.2 | Confirm that tablets and mobile devices are encrypted to NHS Security Standards. |
2.3 | Confirm that the equipment is compatible with the (local) Managed GP IT Infrastructure. |