Commissioning, procurement and contract management

Clinical commissioning boards (CCGs) should exercise best practice and comply with NHS England financial guidance and local Standing Financial Instructions (SFIs) in the commissioning, procurement and contract management of GP digital services. These activities will ensure:

  • value for money
  • compliance with procurement legislation and internal SFIs.

CCGs will ensure procurements are compliant with the standards described in this Operating Model including:

  • data protection regulations and cyber security controls
  • clinical safety standards and medical device safety standards
  • information standards
  • interoperability standards
  • clinical terminology standards

CCGs must ensure, as a Core and Mandated Requirement, that they and their practices have access to competent procurement advice for any digital services and equipment being procured under this Operating Model (Appendix A).

Practices vary considerably in size, resources and in-house technical capabilities. CCGs need to ensure consistent access to such services is available to all practices.

CCGs are encouraged to collaborate on procurements and make use of appropriate framework agreements such as Digital Care Services (DCS) Catalogue frameworks and Health Systems Support Framework (HSSF) (see Appendix C) to ensure best value for money, compliance with applicable standards and to reduce procurement workload. As integrated care systems develop procurements they should align with integrated care systems digital strategies.

Procuring GP IT enabling requirements

CCGs are encouraged to use an applicable national framework (Appendix C) with underpinning standards, for example HSSF, to procure GP IT enabling services. Appendix E provides a specification template and supporting tools for CCGs. Without precluding providers offering innovative approaches, CCGs should give consideration to the following:

  • services where demand is likely to be linked to quantities supported (for example number of devices, users etc) and how incremental/organic growth can be accommodated
  • for specialist (expert) services (for example training, data quality, project management, information governance etc) what will the available capacity be and how will it be managed
  • how the framework can provide assurances against compliance with applicable standards

Where the GP IT enabling services cannot be provided through an appropriate framework such as HSSF then CCGs may commission GP IT enabling services from providers through other procurement routes – this includes private providers, local NHS Trusts, CCG shared services and other local consortia arrangements providing that the capabilities and standards described in this document are met.

Where CCGs support practice organisations which hold multiple contracts in geographically dispersed CCGs they may wish to consider the following dual approach:

  • collaborating with the other CCGs to commission, through a lead CCG, a GP IT service operating across a wider geographical boundary
  • commissioning a local GP IT service, if appropriate in collaboration with other CCGs in the geographic locality, for those practices based in the CCG locality.

Neither the practices in question nor the remaining practices in the CCG(s) should be disadvantaged by such an arrangement. (Note: see also sub-contracting of services.)

Whatever the procurement approach used, the CCG as commissioner is responsible for commissioning services which:

  • offer resilience
  • ensure the Core and Mandated Requirements described in this document are provided to their practices
  • meet all other requirements and standards in the Operating Model
  • ensure the provider organisation meets the standards for GP IT Delivery Partner organisations described below including Data Security and Protection Toolkit (DSPT) and other certification requirements
  • comply with any relevant legal and regulatory obligations for example as Data Processor. This should include any required Data Processing Agreements (DPA)
  • ensure the CCG is able to meet its obligations under the CCG-Practice Agreement
  • are governed either by a fixed term formal contract or a fixed term formal NHS Service Level Agreement (SLA), either of which is to be supported by a robust specification which reflects the requirements to be met and the standards applicable
  • comply with a service specification with robust Key Performance Indicators (KPIs) and standards, which is used to inform the Support and Maintenance Levels Schedule in Appendix 2 of the CCG-Practice Agreement
  • demonstrate value for money
  • comply with the CCG’s Standing Financial Instructions (SFIs)

All CCGs, regardless of procurement approach, are encouraged to make use of the GP IT specification commissioning support pack described in Appendix E.

Some digital services will be procured through dedicated framework contracts as directed by national NHS programmes.

Direct provision of GP IT enabling requirements

Some CCGs may choose to provide all or part of the GP IT enabling services directly, either as an individual CCG (in-house services), a CCG collaborative (in-house services) or as a CCG shared service. In such cases the CCG(s) must put in place robust arrangements which meet all the requirements listed above (6.1) and also:

  • ensure any necessary and appropriate steps are taken to manage any potential conflicts of interest for the CCG as both commissioner and provider

Organisational standards for GP IT delivery partners

When commissioning GP IT enabling Services, the following mandatory organisational standards must be met by the provider:

Organisational standards may apply to the whole organisation and all services it provides internally and externally, or may be defined in more detail, for example within the Information Security Management System (ISMS) scope or Business Continuity Management System (BCMS) scope. Commissioners should seek assurance that any standards compliance or certification from a provider fully applies to the scope of the services being commissioned and to all providers delivering the services commissioned.

Note: individual requirements have applicable standards assigned as required (see Appendix A).

The CCG must also obtain assurance, for example through a data processing agreement, that the provider organisation is able to meet its obligations as data processor required under the General Data Protection Regulation (GDPR) Compliance Guidelines.

These should be regarded as minimum standards for the organisation. Using an appropriate framework such as Health Systems Support Framework (HSSF) will provide assurances for compliance with such standards.

Procuring essential clinical system capabilities

Under the GP IT Futures Framework CCGs will use notional allocations of funds held by NHS Digital to procure solutions from the GP IT Futures Framework which meet the Essential Clinical System Capabilities for their practices. In exercising this responsibility CCGs must:

  • ensure Essential Clinical System Capabilities are provisioned for all eligible practices
  • ensure compliance with procurement legislation and internal Standing Financial Instructions (SFIs) (through utilising the GP IT Futures Framework)
  • ensure value for money
  • ensure practices are able to choose their preferred accredited Foundation Solution.

Procuring GP IT equipment

When procuring GP IT equipment using NHS capital funds, CCGs will adhere to NHS England financial guidance, internal SFIs and procurement legislation. National framework contracts which offer the best value for money should be used where possible. CCGs have access to the NHS England National Commercial and Procurement Hub for advice and support in procurement of GP IT equipment using capital funds.

Practice direct procurement

Where practices commission, procure and contract manage digital services directly they should have access to specialist advice and support either through CCG commissioned GP IT services or, if applicable, through the NHS England National Commercial and Procurement Hub where such digital services and systems will interface with NHS provided systems or operate on NHS managed infrastructure. Practices procuring practice business support systems, local clinical systems and equipment enhancements are responsible for resourcing and managing their own procurement and contract management processes but should seek advice where NHS systems or managed infrastructure may be used, integrated or impacted and seek assurance that the systems do not represent a risk to other NHS IT systems. A local procurement checklist is provided in Appendix G which may help practices in these activities.

Any practice-procured software, digital system or equipment which utilises NHS systems or managed infrastructure must be approved as described in the CCG-Practice Agreement. Such approvals should not be unreasonably withheld. Software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS managed infrastructure.

Where practices procure digital services directly, they remain responsible, as contract holder, for the maintenance of that service, which will include ensuring it remains supported by the supplier/developer. The security of systems and applications which are unsupported or unmaintained cannot be assured, and such systems and applications must not be used on NHS managed infrastructure. Where a practice chooses to procure its own solution to a “core and mandated” requirement or capability defined in this document, the CCG is not obliged to reimburse the practice for the cost of this service – see Direct Funding.

Individual practices have direct access to appropriate frameworks such as Health Systems Support Framework (HSSF) and DCS Catalogue frameworks and are encouraged to use these to ensure value for money and compliance with applicable standards.

Download a PDF copy of ‘Securing Excellence in Primary Care (GP) Digital Services: The Primary Care (GP) Digital Services Operating Model 2021-2023’