Executive summary
The NHS provides general practices with digital services as required by the GP contract and the ICB practice agreement. Details of how these digital services should be provided, the standards they should meet and how they are funded are published in this document, also known as the GP IT operating model.
As successor bodies to clinical commissioning groups (CCGs), integrated care boards (ICBs) have a devolved responsibility to provide these services to their practices. This document provides a regularly updated commissioning framework to assist ICBs in this.
ICBs and their commissioned GP IT delivery partners should make full use of this guidance to ensure their practices are fully supported with world class digital services. By necessity this is a comprehensive and consequently lengthy document. Practices may find the general practice guidance section helpful in using this document.
A new ICB practice agreement, published with this operating model, gives practices and ICBs clarity on their respective obligations and responsibilities. All ICBs and practices are required to sign the ICB practice agreement.
We have worked to ensure close alignment between the GP contract, the new ICB practice agreement and this operating model; as a result, some terminologies and definitions have changed.
The challenges identified in previous versions of the operating model remain equally relevant today. The operating model is underpinned by the need to support ‘business as usual’ activities and enable service transformation while keeping practices and their patients safe.
Further guidance and clarification is given on serious incident reporting and business continuity responsibilities.
Cyber security remains a critical part of the requirements and all parties (individuals, practices, ICBs, GP IT delivery partners, system suppliers) have an essential role to play.
The demands on general practice are probably the greatest since the inception of the NHS. Digital tools, with the right infrastructure and support, play a crucial part in practice resilience and innovation. Primary care networks (PCNs) are developing and delivering a wider range of primary care services and need the same access to digital tools, infrastructure and support as practices.
Support for place-based healthcare and technology-enabled transformation is vital and technology-enabled general practice is integral to this. Services provided through this operating model can support integrated community working while ensuring practice requirements continue to be met.
As practices and PCNs work to find more efficient and effective service delivery models, the use of specialist third party organisations sub-contracted by practices is increasing. We recognise this as a valuable route to access specialist resources and benefit from efficiencies of scale.
This operating model and the new ICB practice agreement give more detail on how these providers might be supported with access to digital tools and GP IT infrastructure.
Remote provision by practices was essential in ensuring service continuity during the COVID-19 pandemic and continues today as an integral part of practice operations. This is supported here with a mandated requirement for remote access and with guidance on supported premises and sub-contractor access.
Practices need the right underlying network infrastructure, broadband connectivity and wireless technology in place to support the growing demand for bandwidth and reliable connectivity.
Moving all primary care health and social care network (HSCN) connections to gigabit-capable connectivity is an essential enabler.
WiFi provision within practice premises remains a core service and must support patients, public and the practice.
The NHS Fuller Stocktake highlighted the essential role of data and access to shared records across integrated care systems (ICS) communities underpinned by robust and resilient digital architecture. This operating model provides the platform to ensure this can happen in a consistent manner in the practice estate.
ICBs have – in addition to devolved GP IT responsibilities – a mandate to develop and implement an ICS-wide digital strategy to accelerate digital and data transformation, as outlined in:
- What Good Looks Like (WGLL) framework
- Integrated care system design framework
- NHS operational planning and contracting guidance
- A plan for digital health and social care
ICBs need to align and integrate this with their responsibilities described in this operating model.
The 10 Year Health Plan for England: Fit for the future focuses on 3 key shifts, one of which is a system wide shift from analogue to digital.
A key component of this shift is a greatly expanded NHS App. In primary care, both patients and practices will benefit from direct patient engagement in, for example, appointment and prescription management and in self-referrals.
The NHS App integrated with NHS Notify will become the patient online solution of choice, subject to functionality being available.
Patient online services have been a great success story in primary care. The Delivery plan for recovering access to primary care further builds on this success by supporting practices with the provision of the digital tools needed to implement modern general practice (MGP). This operating model ensures these are integral to the primary care digital eco-system. ICBs and practices need to be aware of the risk of digital exclusion as this area develops.
In accordance with the GP contract, when practices procure new or replacement telephony systems they are required to procure through the Better purchasing framework and, when available, from the Digital services for integrated care (DSIC) catalogue of frameworks (or successor).
The Digital services for integrated care (DSIC) catalogue of frameworks (or successor) continues to grow and develop, providing practices and wider primary care with access to accredited solutions for practice clinical systems and online digital tools. This list is not exhaustive and will continue to iterate as more frameworks (or successor procurement routes) are established.
Commissioners must also ensure that the GP IT enabling services offered as required by this operating model are provided in a manner that does not disadvantage any practice because of their choice of foundation solution.
New requirements in this version include:
- business continuity planning
- medical (connected) devices support
- digital services assurance
- ICB GP IT policy and operational controls
Under practice business requirements, additional guidance for practices has been given on practice and PCN websites and GP advanced telephony, as well as indications of areas where ICBs will or may support practices with these requirements.
This operating model will continue to be reviewed and updated to reflect the ever-changing landscape in primary care and the role of digital tools.
Introduction
This document sets out the revised operating model for the provision of high-quality general practice digital services, building upon Securing excellence in GP IT services, first published in December 2012, with subsequent editions published in 2014, 2016, 2019 and 2021.
Changes in this revision (v6)
ICBs have responsibility for providing GP digital services as described in this operating model and subject to the terms and responsibilities set out in the new ICB Practice Agreement (version 3).
ICBs also have specific ICS-wide digital delivery responsibilities which must work with and support their GP IT responsibilities.
National organisational changes – the decommissioning of NHSX and the merging of NHS Digital and NHS England – are reflected in the responsibilities attributed in this operating model.
Detailed guidance is given on access to the services by a sub-contractor to the practice, and on the digital standards required of these organisations. This includes locum GPs and GP federations.
Similarly, guidance is also given on providing The Services to premises where practices, PCNs or their sub-contractors deliver remote services using telecommunication and digital tools.
Requirements and capabilities are now in revised categories which will support:
- the development of local specifications for GP IT enabling service
- the determination of which of The Services sub-contractors might access when approved
The scope now provides more detail on organisations, locations and services in and out of scope.
References to GP Systems of Choice (GPSoC) and GP IT futures have been removed or minimised, replaced with the digital services for integrated care (DSIC) catalogue of frameworks (or successor) to allow more scope for future framework options. NHS Mail is now referred to as NHS.Net Connect.
The definitions have been revised and aligned with the new ICB Practice Agreement (version 3). Changes have been made in terminology, responsibilities and accreditation requirements to align with the current GP Contract.
The following core and mandated requirements are added:
- ICB GP IT policy and operational controls
- ICS wide digital requirements
- Digital services assurance (local)
- Medical (connected) device support
- Business continuity and disaster recovery planning
Responsibilities for reporting incidents (for example, cyber incidents, personal data breaches and patient safety incidents) have been updated to reflect national guidance.
Under the General practice business requirements there is new and updated support for:
- practices using the new Advanced telephony better purchasing framework and successor frameworks
- procuring practice websites
- procuring digital tools and systems
Guidance is provided on donation of NHS-owned GP IT devices with social value to charitable organisations.
The GP IT enabling services specification support pack, which comprised an MS Word document and an MS Excel document, has been replaced with Guidance on procurement of GP IT enabling services within the operating model and a downloadable template specification as an MS Word document.
This version is published as an online document.
More recent changes (since publication) are shown in the Document history section.
About this operating model
Since the publication of the first GP IT operating model in 2012, this document has been welcomed as a definitive reference point on digital services to be provided to general practices and responsibilities of the parties involved.
The NHS, its care systems and providers continue to change and evolve. The operating model is regularly updated based on the knowledge and understanding at the time of publication. Definitions used in this operating model and in the ICB practice agreement are set out in the glossary.
Purpose of the operating model
The operating model, along with the ICB practice agreement, provides a commissioning framework supporting the provision of digital services required for general practices and PCNs:
- describing the digital requirements for general practice as clinical and business capabilities and the necessary IT enablers
- attributing standards and guidance to these requirements to ensure quality, safety and compatibility
- assigning responsibilities for the commissioning, provision and use of services which meet these requirements
Key documents
The GP contract(s):
- includes requirements for electronic patient records systems, patient online services, remote service provision, etc
- references the GP IT operating model for the applicable requirements and standards
The ICB practice agreement:
- enables the ICB (NHS) to fund and provide and practices to receive and use digital services related to the GP contract commitments
- defines the responsibilities and obligations of the parties
The GP IT operating model:
- directs the ICBs on the digital services and support to be offered to practices and the standards applicable
- mandates a number of digital requirements which must be provided by the NHS to meet obligations under the ICB practice agreement and the GP contract
- requires ICBs to fulfil these requirements, and any additional locally agreed requirements, by providing the services to the practice to the standards described in this operating model
- ICBs as local commissioners should not view this as defining the limits of local investment in digital services for general practice, but as the minimum set of digital services to be provided to practices
- describes responsibilities for general practices in using the services provided through this operating model and in accordance with the GP contract and ICB practice agreement
- does not define policy or strategy but ensures the digital tools and supporting services necessary to enable these are in place
- ensures the support and long-term business as usual enablers are in place for nationally led digital innovation programmes
The Good practice guidelines for GP electronic patient records (GPG):
- advises practices on using the digital services effectively, safely and in accordance with the law and other standards
- general practices and PCNs need to use and exploit these digital services making the necessary service changes to optimise their use and realise the benefits
Drivers and trends
NHS England recognises a number of significant drivers:
- A requirement to protect general practices increasingly reliant on digital technologies through cyber and data security, robust procurement and clinical safety measures.
- Unprecedented pressures on general practice from workforce capacity, patient demand, pandemic recovery and financial constraints.
- Practices working within new ICSs.
- Practices continue to develop and implement new models of care, innovative working practices and at-scale working.
- Delivering on the digital commitments made in the NHS Long Term Plan, the GP Contract (2019), the ICS design framework (2021), The Health and Care Act 2022, Next steps for integrating primary care: Fuller stocktake report and the Delivery plan for recovering access to primary care (2023).
- Themes and recommendations of the Independent investigation of the national health service in England, including tilt towards technology.
- Supporting the net zero ambition for each trust and ICS to have a Green plan setting out their aims, objectives, and delivery plans for carbon reduction.
- The 2 targets set to support the aim to be the world’s first net zero national health service:
  - for the emissions the NHS controls directly (the NHS carbon footprint), to reach net zero by 2040, with an ambition to reach an 80% reduction by 2028 to 2032
  - for the emissions the NHS can influence (NHS carbon footprint plus), to reach net zero by 2045, with an ambition to reach an 80% reduction by 2036 to 2039
NHS England also recognises significant trends:
- A significant move to remote personal working (for example, from home) and remote premises (driven by the demands and constraints of the pandemic).
- Increasing use of third parties to provide some (or all) of primary care services to practices.
- A growing market in digital services available to practices.
- Citizen empowerment through digital enablers.
- A need to access and use data to support informed decisions about patient demand, practice capacity and care delivery.
- A move to use public cloud first, internet first and browser tools as described in the NHS architecture principles.
In updating the operating model, NHS England has – with the positive support of general practice and their professional bodies – considered the following:
- previous operating models and earlier guidance have – with strong clinical engagement and the progressive inclusion of digital and online services in the GP Contract – developed a highly digitised general practice estate with a large percentage of paper free processes; we continue to build on this success
- the essential role of digital technology in underpinning general practice resilience and business continuity
- general practice continues to lead the NHS in the adoption of patient online services
- the importance of learning from national crisis events including the WannaCry ransomware attack (2017), the COVID-19 pandemic (2020-21) and the Advanced Health Systems ransomware attack (2022)
Aims
This operating model aims to:
- ensure NHS obligations to support general practice digital requirements are met:
  - supporting the digital commitments in the GP Contract and the ICB Practice Agreement
  - setting mandatory digital requirements for general practice and applicable standards
  - ensuring ICBs as local commissioners have access to funds to meet the NHS obligations to support general practice as defined in this operating model
- support place-based healthcare technology-enabled transformation:
  - ensuring technology-enabled general practices are integral to this
  - allowing the services provided through this operating model to support integrated community working while ensuring the requirements of the practice are met
- support general practice service delivery:
  - providing IT infrastructure to a standard which allows the practice to efficiently and effectively use the capabilities identified in this operating model
  - supporting practice resilience and business continuity with digital enablers
  - enabling general practice transformation and efficiencies, including:
    - patient online service capabilities
    - new ways of working and models of care
    - digital integration within the ICS footprint
    - practices can exploit and benefit from digital innovations
    - safely adopting digital technologies at pace
- keep general practice and patients safe:
  - emphasis on security and safety of digital technologies used in general practice
- ensure service quality and value for money:
  - using NHS funds to support GP IT services locally
  - ensuring appropriate and proportionate assurance measures and controls are in place where The Services identified in this operating model are delivered
This operating model describes specific arrangements that NHS England will put in place for The Services which:
- explain how the NHS will fulfil its obligations regarding GP digital services and support under the ICB practice agreement; this includes:
  - the operating arrangements, including financial procedures and associated controls
  - the governance arrangements, including stakeholder roles and responsibilities
  - the leadership necessary to achieve excellence in commissioning, in operational delivery, and in clinical and patient engagement
- inform general practice of what to expect through the provision of the services, and what is expected of practices receiving the services
- explain how the NHS will ensure strategic digital programmes and digital mandates across the national and local (ICS) health and care system are reflected and supported in general practice
- encourage the availability of digital technologies locally to enable service improvement, transformation of care arrangements and patient digital engagement with primary care
- define the responsibilities of all principal stakeholders in the delivery and use of digital services for general practice
- set a requirement for regular review to ensure this operating model addresses the needs of a changing commissioning and provisioning healthcare environment
- provide assurance that quality and value are being maintained and delivered consistently across primary care services within the NHS
- ensure digital enablers are available and used to support the NHS commitment to net zero carbon emissions
Scope
The obligation on the NHS to provide practices with electronic patient record systems and the local infrastructure and services necessary to support these systems remains the underpinning rationale for this operating model; and in turn, defines the organisational scope.
Stakeholders:
- Primary stakeholder organisations include ICBs, practices, PCNs and NHS England national and regional teams.
- Secondary stakeholder organisations include locally commissioned GP IT delivery partners, accredited suppliers under DSIC catalogue of frameworks (or successor) and the Health Systems Support Framework (HSSF), General Practitioners Committee (GPC), local medical committees (LMCs) and others representing and supporting general practices nationally and locally.
Organisations in scope:
- General practices and providers contracted under the GP Contract (this includes general medical service [GMS] contracts, personal medical service [PMS] agreements and alternative provider personal medical service [APMS] contracts) to provide essential services; and where the ICB practice agreement (or CCG practice agreement v2) has been signed.
- PCN services provided by the above practices under the Network contract direct enhanced service (DES) using the additional roles reimbursement scheme (ARRS).
- Sub-contractors as set out in appendix 1 of the ICB Practice Agreement and subject to any limitations described in this operating model.
Organisations out of scope:
- Other primary care contractors.
- Providers contracted through the NHS standard contract.
- GP federations and other collaborative forms, established as separate organisational entities to provide back office administrative functions for member general practices or to deliver non-GMS services; for example, through a standard NHS provider contract.
- General practices contracted under the GP contract (this includes GMS contracts, PMS agreements and APMS contracts) where the ICB practice agreement (or the CCG practice agreement v2) has not been signed.
However, the above organisations may:
- access or use some of the services provided as part of transformation developments subject to the conditions described in this operating model
- find this operating model useful as a reference to service requirements and standards
Services in scope:
The operating model describes a number of services which:
- are core and mandated and must be provided
- are enhanced – that is, they may be provided at the discretion of the ICB
Services out of scope:
- Practice business requirements as described in this operating model.
- Clinical services outside the GP Contract but independently provided by practices; for example, occupational health services.
- Software and IT infrastructure to support dispensing operations in dispensing practices (approximately 1,000) operating under NHS England standard contract arrangements for pharmaceutical dispensing regulations.
- Apps, websites and software used by patients, which are not commissioned by the NHS or by practices, but which may be recommended by the practice.
Locations in scope:
Onsite services – for example, IT infrastructure, HSCN, WiFi, IT equipment, IT support – will be provided to the following locations:
- Practices operating at the practice premises.
- Sub-contractors operating at practice premises, providing the ICB has agreed the sub-contractor can access the services (see access to the services for sub-contractors and third parties).
- Location addresses set out in appendix 1 of the ICB practice agreement.
Onsite services – for example IT infrastructure, HSCN, WiFi, IT equipment, IT support – may, at ICB discretion, be provided to the following locations:
- Practices delivering remote services from remote premises.
- Sub-contractors delivering remote services from remote premises, providing the ICB has agreed the sub-contractor can access the services (see access to the services for sub-contractors and third parties).
Support for authorised users at personal domestic residences and mobile locations will be limited to the provision of remote access as described in the operating model.
Locations out of scope:
Onsite services – for example, IT infrastructure, HSCN, WiFi, IT equipment, IT support – will not be provided to the following locations:
- Remote premises which the ICB has not agreed to support (see access to the services for sub-contractors and third parties).
- Practice premises used (solely) by a sub-contractor which the ICB has not agreed can access The Services.
- Other locations or premises where primary care services are delivered, which are not solely remote services and which have not been registered as a practice premises under the GP Contract.
- Any addresses not set out in the ICB Practice Agreement in appendix 1 table (ii).
Key challenges
The operating model continues to address a number of challenges for digitally enabled general practices and supporting ICBs:
Supporting general practice digital needs
- the ICB practice agreement
- requirements
- accreditation and choice
- service availability
- commissioning and procurement
Supporting general practice service delivery
- clinical systems
- infrastructure
- remote access
- business continuity
- sub-contracting by Practices
- patient online service capabilities
Keeping general practice and patients safe
- managing risks
- when things go wrong
- support required
Quality and value for money
- funding
- assurance
Building on success
- previous operating models
- the GPSoC and GP IT futures frameworks
- GP profession investment in digital primary care
Supporting general practice digital needs
Organisations out of scope
- Other primary care contractors.
- Providers contracted through the NHS standard contract.
- GP federations and other collaborative forms, established as separate organisational entities to provide back office administrative functions for member general practices, or to deliver non-GMS services; for example, through a standard NHS provider contract.
- General practices contracted under the GP Contract (this includes GMS contracts, PMS agreements and APMS contracts) where the ICB Practice Agreement (or the CCG Practice Agreement v2) has not been signed.
However, the above organisations may:
- access or use some of The Services provided as part of transformation developments, subject to the conditions described in this operating model
- find this operating model useful as a reference to service requirements and standards
The ICB practice agreement
A new ICB practice agreement (v3) has been published, replacing the CCG practice agreement (v2). ICBs are required to sign the agreement with each practice. This provides clarity and assurance on the requirements for the provision and use of The Services available to general practices under this operating model.
Under the terms of the ICB practice agreement:
- Practices are eligible to receive NHS funded digital services (the services) to meet the requirements described in this operating model.
- The ICB will offer the services to the practice as described in this operating model.
- Responsibilities attributed to the ICB may be carried out by a third party (for example, GP IT delivery partner) on behalf of the ICB, where delegated by the ICB and providing it is not an ICB responsibility which may not be delegated.
ICBs must ensure a signed ICB practice agreement is in place.
Organisational change
The CCG practice agreement (v2) transitioned to the relevant ICB under the CCG-to-ICB transfer scheme. Practices and ICBs were not required to sign a new agreement as a result of the establishment of ICBs.
A revised agreement – the ICB practice agreement (v3) – has been published. All ICBs and individual practices are required to sign this new agreement as soon as possible, and by 30 June 2025 at the latest. This can be signed digitally.
Until the new agreement is signed by both parties, the previous agreement – the CCG practice agreement (v2) – remains in effect.
The ICB practice agreement will, by variations (clauses 13.4, 13.5), continue to apply in the event of the merger and succession of practices or ICBs.
The obligation to support practices, under the ICB practice agreement and as detailed in this operating model, includes supporting the impact on The Services arising from local general practice changes; for example, practice mergers and closures.
The agreement:
- confirms that the ICB will provide the services to practices to the standards described in this operating model
- provides a single reference point identifying practices receiving the services
- defines the responsibilities of the respective parties in providing and using the services
- references the operating model as defining the scope of digital requirements to be provided and standards applicable to those requirements
- describes how accreditation where required will be assured for the services
- defines categories for service availability
- requires the practice as the end user organisation to comply with any terms and conditions of use for systems commissioned by the NHS and made available to the practice
- defines processes for the management of change requests, escalations and disputes relating to the delivery of services under the agreement
Responsibilities and accountabilities
The ICB practice agreement describes the practice and ICB responsibilities for the provision and receipt of the services.
Detailed accountabilities and responsibilities for all parties involved in the operating model are given in the responsibilities and accountabilities section.
Assurance, escalations and disputes
The ICB practice agreement requires that:
- the practices have an annual IT review with their ICB (or a party delegated on the ICB’s behalf)
- there is an agreed local escalation process which can be accessed where there are concerns regarding compliance with the terms of the agreement, or where there are significant unresolved system or service performance issues
  - the process must be inserted or referenced (if an external document) in appendix 3 of the agreement
  - where there is a local primary care contractor escalation and dispute resolution process (or equivalent) then either (i) this may be referenced in appendix 3 as the process to be used, or (ii) a separate process can be developed; in which case, it is recommended that this aligns with the local primary care contractor escalation and dispute resolution process
  - the practice may request the LMC to provide support to manage the process
  - note this escalation process should not be confused with operational escalation processes; for example, for service desk incidents and requests
- there is a dispute resolution process (see section 10)
NHS England regional teams are responsible for assuring the ICB practice agreements are signed by all parties and acting as a point of escalation when required.
Agreement schedules
6 appendices are included in the agreement:
- appendix 1 – summary of services – for the practice
  - table (i) – services and providers
  - table (ii) – supported premises
  - table (iii) – sub-contractors to the practice
- appendix 2 – support and maintenance service levels (local content)
- appendix 3 – escalation procedure (local content)
- appendix 4 – business justification form (standard template)
- appendix 5 – conditions for digital and IT compliance for practice sub-contracted providers (letter)
- appendix 6 – local data processing deed (local content)
Schedules in appendix 1 should be reviewed locally:
- not less than every 12 months
- when there is a change to the content of any schedule
- on request for review by either party
New schedules or schedule changes should be agreed with both parties through a local agreement addendum.
Data processing agreements
As data controller, each practice is responsible for securing assurance of General Data Protection Regulation (UK GDPR) compliance in any contract for a third party system or service which processes patient data, and in the activities of the third party as a processor.
For the services provided here, NHS England or the ICB may undertake this assurance on behalf of general practices with the practice remaining ultimately accountable as controller.
NHS England or the ICB may assign responsibility to carry out this work on its behalf to another organisation; for example, via a framework, via other NHS procurement or to another nominated organisation within the ICS.
Services procured through the DSIC catalogue of frameworks (or successor) and National Digital Services require data processing agreements and safeguards to be in place.
In addition to each party’s obligations under current data protection legislation, the DSIC (or successor) data processing deed (or any successor) is a unilateral undertaking which suppliers of DSIC (or successor) solutions sign, and in which general practices, NHS England, and the Secretary of State for Health and Social Care (DHSC) are also beneficiaries.
NHS England or the Secretary of State for Health and Social Care may, in exceptional circumstances (for example, a high severity incident) take direct intervention (step-in services) in the management of DSIC (or successor) and national digital services contracts; including the processing of patient data as described in the ICB Practice Agreement and the data processing deed.
Where the ICB procures services which include data processing activities from third parties for use by the general practice, the ICB will ensure data processing agreements are in place as part of the contractual arrangements, and are accessible to the practice as controller.
Where the ICB directly provides services which include data processing activities, individually or as part of a local shared service or collaborative arrangement, the ICB will ensure data processing agreements are in place as part of the service level agreements (SLAs) or other local agreement and are accessible to the practice as controller.
Where the practice directly puts in place arrangements with a third party which include the processing of patient data, including:
- sub-contracting of primary care services
- a digital service (software or hosting) provider
- physical record handling services, for example scanning or archiving

the practice must take necessary steps, including documentation, to ensure the digital service commissioned meets robust standards relating to information governance and data security, including the supplier’s compliance with current data protection legislation.
Assurance:
- DPCMA: IND21.2, IND24.0, IND26.0, IND 210.0, IND 212.0
Requirements and capabilities
The digital capabilities essential to enable the practice to safely and effectively fulfil its obligations under the GP Contract will be met through this operating model. These in turn scope the GP IT enabling requirements including infrastructure, equipment, service desk, cyber support, training, etc.
These are mandatory requirements but should not be considered as the limit of digital investment in primary care. Other digital tools and enablers will also be required to improve innovation and flexibility in general practice.
All requirements are described in the schedule of requirements by category.
Where published standards are appropriate and available these are assigned to the requirement in this operating model and should be met when the service is commissioned.
Responsibilities for fulfilling and assuring these requirements (for example commissioning, delivery, assurance, usage) are described in responsibilities and accountabilities.
When commissioning services locally the GP IT enabling requirements described here may need further development and clarification as part of the local procurement service specification. The Guidance on procurement of GP IT enabling services will assist ICBs in this task.
Requirements and capabilities under this operating model

Core and mandated requirements
- Foundation digital capabilities
  - Accredited foundation solutions through DSIC catalogue frameworks
  - Practice determines
- Non-foundation digital capabilities
  - Solutions through DSIC catalogue framework, other national framework or local procurement
  - ICB determines in collaboration with practices
- Patient online service capabilities
  - Where NHS App does not meet a capability, use solutions meeting the national capabilities and standards
  - ICB determines in collaboration with practices
- National digital services
  - For example: SCR, EPS, GP2GP, NHS.net Connect, NHS App
  - NHS England determines
- GP IT enabling requirements
  - For example: infrastructure, equipment, support services; through framework, for example HSSF or local procurement
  - ICB determines and commissions
Enhanced requirements
- For example:
  - enabling collaborative and at-scale working
  - using data better and improving data quality
  - practice efficiency enablers
  - additional patient management capabilities
  - additional patient online solutions
  - IT infrastructure
  - additional GP contract digital capabilities
- Solutions meeting the national capabilities and standards, subject to conditions set out in GP IT operating model
- ICB determines in collaboration with practices
Practice business requirements
- Practice business systems
  - For example: websites, business systems, telephony, dispensing
  - Practice determines and procures (subject to compliance with ICB practice agreement)
Note: Collaboration with practices will include ICBs consulting with local medical committees (LMCs) or other local practice representative groups.
The following describe these requirements and capabilities by category in more detail. See schedule of requirements for full details.
Core and mandated requirements
The necessary digital services and IT enablers for the delivery of essential services under the GP contract or as otherwise nationally required are core and mandated requirements.
Through the ICB practice agreement these are provided by the ICB and NHS England for general practices.
These are categorised as follows:
Category 1: Foundation digital capabilities
Patient and clinical management functions enabled through essential clinical system capabilities – the 6 Foundation Digital Capabilities. Practices will choose their preferred foundation solution(s) from those available in the DSIC catalogue of frameworks (or successor).
For these capabilities, where a signed ICB practice agreement is in place:
- the foundation solution is funded by the NHS for GP Contract holders
- the foundation solution must be accredited through compliance with the standards as mandated on the DSIC catalogue of frameworks (or successor)
- the preferred foundation solution will be determined by the individual practice from the accredited systems available on the DSIC catalogue of frameworks (or successor)
- the practice and ICB will jointly select the preferred foundation solution subject to the conditions in the GP contract and ICB practice agreement
Category 2: Non-foundation digital capabilities
Patient and clinical management capabilities which can be enabled through application and data solutions. These are core and mandated requirements, but exclude the Foundation digital capabilities and Patient online service capabilities.
ICBs will choose (in consultation with local practices) solutions to be available to their practices. LMCs may be consulted if appropriate.
These will be sourced by default through the NHS Commercial Procurement Hub, DSIC catalogue of frameworks (or successor), or through another Applicable national framework.
For these capabilities, where a signed ICB practice agreement is in place with the practice:
- the solutions are funded by the NHS for GP contract holders (see funding conditions)
- accredited solutions are not mandated for non-foundation digital capabilities but compliance with any standards attributed to the capability in this operating model is essential
- the practice and ICB will jointly select the solution(s) for the practice having considered any non-foundation digital capabilities already met by the foundation solutions
Non-foundation digital capabilities are further categorised as below to facilitate different procurement and funding requirements. See funding conditions.
Category 2a: Non-foundation digital capabilities – supporting practice operations
Category 2b: Non-foundation digital capabilities – supporting digital pathways
[This excludes those solutions which meet patient online service capabilities. Procurement must follow the Digital pathways tools guidance 2025/26 – NHS England Digital.]
Category 2c: Non-foundation digital capabilities – supporting PCN contract (DES)
Category 3: Patient online service capabilities
To ensure compliance with the GP contract requirements for patient online services, a number of core and mandated patient online service capabilities are described which must be met through:
- the NHS App as a national digital service
- where the NHS App does not meet the capability, solutions which meet the national capabilities and standards with procurement support provided by the NHS Commercial and Procurement Hub
ICBs will choose in collaboration with local practices any patient online solutions, other than NHS App, to make available to their practices.
For these capabilities where a signed ICB practice agreement is in place with the practice and the capability is not met by the NHS App:
- the solutions are funded by the NHS for GP contract holders
- the solutions must meet the national capabilities and standards and be procured with the support of the NHS Commercial and Procurement Hub using the process set out in Digital Pathways Tools Guidance 2025/26 – NHS England Digital
- the practice and ICB will jointly select the solution(s) for the practice having considered any patient online service capabilities already met by the NHS App, foundation and non-foundation solutions
Additional patient online solutions may be provided as enhanced digital services to meet local requirements. Care must be taken over considerations such as cyber security, data processing, access and authentication controls and clinical safety standards.
ICBs and practices should use the procurement standards checklist in this operating model.
Category 4: National digital services
Nationally commissioned services provided – in some cases, as single instance services – at no local cost to all NHS-commissioned providers (where functionally appropriate). These are standard services with no element of local choice:
- ICBs will ensure the availability of enablers required such as infrastructure, equipment, training and deployment support for practices.
- Alternatives, including local services, should not be used, and should not be funded by ICBs. Local services which do not meet the same security, safety and data quality standards must not be supported.
- Through the ICB Practice Agreement, practices are required to comply with supplier’s end user terms and conditions of use.
- Practices will use these either as discrete systems or integrated with foundation solutions as appropriate. Foundation solution suppliers will integrate with these as specified through the DSIC catalogue of frameworks (or successor).
Category 5: GP IT enabling requirements
Includes infrastructure, equipment and support services as required in general practice to operate The Services, which meet the capabilities in categories 1, 2, 3, and 4.
Locally commissioned enabling requirements should also include the support necessary to enable those enhanced digital services commissioned.
As commissioner the ICB is responsible for sourcing these enabling requirements, but is expected to work with local practices in doing this.
Accredited services are not mandated, but compliance with any standards attributed to the requirement in this operating model is essential. The use of an applicable national framework with underpinning standards such as Health services support framework (HSSF) will assist ICBs in that compliance.
Category 5a: GP IT enabling requirements – commissioner requirements
These are a responsibility of the ICB which is expected to deliver these directly, although some specialist support may be needed from the GP IT delivery partner.
Category 5b: GP IT enabling requirements – IT infrastructure and technical services
These are requirements at supported premises. This includes connectivity (for example HSCN), network and other infrastructure, IT equipment and the associated support services.
Category 5c: GP IT enabling requirements – organisation and staff support
These are requirements to support the practice and its staff but are not directly related to the provision of infrastructure and equipment at a supported premises.
Some services may not be readily provided outside NHS organisations; for example, Registration Authority (NHS Smartcards).
Category 6: Enhanced requirements
These requirements, while not core and mandated (see above), are enablers for service improvement and transformation.
These requirements are agreed locally. They should support local GP service delivery and the ICS local digital strategy.
Where possible, strategic rather than tactical solutions should be developed. Enhanced capabilities where resources provided as core and mandated services through the operating model may support:
- evidence based good practice
- modern general practice model
- neighbourhood health services
- locally led innovation and service transformation
- PCN services, where allocated member practice resources are insufficient
Not all of these will be applicable, or will represent good practice in every locality.
Accredited services are not contractually mandated, but compliance with any standards attributed to the capability in this operating model should be considered essential.
ICBs are strongly advised to use the DSIC catalogue of frameworks (or successor), Health Services Support Framework (HSSF) or other applicable national framework.
Where the enhanced requirement cannot be met through such a framework, using the procurement standards checklist and the digital technology assessment criteria (DTAC) will support this.
In providing services to meet enhanced requirements, ICBs should consider the following:
- ICBs have an obligation to ensure requirements already met through NHS funded services or funded through other routes (for example, GP global sum, provider baseline tariff) are not also funded as enhanced requirements
- an enhanced service, where provided, should be supported by the GP IT enabling requirements necessary to use the enhanced service, for example infrastructure, equipment, service desk, specialist support
- where an ICB chooses to commission a service to meet an enhanced requirement any standards referenced in this operating model and applicable to that requirement must be met
- the ICB is responsible for determining any enhanced services but should collaborate with local practices in this
- enhanced does not imply a capability of lesser importance, only that the relevance and appropriateness will be dependent on the locality context and that provision of these services must be secondary to meeting core and mandated requirements
- many enhanced digital capabilities will be enablers for service/business change which can realise significant benefits to the NHS, patients and general practice
- ICBs therefore need to work with local practices to invest effectively in digital technologies which should align with the wider ICS strategy enabling and underpinning service improvement and transformation
- services to meet these capabilities will be available through the DSIC Catalogue of frameworks (or successor), the HSSF and other applicable national frameworks
- compliance with ICB standing financial instructions (SFIs) will require demonstration of value for money and product quality and safety
Sub-categories include:
- 6a: Enabling collaborative and at-scale working
- 6b: Using data better and improving data quality
- 6c: Practice efficiency enablers
- 6d: Additional patient management capabilities
- 6e: Additional patient online solutions
- 6f: IT infrastructure
- 6g: Additional GP contract digital capabilities
Category 7: Practice business requirements
These are the requirements for digital systems, infrastructure and organisation activities necessary to run the internal practice business and organisational governance, and are the responsibility of the practice to provide. These include:
- practice business systems
- practice telephony systems
- practice buildings and estate
- practice operating costs
- practice legal and regulatory responsibilities
- practice websites
- dispensing services
The global sum within the GP contract makes provision for practice expenses including staffing costs and general running costs of the practice (stationery, telephone, heating and lighting, repairs and maintenance).
ICBs have an obligation to ensure services already NHS funded, directly or indirectly, are not also funded as an enhanced GP IT service. Any changes to existing funded arrangements should be discussed with the practices and transition arrangements agreed.
Although responsibility for commissioning and provision of these requirements rests with the individual practices, they may use managed GP IT infrastructure and are required to be compliant with standards, assurance, interoperability and security described in this operating model. In such cases practices are required to comply with any relevant technical and security standards.
The managed GP IT infrastructure and IT support required to operate these services (namely desktops, printers, network connectivity) can, at the discretion of the ICB, be funded and provided as enhanced GP IT enabling requirements where this allows the practice to operate more efficiently and is considered affordable locally.
There are specific aspects of GP IT enabling requirements (categories 5b, 5c) which the ICB is required to meet to support practice business requirements – these will be described within the relevant enabling requirement description.
Where there is a demonstrable benefit in incorporating elements of GP business support services – for example, advanced cloud-based telephony – as part of broader efficiency and improved patient care initiatives, GP contributions are to be considered as part of local funding provision/business case arrangements.
These services should routinely be assumed to be out of scope, unless local business cases can demonstrate patient benefit, in which case, when considering funding any of these services, ICBs should take account of whether this service is already funded via alternative routes; for example, global sum GP contract.
ICBs will provide practices with access to a (local) digital services assurance catalogue which should include a solutions assurance catalogue giving practices assurance on cyber security, data security and clinical safety using the standards and guidance referenced in this operating model.
This will support practice and ICB compliance with the ICB practice agreement including the use of third party software.
Responsibility for selecting and funding GP telephony systems remains with the individual practice(s). Practices procuring new, or replacement, telephony systems are required through the GP contract to use the Advanced telephony better purchasing framework or successor framework.
Practices are required to provide a practice website (or online profile) to include minimum content and which will meet legal accessibility requirements.
Refer to the schedule of requirements for details.
Accreditation, choice and selection of services
Accreditation and assurance
Practices, which use computerised patient records, are required, through the ICB practice agreement, to use an accredited foundation solution. The accreditation is determined by compliance with the standards mandated on the DSIC catalogue of frameworks (or successor).
Where the capability is not provided through the NHS App, patient online solutions can be procured if the solution meets the national capabilities and standards, supported by the NHS Commercial and Procurement Hub until frameworks become available.
Accreditation for non-foundation and enhanced digital services is not mandatory but compliance with the standards attributed to that capability and the standards described in this operating model is essential.
GP IT enabling services will be commissioned to the general standards described in this operating model and to standards assigned to each requirement (see schedule of requirements).
Choice of services available to practices
Each practice will choose/determine the most appropriate accredited Foundation Solution from the DSIC catalogue of frameworks (or successor) to meet the 6 foundation digital capabilities (described in schedule of requirements).
The ICB in collaboration with the practices will determine non-foundation solutions from either solutions that meet the national capabilities and standards or the DSIC catalogue of frameworks (or successor) or other applicable national framework to be made available.
Where a patient online service capability cannot be met through the NHS App then, subject to the criteria in this operating model (Patient online service capabilities), the ICB in collaboration with the practices will determine patient online digital tools that meet the national standards and capabilities until frameworks become available.
National digital services are commissioned centrally and made available to practices to be used directly or through their clinical system interfaces. There is no local choice of these services.
The ICB will determine GP IT enabling services available.
The ICB in collaboration with the practices will determine enhanced digital services to be made available.
Practices will determine any practice business services providing these are compliant with:
- the standards described in this operating model
- the ICB practice agreement
Within any single ICB, practice requirements may vary and procurement of more than one service may be appropriate locally. Compliance with ICB standing financial instructions (SFIs) will require demonstration of value for money and product quality and safety.
Solutions must meet the national capabilities and standards
Selection of services for the practice
The ICB and the practice will jointly select the practice choice of accredited foundation solution, subject to the conditions described in the GP contract and the ICB practice agreement and using the selection process.
ICBs must support the practice’s choice of accredited foundation solution, in accordance with the requirements of the GP contract. Where the ICB does not support the practice’s choice of foundation solution, the conditions and process described in the GP contract and the ICB practice agreement must be followed.
The ICB and the practice will jointly select any non-foundation solutions using the selection process and subject to the conditions described in the ICB practice agreement.
Where a patient online solution is required, the ICB and the practice will jointly select patient online solutions, using the selection process and subject to the conditions described in the ICB practice agreement.
The ICB will select the GP IT enabling services.
The ICB and the practice will jointly select enhanced digital services.
The practice will select any practice business services (subject to specific conditions for certain services, for example GP telephony and practice websites, and approvals from the ICB as required in the ICB practice agreement).
In all cases, ICBs should only procure services which meet the standards referenced in this operating model and whenever possible should use the DSIC catalogue of frameworks (or successor), the support of the NHS commercial and procurement hub or an applicable national framework.
In selecting and commissioning all services required by this operating model ICBs must ensure they are provided in a manner which does not disadvantage any practice because of the practice choice of foundation solution.
Choice, selection, funding, mandatory accreditation and procurement
Table 1: Choice, selection, funding, mandatory accreditation and procurement
Requirement | Choice of service | Selection of service | Funding* | Accreditation and sourcing |
---|---|---|---|---|
1: Foundation digital capabilities | Practice with ICB support | ICB and practice | GP IT allocations | Must be accredited through compliance with the standards mandated on the DSIC and sourced through DSIC catalogue |
2: Non-foundation digital capabilities | ICB in collaboration with practices | ICB and practice | 2a: GP IT allocations; 2b, 2c: ICB core service allocation | 2a: DSIC frameworks (or successor); 2b: with support of NHS commercial and procurement hub; 2c: Applicable national framework or local ICB procurement† |
3: Patient online service capabilities additional to NHS app | ICB in collaboration with practices | ICB and practice | ICB core service allocation | Or meeting the national standards and capabilities with support of NHS Commercial and Procurement Hub |
4: National digital services | NHS England | NHS England | NHS central funding | |
5: GP IT enabling requirements | ICB | ICB | ICB core service allocation | 5a: ICB internal provision; 5b, 5c: Applicable national framework or local ICB procurement† |
6: Enhanced requirements | ICB in collaboration with practices | ICB and practice | ICB core service allocation | Applicable national framework or local ICB procurement† |
7: Practice business requirements | Practice | Practice | Practice | Practice responsibility; 7a: Better purchasing framework for telephony; 7b: Must meet accessibility standards |
* See funding for details.
† “Local ICB procurement” is subject to compliance with standards in this operating model and NHS procurement and financial obligations.
Service availability and incident response
GP digital services must be provided for the hours the general practices are contracted to offer primary care services.
However, some (enabling) services need only be available for restricted ‘office’ hours, while others may be required for longer hours with appropriately adjusted support levels.
Support for GP digital services needs to:
- match the contracted hours of general practice services
- reflect business critical digital functions
- support extended access
- respond to high severity incidents (through business continuity and disaster recovery planning)
The following are the minimum service availability requirements:
Standard service hours
Periods for services to be provided between 9am and 5pm, Monday to Friday, excluding public holidays, but which do not require a response at any other times within the core hours as detailed in the GP Contract.
Operational service hours
Periods for services to be provided throughout core hours between 8am and 6.30pm, Monday to Friday, except Good Friday, Christmas Day or bank holidays or as stated in the GP Contract.
Extended operational service hours
Periods for services to be provided for enhanced access hours as detailed in the GP Contract (Network Contract DES) between 6.30pm and 8pm, Mondays to Fridays, and from 9am to 5pm on Saturdays; or as stated in the GP Contract and any other local arrangement between the ICB and the practice, which provides additional GP Contract services outside the core hours.
The ICB will consult with PCNs to determine the scope of, and any applicable restrictions to, the ‘extended operational service hours’ – including:
- exceptions (for example public holidays)
- practices, supported premises and GP IT enabling services
- applications supported
High severity incident service hours
All practices must have access with 24 hour, 7 day availability to log a high severity incident using one of the following methods:
- telephone
- web portal (internet accessible)
- app
GP IT enabling services must provide:
- monitoring of high severity incidents outside operational service hours
- escalation of high severity incidents to 24 hour, 7 day response as necessary, whether raised locally or nationally
- support to the ICB in reporting high severity incidents, in line with national guidance and Network and information systems (NIS) regulations
- the ability to accept and respond, at any time during high severity service hours, to a high severity incident reported by practices, internal GP IT services, suppliers, national service desk, NHS cyber alert service
- a business continuity plan and associated disaster recovery plans which provide a response based on a 48 (actual) hour recovery time objective (RTO) for the practice to provide Essential Services; this will include a response outside standard operating hours which includes the mobilisation of resources as necessary
See requirements for Cyber security, Clinical safety assurance, Service desk, and Information governance.
Systems and infrastructure availability
Critical systems and infrastructure should provide 24 hour, 7 day availability with individual contracts defining percentage of availability and service hours.
This includes foundation solutions, NHS applications, HSCN, WiFi, local networks and GP online and video consultations.
Third party support availability
Where an incident involves a service requiring third party referral, advice or action, the availability of that service outside the service hours contractually offered by the third party may be limited.
In such cases resolution of incidents and problems should be prioritised and based on work around or contingency solutions.
In the case of high severity incidents and activated business continuity (BC) and disaster recovery (DR) plans, third party communications and activities should be integral within these plans.
Commissioning and procurement
ICBs should exercise best practice and comply with NHS England financial guidance and local standing financial instructions (SFIs) in the commissioning, procurement and contract management of GP digital services. These activities will ensure:
- value for money
- compliance with procurement legislation and internal SFIs
ICBs will ensure procurements are compliant with the standards described in this operating model including:
- data protection regulations and cyber security controls
- clinical safety standards and medical device safety standards
- information standards
- interoperability standards
- clinical terminology standards
ICBs must ensure, as a core and mandated requirement, that they and their practices and PCNs have access to competent procurement advice for any digital services and equipment being procured under this operating model (Schedule of requirements).
Practices vary considerably in size, resources and in-house technical capabilities. ICBs need to ensure consistent access to such services is available to all practices.
ICBs are encouraged to collaborate on procurements and make use of Applicable national frameworks such as DSIC catalogue of frameworks (or successor) and the HSSF to ensure best value for money, compliance with applicable standards and to reduce procurement workload.
Note: Net Zero and social value in procurement drives the supply chain to deliver additional social, economic and environmental benefits alongside their commercial commitments. ICBs should align with the NHS net zero supplier roadmap to ensure:
- procurements include carbon reduction plan and net zero commitments requirements according to the published guidance
- procurements include a minimum of 10% social value weighting and included contract key performance indicators (KPIs)
- Digital net zero tooling (via NHS Futures – login required) is available to provide support and guidance
Procuring clinical systems
ICBs will use notional GPIT allocations held by NHS England to procure services through the DSIC Catalogue of frameworks (or successor), including the Tech innovation framework (TIF), which meet the foundation digital capabilities for their practices.
In exercising this responsibility, ICBs must (subject to the conditions in the ICB Practice Agreement):
- ensure the foundation and non-foundation digital capabilities (schedule of requirements) are provisioned for all eligible practices
- ensure compliance with procurement legislation and internal standing financial instructions (SFIs)
- ensure practices are able to choose their preferred accredited foundation solution
Practices and ICBs should refer to the ICB practice agreement for responsibilities (4.21 – 4.29) including:
- appendix 4: the ‘Business justification guidance for change of digital services integrated care foundation solution’
- appendix 3: the ‘Escalation procedure’ (local)
- clause 10: ‘Escalation and dispute resolution’
In the absence of formal procurement routes such as frameworks for digital pathways tools, ICBs must continue to engage with the NHS Commercial and Procurement Hub to support buying activities, following the process set out in Digital pathways tools guidance 2025/26 – NHS England digital.
Procuring GP IT enabling services
The ICB will provide GP IT enabling services including IT infrastructure, IT equipment, and support services as required to operate the foundation and non-foundation solutions and the national digital services.
There are a number of approaches for ICBs to provide these services:
Commissioning all or some of the services within appropriate frameworks
ICBs are encouraged to use an Applicable national framework with underpinning standards, for example HSSF, to procure GP IT Enabling Services.
The GPIT Enabling Services Specification Support Pack v5.0 and GPIT Enabling Services Data Capture Service Schedule v5.0 provide a specification template and supporting tools for ICBs commissioning these services.
Commissioning all or some of the services outside a framework
Where the GP IT Enabling Services cannot be provided through an appropriate framework such as HSSF then ICBs may commission these services through other procurement routes – this includes private providers, local NHS trusts, ICB shared services and other local consortia arrangements providing that the capabilities and standards described in this operating model are met.
Direct provision of services
Some ICBs may choose to provide all or part of the GP IT enabling services directly as either:
- an individual ICB (in-house services)
- an ICB collaborative (in-house services)
- an ICS shared service for example through a local host organisation within the ICS
- a common commissioned ICS wide service
Supporting pan-geographic GP service providers
Where ICBs support practice organisations which hold multiple contracts in geographically dispersed ICBs, they may wish to consider the following dual approach:
- collaborating with the other ICBs to commission, through a lead ICB, a GP IT enabling service operating across a wider geographical boundary
and
- commissioning a local GP IT Enabling Service, if appropriate in collaboration with other ICBs in the geographic locality, for those practices based in the ICB locality
Neither the practices in question nor the remaining practices in the ICB(s) should be disadvantaged by such an arrangement. (Note: see also sub-contracting of services.)
Some digital services will be procured through dedicated framework contracts as directed by national NHS programmes.
Whatever the approach taken to procurement of GP IT Enabling Services the ICB remains responsible for ensuring:
- the NHS meets its obligations to general practices regarding digital services under the GP contract and ICB practice agreement and as described in this operating model
- resilience in service provision and infrastructure
- that Core and Mandated Requirements described in this operating model are provided to their practices
- all other requirements and standards in the operating model are met
- any organisation providing GP IT enabling services must meet the standards for GP IT delivery Partner organisations described below
- standards in particular for data and cyber security and clinical safety are assured throughout the supply chain from the decision to procure, supplier selection, contract award, supplier delivery, incident support/ management and contract termination
- compliance with any relevant legal and regulatory obligations for example as data processor including any requirements for data processing agreements (DPA)
- that the ICB is able to meet its obligations under the ICB Practice Agreement
- the service is governed either by a fixed term formal contract or fixed term formal NHS service level agreement (SLA); either to be supported by a robust specification which reflects the requirements to be met and the standards applicable
- there is compliance to a service specification with robust KPIs and standards, which is used to inform the support and maintenance levels schedule in appendix 2 of the ICB practice agreement
- value for money can be demonstrated
- compliance with the ICB’s standing financial instructions (SFIs)
In addition to the above, where the ICB directly provides some or all of the GP IT enabling services then the ICB must also put in place robust arrangements which:
- ensure any necessary and appropriate steps are taken to manage any potential conflicts of interest for the ICB as both commissioner and provider
All ICBs, regardless of procurement approach, are encouraged to make use of the Guidance on procurement of GP IT enabling services.
Without precluding providers offering innovative approaches, ICBs should give consideration to the following:
- services where demand is likely to be linked to quantities supported (for example, number of managed GP IT devices, number of authorised users, etc) and how incremental and organic growth can be accommodated
- where specialist (expert) services (for example training, data quality, project management, information governance etc) are commissioned what is the available capacity procured and how will it be accessed and resourced
- where a framework is used how does the framework provide assurance on compliance with required standards
ICBs should consider the National Cyber Security Centre (NCSC) published supply chain cyber security guidance.
Organisational standards for GP IT delivery partners
When commissioning GP IT enabling services, the following mandatory organisational standards must be met by the provider:
- NHS information governance – to demonstrate compliance with all mandatory assertions in the NHS Data Security and Protection Toolkit (DSPT) for the relevant organisation type completed annually.
- from September 2024 DSPT will be aligned with the NCSC cyber assessment framework (CAF) for large organisations (trusts, ICBs, CSUs, ALBs, independent providers designated as operators of essential services under the NIS regulations)
- the organisation will be accredited to Cyber Essentials Plus, ISO27001 or other relevant information security standards
- The organisation will also have ISO 22301 for Business Continuity Management or will be compliant/ aligned with the NHS England Business Continuity Management Framework
Organisational standards may apply to whole organisation and all services it provides internally and externally or may be scoped in more detail, for example within the Information Security Management System (ISMS) scope or Business Continuity Management System (BCMS) scope.
Commissioners should seek assurance that any standards compliance or certification from a provider fully applies to the scope of The Services being commissioned and to all providers delivering The Services commissioned.
Note: individual requirements have applicable standards assigned as required (see Schedule of requirements).
The ICB must also obtain assurance, for example through a data processing agreement/deed, that the provider organisation is able to meet its obligations as data processor required under the General Data Protection Regulation (UK GDPR) Compliance Guidelines.
These should be regarded as minimum standards for the organisation. Using an appropriate framework such as HSSF will provide assurances for compliance with standards.
Assurance:
- DPCMA: IND 2.0, IND 26.0, IND 28.0, IND 158.0, IND 183.1
Procuring GP IT Equipment
When procuring GP IT equipment using NHS capital funds, ICBs will adhere to NHS England financial guidance, internal SFIs and procurement legislation.
National framework contracts which offer the best value for money should be used where possible. ICBs have access to the NHS Commercial and Procurement Hub for advice and support in procurement of GP IT equipment using capital funds.
The use of NHS standard terms and conditions for the procurement of goods is advised.
Decommissioning
The ICB may decommission any service provided to meet the capabilities described in this operating model and used by the practice, providing:
- it does not conflict with the practice’s choice of foundation solution
- any service meeting a core and mandated requirement is still met either through a replacement service or by rationalising service duplication
- the practice has been consulted in the determination of any replacement or alternative non-foundation digital services
- the practice is advised of any changes and the ICB Practice Agreement updated as necessary
Practice direct procurement
Individual practices may directly fund, procure and contract manage:
- additional capacity to the core and mandated requirements already met, for example, Foundation Solutions
- additional digital systems and equipment, not already met as core and mandated requirements, which assist the practice to deliver its contract
- third party systems
- practice business systems
- medical (connected) devices
This operating model assists practices and PCNs directly procuring in the following ways:
- Procurement standards checklist
- Digital services assurance (local catalogue)
- Digital services procurement support (advice)
- access to appropriate frameworks such as Health Systems Support Framework (HSSF) and DSIC Catalogue of frameworks (or successor) offering assurances in standards and value for money
Any practice procured software, digital system or equipment which uses NHS systems or managed infrastructure must be approved as described in ICB Practice Agreement. Such approvals should not be unreasonably withheld.
Access to a digital services assurance catalogue will assist both practices and ICBs in this process. Use of the DTAC will be helpful.
Software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS managed infrastructure.
Where practices procure digital services directly, they remain responsible as contract holder, for the maintenance of that service which will include ensuring it remains supported by the supplier/developer.
The security of systems and applications which are unsupported or unmaintained cannot be assured and must not be used on NHS managed infrastructure.
Supporting general practice service delivery
Clinical systems
A number of core and mandated digital capabilities will be met through clinical systems for practices.
These include 6 foundation digital capabilities which must be met using a foundation solution which is:
- accredited through the DSIC catalogue of frameworks (or successor)
- chosen by the individual practice from the DSIC Catalogue of frameworks (or successor) with ICB agreement, in accordance with the conditions set out in the GP contract
- funded by the NHS for eligible practices with a signed ICB-practice agreement
- sourced through the DSIC catalogue of frameworks (or successor)
Non-Foundation digital capabilities will be met by providing solutions which:
- are funded by the NHS for eligible practices with a signed ICB practice agreement
- meet standards referenced in this operating model
- are selected by the commissioning ICB in collaboration with local practices
Patient online service capabilities will be met by the NHS app and by providing solutions which:
- meet the national capabilities and standards
- integrate with the NHS App
- provide patient online service capabilities which are not available in the NHS App
Further services which offer capabilities beyond those core and mandated to meet local needs may be procured as enhanced digital services.
Digital capabilities where defined have standards attributed. Suppliers must meet the standards described in the DSIC catalogue of frameworks (or successor) for their services to be ‘onboarded’ to the catalogue. These include critical areas such as SNOMED CT, interoperability, clinical safety and cyber security.
Details on the funding arrangements are given in Quality and value for money.
Infrastructure and connectivity
IT infrastructure should be provided to a standard which allows the practice to efficiently and effectively operate the capabilities met by services provided through this operating model.
The ICB will maintain an ICB GP IT warranted environment specification (WES-GP) and an ICB GP IT asset management policy. These will ensure GP IT infrastructure and equipment is maintained, replaced as scheduled and is able to support the GP clinical systems in local use.
GP IT infrastructure funding should include:
- IT infrastructure necessary to operate digital services provided through this operating model including both those meeting core and mandated requirements and enhanced requirements
- IT hardware to a specification which meets the local WES as a minimum
- any required operating system and software licencing costs
- requirements created through the expansion and development of the GP estate – these should be factored into the business planning process for the estate development
- requirements created as a result of growth in workforce and/or practice activity
Capital allocations and other sources of non-recurrent funds can be used to provide and refresh the necessary IT infrastructure.
Individual practice IT reviews should include discussions on possible practice service and estate developments which may increase demands on GP IT infrastructure.
It is essential to ensure the right underlying network infrastructure, broadband connectivity and Wi-Fi technology is in place to support the growing demand for bandwidth and reliable connectivity especially in those locations which are hard to reach.
All of the digital services, especially bandwidth-hungry services (for example cloud-based telephony), are critically underpinned by gigabit capable connectivity. ICBs and GPs should continue to evaluate their network and connectivity needs to ensure they have the maximum bandwidth (gigabit capable) for productivity and efficiency needs.
Within supported practice premises, Wi-Fi services must continue to support patients and public while also supporting the use of Wi-Fi connected devices to deliver practice services.
Additional IT hardware may attract additional recurrent costs to align with the volume of the IT hardware estate for example operating system and anti-virus licences, GP IT support contracts. Where possible GP IT support contracts should include a tolerance which allows for organic growth of the GP IT estate and GP IT infrastructure without the requirement to renegotiate support costs.
Remote access
Remote access to the practice clinical system and managed GP IT infrastructure is required to support remote personal working for individual practice and PCN staff during normal business operations and is a key part of practice business continuity plans offering resilience and flexibility.
A remote access service available to practices is a core and mandated requirement in this operating model and should have the capability of supporting at least 60% of normal operational capacity of the practice.
The ICB will maintain an ICB GP IT asset management policy which includes the remote access equipment and support needed for this service.
Remote access solutions used to access DSIC services, national digital services or the managed GP IT infrastructure must not bypass or otherwise reduce the effectiveness of installed security measures, including authentication meeting the NHS Care Identity Service 2 standards using NHS Smartcard or other approved authenticator.
Operating the practice foundation solution without the proper use of an NHS Smartcard, or an approved alternative which supports secure authentication and an ‘advanced electronic signature’, may compromise the legal status of e-prescribing. Those signing a prescription need to be able to demonstrate that they were in sole control of the signing capability at the point of signing.
Approved remote access solutions include:
- issuing of an NHS managed laptop (or other endpoint) and means of secure VPN access
- issuing of an NHS managed laptop (or other endpoint) and use of secure accredited Internet First applications available through the DSIC catalogue of frameworks (or successor)
- use of a secure virtual desktop infrastructure (VDI) solution
Remote personal working will be more effective if remote access to both practice clinical systems and practice telephony systems is available to staff, for example by using an advanced cloud-based telephony solution procured from the Better Purchasing Framework.
Remote access to practice business systems is a practice responsibility but any solution must comply with standards in this operating model if the managed GP IT infrastructure is used or accessed in any way.
Business continuity plans
Practices are required to maintain a business continuity plan (BCP) which should include loss of access to relevant IT services which the practice requires to maintain essential services. These should be reviewed and updated as necessary.
Providers of GP IT enabling services must also have robust business continuity and disaster recovery plans. See Business continuity and disaster recovery planning for more details.
ICBs must ensure that plans which meet current standards are in place.
The above should align with section 1.4 of the NHS England business continuity management toolkit.
Sub-contracting primary care services by practices
Practices and PCNs may choose to sub-contract certain services to specialist third party providers, providing the conditions for sub-contracting of clinical matters under the GP Regulations are met (see Primary medical care policy and guidance manual [PGM] v4.0, 2022).
Sub-contracting of services may enable practices and PCNs to innovate, achieve efficiencies and enhance resilience.
Scenarios for organisation and staff providing primary care services for practices are set out in Access to The Services by sub-contractors and third parties.
Practices are eligible for receipt of NHS-funded digital services as described in this operating model where they hold a GP Contract and have signed an ICB practice agreement.
PCNs will be eligible for receipt of NHS-funded digital services as described in this operating model where all practices hold a GP contract, have signed the ICB practice agreement and the practice(s) deliver the service.
The practice may request and the ICB may agree to provide these third party providers with access to the services. These are referred to as sub-contractors in this operating model.
The following principles apply:
- Practice, PCN, independent, and third party staff working in supported premises and directly reporting to the practice should have access to the services in the supported premises; and to remote access, to support remote personal working.
- Practices may sub-contract (subject to the conditions in the GP contract) the delivery of primary care services from other organisations who may not hold a GP contract.
- The NHS (ICB) obligation to provide the services set out in this operating model is to the practice where it has signed the ICB practice agreement.
- The practice may request from the ICB that their sub-contractor is given access to the services. The ICB may allow this, subject to assurances and considerations.
- The ICB is not obliged to provide the sub-contractor with access to the services.
- GP IT funds are not directly available to the practice or its sub-contractor in lieu of services.
- Assurances will be secured by the ICB from the sub-contractor as described in Access to the services by sub-contractors and third parties; including compliance with relevant cyber, information governance, registration authority, clinical safety, and digital standards.
- Provision of local GP IT enabling services – for example, HSCN-GP, IT premises infrastructure, support services and remote access – should be additionally reviewed by the ICB, taking into consideration premises and organisational status.
- Access to the services by a sub-contractor is restricted to supporting the delivery of the contracted primary care service (including PCN service), and must not be used to directly support the sub-contractor organisation’s business functions, or the delivery of any other clinical service they have been commissioned to provide.
- Ensure the cost of providing the services for this practice is proportionate to other similar GP contracts they support (based on a cost per registered patient basis).
Access to the services by sub-contractors and third parties gives guidance to ICBs on determining which of The Services are appropriate to make available to sub-contractors and the standards to be complied with by the sub-contractor.
Appendix 1 in the ICB practice agreement sets out the supported premises in which the ICB has agreed to provide the services.
Appendix 1 in the ICB practice agreement sets out the sub-contractors where the ICB has agreed to provide access to the services.
Data processing agreements which comply with data protection legislation must be in place between the practice as controller and the sub-contractor as processor.
The GP contract gives direction on restrictions on advertising and hosting private GP services. These restrictions apply to the use of The Services provided to the practice.
Good practice guidelines
The Good practice guidelines for GP electronic patient records – (GPGv5) provide the information required to use digital tools and services effectively, safely and in accordance with the law and other national standards.
They also provide guidance on how to meet specific GP contract requirements aligned to this operating model. Practices and ICB responsibilities under the ICB practice agreement have regard to these guidelines.
Systems which hold patient information outside the foundation solution
Digital tools such as telephony systems, video consultations, email consultations and instant messaging consultations may hold patient data, for example a recording.
This data may, at the discretion of the individual practice as data controller, be:
- summarised and documented in the main patient record (foundation solution)
- considered significant to be retained, if needed for clinical negligence or other legal purposes
- in exceptional circumstances, considered part of the main patient record
In all cases, the systems and infrastructure should enable retention periods required to support the purpose of the data held. Refer to NHS records management code of practice for guidance.
Patient online service capabilities
To ensure the patient online service commitments in the GP contract can be met and are aligned with the wider ICS strategy.
Practices are required to offer the following patient online service capabilities:
- online consultations
- secure electronic communications
- appointments management
- prescription (repeat) ordering
- view patient record
- update patient details
- register with a GP
These capabilities, which are core and mandated under this operating model, will be met through the NHS App and by providing solutions which:
- provide patient online service capabilities which are not available in the NHS app
- meet the national capabilities and standards
- integrate with the NHS App
Practices are required, when procuring new or replacement telephony systems, to use the Better purchasing framework to ensure the solution meets the national standards and capabilities, a significant benefit of which is an improved patient experience particularly during peak demand periods for telephone access.
Digital inclusion
The principle of the ‘inverse care law’ and the potential for an exacerbated impact of patient online services is recognised. GP providers and GP commissioners need to be aware of those in their population at risk of digital exclusion when deploying and prompting the use of digital services for patients in primary care.
The King's Fund has produced informative further reading on this matter. It highlights that in England, 27% of people have the lowest digital capability: that is, they don’t have regular access to a device, or the skills and confidence to turn on a device, use an app, log in or enter information on a digital device by themselves.
Furthermore, about 30% of people who are offline (that is, with no online access or use) find the NHS to be one of the most difficult organisations to interact with.
The challenges of ensuring digital inclusion when driving forward growth in availability and use of digital health channels are recognised in the NHS plan for digital health and social care.
Some of the challenges and barriers faced are described in the Nuffield Trust Research on Supporting patient engagement with digital health care innovations.
Mitigating the risk of digital exclusion is one of 5 key priorities that NHS England has asked ICSs to address in its drive to reduce health inequalities, supported by Inclusive digital healthcare: a framework for NHS action on digital inclusion.
Digital services (including practice websites) that are accessible through a website or an app must ensure that the practice (as a public authority) can comply with its legal obligation to meet accessibility standards and must be fully compliant with the Web content accessibility guidelines (WCAG) 2.2.
NHS England has published Creating a highly usable and accessible GP website for patients which provides further support and guidance.
Assurance:
- DPCMA: IND 205.0
Digitally enabled service transformation
Supporting GPs, PCNs and ICBs locally to prioritise and invest in technologies which improve practice efficiency and enable local service transformation.
Those capabilities described in this operating model as core and mandatory must be first priority in the use of local GP IT funds as these capabilities are essential for practices to meet their GP contract obligations.
There are a number of digital capabilities described in this Operating Model as enhanced which enable general practice service improvement, efficiency and transformed care. This does not mean these capabilities are of less importance. Local investment in the right digital enablers for service improvement can improve patient outcomes and experience within a stable and efficient service.
Digital technologies and systems when commissioned for practices should whenever possible be accompanied by the availability of regular use data.
ICBs in addition to the responsibility for the provision of GP IT services, as described in this Operating Model, will also provide certain digital capabilities (see Schedule of Requirements) across the whole ICS. ICBs must ensure that general practice IT both supports and benefits from the delivery of these capabilities by the ICB and that general practice is engaged with and is represented in the ICS digital service transformation programme.
Supporting the commitment to deliver a net zero NHS
This Operating Model supports the NHS net zero commitment:
The net zero benefits are:
- using digital technology to reduce carbon emissions in general practice including:
  - reducing staff and patient travel with digital consultations and monitoring
  - rationalising estate requirements/usage (approximately 9,000 buildings)
  - continuing progress to a paper free environment for patient records and transactions
  - increased use of digital tools for peer-to-peer communications
Managing costs to Net Zero:
- investing in and deploying GP IT infrastructure which minimises energy usage including:
  - power saving on IT devices
  - optimising equipment life cycle; for example, with virtual desktop infrastructure (VDI) to reduce manufacturing energy costs
- selecting by default, TCO Certified (or equivalent) GP IT Devices
- ensuring adherence to policy advice which will be issued to ensure NHS data centres and companies providing these services as part of the managed GP IT infrastructure minimise their environmental impact and support the drive to reach Net Zero
- developing ICB policies on:
  - GP IT Device allocation, refresh and replacement
  - GP IT Device disposal and re-deployment.
See also Business Continuity – climate change impact considerations.
Assurance:
- DPCMA: IND 197.1
Keeping general practice and patients safe
Managing risks to general practice
Risks to general practice
Practices have a critical operational dependence on digital systems to operate routinely on a daily basis. Practices are at risk from:
- significant system failure which may severely disrupt or close Essential Services in a practice with almost immediate effect. Workarounds may be limited depending on the nature and extent of the system failure
- the loss of data (patient records) or loss of access to data, whether arising from failure of digital systems or of infrastructure, will present high impact risks to the practice in:
  - operational continuity
  - patient safety
  - corporate criminal liability
  - potential regulatory action from the Information Commissioner’s Office (ICO) including fines
- errors, faults or algorithmic based outputs from embedded logic and knowledge bases in software which processes patient information may lead to clinically unsafe recommendations or decisions
Minimising risks
Practices as independent organisations have certain legal and regulatory responsibilities relevant to data protection and business continuity.
Understanding these responsibilities at a senior level within practices and within ICBs and providing practices with access to specialist support and advice forms the foundation of minimising these risks.
In accordance with its obligations as an Operator of Essential Services (OES) under the NIS Regulations, the ICB is responsible for:
- managing and minimising security risks within the managed GP IT infrastructure.
- reporting any serious network and information incidents (including cyber incidents) which impact on provision of The Service through the NHS DSPT Incident Reporting Tool.
The ICBs are required, through this Operating Model, to provide practices with access to specialist advice to support practices. This includes:
- information governance, including advice and support for the practice designated Data Protection Officer (DPO)
- cyber security management and oversight
- clinical safety assurance advice and support
- digital systems procurement advice
- support for and oversight of practice business continuity plans (see business continuity and disaster recovery planning for more details)
These are complemented by a range of GP IT Enabling Requirements described in Schedule of Requirements which underpin a safe digital operating environment for practices.
Continuity and digitisation of general practice records
The continuity of GP medical records – electronic and paper – can be disrupted in a number of ways. Causes include:
- operational and technical failures of the GP2GP electronic records transfer system
- delays in printing records in the event of a failure or a record going to archive
- the persistence of paper in general practice because of historic Lloyd George records.
NHS England are working to improve continuity via improvements to GP records management systems, and the introduction of national digitisation guidance. These include:
- reducing the amount of paper created in the system:
  - Lloyd George paper envelopes stopped being created in January 2021
  - practices are no longer required to print out the electronic records for deceased patients for sending to archive (although existing paper records will still be collected from practices by primary care support services)
- providing a national specification and guidance for local areas to digitise Lloyd George records
- considering different options for managing Lloyd George records nationally to remove over time the burden of paper records on general practice and make use of digitisation
- working with Foundation Solution Suppliers to reduce technical GP2GP transfer failure rates and improve performance
- exploring new services that remove the need to create paper records when GP2GP fails or a record needs to go into archive
Supporting local procurement of digital systems and technologies
Digital systems and technologies, including medical (connected) devices, that are procured locally (for example, by practices or PCNs) may present a security and safety risk within the Managed GP IT Infrastructure.
The benefits available from such systems however may be invaluable to a busy practice.
To support practices to make safe procurements, comply with the ICB practice agreement and use digital systems and technologies with confidence, this operating model puts in place the following:
- Practices, ICBs and GP IT delivery providers must meet the capabilities and standards described in this operating model including those related to hardware, infrastructure and procurement. ICBs and practices will have access to specialist advice on procurement of digital services and systems.
- ICBs, practices and PCNs should make full use of the DSIC catalogue frameworks and other applicable national frameworks to procure solutions which meet necessary standards.
- A simple checklist for practices, PCNs and ICBs considering local procurement where a framework is not applicable is provided in the GPIT Enabling Services Specification Support Pack v5.0 and GPIT Enabling Services Data Capture Service Schedule v5.0. This includes using the Digital technology assessment criteria (DTAC).
- The ICB will provide a Digital services assurance catalogue to assist practices in selecting systems and services.
- Software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS managed infrastructure.
- The contract holder (usually the original purchaser) is responsible for ensuring systems, applications and hardware remain supported (by the original supplier or their agent).
- Practices as data controllers should ensure where applicable that responsibilities of the digital service supplier as data processor are contractually recognised and the agreed data flows are documented.
Note: This does not include personal devices and applications owned by Practice Staff and other Authorised Users (see Remote Access and Bring Your Own Device (BYOD)).
Use of third party software
To protect the security of the clinical systems and the managed GP IT infrastructure practices (and their sub-contractors) must comply with the conditions in the ICB practice agreement on the installation and use of third party software on managed GP IT infrastructure.
See clauses 4.10, 4.11, 4.13, 4.51, and 9.14 to 9.21 in the ICB practice agreement.
This includes requests by the practice to use third party software on managed GP IT devices.
When things go wrong
A high severity incident includes:
- an incident defined or classified as severity level 1 or 2 in accordance with the NHS England severity level guidelines
- a high severity NHS Cyber Alert
- a notifiable NIS Incident
- a notifiable Personal Data Breach
- a Patient Safety Incident
NIS notifiable incidents
These are network and information systems incidents (including a cyber security incident) which have a ‘significant impact’ on the continuity of Essential Services.
As an Operator of Essential Services (OES), the ICB is responsible under NIS Regulations for ensuring adequate data and cyber security measures are in place, taking appropriate measures to:
- manage risks posed to the security of the network and information systems which their essential services rely on
- prevent and minimise the impact of incidents on the delivery of essential services
- report serious network and information incidents which impact on provision of the essential service through the NHS DSPT Incident Reporting Tool
All parties, namely individual practices, ICBs, GP IT Delivery Partners and NHS England, will support the ICB in meeting this responsibility. This will include providing urgent out of hours contacts and communication routes as well as access to Supported Premises and digital systems and equipment outside normal working hours.
National guidance on the notification of data security and protection incidents should be followed.
In the event of a critical impact national network and information systems incident including a cyber security incident being formally declared (for example by the NHS England Data Security Centre) all parties will fully cooperate and support the actions required by the NHS Resilience Team, NHS England, or any other party with delegated authority.
This will include providing urgent out of hours contacts and communication routes as well as access to Supported Premises and digital systems and equipment outside normal working hours.
Practices will be supported by a Cyber Security Service.
A NIS Reportable Incident may also result in Notifiable Personal Data Breaches.
Responsibilities and accountabilities are summarised in Responsibilities and Accountabilities.
Personal data breaches
As data controllers and public authorities, practices have a responsibility under UK GDPR (Article 33) to report notifiable personal data breaches using the NHS DSPT Reporting Tool within 72 (actual) hours of identification. Practices, under UK GDPR (Article 34), also have a responsibility to notify patients of a personal data breach where it is likely to result in a high risk to the rights and freedoms of the individual.
Practices will be supported with access to specialist information governance services who can provide expert advice and guidance in the event of a personal data breach.
National guidance on the notification of data security and protection incidents should be followed.
Personal data breaches can include:
- confidentiality breach: unauthorised or accidental disclosure of, or access to personal data
- availability breach: unauthorised or accidental loss of access to, or destruction of, personal data
- integrity breach: unauthorised or accidental alteration of personal data
Personal data breaches must be reported by the practice (as data controller) through the NHS DSPT incident reporting tool within 72 hours of becoming aware of the breach.
ICBs, GP IT providers, practices and their sub-contractors must be aware of the legal responsibilities for data processors and data controllers.
All parties – namely individual practices, ICBs, GP IT delivery partners, NHS England – will support the practice in meeting this responsibility.
Loss of access to (or destruction of) patient records may present a patient safety risk and a personal data availability breach. Possible causes could include host system failure, network failure, power failure, premises disruption, system configuration fault denying permissions.
ICBs will ensure work to resolve as a critical incident takes place and will ensure national bodies and suppliers are involved as required.
Each practice will maintain a business continuity plan (BCP) approved by the ICB which will include, as well as a response to threats to data security, a response to loss of access to patient records. This should be activated as necessary. Practices should follow national guidance in assessing and reporting this as a personal data breach and, if relevant, report any patient safety incident.
As more systems become securely hosted externally and fewer are located within individual practice premises, the role of a practice disaster recovery (DR) plan becomes less relevant, although business continuity planning remains essential. Assurances are required, however, that third parties providing infrastructure and/or data processing services have robust DR plans.
Practices will be supported by a specialist information governance service and Cyber Security Service.
Patient safety incidents
All NHS organisations in England have a role to play in reporting and responding appropriately to patient safety incidents to support improvement in patient safety.
Practices are encouraged to report patient safety incidents related to digital systems in line with national guidance through the Learn From Patient Safety Events Service (LFPSE) provided by NHS England.
Adverse Medical Device incidents should be reported by healthcare professionals or patients via the MHRA Yellow Card System.
Practices will be supported by a specialist clinical safety assurance service.
Note: patient safety incidents and adverse medical device incidents which do not involve digital systems are outside the scope of this Operating Model.
Digital infrastructure, equipment and systems performance
The end user’s experience of digital systems can be variable and subject to a number of factors including, but not limited to:
- network bandwidth, latency and contention
- hosted system performance
- local equipment and infrastructure age, specification, concurrent applications and configuration
- unsupported systems
- external threats
Where the digital system performance for the practice is impacted to the extent that it obstructs ongoing efficient and effective access to the patient record and the clinical systems then the practice should consider whether this represents a patient safety issue (or even an availability personal data breach); in which case, they should escalate to the ICB, requesting that it is processed as a high severity incident. The ICB should lead the resolution using methodologies applicable to potentially complex, multi-factor and multiple party problem solving.
Incident reporting responsibilities summary
Incident | Reporting route | Reporting responsibility |
---|---|---|
Network and information systems incidents (including a cyber security incident) | NHS DSPT Incident Reporting Tool | ICB |
Personal data breach | NHS DSPT incident reporting tool | General practice |
Patient safety incident – related to digital systems (including clinical safety incidents) | | General practice |
Adverse medical device incident | | General practice, healthcare professional or patient |
National response to incidents or emergencies that could affect health or patient care | | NHS England |
Note: as described in the ICB practice agreement, NHS England or the Secretary of State for Health and Social Care may, in exceptional circumstances (for example, a high severity incident) take direct intervention (‘Step-in services’) in the management of digital services for integrated care framework (or successor); and national digital services contracts, including the processing of patient data.
NHS England operates the EPRR framework providing strategic national response to meet incidents or emergencies that could affect health or patient care.
Quality and value for money
Funding
ICBs as local commissioners have access to funds to meet the NHS obligations to support practices as defined in this operating model. Detailed guidance on current funding arrangements and allocations is provided in Primary care service development funding (SDF) and general practice IT funding guidance 2025/26.
Further guidance as published and where applicable will supersede funding guidance in this operating model.
Key points:
- Core and mandated GP IT enabling requirements (see schedule of requirements) are mandatory for local investment.
- Investment for GP IT should be maintained and enhanced to support local plans to address the sustainability and quality of general practice, as outlined in the NHS planning guidance.
- Investment in enhanced requirements should be commissioner led, and in consultation with general practices. It should align closely with the local ICS digital strategy, which underpins the transformation of care locally.
- ICBs are accountable for any financial risks associated with over-spending as part of their overall resource limit.
- Clear financial protocols must be established and agreed between commissioners and GP IT delivery partners to ensure ICBs remain in compliance with their financial obligations.
- ICBs and their GP IT delivery partners must follow all necessary financial guidance in relation to provision of GP IT services, including NHS England financial guidance. Where the commissioned GP IT delivery partner is not an NHS England body or an ICB, they will be required contractually to support the ICB in its compliance with NHS England financial guidance in all matters relevant to GP IT services provided, for example procurement support services.
- If individual practices do not wish to receive the ICB services required under this operating model the ICB has no obligation to provide alternatives or to offer direct funding to the practice in lieu of services.
Revenue funds
Core service allocations
ICB core service allocations include GP IT revenue funding as well as previous specific funding allocations for GP IT infrastructure and resilience and primary care transformation.
This funding is not ring-fenced; however, priority must be given to funding the core and mandated digital requirements described in this operating model for both practices and additional roles associated with PCNs.
The Primary care access recovery plan (PCARP) funding ceased 31 March 2025.
ICBs still need to ensure service continuity and the availability of highly usable and accessible digital tools required for continued delivery of modern general practice, as per the requirements of the 2025/26 priorities and operational planning guidance, the Primary care service development funding (SDF) and general practice IT funding guidance 2025/26, the GP contract, and this operating model.
Operational plans prepared by ICBs must address explicit support for funding the digital tools required to support modernising general practice including the core and mandatory requirements set out in this operating model.
The ICB will use the core service allocations to provide solutions to meet the following core and mandated requirements categories:
- 2b: non-foundation digital capabilities – supporting digital pathways
- 2c: non-foundation digital capabilities – supporting PCN contract (DES)
- 3: patient online service capabilities where the capability is not met by the NHS App
- 5: GP IT enabling requirements
The ICB may use the core service allocations to provide solutions to meet the following requirements categories:
- 6: enhanced requirements
GP IT allocations
These are revenue allocations managed by NHS England and held centrally but with a notional allocation based on registered patient capitations to each ICB.
The ICB will use the GP IT allocations to provide solutions to meet the following core and mandated requirements categories:
- 1: foundation digital capabilities as first call on the GP IT allocations
- 2a: non-foundation digital capabilities – supporting practice operations (subject to available funds)
In addition the ICB will only use the GP IT allocations to:
- procure services through the DSIC catalogue of frameworks (or successor arrangements)
- provide services to support practices which have signed an ICB practice agreement
Capital funds
GP IT capital
NHS England BAU (business as usual) capital funding for GP IT is embedded in overall NHS England ICS system capital allocations, against which ICBs submit capital spending plans.
Primary care capital functionality is not delegated to ICBs and the assets will remain in the NHS England accounts and be managed with NHS England regional capital teams.
The funding is allocated on a ringfenced basis and represents a minimum level of spend.
ICSs are permitted to transfer further funding from provider capital to primary care based on a cross-system agreement, but not vice versa (NHS England capital guidance 2025/26).
This funding is designated to deliver, as first priority, systematic refresh of the GP IT estate for both practices and additional roles associated with PCNs, in line with the requirements of this operating model.
Any remaining funds should be invested in technology advances that will improve the overall experience for staff and patients, as well as the security and cost-effectiveness of general practice and PCN IT infrastructure.
Priority should be given to maintaining the GP IT estate necessary to support the core and mandated digital capabilities described in this operating model and compliance with the ICB GP IT warranted environment specification (wes-GP).
Associated deployment costs (for example, installation, disposal and software licences) should be considered within the capital bid.
Depreciation costs arising from GP IT capital will continue to be funded centrally by NHS England.
Other revenue consequences arising from the growth of the combined GP and PCN IT estate will need to be included within ICB revenue plans.
Practices need to discuss this with the ICB at an appropriate early stage.
£122 million of capital for primary care for BAU and GP IT capital. This funding will be allocated on a ringfenced basis and represent a minimum level of spend. ICSs are permitted to transfer further funding from provider capital to primary care based on a cross-system agreement, but not vice versa.
The ICB will use capital allocations to:
- procure IT equipment to support the core and mandated requirements and standards set out in the operating model
Future connectivity programme and successor networks and connectivity programmes of work
ICBs and GPs should continue to evaluate their network and connectivity needs to ensure they have the maximum bandwidth (gigabit capable) for productivity and efficiency needs.
They should also continue to enhance their onsite wi-fi provision for clinical and administrative staff including visiting clinical staff.
Microsoft 365 for the NHS licensing
No further central funding is allocated for Microsoft 365 (N365) licences and any further requirements should be supported from GP IT funds.
The NHS participation agreement relating to the N365 health memorandum of understanding (MoU) with Microsoft ended 30 April 2023. Collaboration licences can now be purchased through the national (NHS) collaboration licensing MoU.
Time limited funding initiatives
To enable specified programmes additional allocations of non-recurrent funds may continue to be released to ICBs to support such programmes. These funds should be used to support the identified programme.
Assurances will be secured through the relevant programme generally based on deployment and capability outcomes.
ICBs should take into consideration financial impacts of any new systems or infrastructure deployed and the continuity of provision once the time limited funding ceases.
Any decision to enhance the ICB allocations to support any recurring costs after the transition period will be made on an individual programme basis.
Direct funding
ICBs have devolved responsibility to provide (either directly or through commissioning) the services for their practices described in this operating model.
ICBs should not provide funds directly to practices or PCNs in lieu of these services, unless advised otherwise for a specified purpose in this operating model (for example, reimbursement to practices for clinical system training).
Where an ICB considers direct funding to practices for any such specified service, whether funded in advance or by reimbursement against an approved claim, the following requirements should be adhered to:
- ICB compliance with its SFIs
- compliance with NHS England financial guidance
- compliance with other standards, for example cyber and data security, clinical safety, GP Connect
- how value for money is assured when procurement is disaggregated; the ICB remains responsible for compliance with the standards in this operating model
- that other practices, not receiving direct funding for GP IT from the ICB, are not disadvantaged
- the funds are not awarded directly to another party acting on behalf of the practice (for example a sub-contractor), unless that party has been commissioned by the ICB to provide GP IT services set out in the operating model following appropriate procurement process
Out of scope funding
ICBs are expected to ensure that the provision of the services locally does not duplicate other funding allocations or provisions.
The general practice global sum is used to directly fund GP contracts and will include funding for services and utilities listed in this operating model as general practice business requirements.
Dispensing practices (approximately 1,000) operating under NHS England standard contract arrangements for pharmaceutical dispensing regulations require software and digital infrastructure to provide the dispensing function. These services are outside the scope for the receipt of GP digital services under this operating model.
Other funding sources
The funding allocations above will ensure ICBs are able to provide, as a minimum, the core and mandated digital requirements required by general practice as defined in this operating model.
ICBs should consider the use of any other locally available funding sources to support locally prioritised enhanced digital capabilities which reflect the local digital roadmap for service improvement and transformation in all local care settings.
Assurance
Use of funding allocations
Directions on coding and monitoring arrangements for ICBs are given in Primary care service development funding (SDF) and general practice IT funding guidance 2025/26.
Using the DSIC reporting capability, NHS England will, for each ICB:
- identify by each ICB that foundation solutions have been procured by the ICB for all its practices
- identify that the total in-year spend by the ICB flagged on the catalogue as centrally funded is within the value of the GP IT allocation for the ICB
In the event that the former assurance is not met, NHS England will investigate that there is no breach of GP contract obligations.
Individual practices can refer to appendix 1 – summary of services table within the ICB practice agreement to check the services the ICB has made available to the practice, the supported premises and any supported sub-contractors.
Digital primary care maturity assurance
Through the annual digital primary care maturity assurance (DPCMA) reviews, annual data from April 2015 demonstrating trends and changes over this period is available.
This allows the NHS to assess the effectiveness of the operating model. The DPCMA will continue to be used to support the operating model.
Data will be sourced annually from the following:
- Organisation data service (ODS)
- general practice annual e-declaration (eDEC)
- WGLL annual ICB survey
- NHS DSPT – GP submissions
The updated DPCMA indicators (from April 2025) are included in this guidance.
Where an indicator is relevant to a requirement described in this operating model, the indicator(s) is shown assigned to that requirement (schedule of requirements).
DPCMA data is available through the Primary care indicators dashboard. This dashboard provides access to general practice indicators and the DPCMA data. GPs and ICBs can register for an account online.
Local benefits include:
- support ICBs in the management or re-procurement of GP IT service provision
- provide assurance that ICBs are meeting the requirements of the operating model in the effective delivery of GP IT services
- demonstrate progress and identify areas for investment in GP IT services and digital innovation
- support Care Quality Commission (CQC) assessment by providing insight into the use of digital technology within the practice, to help meet patient need and improve delivery of clinical services
- demonstrate local progress against GP contract digital requirements
NHS data security and protection toolkit (DSPT)
All practices must complete and submit an annual DSPT as a requirement under the ICB practice agreement. This is the responsibility of the individual practice, but support should be available to practices in the form of technical advice and access to required data which the ICB or its commissioned GP IT provider may hold.
The incident reporting tool within DSPT must be used (by ICBs and practices) to report cyber incidents and personal data breaches as required by NIS regulations and UK GDPR.
Commissioned GP IT delivery partners
Commissioned GP IT delivery partners will be required to meet organisational standards.
Access by sub-contractors
Where ICBs agree to provide certain GP digital services to a practice’s sub-contractor, the ICB can seek assurance on the sub-contractor’s commitment to standards in this operating model by confirming either of the following:
- The practice can provide assurance that their sub-contractor will comply with the standards in access to the services for sub-contractors and third parties and the conditions of this operating model. A template letter from the sub-contractor to the ICB is provided in appendix 5 of the ICB practice agreement to provide this assurance.
- The sub-contractor is supplying services through a framework agreement which requires compliance with the standards described in this operating model.
ICB collaboration
Having a common responsibility for the provision of GP digital services and support as described in this operating model, ICBs may wish to consider collaboration to reduce duplication and improve quality.
Collaboration areas may include procurement, the digital services assurance catalogue and specialist support, for example clinical safety assurance, cyber security, information governance, project management and training.
Transition arrangements and timescales
The following describes the significant transition arrangements and timescales arising from the release of version 6 of the operating model and from amendments to the operating model.
More detailed transition actions are given against individual capabilities documented in schedule of requirements.
Topic | Transition action | Timescale |
---|---|---|
Changes to GP IT enabling requirements | Where the requirements have changed since the previous operating model (V5), ICBs should agree a plan with their commissioned GP IT delivery partner for these changes to be effective in the services provided. | Within 12 months post publication of this operating model (v6), unless otherwise specified for the individual requirement, for example where there is an urgency or time pressure for the change to be effective. |
ICB practice agreement | All ICBs and each practice to sign the new agreement. Review and update appendices 1, 2 and 3. | 3 months |
Sub-contractors | Review services provided where practices use sub-contractors to ensure appropriate assurance on compliance with standards is in place. Update all schedules in appendix 1 of ICB practice agreement. | 3 months |
Local supplier data processing deed requirements | ICBs to secure signed data processing deed from commissioned suppliers of services with data processing activities. | 3 months |
Windows 10 | All Windows 10 operating systems to be replaced with Windows 11 before support ends on 14 October 2025 (Windows 10 support ends on 14 October 2025 – Microsoft Support) | 30 September 2025 |
Patient online services and NHS App | Develop and implement a transition plan which: | 12 months |
SMS | Develop and implement a transition plan to increase the use of NHS App to reduce or remove the use of local SMS contracts | 12 months |
Transition actions and timescales – version 6 amendments
Where significant or moderate impact amendments are made to this operating model v6 and require transition actions by the ICB or practices.
Topic | Version | Date of amendment | Transition action |
Access History and change logs for full details.
Schedule of requirements
Core and mandated requirements
Category 1: Foundation digital capabilities
Available through DSIC catalogue of frameworks (or successor)
GP referral management
Supports recording, reviewing, sending, and reporting of patient referrals. Enables referral information to be included in the patient record.
Prescribing
Supports the effective and safe prescribing of medical products and appliances to patients. Information to support prescribing will be available.
Recording consultations
Supports the standardised recording of consultations and other general practice activities.
Patient information maintenance
Supports:
- the registration of patients and the maintenance of all patient personal information
- the organisation and presentation of a comprehensive patient record
- the management of related persons and configuring access to citizen services
Resource management
Supports the management and reporting of practice information, resources, staff members and related organisations. Also enables management of staff member availability and inactivity.
Appointments management – GP
Supports the administration, scheduling, resourcing and reporting of appointments.
Category 2: Non-foundation digital capabilities
The following capabilities are provided subject to availability of approved solutions.
Category 2a: Non-foundation digital capabilities – supporting practice operations
Note: some of these capabilities may be embedded in the foundation solution.
Document management
Supports the secure management and classification of all forms of unstructured electronic documents including those created by scanning paper documents.
Also enables processing of documents and matching documents with patients.
GP extracts verification
Aggregated data is extracted from practice foundation solutions via the General practice extraction service (GPES) and sent to the Calculating quality reporting service (CQRS).
Calculations performed by the CQRS determine how much money a general practice should be paid for national services.
The data extracted in this process is based on information recorded in individual patient records.
The GP extracts verification capability provides practices with reports and search tools to establish which patients will be or have/have not been included in these payment extracts and calculations.
These reports and tools will ultimately support data quality investigations and improvements.
Scanning
Supports the conversion of paper documentation into digital format, preserving the document quality and structure. This may be embedded with or integrated with the document management solution.
Note: requires as an enabler compatible scanning hardware.
Category 2b: Non-foundation digital capabilities – supporting digital pathways
Digital pathways tools which do not meet the Patient online service capabilities and which support the Modern general practice model.
ICBs must engage with the NHS England National Commercial and Procurement Hub using the process described in Digital pathways tools guidance 2025/26 – NHS England digital to ensure that only products meeting the required capabilities are in place and/or purchased.
Contracts can move to new frameworks as they become available.
Demand and capacity planning tools
These allow health or care organisations to gain a greater understanding of their own data and performance to enable more informed planning. They are expected to offer the following capabilities:
- Access pre-configured dashboards: enables health and care professionals to access pre-configured dashboards provided by suppliers that are based on nationally-defined criteria and use data from core clinical solutions and other supporting solutions.
- Manage custom dashboards: enables health and care professionals to access, manage and share custom dashboards that use data from core clinical solutions and other supporting solutions.
- Data management: allows health/care professionals to configure how consumed data (including SNOMED CT codes) is mapped so it can be most effectively used by the dashboards.
Cross-organisation appointment booking
Enables appointments for patients and service users to be booked by health and care professionals across organisational boundaries.
Care navigation
Supports health and care professionals to appropriately process and respond to online patient and service user consultations using a pre-configured care navigation workflow.
Category 2c: Non-foundation digital capabilities – supporting PCN contract (DES)
Interoperability for PCNs
PCNs must ensure, when available, IT interoperability between the core network practices within the PCN, any non-participating practices the PCN is providing enhanced access cover for and other relevant providers as necessary.
This must include the ability – once consistently available – to view, book into, and cancel appointments, make referrals and request tests, to view and update patients’ records, and for all relevant staff to have the ability to access medical records within the PCN; and to cover other points in the core digital offer provided by member practices as part of their primary medical services contract.
Further guidance on IT interoperability will be made available. (Network contract directed enhanced service [DES])
Category 3: Patient online service capabilities
Practices will offer online services through the following capabilities as required under the GP contract and subject to the availability of the service.
Online consultations
Enables patients to access support from practice health professionals online without the need for a face-to-face encounter, and which need not operate in real-time.
Includes facility for real-time video consultations between the practice and the patient.
This is also part of the requirement for digital pathway tools.
Secure electronic communications
Secure electronic communications enabling communication in writing in a secure electronic form, which need not be in real-time, for practice health professionals to respond to requests made through an online consultation.
Note: may require as an enabler electronic messaging for direct patient communication.
Appointments management
Enables patients to manage their appointments online. Supports the use of appointment slots that have been configured in the GP appointments management system. This is also part of the requirement for digital pathway tools.
Prescription (repeat) ordering
Enables patients to request medication online and to manage their preferred and nominated pharmacy. Includes repeat prescription requesting.
View record
Enables patients to view their patient record online. Includes viewing of full record, clinical and administrative documents and pathology and radiology test results by patients and patient’s proxy.
Update details
Enables patients to use an online method to inform their practice of a change of address, contact details or of their demographic information, including ethnicity.
The NHS App, as a national digital service, will be the default patient online solution meeting, subject to the NHS App development roadmap, the capabilities described.
| Patient online service capability | How does NHS app support capability | Other solutions |
| --- | --- | --- |
| prescription (repeat) ordering | native function | |
| view record | native function | |
| update details | native function | |
| online consultations | provides integrated access to online consultation solutions that meet the national capabilities and standards | patient online consultation solutions that meet the national capabilities and standards, integrates with NHS app and is procured with support of NHS Commercial and Procurement Hub; embedded functionality in practice foundation solution that integrates with NHS app |
| secure electronic communications (practice to patient) | in conjunction with NHS notify to provide practice to patient communications | |
| appointments management | native function subject to practice enabling or use functionality in the integrated online consultation solution | use above online consultation solution |
The NHS App, NHS notify and NHS login should be the default systems for patient online services, patient digital communications and patient digital authentication subject to the NHS App development roadmap.
Where the NHS App, as a national digital service, provides native functionality to meet the above capability it should be used in preference to locally procured solutions.
Where the NHS App does not directly meet the capability above a patient online solution must be provided which must:
- meet the national capabilities and standards or be accredited through DSIC (or successor) onboarding
- integrate with and be accessible through the NHS app or be contracted to integrate within 6 months
- integrate and be accessible through the NHS.uk logged in section, with links offered through the practice website or be contracted to integrate within 6 months
- integrate with NHS notify for secure electronic communications or be contracted to integrate within 6 months
- be jointly determined and selected by the practice(s) and the ICB
Where an online consultation, messaging or appointment management solution is to be procured this must be done with the support of the NHS Commercial and Procurement Hub using the process set out in Digital pathways tools guidance 2025/26 – NHS England digital.
Where additional local practice and ICB capabilities are required patient online solutions may be provided as enhanced requirements.
Transition plan
ICBs and practices should jointly agree and implement a transition plan which:
- establishes NHS app as the default patient online solution for their patients
- decommissions patient online solutions which do not meet the criteria described above
- moves all secure electronic communications (practice to patient) to NHS app reducing or removing requirement for local SMS contracts
Category 4: National digital services
Foundation solution services
The following services are accessed through the foundation solution:
Personal demographics service (PDS)
The personal demographic service (PDS) holds the demographic details of users of health and care services in England, including name, address and NHS number.
It is used to confirm the identity of patients, link care records, support communications with patients and support management of NHS services.
Summary care record (SCR)
An electronic record created from GP medical records. It can be seen and used by authorised staff in other areas of the health and care system involved in the patient’s direct care.
There is a minimum core data set (medications, allergies and adverse reactions) and, with patient consent, an enhanced SCR can now be created automatically to include additional patient data (for example, significant medical history, immunisations, etc).
NHS notify
NHS notify allows organisations and services to send NHS app messages, emails, text messages and letters to patients and members of the public.
It uses different communications suppliers and is integrated with the personal demographics service (PDS).
GP2GP
This service allows patient electronic health records to be transferred directly, securely, and quickly between their old and new practices when they change GPs.
This improves patient care by making full and detailed medical records available to practices, for a new patient’s first and later consultations and significantly reduces the need to print records.
Electronic prescribing service (EPS)
Enables the electronic transmission of prescriptions to community pharmacies.
NHS e-referral service (e-RS)
The e-RS combines electronic booking with a choice of place, date and time for first hospital or clinic appointments.
Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online.
Calculating quality reporting service (CQRS) and GP extraction service (GPES)
The general practice extraction service (GPES) collects information for a wide range of purposes, including providing GP payments.
It works with the CQRS and GP foundation solution as part of the GP collections service.
Spine
The spine allows information to be stored and shared securely through national services such as the EPS, SCR and the e-RS. This is done through integration with foundation solutions or through the spine portal.
The spine supports a high number of registered users and can handle large volume messaging rates with fast response times.
Message exchange for social and health care (MESH)
The service supports both clinical and business encrypted data flows in supplier applications via a central MESH server located within the spine core messaging service.
GP connect
GP connect is a service that allows authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently.
It may also be accessed through other third party systems.
Interface mechanism (IM1) pairing
Pairing integration is the process that allows suppliers to integrate their system with any accredited GP foundation solution and other third party systems through an interface mechanism.
The following services are accessed directly by the ICB Registration Authority:
NHS care identity service 2 (CIS2)
The NHS care identity service 2 (CIS2) is an electronic system used by registration authorities supporting the identity verification of users, for registering and issuing smartcards meeting international standards for authentication and access including authentication over the internet and new authenticator types.
Using a device that is associated with the user allows them to authenticate with biometrics (fingerprint and facial recognition) and smartcards.
In the future there will be additional ways to be able to prove identity. Users will be able to undertake self-service registration.
Also accessed by Registration Authority through NHS spine portal using registration authority issued NHS smartcards. From June 2024 care identity management replaced the legacy care identity service application to meet modern security, adaptability and design standards.
Care identity management allows NHS and healthcare staff to be registered for a care identity which is a digital identity that can then be associated with health and care organisations they work for.
The system is used to assign and manage permissions that enable appropriate access to clinical systems and patient information.
It is also used to assign authentication tokens that allow healthcare professionals to perform multi-factor authentication to these clinical and patient record systems.
Services accessed by practice
The following services are accessed directly by the practice and other healthcare professionals:
NHS.net Connect
Previously NHSmail, NHS.net Connect is the secure email service approved by the Department of Health and Social Care for sharing patient identifiable and sensitive information.
NHS.net Connect, messaging, and sharing is available to all general practices. Practices should use this as their primary email system; alternative email solutions will not be provided or supported under this operating model.
Access is through the NHS.net Connect portal or MS Outlook configured to access NHS.net Connect. For enhanced security, practices using NHS.net Connect to communicate patient identifiable information are required to use multi-factor authentication (MFA) for NHS.net Connect.
Where a practice chooses to use an alternative principal email service to NHS.net Connect it must be compliant with DCB1596: secure email.
Practices are supported by an NHS.net Connect administration and support service under this operating model. GP locums have a separate arrangement for accessing NHS.net Connect.
Licensing conditions restrict the use of NHS.net Connect by third party organisations providing primary care (see access to the services for sub-contractors and third parties).
Data security and protection toolkit (DSPT)
The DSPT is an annual requirement for all organisations that have access to NHS patient data and systems.
It is an online self-assessment tool that enables practices to measure and publish their performance against national standards for cyber security and information governance.
For most organisations these are based on the National Data Guardian’s (NDG) 10 data security standards. Over time (and in different ways for different organisations) the DSPT will be changed to be based on the Cyber assessment framework (CAF).
It is recommended that the named (senior) individual with lead responsibility for IT, data and cyber security in the practice approves the assessment for the practice.
An incident reporting tool is included with DSPT for use by practices and ICBs in reporting personal data breaches and NIS reportable incidents (including cyber incidents).
National care records service (NCRS)
A web accessed service that allows health and social care professionals to access and update a range of patient and safeguarding information across regional integrated care system (ICS) boundaries.
It includes access to SCR. The service provides a summary of health and care information for care settings where the full patient record is not required to support their direct care.
Data security awareness training
Topics covered include:
- introduction to data security awareness
- introduction to the law
- data security – protecting information
- breaches and incidents
Services accessed by patient
The following services are accessed directly by the patient:
NHS App
The NHS App is accessed using the NHS Login, and is available to the public through the Google Play and Apple App stores. NHS App will be the default patient online solution meeting, subject to availability and the NHS App roadmap, the capabilities required in the GP contract and this operating model.
NHS Account
The NHS Account provides an accessible and secure way for people to access all the core NHS app features on the NHS website via a PC, smartphone or tablet. Patients verify their identity through NHS login.
NHS Login
NHS Login is a single, easy to use system for verifying the identity of people who request access to digital health records and services including the NHS App and the NHS website. Most people aged 13 or over will be able to verify their identity and register through NHS Login.
Register with a GP surgery
Register with a GP surgery is a free service for practices across England which simplifies online registrations and is available through the NHS App. All practices in England must offer this national service to patients, as outlined in the GP contract.
Assurance:
- DPCMA: IND 208.0, IND 209.0
Category 5: GP IT enabling requirements
Category 5a: GP IT enabling requirements – commissioner requirements
Effective commissioning of GP IT
Requirement
The ICB must have an effective means of commissioning, or otherwise providing, GP IT services to meet GP IT enabling requirements.
This is an internal ICB function, although ICBs may share or collaborate on this work.
Services
The ICB practice agreement:
- must be signed with all practices
- must be reviewed in the event of significant changes to either party for example organisation merger
- appendix 1 schedules require review not less than every 12 months
- appendix 2, 3 and 6 schedules require completion to meet local (ICB) requirements
- appendix 4 requires completion when a new/replacement foundation solution is selected
GP IT enabling services:
- must meet required organisational standards
- must be commissioned to required standards (for example SFIs)
- should be subject to regular service review of performance and suitability for requirements of local practices
- ICBs must ensure organisations providing GP IT enabling services are contractually required to develop and maintain a business continuity and disaster recovery plan (for services relevant to general practice IT provision). See Business continuity and disaster recovery planning and Cyber security capabilities
ICBs will have a budgeted plan for annual investment to meet the core and mandated requirements and the enhanced requirements – this should include GP IT enabling services, infrastructure and equipment.
Practice responsibilities
The individual practice is responsible for:
- signing and compliance with the ICB practice agreement
Applicable standards
Where GP IT services are commissioned, there will be:
- robust and clear service specifications demonstrating alignment with this schedule of requirements
- formal SLAs in place
- identified and agreed KPIs
- regular performance reviews
- issue and problem management with escalation arrangements agreed and clearly documented
- formal complaints management procedure
- a communication plan regarding the services provided through this operating model for all practices
- a data processing agreement (DPA) where required
- compliance with the organisational standards referenced in this operating model
- where the ICB provides or is party to the provision of these services these standards still apply and the ICB must take steps to avoid conflicts of interest
The use of a suitable framework with underpinning standards, such as the health services support framework (HSSF), is recommended.
As required under the ICB practice agreement:
- Carry out practice IT reviews (clause 4.19).
- Where local IT and system performance issues are identified, individual practices can request an additional service and infrastructure review.
- Complete and maintain appendix 1; completion of table (iii) requires receipt by ICB of signed letters by sub-contractors – see appendix 5.
- Complete and maintain appendix 2 – support and maintenance service levels.
- Complete and maintain appendix 3 – escalation procedure – which complies with the escalation and dispute resolution procedures (clauses 10.1 – 10.16).
- If required complete appendix 4 – business justification form.
- Provide local data processing deed(s) where applicable and insert into appendix 6.
Applicable guidance:
ICBs are advised to use the Guidance on procurement of GP IT enabling services in the procurement of GP IT enabling services and any ongoing review of GP IT enabling services with GP IT delivery partners.
Other controls:
Where ICBs choose to provide some or all of these GP IT enabling requirements internally, whether solely, as an ICB consortium or as a local shared service, ICBs must ensure sufficient arrangements and safeguards are in place so that the services provided meet the range and standards described in this operating model and that any conflicts of interest are avoided.
Assurance:
- DPCMA: IND 20.0, IND 21.2, IND 24.0, IND 86.0, IND 150.1, IND 150.2, IND 152.0, IND 157.0, IND 174.1, IND 212.0
ICB GP IT policy and operational controls
Requirement
The ICB has responsibility from NHS England to provide GP IT services as described in the ICB practice agreement and in the operating model. In discharging this responsibility ICBs should ensure a number of controls and policies are developed and followed.
The development and maintenance of these controls and policies may be delegated to the ICB’s GP IT delivery partner, but the ICB remains responsible for these policies and controls and the assurance that they are in place and adhered to.
Out of scope
- National standards, policies and regulations as referred to in this operating model.
- Statutory regulations.
- Local (ICB) appendices in the ICB practice agreement.
Assurance:
- DPCMA: IND 14.0, IND 15.0, IND 171.0, IND 197.0, IND 181.0, IND 211.0
Services
ICBs should develop and maintain the following:
ICB GP IT asset management policy
This will describe how NHS owned GP IT equipment and NHS procured software licences are provided to practices, re-deployed where appropriate, and disposed of.
For NHS-owned GP IT equipment provision it will:
- define equipment standards compliant with the ICB warranted environment specification (WES-GP)
- require the individual recording of all devices in the asset management database
  - this will include a unique asset or serial number, location, date installed, planned replacement date
  - low value accessory items (for example, keyboard, mice, etc) should be excluded
  - where appropriate, items can be aggregated – for example mouse, keyboard, monitor – to a single recordable asset
  - all IT equipment with data storage must be included
- meet any requirements (for example, asset management) necessary for compliance with NHS capital funds expenditure rules
- ensure compliance with NHS procurement and ICS standing financial instructions (SFIs)
- ensure a continual refresh programme which identifies and replaces hardware subject to fair use and availability of funds where it has reached its service life
- set criteria for provision of GP IT equipment in supported premises; this may consider:
  - practice type, size, clinical system, etc
  - premises – that is, practice premises and remote premises
  - requirements specific to functions within the practice – for example, monitors and dual bin printers in consulting rooms, document scanners, network printing in administration offices, check-in screens in reception, etc – as digital tools develop, these needs may change
- set criteria for provision of GP IT devices to practices to support remote access
- set a target service life by equipment category. This should take into consideration:
  - performance
  - value for money
  - supporting the NHS commitment to deliver a net zero NHS
- describe approach for managing additional demands for GP IT equipment arising from additional workforce, premises development, service development and expansion
- where existing GP IT equipment is re-deployed:
  - ensure cyber and data security safeguards are in place
- support the commitment to deliver a net zero NHS by investment in desktop infrastructure which will minimise energy usage, including: power saving on IT devices; optimising equipment life cycle (for example, with virtual desktop infrastructure [VDI]) to reduce manufacturing energy costs
- select by default, TCO-certified (or equivalent) devices
- define processes for lost or stolen assets to ensure compliance with data security requirements and capital asset management
- at the end of device deployment or useful life the device, to be decommissioned as described in the processes under GP IT equipment asset management, may be either:
  - disposed of
  - re-deployed
  - or considered for social value, as part of the commitment to deliver a net zero NHS, despite reaching full capital depreciation and no longer deemed usable for NHS use
- where devices with social value are donated to charitable organisations follow the requirements described in GP IT equipment asset management
For NHS-owned GP IT equipment, the scope will include:
- desktop devices and portable devices (for example laptops, tablets). Where a device has several components (for example processor, monitor, keyboard, mouse), in aggregate these are treated as one unit
- ancillary desktop equipment for example printers, scanners
- network switches, routers, wifi components
For NHS-procured software licences it will:
- require the recording of all software application licences in the asset management database; licences for national digital services are excluded from this requirement
- follow the processes and requirements described in software licence management
- support the conditions on the use of third party software
- set conditions and approvals for use of NHS-funded applications and software licences to be provided for use on devices other than managed GP IT devices; for example, practice-owned and managed, third party managed, or personal devices; particular attention should be given to ensuring:
  - patient identifiable data does not become accessible from unmanaged and potentially insecure IT infrastructure
  - end-user conditions of use for the licence and application are complied with
In addition, for IT equipment (devices) and software owned by, or the responsibility of, the practice or a third party and used within supported premises, it will:
- describe the minimum requirements and standards for IT equipment (devices) and software
it may:
- provide guidance for the procurement, re-deployment and disposal of this equipment
ICB GP IT warranted environment specification (WES-GP)
version 6.01
The WES-GP will define the minimum requirements for operating systems, software applications and hardware configurations to be provided on managed GP IT devices.
As a minimum, on all managed GP IT devices (desktop and portable) it will:
- meet the spine WES
- meet the WES published by foundation solution suppliers for the foundation solutions used in the practices
- meet foundation solutions requirements
- mandate the minimum supported operating system (Windows 11 by 14 October 2025) and supported browser(s)
- require anti-virus, malware protection and firewall protection using MDE
- require access management and port control
- require encryption to NHS standards on portable devices
- require NHS identity agent (for NHS smartcards) or approved equivalent such as CIS2 authentication
- require effective patch and upgrade management for operating systems
- set conditions for use of Microsoft Office licences (under collaboration licence agreements held by the ICB) or alternative application(s) and licence(s)
- give minimum specifications for managed GP IT devices
- require the use of one or more standardised desktop image specification(s) which are documented and standardised across the managed GP IT infrastructure estate and managed through a formal change control management system
- describe standards necessary for the operation of managed GP IT devices for example printer consumables
- require managed GP IT devices (fixed workstations and portable devices) to be locked down and well managed, with advanced tools, processes and policies in place to support diagnosis, repair and updates
- require all managed GP IT devices to be supported by secure remote IT support tools
It will also:
- describe the minimum requirements and standards for operating systems, software applications and hardware configurations to be used on IT equipment which is owned by (or is the responsibility of) the practice or a third party, and is used within supported premises
- be reviewed at least annually
- be reviewed when the hardware specification requirements of a foundation solution change
GP IT systems access policy
version 6.01
All access to the managed GP IT infrastructure by individuals (including authorised users and GP IT delivery partner staff) must ensure that all cyber security, software licence and equipment asset management requirements described in this operating model and ICB-practice agreement can be met.
It will:
- confirm the requirement in the operating model (cyber security requirement) that authorised users are not able to install software applications or active devices onto the GP IT managed infrastructure unless given specific technical support access subject to conditions set out in this policy
- define any conditions required to allow authorised users technical support access including criteria to be met, the approval process and responsibilities
- define levels of access; for example, standard authorised users and technical support staff (possibly at different levels)
- describe any controls to be applied; for example, naming standards, password expiry periods, multi-part authentication
- set out conditions for the use of generic (that is, not individually assigned) access accounts
- describe processes and standards for:
  - allocation of access to third parties
  - access review processes and standards
  - authorisation for new access
  - rescinding access
WiFi-GP acceptable use policy
version 6.01
This will address the use of all the WiFi-GP services provided, including guest and bring your own device (BYOD) WiFi access.
Bring your own device (BYOD) policy
version 6.01
Where BYOD is supported (see remote access) for personal devices, a BYOD policy must be in place, which will include cyber and data security, software licensing and ownership, data storage, support, data and security breaches, loss of device, and termination.
Note: staff cannot be mandated to use their personal devices for NHS purposes.
ICS-wide digital requirements
version 6.01
Requirement
In addition to responsibility for the provision of GP IT services, as described in this operating model, ICBs also have ICS-wide digital responsibilities.
Although out of scope for GP IT commissioning and provision responsibilities under this operating model these may be indirectly linked through the use of common infrastructure, standards, systems, support, assurance, interoperability and security.
The requirements and standards described in this operating model align with the What good looks like (WGLL) framework.
The WGLL framework is included in the ICS design framework; the Priorities and operational planning guidance 2024/25; and A plan for digital health and social care; reflecting the expectation that the standards in the WGLL framework will be used to accelerate digital and data transformation.
The WGLL framework has 7 success measures:
- well-led
- ensure smart foundations
- safe practice
- support people
- empower citizens
- improve care
- healthy populations
Details on how these can be met are available on the WGLL framework webpages.
Elements of GP IT provision may help the ICB to meet these capabilities; for example, where:
- GP IT infrastructure and estate is involved or impacted
- there are patient online solutions deployed in practices, such as repeat prescription and appointment request and records access
- there is a requirement for ICS-wide specialist services which are also core requirements to support practices under this operating model; for example:
ICBs should consider the role of the GP IT services provided under this operating model in supporting the wider ICB digital responsibilities and to:
- avoid duplication
- avoid creating disadvantage or reduction in GP IT service provision
- ensure practices, and their patients, are able to benefit from ICS wide digital services
- ensure GP IT funding is not used to provide these ICS digital capabilities beyond the requirements described in this operating model
Assurance:
- DPCMA: IND 12.0, IND 72.0, IND 73.0, IND 84.1, IND 84.2, IND 195.0, IND 196.0, IND 153.0, IND 204.0, IND 206.0, IND 207.0, IND 161.0, IND 155.0, IND 154.0, IND 156.0, IND 86.0
Category 5b: GP IT enabling requirements – IT infrastructure and technical services
GP IT support service desk
version: 6.01
Requirement
A GP IT support service desk for authorised users which provides:
- triage
- incident management
- request management
- problem management
- SLA reporting
- access to report and escalate high severity incidents
Transactional services
Availability: operational service hours
An ITIL-aligned, or equivalent, management process for:
- incidents
- problems
- requests
- change control
The service must:
- make at least 2 of the following access routes available; it must be possible to log an incident or service request using at least 1 of these methods 24 hours a day, 7 days a week:
  - a single telephone number for logging incidents and requests
  - a single email address for logging incidents and requests
  - a self service web portal or app for users which should provide, as a minimum, either by direct access or by re-directing/signposting to a third party self service portal or app, the following:
    - log incident
    - log service request
- enable practices to track the progress of logged calls/requests/incidents through at least 1 of the above routes
- reset passwords
- include remote IT support to managed GP IT devices in an audited and secure manner subject to user consent for remote IT diagnostic and resolution purposes, including the management of remote working solutions
- have clear incident priority categories, with minimum response and target fix times to ensure the safe and effective operation of GP digital services. The GP IT enabling services specification support pack can assist in setting incident priority categories and times
- prioritise all calls to the agreed standard, in conjunction with the person reporting the incident. A minimum standard should be agreed for percentage of incidents resolved on first contact or within an agreed timeframe from call logging. The GP IT enabling services specification support pack can assist in setting these reporting and performance indicators
- where third party support is required for incident or problem management, ensure a robust and effective resolution plan is in place with agreed responsibilities and led by the GP IT service desk provider. This will include issues reported to the service desk concerning national digital services and foundation solutions. Supported applications will be scoped through appendix 1 (summary of services) in the ICB practice agreement
- where third party support is not available for required incident or problem management (for example, when outside third party service hours), advise the practice on timescales and any practical workarounds; the GP IT service desk provider remains responsible for the incident until the third party can take action to resolve
- have access to the asset management database
Availability: high severity incident service hours
Access must be available for out-of-hours high severity incident alerting, logging and escalation in accordance with the approved business continuity and disaster recovery plans.
This may not operate in the same way as the operational service hours support; and response will be appropriate to the impact of the incident and the GP IT delivery partner’s business continuity and disaster recovery plans.
The ability to accept and respond to a high severity incident reported by any of the following:
- a practice
- internal GP IT services
- a supplier
- national service desk
- NHS cyber alert service
Specialist support services
Availability: standard service hours
SLA reporting
Applicable standards:
- ISO/IEC 20000-1 – IT service management standard
- An ITIL-aligned, or equivalent, management process for incidents, problems, requests
Applicable guidance:
- Recommendation: the local SLA is based upon an agreed managed IT device volume.
Assurance:
- DPCMA: IND 28.0, IND 26.0, IND 183.1
Desktop infrastructure
version: 6.01
Requirement
Provision and management of managed GP IT devices in supported premises.
All practice staff, who require the digital capabilities described in this operating model to carry out their role, will have access to a managed GP IT device (desktop or laptop) with access to the foundation solutions within the supported premises.
Out of scope
The following devices and equipment are out of scope:
- medical (connected) devices
- IT equipment defined under general practice business requirements
- practice owned and managed IT equipment
- remote access (see separate requirement)
- equipment (devices) for sub-contractor staff not supported by the ICB
- personal devices and BYOD
Transactional support services
Availability: operational service hours
To include:
- installation and management of all managed GP IT devices as determined through the ICB GP IT asset management policy
- installation and management of applications, operating systems and security controls in compliance with the WES-GP on managed GP IT devices
Specialist support services
Availability: standard service hours
To include:
- supporting the ICB in the development of the ICB GP IT asset management policy and the WES-GP
- development and maintenance of standardised desktop image(s), with a formal change control management system as required in the WES-GP
- compliance testing and installation of standard software products on devices
- compliance testing of software upgrades with NHS national digital services on devices
Infrastructure
To include:
- Managed GP IT devices are provided to practices as necessary for the practice to operate the digital services set out in appendix 1 – table (i) summary of services within the ICB practice agreement.
- The devices will be provided to the practice in accordance with the ICB GP IT asset management policy.
- Managed GP IT devices must be compliant with the WES-GP.
- No unsupported operating system should be used.
- Managed GP IT devices must use a supported operating system – all Windows 10 operating systems must be replaced with Windows 11 operating system before October 2025.
- Windows operating systems must be managed through the Windows managed service which must include installation of Microsoft Defender for Endpoint (MDE), operational and attributed to the responsible organisation (ICB).
- Any configuration exceptions – for example, earlier (unsupported) versions of Windows, or in scanning folders or files – must be based on a documented local risk assessment.
- A custom support agreement (CSA) must be in place (at local cost) for any managed GP IT device(s) still requiring the use of Windows versions beyond their end of support dates where this is for an unavoidable specified purpose.
- An ongoing replacement programme for NHS-owned GP IT equipment which identifies and replaces hardware subject to availability of funds where it has reached its service life.
- This will include assessment, procurement, rollout, asset tracking and secure disposal as required in the ICB GP IT asset management policy and the GP IT equipment asset management service.
- The ICB will have a budgeted plan which supports the managed GP IT device replacement programme and meets the requirements of the ICB GP IT asset management policy.
- GP IT equipment is expected to be funded through NHS capital funds, although ICBs are free to use other appropriate funding sources.
Systems and applications
To include:
- applications, browsers and operating systems which are not supported or maintained by the supplier must not be used on managed GP IT infrastructure
- a capability for the central control of desktop security, patch control, access and software installation across the managed GP IT infrastructure
- to ensure the current version of the IA client (v2.4.6.0) is installed
- installation of new desktop components as required to access new NHS applications and services that support NHS Care Identity Service 2 (CIS2)
Practice responsibilities
The individual practice is responsible for:
- providing consumables – for example, for printers and other operating requirements – to equipment manufacturer’s standard, or to any standard specified in the WES-GP
- ensuring software, browsers and operating systems not supported or maintained by the supplier are not used on managed GP IT infrastructure
- ensuring the physical security, protecting against loss, theft or damage and power supplies for NHS-owned GP IT equipment on supported premises
Applicable standards:
- NDG standard 8
- Information security management: NHS code of practice
- NHS England: data security standard 9: IT protection
- Spine WES
Applicable guidance:
Recommendation: a local SLA should be based upon an agreed desktop estate volume.
Other controls:
- ICB GP IT asset management policy
- ICB GP IT warranted environment specification (WES-GP)
- Windows 10 support ends on October 14, 2025 – Microsoft Support
Assurance:
- DPCMA: IND 14.0, IND 15.0, IND 34.0, IND 58.0
GP IT equipment asset management
version: 6.01
Requirement
Asset management and disposal of all NHS-owned GP IT equipment.
Service and asset management of all managed GP IT devices.
Activity tracking for all managed GP IT devices and connected GP IT devices.
A robust asset management database, recording the above, which is accessible by the GP IT service desk.
Out of scope
Practice or third party owned devices, leased IT equipment, personal devices and medical devices which are not connected GP IT devices.
IT equipment defined under general practice business requirements.
Devices and asset management process requirements

The following processes are required:
Capital asset management processes will be required:
- for NHS-owned GP IT equipment where purchased with capital funds
Asset disposal processes will be required:
- for NHS-owned GP IT equipment
Device service and asset management processes will be required:
- for NHS-owned GP IT equipment
- for practice owned GP IT equipment which is a managed GP IT device
- for third party devices which are managed GP IT devices
Device activity tracking processes will be required:
- for NHS-owned GP IT equipment
- for managed GP IT devices including
- for managed GP IT devices
- for practice-owned GP IT equipment which is connected to the managed GP IT infrastructure (a connected GP IT device)
- for third party devices which are connected to the managed GP IT infrastructure (a connected GP IT device)
- for a medical (connected) device
- for a personal device connected to managed GP IT infrastructure as a BYOD
No asset management processes are required:
- for personal devices which are not connected to managed GP IT infrastructure – that is, not BYOD
- for medical devices or third party provided devices which are not connected to the managed GP IT infrastructure
Transactional support services
Availability: standard service hours
All managed GP IT devices will be:
- managed in compliance with the ICB GP IT asset management policy
- compliant with the WES-GP
- recorded individually in the asset management database which must be accessible by the GP IT service desk providing support for those devices. This will include:
- unique device identification (for example, asset tag)
- device description and model number
- deployment(s) to practice organisation
- deployment(s) to supported premises (or remote access use)
- decommissioning and disposal actions for the device
- where the device is NHS-owned GP IT equipment, include:
- where applicable, the device as a capital GP IT asset, including (as a minimum) the age of the asset (date of procurement) and the value of the asset (at procurement)
All connected GP IT devices will be:
- identified individually when connected to the managed GP IT infrastructure and recorded in the asset management database which should include as a minimum:
- device identification
- its location (supported premises)
- subject to control on access to the managed GP IT infrastructure so that security risks in devices can be managed
All NHS-owned GP IT equipment to be decommissioned will be either:
- disposed of
- re-deployed
- considered for social value, as part of the commitment to deliver a net zero NHS, despite reaching full capital depreciation and no longer deemed usable for NHS use
All devices with data storage to be decommissioned must be included.
All NHS-owned GP IT equipment disposed of will:
- be recorded in a robust audit trail of equipment re-deployment and disposal within the asset management database
- be disposed in compliance with the ICB GP IT asset management policy
- be disposed through authorised compliant contractors for disposal
- have certificates of disposal retained
- require compliance with the Waste electrical and electronic equipment (WEEE) regulations (2013).
- ensure any requirements relating to the disposal of NHS capital assets are followed; for example, disposal to a third party only after the end of the capital depreciation period
All NHS-owned GP IT equipment re-deployed will:
- be recorded in a robust audit trail of equipment re-deployment and disposal within the asset management database
- be re-deployed in compliance with the ICB GP IT asset management policy
- ensure cyber and data security on re-deployment
- be compliant with the WES-GP
All NHS-owned GP IT equipment with social value donated to charitable organisations will:
- be recorded in a robust audit trail of equipment re-deployment and disposal within the asset management database
- ensure safeguards on cyber and data security by ensuring devices capable of storing patient information are properly sanitised using a service or product certified by the National cyber security centre under commodity assurance services (CAS-S)
- record the appropriate certification
- ensure all NHS procured software under license is uninstalled
- in the case of mobiles, have any associated subscription-based services, for example to access VPNs or cellular data networks, cancelled, removed or deactivated (with SIMs recovered if required)
- for disposal – recipients/beneficiaries must, as part of any transfer, agree to eventually dispose of the hardware in compliance with the Waste electrical and electronic equipment (WEEE) regulations (2013) and the net zero policy
- for liabilities – as a condition of the transfer/donation, the NHS or ICB is released from any responsibility, risk or liability arising from the devices, including any use or misuse, performance and functions, future defects and faults
- ensure that the selection of recipients/beneficiaries complies with equality, diversity and inclusion regulations
- be publicised and accounted for separately in the ICB net zero reports
- ensure any requirements relating to the disposal of NHS capital assets are followed; for example, disposal to a third party only after the end of the capital depreciation period
Specialist support services
Availability: standard service hours
Support the ICB in the development of the ICB GP IT asset management policy.
Systems and applications
Software, browsers and operating systems not supported or maintained by the supplier must not be used on managed GP IT devices.
Practice responsibilities
The individual practice is responsible for:
- providing consumables – for example, for printers and other operating requirements – to any standard specified in the GP IT warranted environment specification (WES-GP) or as otherwise specified by the manufacturer of the equipment
- taking all reasonable steps to ensure the physical security of NHS-owned GP IT equipment, which does not require to be individually insured under practice policies (content insurance), is protected against loss, theft or damage
- ensuring environmental requirements are met within supported premises; for example, air-conditioning, fire suppression and power supply for NHS-owned GP IT equipment
- the disposal of any practice-owned IT equipment, but is advised to seek specialist advice from the ICB on the secure disposal of such IT equipment. ICBs may at their discretion offer practices the use of their commissioned managed GP IT device disposal services
- the use of NHS-owned GP IT equipment by practice sub-contractors
Applicable standards:
Other controls:
- UK general data protection regulation (UK GDPR)
- Data protection act 2018
- ICB GP IT asset management policy
- ICB GP IT warranted environment specification (WES-GP)
- Delivering a net-zero national health service
- Greening government ICT and digital services strategy 2020-2025
- Secure sanitisation and disposal of storage media
Assurance
- DPCMA: IND36.0, IND38.0
Software licence management
version: 6.01
Requirement
All software and operating systems installed and operated on managed GP IT equipment and connected GP IT devices will be licensed and managed.
An electronic licence register which is part of the asset management database and is accessible by the GP IT service desk to support those assets.
Out of scope
Software licences for national digital services are excluded from this requirement.
Software and licence management process requirements

Capital asset management processes will be required:
- for NHS-procured software licences where purchased with capital funds
Software licence management processes will be required:
- for NHS-procured software licences
Software identification and tracking processes will be required:
- for NHS-procured software licences
- for practice-procured software licences where use of these is ICB-approved and are used on a connected GP IT device
- for third party provided software licences where use of these is ICB-approved and are used on a connected GP IT device
- for software not-procured or using external licence (including ‘free’ licence) where these are ICB-approved and used on a connected GP IT device
No software licence management process is required:
- for software licences not NHS-procured and not approved by ICB for use on managed or connected GP IT devices
- for software licences not NHS-procured and used solely on independent GP IT devices
Transactional support services
Availability: standard service hours
NHS-procured software licences will:
- comply with the ICB GP IT asset management policy
- comply with the WES-GP
- be identified by the device on which they are installed or used and recorded in the asset management database, which should include as a minimum:
- licence details
- licensed numbers or volumes
- licence type (for example, per seat or per user)
- version
- expiry date
- contract and support arrangements
- deployment by practice organisation
- deployment by device
- be allocated and controlled, including removal of software/licences on decommissioned devices
- be used in compliance with any licence conditions including organisations eligible to use the licences
Software licences, procured by the practice or a third party, and used on managed and connected GP IT devices will:
- be identified by device on which it is installed or used and recorded in the asset management database, which should include as a minimum:
- software details
- deployment by practice organisation
- deployment by device
- be approved in compliance with the ICB practice agreement requirement on conditions for the use of third party software, and assessing practice requests to use third party software
- be used under a current licence and be supported
Open source and other no-cost software to be used on any managed GP IT device or connected GP IT devices will:
- be identified by the device on which it is installed or used and recorded in the asset management database, which should include as a minimum:
- software details
- deployment by practice organisation
- deployment by device
- be approved in compliance with the ICB practice agreement requirement on conditions for the use of third party software, and assessing practice requests to use third party software
- be permitted for use in a business (non-personal) environment
Specialist support services
Availability: standard service hours
Support the ICB in the development of the ICB GP IT asset management policy and the WES-GP and their assurance.
Specialist support for Microsoft 365, Windows 10 and 11 and MDE deployments.
Systems and applications
All software (including operating systems) used on managed GP IT infrastructure must:
- be approved and recorded on a software licence register as part of the asset management database which must confirm that the software is appropriately and legally licensed for such use and does not present a cyber security risk
- comply with the ICB GP IT asset management policy
- comply with the WES-GP
For NHS-owned GP IT devices, Microsoft 365 will be provided through collaboration licences held by the ICB.
Practice responsibilities
The individual practice is responsible for:
- compliance with terms of the ICB practice agreement on use of third party software, including requesting permission to use third party applications on managed GP IT devices and connected GP IT devices
- ensuring any practice-procured software is licensed and currently supported
Applicable standards:
Applicable guidance:
Other controls:
Assurance:
- DPCMA: IND37.1
Controlled digital environment
version: 6.01
Requirement
The effective and secure management of the GP IT estate and GP digital services requires that there is an accurate and contemporaneous record of the digital environment, the devices using or connected to the managed GP IT infrastructure, and that the desktop estate can be updated and monitored centrally.
Out of scope
- Independent GP IT devices
- Personal devices
Transactional support services
Availability: operational service hours
Practices must notify the ICB when authorised users leave the practice or no longer require IT access, and ensure access is removed within the performance standards for authorised user account management.
This facility will extend to sub-contractors where they are supported.
Specialist support services
Availability: operational service hours
For all managed GP IT devices there must be:
- the capability for the central control of desktop security, patch control, access and software installation for all managed GP IT devices
- devices using Windows 11 operating systems will be managed through the Windows managed service, including installation of MDE, operational and attributed to the responsible organisation (ICB)
- note: Windows 10 operating systems must be replaced with Windows 11 before October 2025
For all connected GP IT devices there must be:
- the capability to identify such devices, including their location (supported premises) when connected to the managed GP IT infrastructure
- the capability to block access by such devices where a security risk is identified
Availability: standard service hours
There will be an accurate and contemporaneous record of the following:
- managed GP IT devices in compliance with the ICB GP IT asset management policy
- connected GP IT devices including medical (connected) devices
- software application licences in use on managed GP IT devices
- approved third party software (see digital services assurance [local])
- supported premises
- supported organisations (practices and others)
- support contracts
- authorised users
Applicable guidance:
- where centralised technologies are deployed assurances should be sought to ensure that the security, performance and resilience of foundation solutions, other DSIC catalogue of frameworks (or successor) services and national digital services are not compromised
Other controls:
- ICB GP IT asset management policy
- WES-GP
- Windows 10 support ends on 14 October 2025 – Microsoft support
Essential infrastructure
version: 6.01
Requirement
The provision, maintenance and support of the necessary infrastructure to deliver core and mandated GP IT services.
Out of scope
To include:
- HSCN-GP
- WiFi-GP
- remote access
- desktop infrastructure and devices
- data processing and storage within hosted and cloud based digital systems provided through an applicable national framework (for example DSIC or HSSF), national digital services, advanced cloud-based telephony and other externally hosted applications
- practice and PCN-based website hosting
Transactional support services
Availability: operational service hours
To include:
- access through GP IT support service desk
- providing break/fix incident and problem resolution
- third party management; for example, for cloud hosting providers
Availability: high severity incident service hours
To include:
- response to high severity incident raised through GP IT support service desk
- supporting practice and ICB business continuity and disaster recovery plans
Infrastructure
Provision, maintenance and technical support of the necessary infrastructure to deliver services to meet core and mandated GP IT capabilities, to include:
- network connectivity:
- network connectivity and access to core and mandated GP IT services as described in this operating model at supported premises
- local network services, including equipment, structured cabling and support in supported premises
- interface between locally managed networks and HSCN-GP, nationally managed services (for example, Windows managed services)
- as practices move to using advanced cloud-based telephony ICBs will provide access to advice and technical support regarding the use of practice network infrastructure and, if applicable, HSCN connections; individual practices remain responsible for the cost of their telephony services, including any additional infrastructure costs
- Data hosting and management:
- access to secure, resilient off-site data storage facilities for all practice electronic patient identifiable data other than that stored in the Digital services for integrated care (DSIC) catalogue of frameworks (or successor) solutions, NHS.net Connect, national digital services and other externally hosted and managed clinical and patient management applications
- these should be cloud-based services compliant with Health and social care data: off-shoring and the use of public cloud services guidance.
- guidance from NHS England cloud centre of excellence should be followed
- data must only be hosted (if outside the UK) within territories deemed to be GDPR adequate by the UK government, as listed by the Information Commissioner’s Office (ICO) international data transfers guidance
- where cloud hosting is not available, ‘local’ hosting in a secure data centre should be used, to a standard not less than tier 2 data centre or as a CREST-assured data centre
- hosting of patient identifiable data within practice premises is not advised and should only be used when the above methods are not available
- following guidance and policy advice as issued to ensure data centres minimise their environmental impact and support the NHS drive to reach net zero
- maximum use should be made of best practice to reduce costs and increase efficiency such as cloud hosting services, server virtualisation and storage area networks
- data storage disaster recovery (DR) plans must be able to support the agreed recovery point objective (RPO)
- storage of non-patient identifiable data, for example as processed by practice business systems, where this is not provided by secure external hosting through a cloud or hosted application, can be offered; although this may not involve patient identifiable data, the loss of or disruption to accessing this data can affect practice business continuity
Practice responsibilities
The individual practice is responsible for:
- use of the managed GP IT infrastructure in compliance with the ICB practice agreement
- the processing, including storage, of practice business systems data (see above)
Applicable standards:
- The GP IT delivery partner and any subsidiary service or infrastructure provider will operate to any prevailing NHS security standards, including the DSPT
- Data centre tier classification (Uptime Institute)
- CREST assurance
- International data transfer agreement (IDTA)
- NHS architecture principles
Applicable guidance:
- NHS England cloud centre of excellence
- NHS cloud security guidance
- NHS and social care data: off-shoring and the use of public cloud services guidance – NHS England
- NHS England green plan guidance document
Other controls:
- HSCN connection agreements
- ICB GP IT asset management policy
Assurance:
- DPCMA: IND39.2, IND 194.0, IND197.1
HSCN-GP
version: 6.01
Requirement
All (supported) practice premises are required to have appropriately-sized HSCN connectivity capable of supporting their current and future business needs.
All procurements for network connectivity to existing and new practice premises (where supported) are required to provide gigabit capable connectivity which is usually delivered either as fibre to the premises (FTTP) services or ethernet leased-line services as available.
At premises where there are high demands on bandwidth and where bandwidth-hungry services (for example, cloud based telephony) are used, upgrades before the end of existing contracts may be required.
The Future connectivity programme in NHS England advises that ICBs and GPs continue to evaluate their network and connectivity needs to ensure they have the maximum bandwidth (gigabit capable) for productivity and efficiency needs.
The provision of HSCN-GP services into remote premises is at the discretion of the ICB.
Out of scope
- Encryption and protection of patient and sensitive data at the application layer
- Local network infrastructure
- HSCN-GP services into any location which is not a supported premises
Transactional support services
Availability: operational service hours
Through GP IT service desk access to third party (HSCN consumer network service provider).
Break / fix incident and problem resolution.
Specialist support services
Availability: standard service hours
Commissioning of HSCN-GP services for practice premises (where supported).
NHS England provides a central service co-ordination function to monitor CN-SP and network performance and co-ordinate response to high severity service issues.
Infrastructure
HSCN is the essential underlying network infrastructure that underpins the use of digital technology in the NHS.
Networking services: management and support for provision of HSCN connectivity and interim legacy transition network services, including connections to main and branch practice sites as per national entitlement.
The HSCN peering exchange provides the highly available points of interconnection for the HSCN CN-SPs and the transition network.
Systems and applications
Advanced network monitoring (ANM) monitors and filters all internet traffic from HSCN providing an advanced malware detection and prevention capability.
Network analytics services – monitors network flow metadata from HSCN to provide advanced threat detection and analytics to the NHS England data security centre.
HSCN-GP connections may be utilised to support advanced cloud-based telephony. Supported premises would need to be served by a HSCN connection that has sufficient bandwidth and is capable of a basic level of quality of service to support the prioritisation of VoIP traffic.
Local CN-SPs can advise on these requirements. This should be factored into plans to provide all supported practice premises with HSCN with access to gigabit connectivity.
Prior to HSCN connections being used for advanced cloud-based telephony, the ICB and HSCN provider (CN-SP) will review:
- existing data services, for example, bandwidth
- changes required to practice premises network infrastructure to support security and quality of service for satisfactory performance of both the telephony service and the practice foundation clinical system
- with the practice, any other requirements for business continuity, for example in case of HSCN connection failure
Individual practices remain responsible for the cost of their telephony services including any additional infrastructure costs but not HSCN connections.
Practices may choose, at their expense, to install and use a dedicated connection in preference to HSCN-GP and rely on HSCN-GP for backup telecoms connectivity.
Practice responsibilities
The individual practice is responsible for ensuring the practice is covered by an HSCN connection agreement signed on their behalf by the appropriate ICB.
Applicable standards:
- HSCN consumer handbook
- the Standards for HSCN suppliers known as consumer network service providers (CN-SPs)
- HSCN compliance operating model
- HSCN mandatory supplemental terms
Applicable guidance:
- HSCN compliance
- HSCN overlays
- HSCN connectivity options
- HSCN technical guidance
- Further information: HSCNenquiries@NHSdigital.nhs.uk
Other controls:
- HSCN customer connection agreements
- consumer network service providers (CN-SP) compliance documents required by NHS England
- local contracts between commissioners such as ICBs and CN-SPs
- if shared, local arrangements with partners (for example, support and any associated funding)
Service availability:
- 99.95% minimum availability (as per ISO 27001)
Assurance:
- Suppliers of HSCN services (consumer network service providers, CN-SP) are assured and accredited by NHS England as being compliant with HSCN standards
- The CN-SP has to demonstrate that the network solution provided to the consumer is correctly configured, allows the appropriate routing to the agreed HSCN end points and supplies the agreed capacity to the HSCN consumer
- It is important that access to any national and local applications used by a site are identified and tested as part of migration
- DPCMA: IND213.1, IND213.2
WiFi-GP
version: 6.01
Requirement
Secure, stable, and reliable wi-fi access for practice staff, other NHS staff and patients in practice premises (where supported).
The wi-fi GP service within practice premises (where supported) will enable:
- guest wi-fi
  - patients to access NHS online public facing services and the public internet (subject to filtration), free of charge for personal purposes
  - practice staff, other authorised users, other NHS staff and practice visitors to access the public internet (subject to filtration), free of charge for personal and (NHS related) work purposes
- practice wi-fi
  - practice staff, other authorised users to access the managed GP IT infrastructure
  - practices to connect wireless enabled devices for example medical (connected) devices to the internet or managed GP IT infrastructure as necessary
There is a capability to support roaming.
Provision of wi-fi GP into remote premises is at the discretion of the ICB.
Out of scope
- End user or patient chargeable services arising from the use of the service (there should be no cost to end users and patients).
- Wi-fi service in any location which is not a supported premises.
- Wi-fi services in personal domestic premises or mobile data access when used for remote access.
Transactional support services
Availability: operational service hours
Adequate support arrangements as outlined in the NHS wi-fi-GP technical and security policies and guidelines are in place
Specialist support services
Availability: standard service hours
Provision of usage information to ICB commissioners.
Infrastructure
Appropriate wi-fi-GP services for practices ensuring:
- a secure, stable, and reliable wi-fi capability within practices
- national wi-fi GP security standards are followed
- wi-fi GP service usage does not impact on core practice activities in particular performance of foundation solutions and NHS national systems
- there is compliance with NHS data security and protection requirements, including appropriate content filtering
Systems and applications
Software, browsers and operating systems not supported or maintained by the supplier or unsupported devices must not be used to access the wi-fi GP network in the practice.
A wi-fi landing page.
Applicable standards:
Assurance:
- DPCMA: IND171.0
Electronic messaging for direct patient communication
version: 6.01
Requirement
Electronic messaging for direct patient communication.
The ability for practices to communicate short messages to patients, for example:
- reminders of forthcoming appointments
- requests to patients to make an appointment, for example for immunisations, routine reviews or blood tests
- notifications of ‘missed’ appointments (DNAs)
- notifications of test results
The ability to support secure electronic communications as required in the GP contract.
Out of scope
The use of electronic messaging for requirements other than above, such as local surveys, is discretionary.
Transactional support services
Vendor via local helpdesk.
Systems and applications
Provision of electronic messaging functionality for direct individual patient communication, to be used for clinical and associated administrative purposes.
The NHS App will become the default patient online solution and, through NHS Notify, will provide practice to patient digital communications and notifications. Solutions should be enabled to integrate and use NHS Notify.
As NHS App take-up increases, NHS Notify will utilise inbuilt NHS App messaging, reducing requirements for local SMS contracts.
Specialist support services
Support for practices (through the IG and DPO service) for the preparation of DPIAs where required (see below) for electronic messaging. This may be provided as a shared activity across multiple practices.
Transition plan
ICBs and practices should develop and implement a transition plan to increase the use of NHS App to reduce or remove the use of local SMS contracts.
Practice responsibilities
The individual practice is responsible for the following: where electronic messaging is used to support the processing of special category (sensitive) data, including 2-way communications between patients and the practice, a DPIA should be completed and regularly reviewed.
Other controls:
- Privacy and Electronic Communications Regulations
- UK general data protection regulation (UK GDPR)
- Data Protection Act 2018
- Accessible information standard – using email and text messaging for communicating with patients – guidance
- compliance with digital token definition for use of SMS for paper token replacement for non-nominated prescriptions
Assurance:
- DPCMA: IND9.1
Remote access
Version: 6.01
Requirement
To support remote personal working, authorised users have secure access outside the supported premises to the clinical systems as necessary to support patient consultations, and access to other core digital services, for example NHS.net Connect. This includes any necessary remote access IT infrastructure. The options for remote access are described below.
To support resilience and business continuity requirements, the service(s) provided should be available to support at least 60% of normal operational capacity working remotely.
Out of scope
Any remote access solutions not part of the managed GP IT infrastructure.
Infrastructure; for example, broadband connections, routers, wi-fi, cabling in locations which are not supported premises – for example, personal domestic residence or mobile location.
Infrastructure and remote access within supported premises.
Telephony access (see separate requirements).
Mobile data and voice connectivity to equipment which is not a managed GP IT device (for example, personal smartphone).
Application of health and safety (including DSE and PAT) regulations for remote personal working.
Transactional support services
Availability: operational service hours
Provision, maintenance and support of the necessary technology and supporting infrastructure to deliver remote access to the clinical system for consultation purposes.
Support will be available through the GP IT support service desk during operational service hours (unless other support arrangements are made specifically to support remote access provision).
Where managed GP IT devices are provided (see option 1 below):
- This includes provision, maintenance and support (remote and return to base) for applications and managed GP IT devices including portable devices necessary to support clinical system access.
In all cases:
- the use of computing systems (including portable devices) for remote access is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access
- all remote access solutions should be protected by multifactor authentication (MFA), particularly privileged accounts or accounts with administration rights; any exceptions to the use of MFA must be documented and risk assessed, with sign-off or acceptance of the risk at a relevant board
Remote access will be provided by one of the two options described below, or a combination of both:
Infrastructure – option 1
Availability: operational service hours
Managed GP IT devices (for example, desktop or portable device or other endpoint) are provided which:
- have all software necessary for the role (as native application or in a virtual desktop infrastructure [VDI] service) together with a means of secure VPN access and a smartcard reader
- are provided and managed in compliance with the ICB GP IT asset management policy; they will be asset managed as described above.
- will be prepared and configured in compliance with the WES-GP; this will include:
  - the managed GP IT device is locked down and well managed; users must not be able to install unlicensed or unauthorised software or change critical settings
  - encryption to NHS standards on all portable devices (NHS England: data security standard 9: IT protection)
  - connections from the managed GP IT device to HSCN and the practice clinical system using public network services (internet) must be encrypted to approved NHS standards
A refresh programme (for portable NHS-owned GP IT devices) to include:
- a portable device replacement programme which identifies and replaces hardware subject to availability of funds where it has reached the end of its service life; this will include assessment, procurement, rollout, asset tracking and secure disposal as required in the ICB GP IT asset management policy
- the ICB will have a budgeted plan which supports the portable device replacement programme and meets the requirements of the ICB GP IT asset management policy
- GP IT equipment, including portable devices, is expected to be funded through NHS capital funds, although ICBs are free to use other appropriate funding sources
Infrastructure – option 2
Availability: operational service hours
Personal devices (also known as bring your own device – BYOD). Where personal devices/BYOD are used:
- a virtual desktop infrastructure (VDI) service will be provided allowing access to the clinical systems as necessary with a means of secure VPN access and a smartcard reader
- only NHS applications approved for use over the public internet (see internet first policy) may be used on the device (for example, web accessed NHS.net Connect, not a local email programme such as Outlook) unless they are used through a VDI service
- when used within supported premises BYOD equipment may only connect to the managed GP IT infrastructure using the public WiFi-GP service
- smartcard readers should be provided as required
- an assurance process must be in place to ensure the personal devices are sufficiently secure including broadband firewall, secure wi-fi, anti-virus software, dedicated user account, patch management and operating system updates
- mobile application management (MAM) and mobile device management (MDM) should be considered
- an ICB BYOD policy must be in place which includes cyber and data security, software licensing and ownership, data storage, support, data and security breaches, loss of device, and termination; staff cannot be mandated to use their personal devices for NHS purposes
Remote access solutions must not be used which bypass or otherwise reduce the effectiveness of the security measures provided within the DSIC catalogue of frameworks (or successor) solutions, the national digital services and the managed GP IT infrastructure (including authentication using NHS smartcard or any approved alternative/replacement).
Specifically, remote access solutions must not be provided or supported which use a personal device (portable or desktop) to access clinical systems using either:
- client software installed on the personal device
- desktop sharing software, that is remote desktop protocol (RDP) or equivalent to remotely access a host device; for example, in the practice
Systems and applications
Where online consultations or video consultations are carried out, secure access to accredited applications is required.
Software, browsers and operating systems not supported or maintained by the supplier must not be used on NHS managed infrastructure.
Practice responsibilities
The individual practice is responsible for:
- compliance with the conditions for remote services outside practice premises as described in the GP contract; ensuring remote digital access to patient details and online, telephone or video consultations take place in a confidential environment with controlled access to the digital equipment used for these functions
- compliance with the requirement (above) in the operating model on limitations on the use of remote access solutions
- compliance with NHS and local information security standards and policies
- following NHS England advice on using online consultations in primary care including:
  - working collaboratively with local IT/technical teams to understand network issues, explore technology options and then with local data protection officers (DPO) and clinical safety officers (CSO) for using technology within information governance, data security and clinical risk management guidelines
  - robust measures for patient and carer verification and authentication are in place
- health and safety regulations (including DSE, PAT and WTD) will include remote personal working (see practice business requirements)
Applicable standards:
- NDG standard 8
- Information security management: NHS code of practice
- NHS England: data security standard 9: IT protection
- NHS.net Connect acceptable use policy
- Working safely with display screen equipment
- Using online consultations in primary care: implementation toolkit
Applicable guidance:
- Recommendation: the local SLA is based upon an agreed portable device estate volume or number of remote access authorised users.
Other controls:
Assurance:
- DPCMA: IND33.10, IND33.9
Medical (connected) device support
version: 6.01
Requirement
Support for equipment and devices required specifically for diagnostic or clinical treatment purposes (for example specialist cameras, physiological measurement devices) used in the supported premises and which is connected or uses the managed GP IT infrastructure.
Out of scope
Provision and ownership of this equipment.
Support for equipment which is not connected to or does not use the managed GP IT infrastructure.
General maintenance and upgrade of this equipment.
Transactional support services
Availability: operational service hours
Supporting installation – that is, connection of the medical connected device in the supported premises.
Encryption to NHS standards on all portable devices (NHS England: Data security standard 9: IT protection).
Installation of software required to operate the medical (connected) device or which constitutes the medical device, on managed GP desktop estate.
Specialist support services
Availability: standard service hours
Action and/or advice to the practice in response to a cyber incident, for example isolating the medical (connected) device.
Advice on selection and procurement of medical (connected) devices with reference to the standards required in this operating model. The Digital technology assurance criteria (DTAC) should be used. Note: DTAC is applicable to each product, not the provider organisation.
Infrastructure
Connection of the medical connected device to the managed GP IT infrastructure including networking services, WiFi-GP and desktop computing.
Technical measures as required to cyber protect the devices.
All managed GP IT infrastructure which the connected medical device uses or connects to is controlled and protected as described elsewhere in this operating model.
Systems and applications
Software, browsers and operating systems not supported or maintained by the supplier must not be used on managed GP IT infrastructure.
Practice responsibilities
The individual practice is responsible for:
- provision and replacement of medical connected devices in the supported premises
- procurement of medical connected devices using an applicable national framework or the procurement standards checklist
- ensuring the specialist maintenance and support of medical connected devices in accordance with manufacturer’s recommendations
- providing consumables; for example, for printers and other operating requirements to medical connected device manufacturer’s standard
- ensuring software, browsers and operating systems not supported or maintained by the supplier are not to be used on NHS managed infrastructure
- ensuring requirements issued by the GP IT provider regarding IT compatibility and cyber security are followed; for example, anti-virus software
Applicable guidance:
- Guidance on protecting connected medical devices
- Guidance on procuring and deploying connected medical devices
- Medical devices: software applications (apps)
- Respond to an NHS cyber alert service
- Software and AI as a medical device change programme
- Regulating medical devices in the UK (gov.uk)
Assurance:
- DPCMA: IND203.0
Category 5c: GP IT enabling requirements – organisation and staff support
Business continuity and disaster recovery planning
version: 6.01
Requirement
Ensuring disaster recovery and business continuity plans are in place and managed for systems and infrastructure relevant to GP IT services.
Supporting practice business continuity plans.
Out of scope
Disaster recovery and business continuity plans for national digital services and for DSIC catalogue of frameworks (or successor) services will be managed nationally, although these should be referenced as third party services in plans produced under this requirement.
Specialist support services
Availability: standard service hours
For GP IT enabling services:
- the business continuity management system (BCMS) scope must include all GP IT enabling services provided and must ensure equivalent assurance is in place for any services sub-contracted by the provider
- business continuity plans must include considerations of the impact of and response to:
  - high severity incidents including cyber security and NIS-reportable incidents and personal data breaches
  - climate change and other environmental events, for example flooding, heatwaves, supply chain disruption, energy security and civil infrastructure failures
- business continuity plan response will be based on a recovery time objective (RTO) of not more than 48 (actual) hours for essential services
- business continuity plans and disaster recovery plans require review and refresh:
  - at regular intervals (at least annually)
  - following change in key parameters
  - following invocation of the plan(s)
- in the event of the business continuity or disaster recovery plans being invoked where services relevant to essential services were impacted (including IT security threats and incidents), the ICB should receive an initial report within 12 (working) hours of the incident, and a full report – including root cause and remedial actions – within 2 weeks of the incident
- business continuity response for managed GP IT infrastructure must include the capability to isolate affected devices from the network within no more than 48 (actual) hours of a cyber attack.
- Note: systems provided through DSIC catalogue of frameworks (or successor) and national digital services have their own contracted service level specifications
For practices:
- ICBs shall ensure business continuity plans are in place for all practices and are reviewed and approved as required under the ICB practice agreement
- advice and guidance to support the development of the digital element of practice business continuity plans will be available to practices when required
- in the event of a practice business continuity plan being invoked specialist technical support will be available
- practice BCPs will consider the impact on essential digital, IT and telephony services and also the role of digital, IT and telephony technologies in mitigating the impact of critical events
Practice responsibilities
The individual practice is responsible for:
- maintaining a practice business continuity plan (BCP) approved by the ICB as required in the ICB practice agreement and the Primary medical services policy and guidance manual (PGM)
- ensuring the practice business continuity plan includes considerations of the impact of and response to:
- high severity data or cyber security incidents
- personal data breaches (including reporting through NHS DSPT incident reporting tool)
- failure of telephony and online patient communication systems
- climate change and other environmental events; for example, flooding, heatwaves, supply chain disruption, energy security and civil infrastructure failures (in addition to a direct impact in the practice as an organisation these may impact on digital and IT enabling services used by the practice or may require greater use of digital services as mitigation steps)
- pandemic or other major public health events
- recognising responses may require out of premises activities or collaboration with other practices and health providers (which will often need greater access to digital technologies)
- an example template for a practice business continuity plan is available from NHS England South West which can be further augmented with the guidance in this operating model.
- although few digital systems are now hosted within individual practice premises, business continuity planning remains critical; assurances are also required from any third parties commissioned directly by the practice, providing infrastructure and/or data processing services, that they have robust disaster recovery plans.
Applicable standards:
- GP IT enabling services must only be commissioned from organisations which are accredited to ISO 22301 for business continuity management or compliant with the NHS England business continuity management toolkit
- Primary medical services policy and guidance manual (PGM)
- ICB practice agreement
Assurance:
- DPCMA: IND2.0, IND181.0, IND199.1
Cyber security
version: 6.01
Requirement
Cyber security management and oversight, including configuration support, audit, investigation, incident management and routine monitoring, relevant to the services and all managed GP IT infrastructure:
- protective technical and organisational measures to reduce the likelihood and impact of cyber security incidents
- response to and management of NHS cyber security alerts
- reporting and management of NIS notifiable incidents
- disaster recovery and business continuity plans for systems and infrastructure relevant to GP IT services
- supporting practice business continuity plans
Transactional support services
Availability: high severity incident service hours
To include:
- GP IT support service desk must include access for out of hours high severity incident alerting, logging and escalation in accordance with the approved business continuity and disaster recovery plans
- ICBs (and CSUs) are required to register to receive and respond to NHS cyber alerts
- cyber-attacks against general practice essential services are identified and resisted
- urgent out of hours contacts and communication routes for all practices and suppliers should be held by the ICB and regularly maintained. The MHRA central alerting system (CAS) requirement for email and mobile phone contacts for general practices may also allow ICBs to fulfil this requirement for practice contacts. ICBs should ensure practices have registered for this service using a practice generic email account (not an individual account)
- action is taken immediately following a cyber incident with a report made to the senior management within the ICB and the impacted practice within 12 working hours of detection
- the ICB as a category 1 operator of essential service (OES) is required to report any network and information systems incident which has a ‘significant impact’ on the continuity of the essential service that they provide including general practice services they commission. This must be done without undue delay, and in any event within 72 (actual) hours of becoming aware of the incident. This includes incidents affecting essential services within their supported general practices
- high severity incidents / NIS notifiable incidents are not restricted to cyber attacks and may include significant failures of critical infrastructure, for example widespread network failures
- any incident notifiable under the NIS Regulations may also be reportable as a personal data breach under the GDPR reporting requirements. Where this is the case, reporting through the NHS incident reporting tool will ensure that the incident is reported to both the ICO and the DHSC. The affected practices, however, must be informed because, as the data controller, they have legal responsibilities to report and manage the personal data breach. When an incident is reported under both the NIS Regulations and GDPR, the Department of Health and Social Care will work with the ICO to ensure appropriate consistency of approach and avoid unnecessary duplication
- for high severity incidents a lessons learned report (with relevant action plan as appropriate) to be provided to the ICB within 2 weeks of the recorded resolution of the incident on the GP IT support service desk
- the data security centre operated by NHS England offers a range of specialist services that help health and care organisations manage cyber risk and recover in the event of an incident
- in the event of a national cyber incident being formally declared (for example by the NHS England data security centre) all parties will fully cooperate and support all actions required by NHS England resilience team, the NHS England data security centre, or any party with delegated authority. This may include providing urgent out of hours access to premises, digital systems and equipment
- the ICB and its commissioned GP IT delivery partner(s) will ensure full cooperation in high severity cyber incident management and invocation of national and local business continuity and disaster recovery plans
Specialist support services
Availability: standard service hours
Infrastructure
A cyber security service will be available to all practices encompassing all managed GP IT infrastructure and systems to ensure:
- provision of necessary IT security / cyber evidence to support DSPT for general practice
- audit and investigative services are available
- specialist cyber security advice is available
- there is a shared HSCN-GP security contact for practices
- monitoring to identify dormant accounts for authorised users staff and operate a process to archive and disable these. Provide practices with a facility to notify the GP IT delivery partner when authorised users leave the practice organisation or no longer require IT access, and ensure access is removed within the performance standards for authorised user account management (NDG standard 4)
- use of Microsoft Defender Advanced Threat Protection (MDATP) to monitor the Microsoft Windows operating system on managed GP IT devices (PC, laptop or server) with MDE installed to identify any indicators of cyber security compromise or attack
- the managed GP IT infrastructure is subject to penetration testing to NCSC standards at least annually. The scope of the penetration testing must be agreed by the ICB SIRO (or equivalent officer) and must include:
  - checking that the default password of network components has been changed
  - all webservers, on the managed GP IT infrastructure, that practices utilise
- under the business continuity response for the managed GP IT infrastructure the capability to isolate affected devices from the network within no more than 48 (actual) hours of a cyber attack.
- Note: systems provided through DSIC catalogue of frameworks (or successor) and national digital services have their own contracted service level specifications
ICBs must ensure there are appropriate governance arrangements for example policies and audits to provide assurance on the following:
- administration access rights for Active Directory configuration and services relevant to the managed infrastructure used by the practice must be strictly controlled to a limited number of named and technically qualified individuals as part of the overall managed infrastructure management
- administration access rights for Microsoft 365 should align to those for Active Directory
- administration access rights for network configuration and equipment (for example routers, switches, firewalls, wireless access points etc) must be strictly controlled to a limited number of named and technically qualified individuals as part of the overall managed infrastructure management
- generic (that is, not assigned to an individual) administrator accounts must not be used
- authorised users are not able to install software applications or active devices onto the GP IT-managed infrastructure unless given specific technical support access subject to conditions set out in the ICB GP IT systems access policy
Systems and applications
Password managers and single sign-on (SSO) technologies can be provided or supported subject to prior security assessment. Where used these tools should augment existing security and authentication controls and should not be used to bypass or reduce the effectiveness of accredited multi factor authentication (MFA) controls (for example, NHS smartcards). NCSC provides guidance on password managers.
The same sign-on solution for NHS.net Connect may be implemented (see NHS.net Connect administration and support).
High severity cyber alert notifications
ICBs must ensure:
- cyber alert notifications are acted on in line with national guidance. Action on high severity cyber alerts is evidenced through the NHS cyber alert service
- confirmation is given within 48 hours that plans are in place to act on high severity cyber alerts
- a response should be completed within 14 days of the alert being issued
- a primary point of contact for the ICB or its GP IT delivery partner to receive and co-ordinate your organisation’s response to cyber alert notifications is registered
Note: action might include understanding that an alert is not relevant to your organisation’s systems and confirming that this is the case
Cyber assurance
Where the GP IT delivery partner is an eligible organisation (such as a CSU or NHS trust) it is recommended they register for the cyber assurance service which provides centrally funded assessments to help NHS organisations identify vulnerabilities and understand and overcome areas of high risk.
Where the GP IT delivery partner is an eligible organisation (that is: a CSU, ICB, or NHS trust) it is recommended they register for the vulnerability monitoring service, a scheduled and regular non-intrusive external vulnerability scan using a supplied range of IP addresses to assess vulnerabilities.
These will help the organisation achieve DSPT standards.
Organisational awareness
ICBs must ensure their commissioned GP IT delivery partner(s) have allocated senior level (for example, director or equivalent) responsibility for cyber and data security within their organisation.
ICBs, as responsible commissioners of GP IT services, should have board level awareness of cyber security, including undertaking nationally recommended cyber security training.
Eligible organisations are encouraged to make use of NHS England’s cyber security support model services.
Supporting projects
Advice for practices and the appointed project teams on cyber security considerations where projects involve:
- change of foundation solution for the practice (including data migration activities)
- significant estate developments and new builds
- deploying new technologies
- practice and PCN websites
- although practices remain responsible for providing their own practice website (or online practice profile) ICBs will provide:
- assistance for the practice as an NHS organisation to secure an NCSC web check for the practice website with the NCSC, to check for website vulnerabilities resulting from misconfigurations or software flaws which might be exploited by an attacker
Practice responsibilities
The individual practice is responsible for:
- a named partner, board member or equivalent senior employee within the practice to be responsible for data and cyber security in the practice. This requirement further defines practice obligations within the ICB practice agreement to identify the person with lead responsibility for IT matters in the practice. The ICB as commissioner of GP IT services will be responsible for providing specialist support to this role but each practice remains accountable
- fully co-operating with an on-site cyber security assessment if invited to do so and acting on the outcome of that assessment, including implementing any recommendations where applicable to the practice
- providing urgent out of hours contacts and communication routes as well as access to premises, digital systems and equipment outside normal working hours
- when a cyber security incident takes place, quickly establishing if a personal data breach has occurred (in accordance with UK GDPR) and, if so, taking prompt steps to report and manage this (see information governance and support)
- assurance through the general practice DSPT which each practice is required under the ICB practice agreement to complete annually
- ensuring all staff have an appropriate understanding of information governance and cyber security as outlined in the DSPT training requirement
Applicable standards:
- National cyber security centre (NCSC) approved penetration testing
- NDG standards 6, 7, 8, 9
- Data security standard 9 IT protection (NHS England)
- Data security and protection toolkit (DSPT)
- Information security management: NHS code of practice
- GP IT enabling services must only be commissioned from organisations compliant with the following standards:
- NHS information governance – to demonstrate satisfactory compliance as defined in the NHS DSPT for the relevant organisation type annually
- Accreditation to cyber essentials plus (CE+)
- Registered for NHS England cyber alert service and high severity cyber alerts
Other controls:
- UK general data protection regulation (UK GDPR)
- Data Protection Act 2018
- ICB GP IT systems access policy
- Primary medical services policy and guidance manual
Applicable guidance:
- NCSC password manager guidance
- NCSC supply chain cyber security guidance
- Good practice guidelines for GP electronic patient records
Assurance:
- DPCMA: IND8.1, IND181.0, IND183.1, IND176.0, IND201.4
NHS.net Connect administration and support
version: 6.01
Requirement
The local administration of NHS.net accounts which are provided to all practices as a national digital service.
Out of scope
- National NHS.net Connect service desk.
- Support for email solutions other than NHS.net Connect.
- Independent registration for NHS.net Connect by GP locums and GP federations.
- Registration and support for third party staff or organisations (unless the email account is created within the practice NHS.net Connect organisation unit for specific staff to use solely in direct support of the practice).
Transactional support services
Availability: standard service hours
To include:
- creation and deletion of authorised user email accounts
- password resets, account unlocking etc
- setting up shared mailboxes and enabling distribution lists
Specialist support services
Availability: standard service hours
To include:
- providing local administrator support for example for access and support for NHS.net Connect, support for migration from local email services to NHS.net Connect
- provide practices with a facility to notify the GP IT delivery partner when authorised users leave the organisation or no longer require NHS.net Connect access, and ensure access is removed within the agreed performance standards for user account management
- support GP locum use of NHS.net Connect where the email account is created within the practice NHS.net Connect organisation unit in support of the practice
Systems and applications
The same sign-on solution for NHS.net Connect may be implemented to:
- allow the same password to be used to access local workstations, NHS.net Connect services, applications using NHS.net Connect single sign on and Azure Active Directory
- ensure the application of a single password policy for both NHS.net Connect and local Active Directory (AD)
- align password expiry dates between NHS.net Connect and local Active Directory
Practice responsibilities
The individual practice is responsible for:
- ensuring NHS.net Connect is the primary email system for practices
- authorising creation and removal of NHS.net accounts belonging to their practice organisation within NHS.net Connect
- ensuring the security of any data held in NHS.net accounts registered under the practice organisation, and for the correct removal or archiving of such data when any practice staff member leaves the practice or an authorised user no longer requires access to a practice NHS.net account
- ensuring the practice has at least 1 securely managed and frequently monitored (at least once daily) NHS.net account to receive clinical documentation
- ensuring practice staff and other authorised users follow NHS.net Connect acceptable use policy and advice on cyber security in their use of NHS.net Connect; for example, phishing, spam etc
- ensuring personal, sensitive or confidential information is never sent by NHS.net Connect unless:
- it is sent to another NHS.net account
- or an email account with the same security accreditation standards (see DCB1596: secure email)
- or sent as an encrypted email to a non-secure email address
- where the practice chooses to use an alternative principal email service to NHS.net Connect it is compliant with DCB1596: secure email and will not be funded or supported under this operating model
Where NHS.net Connect is used as part of 2-way written communications with patients, encryption must be used.
Applicable standards:
Applicable guidance:
- NHS.net Connect support portal
- Sending sensitive information to non-secure email addresses (including patients)
- GP locum arrangements for accessing NHS.net Connect
- Registering GP (group of general practices) federation – NHSmail support
- Registering a primary care network (PCN) – NHSmail support
- Good practice guidelines for GP electronic patient records – NHS mail
Information governance support
version: 6.01
Requirement
Information governance support, guidance and advice to support practice compliance with common-law duty of confidence, records management, information security, DSPT, Data Protection Act 2018, UK GDPR and Caldicott principles and to ensure all devices and systems are managed and used in a secure and confidential way.
Individual practices remain responsible for information governance and data protection but must have access to the support of a specialist information governance service and qualified information governance staff to support them discharge this responsibility.
Out of scope
- Legal advice.
Transactional support services
Availability: standard service hours
Personal data breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Breach reporting is mandatory for all organisations.
All health and care organisations, regardless of whether they are in scope of the NIS regulations, are required to report GDPR breaches through the DSPT. This includes breaches relating to network and information systems.
A network and information systems incident that disrupts the delivery of health and care, or compromises the confidentiality of health and care data, is likely to risk the rights and freedoms of individuals.
Such incidents should be reported through the DSPT in line with UK GDPR requirements even where there is not a requirement to report the incident under the NIS regulations.
Any data breach (or near miss) of practice patient personal information will require actions by one or more of the following:
- the individual practice – as data controller
- national NHS commissioned suppliers of GP digital services as data processor(s)
- local ICB commissioned GP IT delivery partner – as data processor and as specialist support service to practice
- local health and social care providers where data has been shared – as data processors
- any digital services supplier commissioned by the practice – as data processor
- any practice sub-contractor – as data processor
ICBs will ensure practices are supported with:
- the provision of advice and/or support to practices on the investigation of possible information security breaches and incidents
- advice on personal data breach assessment, management and reporting in line with national guidance via the incident reporting tool within the DSPT
- advice on post-incident reviews and recommended actions or practice implementation
- to lead or direct data breach reviews and investigations where highly specialist knowledge is required or complex multi-party issues are involved
- ICBs will require commissioned GP IT delivery partners as data processors where the breach involves data processing activities for which the GP IT delivery partner is responsible to:
- take action immediately following identification of a data breach or a near miss, promptly alerting the practice as data controller, with a report made to the senior management within the ICB and the practice within 12 (working) hours of detection
- provide a lessons learned report (with relevant action plan as appropriate) to the ICB within 2 weeks of the recorded resolution of the incident on the service desk
Specialist support services
Availability: standard service hours
IG policy support
Support for the production and maintenance of local information governance policies and procedures for practices.
Provision of advice and support to practices on approval, ratification and adoption of the policies for their organisation.
Support for DSPT compliance
Provide advice and guidance to practices on how to complete the DSPT, including the collection and collation of evidence in support of DSPT submissions and resolving failure to meet DSPT standards.
Provide practices with evidence required for DSPT where this is held by the ICB or its commissioned GP IT delivery partner(s).
IG consultancy and support
Provision of advice, guidance and support on IG related issues, including existing operational processes and procedures or new business initiatives.
Advice and guidance on personal data access (but not extending to legal advice).
IG advice and data protection officer (DPO) support
Provision of advice, guidance and support on IG related issues, including existing operational processes and procedures or new business initiatives, to support practice designated data protection officers.
To include:
- specialist advice on UK GDPR matters and compliance
- advice to support practices develop and maintain best practice processes that comply with national guidance on citizen identity verification, including Patient online services in primary care – good practice guidance on identity verification, that underpins the delivery of NHS App and patient online solutions, and assurance requirements as these are developed
- advice to support practices achieve mandatory compliance with the National data opt-out policy
DPO function
Availability of a named DPO, in addition to DPO support and advice, for practices to designate as their data protection officer. As data controllers and public authorities, practices are legally required to designate a DPO. The function is supportive and advisory; practices remain responsible for data protection.
Practices may choose to make their own DPO arrangements, but ICBs are not expected to fund these if a DPO service has been offered by the ICB.
Reviews
Support practices and their DPO to review at least annually to identify and improve processes which have caused breaches or near misses, or which force authorised users to use workarounds which compromise data security. This may, for example, be a facilitated workshop at ICB level which would encourage shared learning.
Supporting projects
Advice for practices and the appointed project teams on IG/DSP, data sharing, data protection impact assessment (DPIA) completion and cyber security considerations where projects involve:
- change of foundation solution for the practice (including data migration activities)
- new initiatives involving sharing patient data with third parties
- merging practices
- closing practices
- significant estate developments and new builds
- deployment of new technologies
This is not an exclusive list. Specialist support for projects beyond general advice, for example preparing data privacy impact assessments, should be resourced as part of the project plan.
Data processing activities
Data processing activities using general practice controlled personal data carried out by local ICB commissioned data processors will be identified and recorded in a data processing agreement in accordance with the digital services acquired and will be regularly reviewed.
Supporting local procurement
The use of the Digital technology assurance criteria (DTAC) may be helpful in local procurement activities.
Practice responsibilities
The individual practice is responsible for:
- reporting personal data breaches in line with NHS guidance using the NHS incident reporting tool within 72 (actual) hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the practice must also inform those individuals without undue delay
- production, approval and maintenance of (and adherence to) their IG and IT security policies, but support will be provided
- submitting a data security and protection toolkit (DSPT) return annually as required under the ICB practice agreement; responsibility for this lies solely with the practice
- under UK GDPR to designate their own data protection officer (DPO), which can be shared. Any practice may decline the commissioned IG advice and DPO service and make their own arrangements although in such circumstances ICBs are not expected to provide funding in lieu of the services offered
- nominating a person with responsibility for practices and procedures relating to the confidentiality of personal data held by the practice
- completion by all practice staff of annual data and cyber security training
- FOIA compliance
- the regular review of internal processes. This should include a review at least annually to identify and improve processes which have caused breaches or near misses, or which force authorised users to use workarounds which compromise data security
- ensuring data protection management and reporting arrangements are in place and formally agreed with any practice sub-contractor
- understanding and complying with UK GDPR and Data Protection Act 2018
- mandatory compliance with the National data opt-out policy
- sourcing any legal advice required to support these activities
Applicable standards:
- Data security and protection toolkit (DSPT)
- NDG standards
- Incident reporting tool for data security and protection incidents within the data security and protection toolkit
As minimum to note and comply with:
- Records management code of practice 2020
- Code of practice on confidential information
- Information security management NHS code of practice
- Staff providing the service should be appropriately trained and qualified to recognised industry standards such as the British Computer Society (BCS) Practitioner certificate in data protection or equivalent level recognised industry standard.
Applicable guidance:
- NHS England information governance resources
- Guide to the notification of data security and protection incidents
- Patient online services in primary care – good practice guidance on identity verification
- Digital technology assurance criteria (DTAC)
- Good practice guidelines for GP electronic patient records
Other controls:
- UK general data protection regulation (UK GDPR)
- Data Protection Act 2018
- DSIC data processing deed (or successor)
Assurance:
- DPCMA: IND158.0
Clinical safety assurance
version: 6.01
Requirement
Clinical safety assurance advice and support. Note this includes patient safety where the use of digital systems by the practice is involved.
Individual practices remain responsible for clinical safety and compliance with clinical risk management: its application in the deployment and use of health IT systems (DCB0160), but must have access to support of a specialist clinical safety assurance service and qualified clinical safety officer(s) to support them discharge this responsibility.
Out of scope
The responsibility and burden of effort for clinical safety assessment and assurance under DCB0129 rests with the system developer. This includes any third party software incorporated into the system. However, when procuring digital services, assurances should be secured from system suppliers that this standard, if applicable, has been met.
- Legal advice
Specialist support services
Availability: standard service hours
To include:
- supporting practices ensure that the necessary standards are met for management of clinical risk in relation to the deployment and use of health software
- advice on compliance with:
- Clinical risk management: its application in the manufacture of health software DCB0129 as part of procurement activities
- Clinical risk management: its application in the deployment and use of health IT systems DCB0160: during clinical system deployment, decommissioning or significant reconfiguration and in business as usual activities
- medical device requirements where a system/software (or part of it) is classified as a medical device
Incident management including:
- supporting and advising practices in the identification of and response to digital related patient safety incidents
- supporting practices reporting patient safety incidents in line with national guidance through the Learn from patient safety events service (LFPSE) provided by NHS England
Supporting projects and clinical system deployments:
Advice for practices and the appointed project teams on clinical safety (DCB0160) where projects involve:
- change of practice foundation solution including data migration activities
- new initiatives involving clinical systems to support different or innovating ways of working
- reconfiguring clinical systems with the potential to bypass or deviate from internal system controls and safeguards
- new clinical systems integrating with the foundation solution
- decommissioning clinical systems eg when merging or closing practices
- deploying new digital technologies
- clinical system procurement including third party assurance
- practices are responsible for applying DCB0160: clinical risk management: its application in the deployment and use of health IT systems when implementing clinical systems in the regular review of business and clinical process. This will ensure patient safety is not put at risk by operational workarounds
- support for projects beyond general advice for example preparing clinical risk management plan, clinical safety case records and hazard reports and supporting procurement activities should be resourced as part of the project plan
Supporting local procurement by:
- advising on the use of the digital technology assurance criteria (DTAC), which will be helpful in local procurement activities
- where ICBs or individual practices procure clinical software or medical devices which interact with the clinical software and patient record from routes other than the DSIC catalogue, assurances should be sought that the supplier has applied, if applicable to the product, current medical device regulations: Medical Devices (Amendment etc.) (EU Exit) Regulations 2020; and the Medicines and Medical Devices Act 2021. Users of such software and medical devices should follow the manufacturer’s instructions for use (IFU). Any change of use needs to be properly assured with the manufacturer’s knowledge/permission, as any “off-label” use will mean that the user has taken on the responsibilities/liabilities of the manufacturer/developer
- where ICBs or individual practices procure clinical software from routes other than the DSIC catalogue of frameworks (or successor) steps should be taken by the procuring authority (namely ICB or general practice) during procurement to ensure the supplier has applied DCB0129: clinical risk management: its application in the manufacture of health IT systems in the development and manufacture of the software
CSO function
- Availability of a named CSO, in addition to clinical safety support and advice for practices to designate as their clinical safety officer.
- The function is supportive and advisory, and practices remain responsible for clinical safety.
- Practices may choose to make their own CSO arrangements, but ICBs are not expected to fund these if a CSO service has been offered by the ICB.
Practice responsibilities
The individual practice is responsible for:
- compliance with DCB0160: clinical risk management: its application in the deployment and use of health IT systems
- reporting patient safety incidents related to digital systems in line with national guidance through the LFPSE provided by NHS England
- registering with the MHRA CAS for both email and mobile phone text alerts. This is a web-based national cascading system for issuing patient safety alerts, important public health messages and other safety critical information and guidance to the NHS and others
- sourcing any legal advice required to support these activities
- meeting clinical safety standards and appointing a qualified CSO which can be shared and which can be provided by the ICB. Any practice may decline the commissioned clinical safety advice and CSO service and make their own arrangements although in such circumstances ICBs are not expected to provide funding in lieu of the services offered
Applicable standards:
- DCB0160: clinical risk management: its application in the deployment and use of health IT systems
- DCB0129: clinical risk management: its application in the manufacture of health IT systems
- LFPSE
- EU Medical Devices Regulations (MDR)
- Staff providing this service must be appropriately trained and qualified to recognised industry standards such as the NHS England CSO practitioner training or equivalent level recognised industry standard
- Clinical risk management: IT
- Digital clinical safety strategy – key tools and information – NHS transformation directorate
- Clinical system migration guide – NHS England digital
Applicable guidance:
- Clinical safety guidance
- Introductory guide to the new MDR and IVDR (MHRA)
- Digital technology assurance criteria (DTAC)
- Regulating medical devices in the UK (gov.uk)
- Medical devices: software applications (apps)
- Clinical risk management: its application in the deployment and use of health IT systems – implementation guidance
- Digital clinical safety strategy – key tools and information – NHS transformation directorate
- Clinical system migration guide – NHS England digital
- Good practice guidelines for GP electronic patient records
Other controls:
- DSIC data processing deed (or any successor)
Assurance:
- DPCMA: IND11.0
Registration authority
version: 6.01
Requirement
An accredited function that carries out the identity checks of prospective authorised users and assigns a digital care identity with appropriate access registration authority profile to the health professional’s role as approved by the practice.
The service will extend to authorised users not directly employed by the practice but where the users require access to the practice clinical systems.
NHS smartcards (physical or virtual) or other approved authenticators are required to access NHS spine information systems and registration authority roles and responsibilities are defined by NHS policy.
Where new authenticators are reviewed and approved the registration authority function will continue to support issuance of approved alternatives.
Given the standards basis of these authenticators it is likely that they will place a greater emphasis on the user behaviour when using the authenticator – that is, users will need to closely manage how they use their authenticator and log out of sessions when leaving a PC unattended.
Ensure practices are aware of their obligations under the care record guarantee to protect patient data and not leave sessions unattended.
Transactional support services
Availability: operational service hours
To include:
- unlocking of NHS smartcards
- position-based access control (PBAC) configuration
Availability: standard service hours
To include:
- issuing of NHS smartcards (including identity checks, printing etc) in accordance with registration authority policy and governance
- providing practices with a facility to notify the registration authority service provider when authorised users leave the practice organisation or no longer require access to the practice clinical systems. Ensure access is removed within the agreed performance standards for user account management
- providing practices with a facility to notify the registration authority service provider when authorised users change roles or otherwise require changes to their access rights through the registration authority. Ensure the changes are made within the agreed performance standards for user account management
Specialist support services
Availability: standard service hours
To include:
- registration authority service including policing access policy and the delivery and management of role-based or position-based access control and issuing of NHS smartcards
- training of practice registration authority managers and sponsors
- training and awareness of how to use new authenticators and the risks when users don’t manage sessions appropriately
- support for software to access national systems, for example Identity Agent, CIS2
- ensuring adherence to access security policy
- advising practice registration authority managers and sponsors of configuration of business functions, completion of documentation and use of registration authority systems (for example resetting PINs)
- involvement in national project roll out such as attendance at project boards to support project delivery
- production of registration authority reports
- supporting the self service registration process – allowing new users to self-register in their own time saving clinical and registration authority time
- utilising the user registration service. This will aid workflow, integration with other services and improved registration authority reporting and capabilities
Systems and applications
- Identity Agent
- CIS
- CIS2
Practice responsibilities
The individual practice is responsible for:
- determining which authorised users (practice and other organisation staff) can access practice data and system functions, and the (system) role of that staff member, through the registration authority process
- designation of a registration authority manager for the practice
- ensuring authorised users’ access to all systems processing patient identifiable data is regularly reviewed and updated by the practice using the NHS registration authority service (or other local practice access controls)
- promptly notifying the registration authority when authorised users leave the organisation, no longer require access to the practice patient data or require a change in their access rights
- ensuring authorised users are aware of their obligations under the care record guarantee to protect patient data, and not leave sessions unattended. As new authentication technology arrives for use, particularly with new market entrants there will need to be a re-emphasis on training and awareness of how to use new authenticators and the risks when users don’t manage sessions appropriately
Applicable standards:
- Registration authority policy v2.5
- NDG standard 4
- Only accredited providers can provide this service
Applicable guidance:
- Registration Authority guidance
- Good practice guidelines for GP electronic patient records – care identity service
- Good practice guidelines for GP electronic patient records – smartcards and access controls
Digital services assurance (local)
version: 6.01
Requirement
A locally developed and maintained catalogue of applications and digital services which have been assured to meet cyber security, information governance, clinical safety and accessibility standards. This will support practice and ICB compliance with the ICB practice agreement and conditions on the use of third party software.
Out of scope
- This is not a local framework agreement or procurement route.
- Procurement process or standards.
- Funding sources, process or standards.
Specialist support services
Availability: standard service hours
To include:
- development of a local catalogue of applications and digital services relevant to needs of local practices and PCNs which meet the standards described in this operating model
- the catalogue should be reviewed regularly (at least annually) or when a system is subject to a significant change. This ensures that suppliers maintain the standards under which a system is commissioned
- where possible the assurance should be based on industry standards and regulated assessments (see below), to ensure consistency of standards and assessments. The digital technology assurance criteria (DTAC) should be utilised when it is applicable to the product, application or service. Note DTAC is applicable to each product not the provider organisation
- practices, PCNs, ICBs and their GP IT delivery partners will have ready access to the catalogue to support product selection and to review existing digital services deployed within the practice, PCN or ICS estate
- ICBs may wish to collaborate on this work to reduce duplication of effort and improve quality
Applicable standards:
- DCB0160: clinical risk management: its application in the deployment and use of health IT systems
- DCB0129: clinical risk management: its application in the manufacture of health IT systems
- EU medical devices regulations (MDR)
- Records management code of practice 2020
- Code of practice on confidential information
- Information security management NHS code of practice
- Cyber assessment framework (CAF)
- Cyber essentials plus (CE+)
- ISO 27018 (security for personally identifiable information in public cloud)
- ISO 9001 (quality management)
- ISO 14001 (environmental responsibility)
- MHRA medical devices: software applications
- Web accessibility initiative (WAI) | W3C
Accredited security testing organisations:
Applicable guidance:
- NHS England information governance resources
- Patient online services in primary care – good practice guidance on identity verification
- Digital technology assurance criteria (DTAC)
- Creating a highly usable and accessible GP website for patients
Other controls:
- ICB practice agreement
- UK general data protection regulation (UK GDPR)
- Data Protection Act 2018
- WES-GP
- ICB GP IT asset management policy
Assurance:
- DPCMA: IND203.0
Digital services procurement support
version: 6.01
Requirement
Supporting ICBs and practices with specialist procurement and technical advice on procuring services described in the operating model, including advice on the procurement of services through the DSIC catalogue of frameworks (or successor).
Out of scope
Funding for the digital service being procured and support for its deployment and implementation.
Specialist support services
Availability: standard service hours
General digital procurement support to include:
- provide strategic procurement advice, recommending collaboration and standard specifications to optimise efficiency and support costs
- advice and assistance in the development of outputs-based specifications to support GP digital procurement projects
- advice on procurement of GP IT enabling services using national frameworks as appropriate
- advice on applicable standards and accreditations for procurement
- ensure the obligations on the data processor to the individual practice(s) as data controller are reflected in the contract, in particular regarding reporting data breaches and near misses
- accessing where applicable, the national commercial and procurement hub to support ICB procurement
- ICBs must ensure that any procurement activity in support of GP IT, when delegated to GP IT delivery partner(s) or to ICS partner organisations, does not create conflicts of interest or potential procurement challenge
DSIC catalogue procurement support to include:
- supporting mini-competition work for the procurement by ICBs from the DSIC catalogue (or successor)
- meeting practice capabilities within ICB GP IT allocations whilst ensuring excellent value for money
Non-DSIC catalogue procurement support:
- support practices and ICBs purchasing non-DSIC catalogue clinical systems and digital technologies which include hosting patient identifiable information to secure assurance against the standards below
- where applicable (to the product, application or service) use the Digital technology assurance criteria (DTAC). Note: DTAC is applicable to each product not the provider organisation
- where applicable use the NICE Evidence standards framework for digital health technologies
Utilise as appropriate the procurement standards checklist provided in this operating model
Applicable standards:
- NHS England financial guidance
- NDG standard 10
- digital technology assurance criteria (DTAC)
- evidence standards framework for digital health technologies (NICE)
Other controls:
- procurement legislation
Digital services contract support
version: 6.01
Requirement
Facilitating ICB GP IT delivery with support for contract and supplier management and technical support.
Services procured through the DSIC catalogue of frameworks (or successor) or directly by the ICB for use by its practices.
Where the contract is held by the ICB or NHS England a support service is required to manage local technical and contractual issues on behalf of the practice with the supplier.
Out of scope
- Support for contracts for practice business systems.
- Support for contracts held by parties other than ICB or NHS England.
- Support for contracts directly held by the practice.
- Payments and invoice processing for the contracted digital service.
Specialist support services
Availability: standard service hours
To include:
- ongoing support for practice clinical systems including technical liaison with system supplier and clinical systems support where not provided by system supplier
- in the event of any unresolved issues, escalate to suppliers on behalf of practices to facilitate a satisfactory resolution
- to meet ICB responsibilities to monitor and escalate to NHS England clinical systems performance issues in relation to the use of services provided under the ICB practice agreement
- use of the DSIC to track clinical system capabilities deployed by practice
- local management of service support contracts/supplier liaison
- ensure local DSIC (or successor) catalogue contracts are current and accurate
- manage local payments ensuring that all charges incurred are current and accurate, including payments for additional software to enhance the functionality of the clinical system
- inform foundation solution suppliers of any changes to existing contracts (held by ICB / NHS), for example terminations due to practices changing foundation solution or changes arising from practice mergers
- liaising with DSIC catalogue suppliers regarding future requirements and developments
- management of ongoing system updates as necessary where these are not directly managed by the system supplier
- supporting practice data migration end to end process for foundation solutions in line with DSIC data migration standard
Practice responsibilities
The practice will comply with any applicable end user terms and conditions of use.
Project and change management
version: 6.01
Requirement
Recognised P3M (project, programme and portfolio management) methodologies which are used in the deployment of foundation solutions, local implementation of national services and major GP IT infrastructure changes or upgrades.
Specialist support services
Availability: standard service hours
Ensure skilled project and programme management resources are available to deliver the planned programme of work, both nationally and locally driven. This may be provisioned within support arrangements or could be procured or called off on an ‘as required’ basis.
The service should include:
- programme management
- project management
- change management
- benefit realisation support
Technical and specialist expertise should also be available through the relevant requirement to support projects.
Supporting significant deployments and developments through end-to-end project management of DSIC catalogue services including:
- change of foundation solution for a practice including supporting data migration activities and training
- new initiatives involving sharing patient data with third parties
- merging practices
- closing practices
- significant estate developments and new builds
- deploying new digital technologies
This is not an exclusive list.
Staff providing this service must be appropriately trained and qualified to recognised industry standards such as APMG (equivalent level recognised industry standards) in:
- project management – for example PRINCE2 practitioner
- programme management – for example managing successful programmes practitioner
- change management – for example change management practitioner
Assurance:
- DPCMA: IND 32.0, IND 162.0
Clinical systems training and optimisation
version: 6.01
Requirement
Training service for authorised users to support the safe and effective use and optimisation of clinical systems.
Out of scope
Training in generic basic IT skills, business administration systems and office systems.
Specialist support services
Availability: standard service hours
The service will include training for:
- foundation solutions
- DSIC catalogue solutions
- national digital services
and will include training requirements arising from:
- practice staff turnover
- refresher training
- new system functionality
The ICB:
- shall review the practice training plan
- may request changes to the plan in line with local priorities and plans for the deployment of services
- shall confirm its agreement to the training plan, amended as agreed by the parties
Training will be provided for practice staff in line with each agreed practice training plan.
Ensure that all authorised users are trained in the use of the foundation solutions and that this is delivered to the content and standards described in the DSIC training standard, complementing and enhancing any training already provided by the foundation solution supplier.
System optimisation:
- support practice optimisation of clinical systems and national digital services, by providing support, guidance and advice, including user group facilitation to enable sharing of best practice
Training delivery should reflect:
- practice training plans and staff training needs analysis
- environment and estate accommodation and facilities
- virtual and online delivery channels
- resource availability
- user satisfaction and customer feedback
Practice responsibilities
The individual practice is responsible for:
- conducting training needs analysis which identifies authorised users who require training in the use of the foundation and non-foundation solutions provided to the practice
- ensuring new starters receive adequate training, either using the services provided under this requirement or at practice cost through another source, before they use the foundation and non-foundation solutions provided to the practice
- using the output from the training needs analysis, to prepare a training plan for the practice which identifies the authorised users to be trained and the training to be provided by the ICB within a 6-month period or as agreed by both parties
- ensuring authorised users are available for training in line with any timetable agreed with the ICB or its supplier(s). Practices shall be responsible for the costs of making staff available for such training including backfill costs and travel costs
- maintaining an up-to-date record of practice staff training
- to request and agree amendments to the training plan in line with new developments and the changing requirements of the ICB and the practice
- ensuring authorised users are trained to a minimum entry level standard as per the NHS IT skills pathway including use of relevant operating systems and office productivity software. Training in generic basic IT skills, business administration systems and office systems is the responsibility of the practice
Applicable standards:
Applicable guidance:
- recommendation: provision agreements should quantify training resources based on either the number of authorised users or the number of practices (weighted by population where appropriate).
Assurance:
- DPCMA: IND7.0
Data quality support
version: 6.01
Requirement
Data quality training, advice and guidance.
Specialist support services
Availability: standard service hours
Comprehensive data quality advice and guidance service is available to all practices, including training in data quality, clinical coding and information management skills.
Development and delivery of a practice data quality improvement plan, where necessary and supporting practice DSPT submission (data quality assertions). This may be carried out at individual or practice group level as appropriate.
The service should include advice and guidance for:
- national data audits/extracts/reporting; for example, national diabetes audit
- general reporting
- template development and template quality assurance
- spreading best practice
- supporting data migrations as part of system deployments
- clinical/medical terminology
- SNOMED CT clinical coding standards and requirements, including training and facilitation for authorised users and associated support materials
Practice responsibilities
The individual practice is responsible for:
- the quality of their patient records and the application and use of clinical terminology
Applicable standards:
- SNOMED CT in general practice / standards change notice SCCI0034 Amd 35/2016
- Data security and protection toolkit (DSPT) (data quality assertions)
- DSIC data migration standard
Assurance:
- DPCMA: IND30.0
General practice estate strategy
version: 6.01
Requirement
Provision of advice and guidance on the provision of GP IT services and systems to support the development of GP estate.
Out of scope
Funding and resourcing support for new estate development should be provided through the business case supporting that development.
Specialist support services
Availability: standard service hours
To include:
- advice on IT infrastructure requirements and standards
- identifying, as required, suppliers for GP IT infrastructure and external services for example HSCN connectivity, wi-fi-GP
- supporting development of associated business case for individual estates projects, including consideration of resource and funding requirements
- advice and guidance should include consideration of transformation opportunities, enhanced GP IT services and local digital strategy
- ICBs must ensure that any of the above activities, when delegated to IT delivery partner(s), do not create conflicts of interest or potential procurement challenge
The resourcing and funding for individual estate development projects should be incorporated into the overall business case for that development.
Practice responsibilities
The individual practice is responsible for:
- engaging with ICBs at an early stage of planning any premises development or expansion which will impact on GP IT provision
National digital services implementation
version: 6.01
Requirement
Local awareness, deployment/implementation and support of national digital services, including SCR, EPS2, e-RS, NHS App, Patient Online and GP2GP services.
Specialist support services
Availability: standard service hours
To include:
- advice for practices on current and planned national developments and services
- maintain records of local system deployments, changes and updates
- a local deployment programme for national systems implementation within practices, including benefits realisation, stakeholder engagement, business change support
Enhanced requirements
Enhanced capabilities may, when core and mandated services provided through the operating model are insufficient, be provided to support:
- evidence-based good practice
- modern general practice model
- neighbourhood health services
- locally led innovation and service transformation
- PCN services
Not all of these will be applicable or will represent good practice in every locality.
Category 6a: enabling collaborative and at-scale working
version: 6.01
Digital enablers required to support GP collaborative and at scale operations including, but not restricted to:
- practice hubs to share resources and improve patient access
- practices working collaboratively
- practice co-location to share resources
Tracking: DPCMA: IND 57.1, IND 57.2, IND 57.4, IND57.5
Category 6b: using data better and improving data quality
CQRS support
version: 6.01
CQRS training, advice and guidance for practices.
Tracking: DPCMA: IND 168.0
GP data quality accreditation service
version: 6.01
A structured data quality accreditation programme is available for practices to ensure continuous review and improvement which includes:
- data quality baseline/audit review
- development and delivery of a general practice data quality improvement plan with practice(s)
Applicable standards and guidance:
- SNOMED clinical terms (CT) in general practice / standards change notice SCCI0034 Amd 35/2016
- Data security and protection toolkit (DSPT) (data quality assertions)
- Records management code of practice 2020
- Good practice guidelines for GP electronic patient records – CQRS
Tracking: DPCMA: IND30.0
Category 6c: practice efficiency enablers
version: 6.01
Digital diagnostics
Supports electronic requesting with other healthcare organisations. Test results can be received, reviewed and stored against the patient record. NB: this is additional to the pathology messaging already available through foundation capabilities.
Digital tools supporting
- advanced appointment management
- advanced document management
- dictation
- data entry e-forms
Access to third party patient management systems
Client software and integration with third party patient management systems, e.g. hospital patient administration system (PAS), hospital radiology viewers.
Artificial intelligence (AI) enabled digital tools
Ambient scribing products – s
Applicable guidance:
- Guidance on the use of AI-enabled ambient scribing products in health and care settings
- Software and AI as a medical device change programme
Category 6d: patient management capabilities
Version: 6.01
Additional capabilities for patient management and patient record management including digital tools supporting:
- chronic disease management, drug monitoring, anticoagulation management
- medical (connected) devices
Category 6e: patient online solutions
version: 6.01
Where additional local practice and ICB capabilities are required over and above those provided by NHS app and patient online services capabilities these may be commissioned locally. These must meet the criteria set out under the procurement checklist in this operating model.
Applicable standards:
- Designing and assessing digital health services – digital technology assessment criteria (DTAC)
- Patient online services in primary care – good practice guidance on identity verification
- NHS service standard
- How to make digital services accessible
- Licence for digital interoperability platform
- FHIR standard for interoperability
- DCB0129: clinical risk management: its application in the manufacture of health IT systems
- National specified capabilities to support digital pathways – NHS England digital
Category 6f: IT infrastructure
Desktop infrastructure
For example:
- Display screens (for example, large TV screens and Jayex boards)
- Dual monitors in consulting rooms
- Projectors
- Multi-function devices
- Webcams
Bring your own device (BYOD)
version: 6.01
Provision for authorised users to use personal devices for work related purposes (also known as bring your own device – BYOD) and to connect to the managed GP IT infrastructure.
Because personal devices are not part of the managed GP IT infrastructure, they are assumed to be insecure.
Applicable standards and guidance:
- where this service is offered the standards and requirements described under the remote access capability above apply
- where this service is supported the ICB will maintain a BYOD policy
Enhanced infrastructure
version: 6.01
Infrastructure requirements which enable enhanced digital capabilities, or which support a more efficient, effective or secure means of GP IT provision in the locality.
Examples include networking services, such as:
- management and support for provision of additional HSCN services
- where community of interest networks (COINs) are a feature of local digital primary care infrastructure, the use of GP IT allocated funds, to support these, needs to consider the following:
- where the COIN is used to support GP IT, there is a clear requirement for this in addition to HSCN connectivity
- where the COIN is shared between providers, the costs need to be appropriately proportioned
- where the COIN is used to support GP IT, the network must have sufficient bandwidth, low latency and low contention ratio to support the necessary services
[Please note – The cost of COINs which are cross-care settings should be shared with organisations within those care settings]
Other examples include enhanced or alternative architectures, in addition to that required for remote access, including, but not limited to:
- virtual desktop infrastructure (VDI)
- Citrix access gateway (CAG)
- smartcard/remote secure access token authentication
- single sign-on
Applicable guidance:
- where centralised infrastructure (for example, but not limited to, network infrastructure and virtual desktop infrastructure) is deployed, particular attention should be given such that the security, end user performance and resilience of DSIC catalogue of frameworks (or successor) services and national digital services is not compromised
Category 6g: additional GP contract digital capabilities (examples)
Additional GP contract digital capabilities
version: 6.01
Additional digital requirements needed to support those elements of a GP contract additional to providing essential and PCN services – including but not limited to:
- community provider services
- population management
- urgent care services
- walk in centres
- minor injury units
- GP out of hours
- homeless primary care services
- referral management services
Category 7: general practice business requirements
version: 6.01
GP IT funds must not be used to purchase or support systems not directly related to patient care and delivery of GP contract services.
The ‘global sum’ within the GP contract makes provision for practice expenses including staff costs and general running costs of the practice (stationery, telephone, heating and lighting, repairs and maintenance).
The following list, which is not exhaustive, describes common practice business (digital or digitally related) systems. The practice is responsible for the funding, procurement and operation of these services. Some support from the ICB may be provided as described below.
Practices must comply with the conditions of the ICB practice agreement concerning the use of software or IT hardware not supplied as part of the services.
General practice business systems
Systems and services which a practice may utilise for business purposes enabling the non-clinical business functions to operate and support the practice as a business organisation to fulfil the GP contract:
- practice estate (building) infrastructure
- production and maintenance of practice staff ID cards
- practice intranet – hosting, maintenance and development
- insurance against loss or damage of practice-owned IT equipment
- insurance against consequential losses, harm or damage arising from the failure of digital systems or equipment used by the practice to deliver their contractual obligations
- equipment which only supports the practice as a business, for example photocopiers (note: faxes must not be used by practices for the processing/communication of patient identifiable information)
- systems that only support the practice as a business; for example, payroll, HR systems, billing systems and associated hardware
- email systems other than NHS.net Connect
ICBs will provide:
- access to specialist advice and support where practices commission, procure and contract manage digital services directly and such systems interface with NHS provided systems or connect to managed GP IT infrastructure, although practices procuring business support systems are responsible for resourcing and managing their own procurement and any ongoing contract management
- a (local) assured digital services catalogue advising practices on digital software and systems
ICBs may provide:
- infrastructure and general support required to operate these services (for example, desktops, printers, network connectivity) can, at the discretion of the ICB, be funded and provided as ‘enhanced’ services where this allows the practice to operate more efficiently and supports a more secure IT environment within the practice, subject to practice compliance with any local technical and security policies
- storage of practice business systems data, where this is not provided by secure external hosting through a cloud or hosted application, may be available through the essential infrastructure service offered under this operating model. Although this may not involve patient identifiable data the loss of or disruption to accessing this data can affect practice business continuity
Tracking indicators: IND 203.0
General practice legal and regulatory obligations
Legal and regulatory obligations, for example assigning a DPO, Caldicott guardian, serious incident reporting, etc. Ensuring practice compliance with:
- data protection legislation
- health and safety legislation
- freedom of information legislation
- NHS DSPT
- health and safety regulation compliance, including PAT and DSE requirements, associated with the supported premises and in remote services (regardless of equipment ownership)
Software to support redaction when processing patient record documentation for patients or third parties, for example SAR, legal and insurance reports (refer to the procurement standards checklist).
Note: some redaction functions are provided within the foundation solutions.
ICBs will provide:
- an offer to practices for a DPO service which the practice can then designate as their named DPO. Practices are still entitled to select an alternative DPO of their choice although ICBs are not expected to fund this if a DPO function has been offered
- information and data held by the ICB (or a GP IT delivery partner) which is necessary for the practice to comply with its legal and regulatory obligations (above) – the ICB should make reasonable efforts to provide this to the practice
General practice buildings and estate
Including:
- building and estate including environment to house securely any practice-based GP IT equipment
- environmental requirements as required for any practice-based GP IT equipment, for example physical security, fire suppression and air conditioning/cooling equipment
- health and safety regulation compliance associated with the buildings and estate including DSE and PAT requirements for GP IT equipment operated by staff on supported premises (regardless of equipment ownership)
- building security
- power supply for GP IT equipment (including cabling and outlets)
Applicable standards, guidance and controls:
- using online consultations in primary care implementation toolkit
- working safely with display screen equipment
General practice operating costs
Examples include:
- digital system consumables (printer paper, printer ink/cartridges)
- power utility charges
- backup media for any practice premises data storage
- note practice premises-based data storage is not recommended (see essential infrastructure requirements)
- practice billing systems including card readers and cashless payment systems
Applicable standards, guidance and controls:
- where specified in the WES-GP or otherwise where specified by the equipment manufacturer any digital system consumables purchased or used by the practice in the operation of the managed GP IT infrastructure must meet these specifications.
General practice telephony systems
The global sum within the GP contract makes provision for practice expenses including telephony as a general running cost of the practice. This includes:
- telephony equipment and installation
- telephony operating costs, call charges, equipment costs and implementation costs (or agreed pro rata costs of shared systems or managed service costs)
Practices must ensure any new telephony service contract or other arrangement relating to relevant telephone services is procured under the Advanced telephony better purchasing framework (or successor).
Practices may find the NHS England published guidance How to improve telephone journeys in general practice helpful.
PCNs must ensure, when available, appropriate telephony and IT interoperability will operate between the core network practices within the PCN, any non-participating practices the PCN is providing enhanced access cover for and other relevant providers as necessary (Network contract directed enhanced service [DES]).
ICBs will provide:
- support to move to advanced cloud-based telephony – practices will have access to advice and technical support regarding the use of practice network infrastructure and, if applicable, HSCN connections
- access to advice and guidance on using the Advanced telephony better purchasing framework (or successor) including access to the NHS England national commercial and procurement hub
ICBs may provide:
- financial support for implementation of the new advanced cloud-based telephony solution
Applicable guidance:
- how to improve telephone journeys in general practice
Tracking indicators: IND 57.3
Dispensing in general practices
Digital capabilities required to support the dispensing operations in practices which hold a dispensing contract.
ICBs will provide:
- digital capabilities required to support the personal administration of medications within practices, for example vaccinations (these are provided as integrated functions within the foundation solution)
ICBs may provide:
- infrastructure and general support required to operate these services (such as desktops, printers, network connectivity) can, at the discretion of the ICB, be funded and provided as ‘enhanced’ services where this allows the practice to operate more efficiently
Applicable standards, guidance and controls:
General practice and PCN websites
The GP contract requires all practices to provide to patients:
- an up-to-date accessible and secure website (or online practice profile) and an NHS website profile which includes key information described in the GP contract.
The practice website will require:
- NHS.UK domain registration
- hosting of website
- design and publication of website
- links to all core NHS app features that are available through the NHS website version: online consultations, prescriptions, record access, appointment management, GP registration and patient messaging; a prominent link to download the NHS app should also be present on the homepage of the website
- links to patient online solutions, other than NHS App, used by the practice
- compliance with regulations and mandatory standards
- maintenance of website including a responsive service to resolve performance and access issues, update website and implement necessary changes in a timely manner as required to fulfil the GP contract obligations and ensure accessibility and usability for patients/public
Practices may commission specialist providers to assist in this. Guidance to assist procurement and support accessibility is provided in the NHS England publication Creating a highly usable and accessible GP website for patients. Guidance for practices to improve practice website online journeys is provided in the NHS England publication Step-by-step guide to improving general practice website online journeys.
Design of the practice website should include research with a representative range of patients and staff, using qualified user researchers, and implementation of analytics that are reviewed by staff responsible for improving the website’s effectiveness.
Practice NHS website profiles can be managed through the NHS profile manager.
Practices should also consider data and cyber security controls where the practice website will process patient identifiable information. Requiring prospective providers of the practice website design, management and hosting to complete the Digital technology assurance criteria (DTAC) is a practical and recommended approach to securing these assurances. Note DTAC is applicable to each product not the provider organisation.
Practices should ensure, where the website processes patient identifiable information, that tools such as Meta Pixel are not embedded in the website, as these allow individual website user/patient details to be passed to third parties without the user’s knowledge or consent.
Practices may also provide:
- a practice social media presence and management following best practice for content and management of these channels, such as how to write for digital NHS services and good practice guidelines for GP electronic patient records – social media
ICBs will provide:
- patient online service capabilities as defined in core and mandated requirements. Note the practice website (or online practice profile) will provide a link for the patients to these online services
- cyber security assistance to the practice as an NHS organisation to secure an NCSC web check for the practice website with the National Cyber Security Centre; this will check for website vulnerabilities resulting from misconfigurations or software flaws which might be exploited by an attacker
Applicable standards, guidance and controls:
- The GP contract requires that where general practices have a website (or online practice profile) specifically defined information and access to patient online services will be published on the website (or online practice profile)
- The GP contract requires all practices to have an up to date and informative online presence, with key information being available as standardised metadata for other platforms to use. The GP contract also places restrictions on the advertising and hosting of private GP services including through practice websites
- Practice websites are legally required to meet accessibility standards and must be fully compliant to the standard WCAG 2.2 AA
- Equality Act 2010 (EQA)
- Statutory code of practice for services, public functions and associations (under EQA 2010)
- The Privacy and electronic communications regulations (PECR)
- UK general data protection regulation (UK GDPR) and Data Protection Act 2018
- Creating a highly usable and accessible GP website for patients
- Understanding accessibility requirements for public sector bodies
- Digital technology assessment criteria (DTAC)
- Good practice guidelines for GP electronic patient records – practice websites
- Step-by-step guide to improving general practice website online journeys
- How to write for digital NHS services
- Good practice guidelines for GP electronic patient records – social media
- Using qualified user researchers
Please note: practice and PCN intranet and extranet websites are also covered by the accessibility regulations. These are internal websites which disabled employees may use.
Tracking indicators: IND 201.3, IND 201.4, IND 201.5
Services provided outside GP contract
Where a practice (or PCN) is contracted to provide services outside the GP contract – for example, privately or through an NHS standard provider contract – the practice is wholly responsible for the digital services required to deliver such services.
ICBs may provide:
- infrastructure and general support required to operate these services (such as desktops, printers, network connectivity, data storage) can, at the discretion of the ICB, be funded and provided as ‘enhanced’ services where this allows the practice to operate more efficiently; however, this must not compromise or detract from the capability and performance of the services offered to the practice under the ICB practice agreement and as described in this operating model
Responsibilities and accountabilities
Version: 6.01
Please refer to the ICB practice agreement for details on ICB and practice responsibilities and obligations.
General responsibilities
Organisation | General | Financial | Cyber security, data security and patient safety |
---|---|---|---|
NHS England | Set national strategic direction Provide strategic leadership for local commissioners Maintain operating model Delegates GP IT responsibility to ICBs GP IT assurance ICB assurance Standards assurance process for DSIC Catalogue Assurance, accreditation management Commission national digital services | Issues NHS England financial guidelines Funding allocation Compliance with standing financial instructions Responsible for GP IT allocations (notional) to ICBs | Strategic direction for cyber and data security ICB assurance Operate Data Security Centre Data Security Protection Toolkit (DSPT) provision and management Step In Services in exceptional circumstances (ICB practice agreement) |
NHS England regional teams | Oversight and assurance of ICB GP IT accountabilities and review with ICBs ICB practice agreement assurance and escalation point | The regional director of finance and head of digital technology provide ICBs with advice and confirm support for capital submissions which meet required criteria | Escalation point for High Severity Incident management. |
Nationally commissioned providers | Provide digital services to agreed contract, service specifications and standards. | | DSPT completion Data processor responsibilities |
ICBs | Devolved responsibility for commissioning GP IT enabling services for all practices with which they have a signed ICB practice agreement ICB practice agreement compliance Local digital strategy leadership Securing high quality services and VFM Robust and relevant service specification Reflecting end user requirements and local strategic needs (intelligent commissioner role) Collaboratively work with practices as ‘service users’ Assess requests for access to the services by sub-contractors | Manage GP IT allocations Compliance with ICB SFIs and procurement legislation Confirmed support from ICB chief finance officer (CFO) for capital bids Financial coding as directed in Primary care service development funding (SDF) and general practice IT funding guidance 2025/26 | Commission GP IT enabling services to include Cyber security and Information governance services Assurance of cyber security responsibilities of all providers including GP IT Delivery Partners Approve practice and PCN BCPs OES responsibilities under the NIS Regulations (includes managed GP IT infrastructure) to:
|
Locally commissioned GP IT delivery partners | Provide local digital services to agreed contract, service specifications and standards | Compliance with any ICB financial protocols in procurement activities on behalf of ICB Declare any conflicts of interest or potential procurement challenges arising from commissioned work with ICB | DSPT completion Data processor responsibilities Registration for NHS cyber security alert service |
General practices | GP contract compliance Individual organisational responsibilities including legal, regulatory and contractual obligations ICB practice agreement compliance Have regard to the Good practice guidelines for GP electronic patient records – (GPGv5) (or any successor guidance) Request access to the services by Sub-contractors and secure standards assurance Practices have responsibility and liability for sub-contractors using these services | | Data Controller UK GDPR responsibilities; for example, appointment of DPO and reporting personal data breaches DSPT submission Register (generic practice) email and mobile phone number for urgent text and email alerts with MHRA CAS Report patient safety incidents related to digital systems in line with national guidance through the Learn from patient safety events service (LFPSE) provided by NHS England. |
Core and mandated requirements
Organisation | Foundation, non-foundation and patient online service capabilities | National digital services | GP IT enabling requirements |
---|---|---|---|
NHS England | Operating model determines core and mandated requirements. Step in services in exceptional circumstances (ICB practice agreement) Standards assurance process for DSIC catalogue Service management and performance | Commission National Digital Services Publish system utilisation data | Operating model determines core and mandated requirements Directs ICBs to commission and provide assurance |
NHS England regional teams | Assuring ICBs meet responsibilities listed below | | |
ICBs | Order through a DSIC catalogue framework call off agreement using the selection process(es) Management of GP IT allocations (notional) Contract management and accountability Monitor and escalate to NHS England clinical systems performance issues in relation to the use of The Services provided under the ICB practice agreement ICBs may not delegate DSIC (or successor) framework call off agreements Choice of non-foundation and patient online solutions (in collaboration with practices) Selection of foundation, non-foundation and patient online solutions jointly with practice | Support deployment No local choice Alternative (local arrangement) systems should not be offered and should not be funded by ICBs ICBs will ensure availability of access, infrastructure, training and deployment support for practices | Commissions or provides Local services Commissioner choice of service ICBs may not delegate HSCN access agreements Service reviews with individual practices Determine access to the services for sub-contractors |
General practices | Choice of foundation solution from digital services for integrated care (DSIC) catalogue of frameworks (or successor) Selection of Foundation, Non-Foundation and Patient Online Solutions jointly with ICB | Mandated use if applicable to the organisation or practice No local choice | Agree Summary of Services (ICB practice agreement) with ICB |
General practice business requirements
Organisation | Responsibilities |
---|---|
NHS England | Operating model determines practice responsibilities |
ICBs | ICBs will provide
ICBs may at their discretion provide
|
General practices | Funds, procures, implements, contract manages. Complies with standards where appropriate to ensure security, confidentiality, and protection of NHS digital assets and services. Complies with ICB practice agreement |
Applicable national frameworks
Version: 6.01
Frameworks will vary in the extent of standards assurance offered. This should be considered in the selection and use of any framework.
The Digital services for integrated care (DSIC) catalogue of frameworks (or successor) are the default route to source clinical systems for general practice.
A wider schedule of frameworks and standards is available at Guidance for trusts when buying digital and IT goods and services in the NHS.
The NHS England National commercial and procurement hub provides expert advice, guidance and support to integrated care boards (ICBs), general practices and legally incorporated practice affiliations with all aspects of procurement, including buying via the Digital service for integrated care catalogue of frameworks (or successor).
Where a suitable service, other than a foundation solution, cannot be sourced through one of the following frameworks, ICBs, practices and PCNs are advised to refer to the procurement standards checklist to support any local procurement and to engage with the NHS England national commercial and procurement hub to support buying activities.
Digital services for integrated care (DSIC) catalogue of frameworks (or successor)
Version: 6.01
The default route for the procurement of digital services for general practice and PCNs is via the DSIC catalogue of frameworks (or successor). This allows commissioners and primary care (providers) to buy assured digital tools and systems from the frameworks therein, via the Buying catalogue including the technical innovation frameworks and the Advanced telephony better purchasing framework (or successor).
Foundation solutions must be accredited through compliance with the standards mandated on the digital services for integrated care (DSIC) catalogue. Services available on the DSIC catalogue have been assured as compliant against all relevant standards.
To meet non-foundation capabilities – supporting digital pathways and patient online service capabilities in the absence of formal procurement routes such as frameworks, systems must continue to engage with the NHS Commercial and Procurement Hub to support buying activities following the process set out in: Digital pathways tools guidance 2025/26 – NHS England digital.
Note: the following frameworks have now expired:
- GP IT Futures framework
- Digital first online consultation and video consultation (DFOCVC) framework
- GPSoC framework
Health systems support framework (HSSF)
The framework focuses particularly on services that can support the move to integrated models of care based on intelligence-led population health management. This includes new digital and technological advances that help clinicians and managers understand a population’s health and how it can best be managed.
The lead provider framework (LPF) is no longer available and the health services support framework (HSSF) provides an alternative route to market for GP IT enabling services described in this operating model.
ICBs, individual general practices and ICS can access this framework.
Managed by NHS England.
Relevant services:
- ICT infrastructure support and strategic ICT services, including primary care IT support and cyber security
- Patient empowerment and activation (including remote technology including consultations, supported self-management, social prescribing and personal health records)
- Shared or integrated care records
- Transformation and change support (including development of service change and reconfiguration)
- System-optimisation (including patient pathway optimisation, care model design and patient flow)
- Workforce development (including e-rostering, temporary staffing, job planning solutions and digital staff passports)
Further information: Health systems support framework
Note: the following frameworks have now expired:
- Lead provider framework (LPF)
Health and social care network (HSCN)
Version: 6.01
HSCN access services dynamic purchasing system.
Access to the HSCN for data sharing. Including support for transition and implementation.
Managed by NHS England.
Relevant services:
This agreement provides access to the HSCN for health, social care, and related organisations. The HSCN is a data network that enables health and social care services to access and share information reliably, flexibly and efficiently. The agreement includes support for transition and implementation. The framework uses a dynamic purchasing system (DPS) which helps customers find relevant suppliers through a filtering system.
Further information:
G Cloud 14
Version: 6.01
Cloud computing services covering hosting, software and cloud support on a commodity-based, pay-as-you-go service. For use by the UK public sector.
Managed by Crown Commercial Service.
Relevant services:
- Lot 1: cloud hosting
- Lot 2: cloud software
- Lot 3: cloud support
Further information: G Cloud 14
Note: the following frameworks have now expired:
- G Cloud 12
- G Cloud 13
Cyber security services 3
Version: 6.01
A dynamic purchasing system (DPS) that allows public sector buyers to buy an extensive variety of cyber security services from pre-qualified suppliers.
There are 2 distinct routes to finding pre-qualified suppliers who offer a range of cyber security services:
The first route provides the buyer with suppliers who are assured by the National Cyber Security Centre (NCSC). Using this filter will ensure that your supplier has been assessed by NCSC, the national technical authority for cyber security in the UK.
The second route provides the buyer with a set of suppliers who provide similar services to those under the NCSC assured route but without the assurance the national technical authority provides. It is the purchasing authority’s responsibility to determine whether the service offered is fit for purpose. This may involve understanding what is assured by other accreditation bodies and how they are tested.
Managed by Crown Commercial Service.
Relevant services:
- Lot 1 cyber security services 3
Further information:
Tech devices – link 4 framework agreement
Provides a compliant route to source the latest consumer-oriented technologies that meet customer requirements across a range of ICT hardware categories. Products include laptops and notebooks, tablets, desktop devices, healthcare related IT hardware such as workstations on wheels, clinical reporting monitors, infection control products, printers and scanners, and refurbished and remanufactured IT goods.
Managed by NHS Shared Business Services (NHS SBS) in partnership with NHS North of England Commercial Procurement Collaborative (NOE CPC).
Relevant services:
- Lot 1: tech devices, peripherals and associated services
- Lot 2: specialist healthcare related IT hardware
- Lot 3: printing and scanning devices
- Lot 4: refurbished and remanufactured devices
Further information:
Note: the following frameworks have now expired:
- Digital workplace: hardware (link 3) framework
- Link 2: IT hardware and services framework
Procurement standards checklist
Version: 6.01
Where an applicable national framework such as those available through the DSIC catalogue of frameworks (or successor) or the HSSF cannot be used, practices, ICBs and PCNs may choose to procure clinical systems, technologies and digital services (the ‘product’) through local procurement arrangements.
Where the product being procured includes processing of patient identifiable information, the supplier must be able to offer assurances where applicable as described below. The use of the DTAC is strongly recommended in establishing such assurances. Note: DTAC is applicable to each product, not the provider organisation.
- Provide information governance assurances for their organisation via the NHS Data security and protection toolkit.
- Confirm that product(s) to be procured are fully in scope of the supplier’s Cyber Essentials certification.
- Confirm that the manufacturer/developer of the product has applied clinical risk management as required under DCB0129 (clinical risk management: its application in the manufacture of health IT systems) during the development of the product procured.
- Confirm that where the product being procured is classified as a medical device the product complies with the medical device directives.
- As data processor can and will comply with UK GDPR and DPA legislation. This will include agreement to and compliance with a data processing agreement. The use of standardised terms and conditions such as NHS terms and conditions for provision of services: purchase order version and the associated data protection protocol is advised.
- Note: where ICB is the procuring authority the supplier should be asked to sign a data processing deed (ICB practice agreement – appendix 6).
- If data is hosted outside the UK, provide assurance that, where data processing takes place overseas, the overseas country is covered by UK adequacy regulations (section 17a of the 2018 Data Protection Act). These include EU countries. The names of third countries or international organisations that personal data are transferred to must be provided.
- Give assurance it has a defined process for assessing third party products which form part of the service and evidence that any third-party products have been assessed against all relevant standards.
- How the product integrates with the practice foundation solution and what methods and standards are used to integrate. This should be through one of the following methods:
  - GP connect accreditation.
  - Through legacy GPSoC IM1 accreditation.
  - As a supplier-asserted integration (for example, through a foundation system supplier partner programme).
Where the product being procured includes processing of patient identifiable information, the provider must be able to offer assurances where applicable as described below. These are not referenced in DTAC.
- Where the product uses a clinical decision support tool (namely utilising predefined algorithms and/or a knowledge base) for direct use by the patient or clinician, provide details on how these are checked for accuracy and provenance.
- Provide details on any clinical coding system used (for history, diagnosis, symptoms, findings, diagnostic investigations and results, treatment, prescribed drugs).
- Confirm the product uses the NHS number as primary patient identifier.
- Describe how the product will support the individual practice discharge their legal responsibilities as data controller; in particular with the following:
  - data sharing between legal entities
  - response to a full data disclosure subject access request (SAR) made by a patient under data protection legislation
  - an audit log automatically maintained in the product recording access to (patient) records
- As data processor can support the practice as data controller in carrying out a data privacy impact assessment (DPIA).
- Where practice works within a collaborative group, for example through a practice federation, a shared hub, PCN, etc, how the service will support practices working within the group.
- Provide processes to manage the following scenarios:
  - patients changing registered general practice
  - deceased registered patients
  - other patient identity management issues (name change, gender reassignment, legal protections)
  - termination of the service contract (to include but not be limited to repatriation of the patient identifiable data to the data controller)
  - on the supplier (or its sub-contractor) ceasing to trade
  - on the supplier ceasing to use its sub-contractor (including a clinician) in the delivery of the service
  - supporting patients to exercise rights of rectification, erasure (the right to be forgotten), restriction, data portability and objection to processing as part of UK GDPR compliance on practice merger or closure
Where patients can directly access the service (a patient online solution) then the product will:
- use NHS login to verify identity
- integrate with and be accessible through the NHS app or be contracted to integrate within 6 months
- integrate and be accessible through the NHS.uk logged in section, with links offered through the practice website or be contracted to integrate within 6 months
Where the product uses electronic messaging to patients this will:
- integrate with NHS notify and use the NHS App messaging function
Where the product being procured is also an AI enabled digital tool the following guidance should be used:
Where the product being procured is accessible as a published website or app, the provider must be able to offer assurances as described below:
- The website or app supports the practice (as a public authority) legal obligation to meet accessibility standards and must be fully compliant with the WCAG 2.2 AA standard.
- Tools such as Meta Pixel, which allow individual website user or patient details to be passed to third parties without the user’s knowledge or consent, are not embedded in the website.
Where the product includes GP IT hardware equipment which will use, connect to or become part of the GP IT managed infrastructure they should confirm the following:
- Confirm that unsupported operating systems and internet browsers are not used on these devices.
- Confirm that portable devices are encrypted to NHS security standards.
- Confirm that the equipment is compatible with the (local) managed GP IT infrastructure.
Where applicable:
- use the NICE Evidence standards framework for digital health technologies to assist in product assessment and selection
General questions:
- Describe how the support for the service will be provided during practice business hours.
- Describe how the product will be maintained and upgraded (operationally, technically and contractually).
The National commercial and procurement hub support service commissioned by NHS England is able to provide expert advice and guidance.
Guidance on procurement of GP IT enabling services
Version: 6.01
This section will help ICBs prepare service specifications to support the procurement and commissioning or review of GP IT enabling services. It must be used in conjunction with the ICB practice agreement and the current published GP IT operating model.
Where a contract for GP IT enabling services is already in place and re-procurement is not scheduled in the near future this document will assist ICBs and their GP IT suppliers to:
- review current services and agree any changes needed
- ensure data needed by both parties is available to deliver high quality efficient services to general practices
A template specification aligning with and supporting the requirements schedule in this operating model is provided as a separate Word document here.
This operating model includes a schedule of GP IT enabling requirements which may be used as a basis for the development of local GP IT specifications. Although the ICB is required to meet all the defined core and mandated GP IT requirements, not all the requirements listed will be appropriate to include in each local specification as procurement routes may differ for some requirements, for example HSCN-GP. ICBs should be familiar with the requirements outlined within this operating model when they review their local GP IT specifications.
Some key considerations when re-procuring GP IT services are set out.
Once the contract has been awarded, if the template specification has been used, then:
- tables 5.1, 5.2, 5.3 and 5.4 may be used as the basis of appendix 1 (summary of services) in the ICB practice agreement
- section 4 (standards and assurance) may be used as the basis of appendix 2 (support and maintenance service levels) in the ICB practice agreement
Service recipients will include:
- all practices who have a signed ICB practice agreement
- primary care network services provided directly by practices as a directed enhanced service (DES), providing the host practice has signed the ICB practice agreement
- sub-contracted providers where the practice has requested and the ICB has approved access to the services, providing the conditions and process for this approval as described in the ICB practice agreement and this operating model have been followed; supported sub-contractors are listed in appendix 1 of the ICB practice agreement for each practice
- ICBs may wish to extend the procurement of IT enabling services to include IT support for other organisations and services not operating under a GP contract, for example a community provider; this is a local ICB decision at the discretion of the ICB and the ICB must ensure additional and sufficient funding, other than the ICB allocated GP IT funds, is available to support this
These should exclude:
- unless otherwise stated, the following provider organisations are outside the scope of the service recipients:
  - other primary care contractors
  - providers contracted through the NHS standard contract
- where there is no signed ICB practice agreement the practice should be considered outside the scope of this procurement
All service recipients will be listed in the specification.
Supported premises are addresses where this service, including connectivity, equipment and infrastructure, will be provided and include:
- premises designated (through the GP contract) as practice premises where:
  - the practice delivers primary care services
  - the practice has signed the ICB practice agreement
- premises designated (through the GP contract) as practice premises where:
  - a sub-contractor for the practice delivers primary care services
  - the ICB has agreed to give the sub-contractor access to the practice digital services
  - the practice has signed the ICB practice agreement
- at the discretion of the ICB, premises where:
  - remote services, as defined in the GP contract, are provided by the practice
  - the practice has signed the ICB practice agreement
- at the discretion of the ICB, premises where:
  - remote services, as defined in the GP contract, are provided by a sub-contractor
  - the ICB has agreed to give the sub-contractor access to the practice digital services
  - the practice has signed the ICB practice agreement
- any other premises defined as supported premises
- where ICBs have at their discretion extended the procurement of IT enabling services to include IT support for other organisations, the premises from which those additional services operate will be included as supported premises; the ICB must ensure additional and sufficient funding, other than the ICB allocated GP IT funds, is available to support this
These exclude:
- domestic and mobile locations where authorised users are able to use remote services, to access foundation solutions and other clinical systems
Supported premises are listed in appendix 1 of the ICB practice agreement for each practice and will be listed in the specification.
Procurement approach
ICBs are advised to consider using an applicable purchasing framework underpinned by standards such as HSSF in procuring GP IT enabling services. Applicable national frameworks which can be considered are listed here.
Where a framework is not appropriate or cannot be used ICBs must be assured that they meet all necessary procurement, financial, organisation and requirement standards set out in this operating model and are encouraged to engage with the NHS England National Commercial and Procurement Hub to support buying activities.
ICBs must ensure that any procurement activity in support of GP IT, when delegated to a supplier or to an ICS partner organisation, does not create conflicts of interest or potential procurement challenge.
ICBs are strongly recommended to engage with the National commercial and procurement hub for advice and guidance.
Preparation
The discovery process
Local GP IT services can be detailed, complex and wide ranging for a number of reasons, for example legacy arrangements, community wide initiatives, individual practice requirements and variations in operational practice forms from small local practices to pan-geographical or city wide practices.
It is essential that the ICB embarks on any GP IT enabling service procurement with clarity on the services, assets, and liabilities in the local environment. Leaving the discovery process to take place as part of, alongside, or after the service mobilisation process once the contract is awarded can lead to significant financial and service continuity risks for the ICBs and their practices.
Assets which include IT hardware, software licences, staff access accounts and physical estate will attract support, maintenance and replacement costs. Bidders may use these asset profiles to calculate baseline service costs.
Without baseline information, planning and engaging constructively with the successful bidder on primary care service improvement and digitally enabled transformation may be compromised. Consideration should be given to agreeing tolerances to allow for organic growth and developments.
Ensure that all supported premises and any third party practice sub-contractors authorised to access the services have been identified as described in this operating model.
There may be significant revenue costs associated with legacy and residual IT service contracts, for example software applications, community of interest networks (COINs), remote access tokens, etc.
Both the ICB and bidders need to have visibility of these and clarity on how they are to be managed and funded in the future.
Some legacy services may support healthcare providers other than practices, for example in shared primary care sites and shared infrastructure in which case the ICB (as commissioner) should consider how it wishes to support the provision of these in the future.
ICBs should ensure that they do not duplicate the funding or resourcing of such services for practices and other providers.
Exit strategies should be considered for legacy contracts where these have not been managed out of service through the current or previous operating models.
Given the importance of the above a commitment to ongoing collation and management of this information, identified as part of the discovery process, should, once the contract is awarded and service is mobilised, be seen as a critical delivery success factor for a successful bidder.
The ICB should have access to up to date and accurate details of its GP IT estate and the digital and IT enabling services provided to its practices.
Digital primary care maturity assurance
On undertaking a re-procurement of GP IT services, ICBs should review the digital primary care maturity assurance (DPCMA) data, to assist their understanding of local levels of digital maturity across their primary care estate.
The DPCMA is aligned to the operating model and outlines progress against core and mandated requirements and gives insight into progress against some elements of productive and transformational service delivery.
This will help ICBs to identify gaps in current service provision and areas for future investment.
It can provide insight into existing and future GP IT service provision and should be shared with bidders as part of the procurement process to ensure that supplier responses are fit for purpose.
Local engagement
Where possible, practices as primary service recipients should be able to contribute to this specification through existing forums, GP IT representatives, LMCs, practice manager groups, etc.
The ICB must maintain good communication with practices throughout the processes of discovery, specification development, procurement and service mobilisation.
The views, positive and negative, of practices as service recipients on existing GP IT enabling services should be sought as they can be particularly valuable.
Contract length
The length of the contract awarded is likely to affect the value for money the ICB can achieve.
Longer contracts should drive greater investment in service transformation as suppliers seek to drive efficiencies and quality improvement.
Although there may be uncertainties for ICBs on the future state there should be flexibility in the contract to enable the ICB and supplier to co-design the solution that best meets the ICB’s needs.
By taking this approach and bringing in the suppliers at the start of a redesign process the cost of transformation may be spread over multiple years and identify where efficiencies can be made that can (and should) be reinvested in further transformation and service improvement.
In developing a local specification:
- a template specification based on this operating model is provided with this operating model. The ITT development process shown above will assist ICBs to further develop a locally appropriate specification
- all core and mandated requirements have been included in this template; ICBs should remove those where a provision through other routes and contracts has been put in place
- amend the service requirements to meet local needs while ensuring there is compliance with the current published operating model
- while not precluding bidders from offering innovative approaches, ICBs should give consideration on how the following will be managed:
  - services where demand is likely to link to volumes (of, for example, devices, users, premises, etc) and how incremental or organic growth can be accommodated (possibly using a tolerance level)
  - specialist (expert) services (for example, training, data quality, project management, information governance, clinical safety, etc), what will the available capacity be and how will it be managed
- ICBs should be clear when procuring what capability and what capacity is included in the baseline service, with what tolerances, and at what cost to access additional capacity for the service
- some requirements may be met by specialist providers, for example, HSCN, WiFi, in which case these should be excluded from the specification; although support for use of these services may still be needed – for example, through service desk, cyber security, and infrastructure
In procuring and commissioning GP IT enabling services, ICBs should ensure:
- due regard is given to the need to eliminate discrimination, harassment and victimisation, to advance equality of opportunity, and to foster good relations between people who share a relevant protected characteristic (as cited under the Equality Act 2010) and those who do not share it
- due regard is given to the need to reduce inequalities between patients in access to, and outcomes from healthcare services and to ensure services are provided in an integrated way where this might reduce health inequalities
- consideration is given to the challenge and risk of digital exclusion when driving forward digital health channels as recognised in the NHS plan for digital health and social care
- that in considering the above requirements, areas of the service which include or support patient-facing aspects – such as access to records; online digital, telephone and video consultation and triage; electronic messaging for direct patient communication, for example SMS, and public and patient WiFi – should be examined
- any procurement activity in support of GP IT services, when delegated to a third party or to an ICS partner organisation, does not create conflicts of interest or potential procurement challenge. ICBs are strongly recommended to engage with the national commercial and procurement hub for advice and guidance
ITT development

Before publishing the ITT the ICB should have considered, as a minimum, the following questions:
Local engagement
- Have service delivery arrangements been reviewed with practices and other key stakeholders, ensuring their views, positive or negative, are adequately reflected?
Baseline information
- Has a robust discovery process been undertaken?
- Has sufficient information been supplied on the supported IT estate, supported premises, local ICB practice agreements, in-flight projects and current service provision?
- Has the information available within the DPCMA Tool been reviewed to support the developing service specification? Is this information clearly articulated, including highlighting use of this tool to bidders, as a means of identifying current progress towards digital maturity within primary care?
- Have any practice sub-contractors been identified and are any agreements in place with the ICB allowing these organisations access to these services (following the process described in the ICB practice agreement)?
Requirements
- Are cyber security and clinical safety requirements understood and adequately reflected in the specification documentation, including mandatory responsibilities for all parties – see operating model and ICB practice agreement?
- When using the service specification template provided have requirements been amended to remove those met elsewhere (such as other procurements) and any additional (enhanced) requirements added?
Strategy, development and innovation
- Has the information available above been used to identify those existing service areas which need strengthening? Is this clearly articulated in the service specification?
- Has the ICB articulated general practice service improvements? What are the GP IT service requirements that will be needed to enable these? Is information provided in sufficient detail to allow the contract to be flexible to meet developing needs?
- Has the ICB reviewed local strategic plans – including as a minimum ICSs, One Digital and Neighbourhood digital strategies – to ensure procurement of GP IT services that will support changing demands on primary care, particularly in relation to enhanced service requirements?
- Where there is an expectation that the successful bidder will develop innovative service offerings and provide service options, is this clearly articulated within the tender documentation?
Financial
- How long does the ICB intend to award the contract for? Has the ICB considered the benefits of enabling a supplier to spread the cost of transformation over a longer period?
- Does the financial envelope reflect the core and mandated requirements and is it supported by the GP IT funding provision?
- Has consideration been given to funding arrangements for enhanced service requirements?
- If other organisations (that is, not general practices) are included, has additional funding for services to these organisations been identified?
- How can value for money be demonstrated?
Assurance:
- DPCMA: IND 2.0, IND 26.0, IND 28.0, IND 158.0, IND 183.1
Access to the services for sub-contractors and third parties
Version: 6.01
Where a practice requests from the ICB that a sub-contracted third party provider, see table (ii) below, is given access to The Services the ICB will consider the following:
- the organisational status of sub-contractor and its relationship to the practice
- assurance of the sub-contractor’s compliance to the standards and conditions required in this operating model as set out in table (iii) below, by either:
  - the provider has provided to the ICB a signed letter using the template in appendix 5 of the ICB practice agreement, or
  - the sub-contractor is supplying services through a framework agreement which requires compliance with the standards and conditions required in this operating model
- the cost of providing The Services to the practice and its sub-contractor is proportionate to other similar practices supported (based on a cost per registered patient basis)
- the practice and the ICB comply with the conditions and liabilities described in the ICB practice Agreement concerning Sub-contractors accessing and using The Services
- any licensing conditions which prevent or limit access to certain GP digital services by other parties
- limitations on providing The Services to locations other than the practice Premises
- the availability of NHS-owned GP IT equipment
- use of NHS software/applications on non-NHS managed devices
When the ICB approves access to The Services by a sub-contractor, Appendix 1 of the ICB practice agreement should be updated.
Scenarios for organisation and staff providing primary care services
Provider form | Organisation criteria | Provider examples |
---|---|---|
A General practice | GP Contract holder. Has full access as described in GP IT operating model where ICB practice Agreement is signed. | General practice (contract holder) |
B Independent professional | Practice contract with independent healthcare professional to provide services | Individual independent healthcare professional providing services within practice |
C GP-led PCN | A PCN service provided by (GP) network members | PCN service not sub-contracted to a third party provider |
D Third party staff directly reporting to practice | Staff not employed by the practice but directly reporting to the practice. For the primary care services provided by the staff the provider organisation does not have operational autonomy | A separate legal entity such as incorporated legal entity (for example Ltd company) or other NHS organisation (for example NHS trust) providing staffing services to practice (or PCN); Staffing provider, for example for PCN, GP locums; Primary Care Flexible Staff Pools; Digital Supplier Framework; GP federation (separate organisational entity) or other shared practice service model |
E Third party separate legal entity working in UK | A separate legal entity sub-contracted by the practice to provide primary care services either through a local procurement or through a national framework. For the primary care services provided the provider organisation has operational autonomy | A separate legal entity providing PCN clinical services; Vertical Integration Arrangement with NHS trust as provider; Remotely Deployed Clinical Capacity Framework or other Remote Provision; GP provider not on a framework |
F Individual outside UK | Individual delivering Remote Provision services for practice outside the UK | Member of practice or independent healthcare professional directly contracted by practice to provide Remote Provision services located outside UK |
G Third party organisation outside UK | Organisation delivering Remote Provision services for practice outside the UK | GP locum service; Hub or call centre; Remote Provision services. Note: this could also apply to some remotely deployed clinical capacity framework suppliers (category E) |
Requirements met by NHS
Requirement category | Location | A, B, C: General practice, Independent professional, GP-led PCN | D: Third party staff directly reporting to practice | E: Third party separate legal entity | F: Individual outside UK† | G: 3rd party org outside UK‡ |
---|---|---|---|---|---|---|
1. Foundation Digital Capabilities*; 2. Non-Foundation Digital Capabilities*; 3. Patient Online Service Capabilities*; 4. National Digital Services* | | yes | yes | opt | yes† | opt‡ |
4. NHS.net Connect | | yes | yes** | no** | yes†† | no** |
5b. GP IT enabling requirements – IT infrastructure and technical services | Practice premises | yes | yes | no | n/a | n/a |
5b. GP IT enabling requirements – IT infrastructure and technical services | Remote premises | opt | opt | opt | no | no |
5b. GP IT enabling requirements – IT infrastructure and technical services | Remote personal working | yes | opt | opt | yes | no |
5c. GP IT enabling requirements – organisation and staff support | Practice premises | yes | yes | opt | yes | no |
5c. GP IT enabling requirements – organisation and staff support | Remote premises | opt | opt | opt | opt | no |
5c. GP IT enabling requirements – organisation and staff support | Remote personal working | yes | opt | opt | opt | no |
5c. Registration authority | | yes | yes†† | yes†† | yes†† | yes†† |
7. Practice business requirements | | Practice responsibility | Practice decision | Practice decision | no | no |
7. GP telephony | | Practice responsibility | Practice decision | Practice decision | no | no |
Use of sub-contractors’ own digital systems, IT infrastructure, telecommunications, applications and devices including medical (connected) devices ‡ | Practice premises | yes*** § | yes*** § | yes*** § | n/a | n/a |
Use of sub-contractors’ own digital systems, IT infrastructure, telecommunications, applications and devices including medical (connected) devices ‡ | Remote premises | yes*** § | yes*** § | yes*** § | n/a | n/a |
Use of sub-contractors’ own digital systems, IT infrastructure, telecommunications, applications and devices including medical (connected) devices ‡ | Remote personal working | yes*** § | yes*** § | yes*** § | yes*** § | no |
Key:
- yes: these services are expected to be provided
- no: these services are not expected to be provided
- opt: these services may be provided at discretion of the ICB
Notes:
* These are core and mandated requirements, required to be met by the practice, and therefore also by any practice sub-contractor. If access to these cannot be provided to a sub-contractor the practice must consider whether it is able to sub-contract.
** NHS.net Connect can only be used for third party staff if the NHS.net accounts are created within the practice NHS.net Connect organisation unit for specific staff to use solely in directly supporting the practice. (Where NHS.net Connect is not used, DCB1596: Secure email standard should be complied with.) GP locums can register independently for access to NHS.net Connect. Where GP federations listed as independent sector healthcare providers in ODS are eligible to apply for NHS.net Connect, they will be permitted to create accounts for staff providing patient facing services. Departments or groups such as HR, Finance, Property Services etc will not be eligible to have NHS.net accounts.
*** Collaboration Licences purchased at discount through the national (NHS) collaboration licensing memorandum of understanding using GP IT funds can only be used on Managed GP IT Infrastructure.
† For an individual (for example, practice member or independent professional under direct contract) working overseas the practice as Data Controller must ensure access & infrastructure controls, standards, working practices and conditions for Remote Provision under GP Contract are in place and not compromised.
‡ The overseas country from which the provider delivers its service must be covered by UK Adequacy Regulations (section 17A of the 2018 Data Protection Act). These include EU countries. In the absence of Adequacy Regulations the Controller (the practice) may transfer personal data to a third country or an international organisation if appropriate safeguards have been provided, and only on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The conditions for Remote Provision under GP Contract must be in place and not compromised.
§ The sub-contractor may use their own digital systems, IT infrastructure and telecommunications systems, providing:
- the practice has signed and complies with the ICB practice agreement
- the ICB has agreed to the sub-contractor accessing the digital services available to the practice under this operating model
- the sub-contractor fully supports the practice to comply with the GP contract obligations, including use of an accredited clinical records system (foundation solution), the use of certain national digital services, remote services and accredited patient online services; these include conditions on the selection of digital software and telecommunications tools to support these functions
- no digital system or IT equipment owned or managed by the sub-contractor is connected to the managed GP IT infrastructure in the supported premises (other than guest WiFi-GP) without explicit approval from the ICB – this approval must be requested by the practice
- any remote personal working uses services meeting the criteria for remote access set out in this operating model
- the systems and equipment meet the standards required in this operating model as listed below
- the sub-contractor will comply with the relevant sections of the ICB GP IT Asset Management Policy and the ICB GP IT Warranted Environment Specification (WES-GP)
†† Registration authority services will be available to all authorised users who require access rights to the practice patient data and clinical systems as a minimum to the extent of providing those access rights.
Standards and conditions to be met
Provider form | A: General practice | B: Independent professional | C: GP-led PCN | D: 3rd party staff directly reporting to practice | E: 3rd party as separate legal entity | F: Individual outside UK | G: 3rd party outside UK |
---|---|---|---|---|---|---|---|
DSPT (or any successor assurance assessment) | yes | n/a | yes | yes | yes | n/a | yes |
Cyber Essentials Plus / ISO 27001 or other relevant information security standards | n/a | n/a | n/a | n/a | yes | n/a | n/a |
DCB1596: Secure email (where the provider does not use NHS.net Connect) | yes | yes | yes | yes | yes | yes | yes |
Information security management: NHS code of practice | yes | yes | yes | yes | yes | yes | yes |
Registration authority policy and end user conditions of NHS smartcard use | yes | yes | yes | yes | yes | yes | yes |
Portable devices encrypted to NHS security standards | yes | yes | yes | yes | yes | yes | yes |
DTAC (when procuring digital tools) | strongly recommended | n/a | strongly recommended | strongly recommended | yes | n/a | |
UK data protection legislation | yes | yes | yes | yes | yes | yes | |
Overseas countries must be covered by UK adequacy regulations | no | no | no | no | no | no | yes |
NHS and social care data: off-shoring and the use of public cloud services – NHS England guidance | yes | n/a | yes | n/a | yes | n/a | yes |
Data processing agreement | As controller | yes (within SLA) | As controller | yes (within SLA) | As processor | As controller | As processor |
ICB–practice agreement | yes | no | yes | no | no | no | no |
GP IT operating model | yes | yes as part of practice | yes | yes as part of practice | yes – through ICB assurance and practice contract | yes as part of practice | no |
Good practice guidelines for GP electronic patient records | yes | yes | yes | yes | yes | yes | yes |
Clinical safety: DCB0129, DCB0160 information standards; Medical device directives | yes | through practice | yes | through practice | yes | through practice | yes |
Patient safety incident reporting (national guidance) | yes | through practice | through practice | through practice | yes | through practice | through practice |
NIS incident reporting through DSPT | ICB reporting | ICB reporting | ICB reporting | ICB reporting | ICB reporting | ICB reporting | ICB reporting |
Reportable personal data breaches reporting through DSPT | yes | practice reporting | practice reporting | practice reporting | yes, and to practice | practice reporting | yes, and to practice |
NHS records management code of practice 2020 | yes | yes | yes | yes | yes | yes | yes |
Service desk – (i) ISO 20000-1:2011 – IT service management standard (ii) an ITIL aligned or equivalent, management process for: incidents, problems, requests | ICB GP IT delivery partner | ICB GP IT delivery partner | ICB GP IT delivery partner | ICB GP IT delivery partner | yes | n/a | n/a |
Accreditation to ISO 22301 for business continuity management OR compliance with the NHS England business continuity management framework | ICB approves practice BCP | host practice BCP | host practice BCP | host practice BCP | yes | host practice BCP | n/a |
Refer to the ICB practice agreement for details on ICB and practice responsibilities and obligations.
General practice guidance
Version: 6.01
The following will guide practices and provide a quick reference to the operating model. The full document contains more detail and should be consulted as appropriate.
The operating model is part of a set of 4 key documents which require practices to use certain digital services (including electronic patient records), require the NHS to provide digital systems and supporting services to practices and support practices to use these digital services safely and to optimum benefit of their patients.

The GP contract(s):
- includes requirements for electronic patient records systems, patient online services, Remote Service provision, etc
- references the GP IT operating model for the applicable requirements and standards
The ICB practice agreement:
- enables the ICB (NHS) to fund and provide, and practices to receive and use, digital services related to the GP contract commitments
- defines the responsibilities and obligations of the parties
- as the contracts for most digital systems and services are held between the NHS and the suppliers the ICB practice agreement is essential in ensuring that practices, as recipients and end users of these services, are included
- points to provisions in the form of data processing deed (or similar) which allow the NHS to take action on behalf of collective practices where there is a national or whole system clinical safety, data security or cyber security risk. This does not detract from the individual practice organisation’s role and responsibility as data controller and clinical services provider
The GP IT operating model:
- directs the ICBs on the digital services and support to be offered to practices and the standards applicable
- mandates a number of digital requirements which must be provided by the NHS to meet obligations under the ICB practice agreement and the GP contract
- requires ICBs to fulfil these requirements, and any additional locally agreed requirements, by providing the services to the practice to the standards described in this operating model; ICBs as local commissioners should not view this as defining the limits of local investment in digital services for general practice, but as the minimum set of digital services to be provided to practices
- describes responsibilities for practices in using the services provided through this operating model and in accordance with the GP contract and ICB practice agreement
- does not define policy or strategy but ensures the digital tools and supporting services necessary to enable these are in place
- ensures the support and long-term business as usual enablers are in place for nationally led digital innovation programmes
The Good practice guidelines (GPG) for GP electronic patient records:
- advises practices on using the digital services effectively, safely and in accordance with the law and other standards
- general practices and PCNs need to use and exploit these digital services making the necessary service changes to optimise their use and realise the benefits
The ICB practice agreement is a standard national agreement with a number of appendices.
Appendices which are completed locally (by the ICB) include:
- appendix 2 – support and maintenance service levels
  - this may be the service specification
- appendix 3 – escalation procedure
  - this may be specific to the GP IT operating model and ICB practice agreement or may be a general practice to ICB escalation procedure
  - this should be used to escalate or resolve disputes over the terms of the ICB practice agreement
  - there will be separate local escalation processes for managing GP IT service desk incidents as appropriate
- appendix 6 – local data processing deed
Appendices which are completed for each practice include:
- appendix 1 table (i) – services and providers
  - lists the digital services (including foundation solution clinical system) to be provided to the practice
- appendix 1 table (ii) – supported premises
  - lists all premises for the practice into which the ICB will provide digital services as described in the operating model
- appendix 1 table (iii) – sub-contractors to the practice
  - lists any sub-contractors to the practice which the ICB has agreed can use the digital services available to the practice
Practices and ICBs should ensure these appendices are correct and regularly reviewed.
Appendices which are standard templates:
- appendix 4 – business justification form
  - for change of digital services for integrated care (or successor framework) foundation solution(s)
- appendix 5 – conditions for digital and IT compliance for practice sub-contracted providers – letter
The GP contract and ICB practice agreement require that the practice can choose a preferred foundation solution for the practice. This requires approval by the ICB subject to conditions set out in the GP Contract.
This is described in accreditation, choice and selection of systems and services. The ICB may require the practice to complete the business justification form in Appendix 4. If the practice and ICB do not agree, the escalation process in Appendix 3 should be used.
Note – to avoid conflicts of interest foundation solution system suppliers should not be involved in these processes.
The role of the new ICB practice agreement which now includes arrangements supporting the DSIC (or successor) Data Processing Deed and clarification on responsibilities and liabilities regarding third party providers sub-contracted by practices and a letter of compliance for these providers.
The GP contract sets out a number of digitally enabled service requirements for practices and the NHS and refers to the operating model for relevant detail and standards for these requirements.
But it is essential, in the interests of both parties, that each practice and ICB sign the ICB practice agreement which defines the terms governing the provision and receipt of digital services in general practice and the responsibilities of each party.
Specific areas the operating model addresses are:
- the organisations, services and locations in the scope of the operating model including PCNs
- digital requirements which are core and mandated (must dos) which must be available to practices and include:
  - clinical systems
  - national digital services
  - patient online services
  - GP IT enabling services – this includes:
    - commissioning of GP IT services and setting of ICB policies
    - GP IT Service Desk
    - equipment asset management
    - software licence management
    - registration authority (NHS smartcards)
    - NHS.net Connect administration
    - essential infrastructure (for example networking and data hosting)
    - HSCN
    - WiFi
    - desktop infrastructure
    - remote access (including home)
    - electronic messaging (for example SMS)
    - controlled digital environment
    - cyber security
    - information governance
    - clinical safety assurance
    - clinical system training
    - data quality support
    - project management
    - support for procurement contract management and general practice estate

  (Note – if the practice does not wish to use the core and mandated services available they are not entitled to funding in lieu of the services)
- digital requirements which are enhanced requirements (locally determined) which may be available to practices
- digital requirements which are practice responsibility to provide, choose, procure and fund (general practice business systems)
  - as independent organisations practices are responsible for compliance with any legal requirement for their organisation; these include practice websites, telephony, dispensing practices systems and infrastructure, business systems – for example, payroll and accounting systems – estate related – for example power, comms rooms, air conditioning – IT consumables, and practice legal and regulatory responsibilities
- areas where the ICB should or may support practices are described
- the service availability (hours) a practice can expect for the GP IT enabling services
- how high severity incidents are reported and managed and what business continuity plans should be in place
- the process for sub-contractors to the practice accessing the digital services available to the practice and the standards with which they need to comply
- to support practices and ICBs to procure digital systems locally, a procurement standards checklist and a digital assurances catalogue (of software and systems)
The operating model requires the ICB to provide a number of local policies for which guidance and standards are given but the local ICB will produce the content detail. These include:
- ICB GP IT asset management policy:
  - describes how NHS Owned GP IT Equipment and NHS Procured Software Licences are provided to practices, re-deployed where appropriate and disposed of
- ICB GP IT warranted environment specification (WES-GP):
  - defines the minimum requirements for operating systems, software applications and hardware configurations to be provided on managed GP IT devices
- GP IT systems access policy:
  - all access to the managed GP IT infrastructure by individuals (including authorised users (practice staff) and GP IT delivery partner staff) must ensure that all cyber security, software licence and equipment asset management requirements described in the operating model and ICB-practice agreement can be met
  - will include conditions and criteria required to allow individual authorised users to have administrative (privileged) access
- WiFi-GP acceptable use policy:
  - will address the use of all the WiFi-GP services provided, including guest and bring your own device (BYOD) WiFi access
- Bring your own device (BYOD) policy (if supported):
  - where BYOD is supported for personal devices a BYOD policy must be in place which will include cyber and data security, software licensing and ownership, data storage, support, data and security breaches, loss of device, and termination
  - Note: Staff cannot be mandated to use their personal devices for NHS purposes
Practice responsibilities
Specific legal, regulatory and contractual responsibilities for each practice include:
- compliance with health and safety regulations and employment legislation
- compliance with data protection legislation
- contractual requirements on practice websites, practice telephony, dispensing systems, remote provision of services
- submission of annual practice DSPT
- nomination of a registration authority manager*
- nomination of a data protection officer (DPO)*
- nomination of a clinical safety officer (CSO)*
*Note: these roles may be shared between practices and the resources commissioned by the ICB to be provided for practices.
Advice and guidance available specifically for practices and PCNs include:
- Step-by-step guide to improving general practice website online journeys
- How to improve telephone journeys in general practice
- Primary medical care policy and guidance manual
- Creating a highly usable and accessible GP website for patients
- GP Federations in England are eligible to apply for NHS.net Connect
- Guidance on the use of AI-enabled ambient scribing products in health and care settings
References
Glossary
Version 6.01
Additional GP contract digital capabilities
Additional digital systems, technologies and services needed to deliver elements of a GP contract in addition to providing essential and PCN services; for example, an APMS contractor providing walk-in services, minor injuries, GP out-of-hours, etc.
APMS contract
The alternative provider medical services contract entered into by NHS England and a provider of primary medical services under Section 83(2)(b) of the National Health Service Act 2006.
Asset management database
An electronic asset management log, recording details of hardware and software assets and which is accessible by the GP IT service desk to support those assets.
Authorised users
Individuals approved by the data controller (that is, the practice) to access the digital systems which process their patient data and which require the issuing of an NHS Care identity or smartcard.
Authorised users will have access, as described in this operating model, to the GP IT managed infrastructure and the GP IT enablers, as necessary, to use the digital systems provided.
This will include practice staff.
Bring your own device (BYOD)
Any personal device which is a connected GP IT device and used, subject to the approval of the ICB, and in compliance with the ICB BYOD policy.
Care identity
Digital identity for staff that can then be associated with health and care organisations they work for.
CCG practice agreement
The agreement between the clinical commissioning group (CCG) and the practice which defined the terms governing the provision and receipt of digital services in general practice.
This novated to the ICB in 2022 and will be replaced by the ICB practice agreement when signed by both parties.
Clinical safety
The freedom from unacceptable clinical risk to patients.
Clinical system
A digital application or group of integrated digital applications used by the practice to store and manage its electronic patient records.
This includes the foundation solution, non-foundation solution and any additional application integrated or interfaced with the foundation solution and used by the practice.
Choice of service
The process to determine a service or services which meet the required capabilities, the procurement source and assurance against applicable standards.
Collaboration licences
Licences purchased at discount through the national (NHS) collaboration licensing memorandum of understanding (MOU) which replaces the previous MOU with Microsoft.
Connected GP IT device
Any IT device (hardware) which is connected directly (by direct physical connection or WiFi connection) to the managed GP IT infrastructure, including NHS managed GP IT devices, and may include third party or practice-owned IT equipment or medical device.
This does not include equipment which is connected to the managed GP IT infrastructure indirectly – that is, through public internet.
Controller or data controller
Has the meaning given to it under the data protection legislation.
Core and mandated requirements
The requirements for digital systems, technologies and services described in the operating model as necessary to deliver the GP contract or as otherwise nationally mandated.
Core hours
The period defined in the GP contract as core hours, during which the practice must deliver primary care services.
Core hours begin at 8am and end at 6.30pm on any day from Monday to Friday, except Good Friday, Christmas Day or bank holidays, or as stated in the GP contract.
Data processing agreement
A formal agreement or contract between the data controller and the data processor as required under data protection legislation.
Data processing deed
The deed of undertaking for data processing entered into under the GP ITF Framework 1 from the Digital Services for Integrated Care (DSIC) Catalogue of frameworks (or successor) by a supplier for the benefit of the practice and other beneficiaries.
This shall include any successor deed or data processing agreement from the DSIC catalogue of frameworks (or successor).
Data protection legislation
All applicable data protection and privacy legislation in force from time-to-time in the UK, including:
- the General Data Protection Regulation ((EU) 2016/679) (to the extent applicable)
- the UK GDPR
- the Data Protection Act 2018
- the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) (to the extent applicable) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended
- any other European Union legislation relating to personal data (to the extent applicable)
- all other legislation and regulatory requirements in force from time-to-time which apply to or relate to the use of personal data (including, without limitation, the privacy of electronic communications)
- the guidance and codes of practice issued by the relevant data protection or supervisory authority
DSIC (Digital services for integrated care) catalogue of frameworks
The digital catalogue that is managed by NHS England which allows users to buy assured digital tools and systems through approved assurance frameworks (or successor).
DSIC framework call off agreement (or successor procurement routes)
An agreement under a framework (or successor procurement routes) from the DSIC catalogue of frameworks (or successor), pursuant to which specific digital services are ordered by the ICB for the practice.
DSIC catalogue of frameworks (or successor) data migration standard
The national standard supporting the safe and effective migration of data between DSIC (or successor) products.
DSIC catalogue of frameworks (or successor) training standard
The national standards applied to services provided through the DSIC catalogue of frameworks (or successor).
Digital primary care maturity assurance (DPCMA)
The annual data collection, storage and analysis from April 2015 demonstrating trends and changes over this period and allowing the NHS to assess the effectiveness of the operating model.
Enhanced requirements
The requirements for digital systems, technologies and services described in the operating model which may enable service or productivity improvement, but which are not core and mandated requirements.
Enhanced digital service
A digital service provided or procured by the ICB which meets the enhanced requirements.
Essential services
Essential (patient care) services, as defined in the GP contract and GP regulations.
Extended operational service hours
Any local arrangement between the ICB and the practice which provides additional GP contract services outside the core hours, to support enhanced access as detailed in the GP contract, which will be provided with additional operational support during those extended hours, in addition to the operational service hours.
Foundation digital capabilities
The set of clinical and business capabilities defined in the DSIC catalogue of frameworks (or successor) standards and capabilities model as necessary to meet the minimum clinical system requirements to carry out the essential services GP contract functions.
Foundation solution
Any accredited IT system (or group of accredited systems) which maps to the foundation digital capabilities and is sourced through the DSIC catalogue of frameworks (or successor).
The foundation solution must be accredited through compliance with the standards mandated on the DSIC catalogue of frameworks (or successor).
Services available on the DSIC catalogue of frameworks (or successor) have been assured as compliant against all relevant standards.
Foundation solution supplier
Any supplier who provides solutions as part of the foundation solution.
General medical services (GMS) contract
The general medical services contract entered into by NHS England and a provider of primary medical services under Section 84 of the National Health Service Act 2006.
Good practice guidelines
The Good practice guidelines for general practice electronic patient records – (GPGV5).
GP contract
A GMS contract, PMS agreement or APMS contract entered into by the contractor and NHS England or other NHS body.
GP IT allocations
The notional allocations (managed by NHS England) used to purchase foundation solutions and non-foundation solutions from the DSIC catalogue of frameworks (or successor).
GP IT delivery partner
Organisations commissioned by the ICB to deliver GP IT enabling services for practices, as required under this operating model.
Where the ICB provide these services directly, they have the same responsibilities as the commissioned GP IT delivery partners.
GP IT enabling requirement
A requirement for services – for example, infrastructure, equipment and support as necessary for practices – to operate the services provided to meet core and mandated and enhanced requirements provided and the national digital services.
GP IT enabling services
Services provided (directly or commissioned) by the ICB which map to the GP IT enabling requirements.
GP IT operating model
This document, titled Securing excellence in primary care (GP) digital services: The primary care GP digital services operating model; and preceding versions titled Securing excellence in GP IT services, published by NHS England, including any publications of subsequent amendments and revisions from time-to-time.
GP regulations
The National Health Service (General Medical Services Contracts) Regulations 2015.
High severity incident
- An incident defined or classified by NHS national service desk as severity level 1 or 2 in accordance with the NHS England severity level guidelines.
- A high severity NHS cyber alert.
- An NIS notifiable incident.
- A notifiable personal data breach.
- A patient safety incident.
High severity incident service hours
24 hours a day, 7 days a week.
ICB practice agreement
The agreement between the ICB and the practice which defines the terms governing the provision and receipt of digital services in general practice.
Independent GP IT device
Any IT device (hardware) which is not connected directly (by direct physical connection or WiFi connection) to the managed GP IT infrastructure.
The equipment may be connected to the public internet including through GP-WI-FI services or it may be entirely standalone.
Local data processing deed
The deed of undertaking for data processing entered into for the benefit of the practice and other beneficiaries with a supplier commissioned to provide locally commissioned services.
Managed GP IT device
Any IT device (hardware) which the ICB has responsibility to provide or to manage as part of the services provided to the practice under this operating model.
This includes NHS-owned GP IT equipment, and also IT equipment which the NHS does not own but for whose technical management and configuration it is responsible – for example, leased, rented or practice-owned GP IT equipment.
Managed GP IT devices are an integral part of the managed GP IT infrastructure.
Managed GP IT infrastructure
All IT infrastructure, connectivity, networks, hardware, fixed and portable devices, applications and software which the ICB has responsibility to provide or to manage as part of the services provided to the practice under this operating model.
Medical device
An item of equipment or a device required specifically for diagnostic or clinical treatment purposes (for example, specialist cameras, physiological measurement devices), used in the supported premises.
Medical (connected) device
A medical device which is connected to or uses the managed GP IT infrastructure.
National commercial and procurement hub
The NHS England-funded service available to support primary care customers with all aspects of procurement, including buying via the DSIC catalogue of frameworks (or successor) and the Advanced telephony better purchasing framework.
National digital services
The national digital services commissioned centrally by NHS England, provided to, and used as applicable by NHS-commissioned providers.
NHS cyber alert, aka NHS cyber security alert
A high severity alert issued by the NHS England Data Security Centre (DSC) through the NHS Cyber Alert Service (which replaced the NHS Care Cert Service).
NHS incident reporting tool
The NHS data security and protection toolkit (DSPT) incident reporting tool, the reporting function all NHS organisations must use to report personal data breaches to the Information Commissioner’s Office (ICO).
NHS-owned GP IT equipment
IT equipment purchased by the NHS, using NHS funds (capital or revenue) used to support general practice.
These items will be part of the managed GP IT infrastructure.
NHS procured software licence
A software licence procured by the NHS locally or nationally for use as part of the services.
It does not include practice or third party procured software licences.
NHS smartcard
A physical or virtual smartcard issued by an approved NHS registration authority, used in conjunction with a passcode known only to the smartcard holder, which gives secure and auditable access to national and local spine enabled health record systems.
This includes any NHS-approved authentication alternatives to or replacements for NHS smartcards.
Note: other smartcards, not NHS smartcards, may be used for other access control purposes and are not included in this definition.
NIS notifiable incident
Any network and information systems incident (including a cyber security incident) which has a significant impact on the continuity of essential services as defined under the NIS regulations.
NIS regulations
The Network and Information Systems (NIS) Regulations 2018 and any subordinate legislation made under them, each as amended, extended or re-enacted from time-to-time.
Non-foundation digital capabilities
The set of core and mandated clinical and business capabilities as defined in this operating model and which are not foundation digital capabilities or patient facing digital capabilities.
Non-foundation solution
Any IT system (or group of systems) which maps to the non-foundation digital capabilities.
Non-foundation solution supplier
Any supplier who provides solutions as part of the non-foundation solutions.
Operating model
The GP IT operating model.
Operational service hours
The core contracted hours, between 8am and 6.30pm, Monday to Friday, excluding public holidays or as otherwise detailed in the GP contract.
Patient online service capabilities
The set of core and mandated clinical and business capabilities defined in the operating model which support patient online services required under the GP contract.
Patient online solutions
Any IT system (or group of systems) which maps to the patient online service capabilities.
Patient safety incident
Any unintended or unexpected incident which could have, or did, lead to harm for one or more patients receiving healthcare.
For the purposes of this document this is limited to patient and clinical safety incidents related to the use of digital systems.
Personal device
Any IT device which is owned by, or is the personal responsibility of, an individual who is a member or employee or sub-contractor to the practice or PCN or an organisation contracted to provide services to the practice or PCN. This includes BYOD equipment.
Personal medical services (PMS) agreement
The PMS agreement entered into by NHS England and a contractor under Section 92 of the National Health Service Act 2006.
Portable device
Laptops, tablets, smartphones and removable devices that may hold or allow access to personal data.
Practice
The individual, partnership or other form of legal entity holding a GP contract to provide essential services (primary care) and eligible to receive GP IT services with a signed ICB practice agreement.
A practice with multiple branch sites shall constitute a single practice.
Where more than one practice operates from a shared location, or shares a common database with other practices, each separate practice shall be counted as a practice; and where one or more practices merge, the resulting practice shall be counted as a single practice.
Practice business requirements
The requirements for digital systems, infrastructure and organisation activities necessary to run the internal practice business and organisational governance which are the responsibility of the practice to provide.
Practice business systems
Systems and services not directly related to patient care which a practice may use for business purposes enabling the non-clinical business functions to operate and support the practice as a business organisation.
Practice managed IT equipment
Any GP IT equipment – including desktop and portable devices, printers, medical (connected) devices, multi-function copiers, etc – regardless of ownership, which is managed by the practice or a contractor appointed by the practice and is not directly connected to the managed GP IT infrastructure.
Practice-owned IT equipment
IT equipment purchased by the practice.
Practice premises
The address(es) specified in the GP contract from which primary medical services are to be provided by the practice (or any sub-contractor).
Practice staff
General practitioners, practice employees and practice-employed PCN staff, as well as health and social care professionals individually commissioned directly by the practice.
Primary care network (PCN)
The practices contracted under the Network contract direct enhanced service (DES).
Some or all PCN services may be sub-contracted by the practices to PCN providers, but they are not the PCN.
Processor or data processor
Has the meaning given to it under the data protection legislation.
Public authorities
NHS organisations (and general practices) which provide public services, as defined under relevant legislation including the Freedom Of Information Act 2000 and the Data Protection Act 2018.
Registration authority
A function approved to carry out the identity checks of prospective NHS smartcard users and to assign an appropriate access profile to a health professional’s role, as approved by the practice.
Remote access
The capability for managed and secured access to network services or clinical and business applications from a remote location, including personal domestic residence or mobile location.
Remote IT support
A service to diagnose and fix, when possible, managed IT infrastructure without requiring a physical or site presence; using existing network infrastructure or remote access tools.
Remote personal working
Individual authorised users using remote access services to deliver – subject to the conditions for remote services in the GP contract – certain primary care services through an appropriate digital or telecommunications method, from a location other than the practice premises or any remote premises; for example, personal domestic residence or mobile location.
Remote premises
An address which does not constitute the practice premises, from where the practice or any sub-contractor provides a remote service, provided that this excludes personal domestic residences and mobile working locations.
Remote service
Has the meaning given to it in the GP Contract.
Selection of service
The decision to deploy a digital service available to the practice using as applicable the appropriate selection process. This includes the planning and preparatory actions for deployment.
Selection process
The process to be followed in order to award and enter into a DSIC framework call off Agreement (or successor procurement routes) for the procurement of foundation solutions, non-foundation solutions or patient online solutions.
Standard service hours
Between the hours of 9am and 5pm, Monday to Friday, excluding public holidays.
Sub-contractor
A person or persons (including, but not limited to, limited companies) who has or have been contracted by the practice to provide certain primary care services to its patients in accordance with its GP contract and set out in Appendix 1 of the ICB practice agreement.
Supported premises
The practice premises and any remote premises (excluding personal domestic residences and mobile working locations) which the ICB has agreed to provide and support with managed GP IT infrastructure and IT connectivity (excluding personal domestic residences and mobile working locations) and set out in appendix 1 of the ICB practice agreement.
The services
The digital services commissioned by the ICB (or national NHS organisations) for the use of the practice to meet the requirements set out in the operating model, and described in appendix 1 of the ICB practice agreement.
Third party software
Software applications used by the practice but not provided as part of the services under this operating model and subject to approvals and conditions defined in the ICB practice agreement (clauses 10, 4,11, 4.13, 4.51, and 9.14 – 9.20).
Digital Primary Care Maturity Assurance (DPCMA) Indicators
Version: 6.01
Indicator (short description) | Data granularity | Data source |
---|---|---|
(IND2.0) GP IT provider business continuity and D.R. plans | ICB | WGLL part 1 |
(IND7.0) Training in clinical systems for practices | ICB | WGLL part 1 |
(IND8.1) General practice DSPT completed | GP | DSPT reports |
(IND 9.1) Secure electronic communications facility | ICB | WGLL part 1 |
(IND11.0) Formal Clinical Safety system for GPs provided | ICB | WGLL part 1 |
(IND12.0) Local GP IT strategy in place | ICB | WGLL part 1 |
(IND14.0) Local GP IT infrastructure and software investment plan | ICB | WGLL part 1 |
(IND15.0) ICB has budgeted plan for core GP IT | ICB | WGLL part 1 |
(IND20.0) Service Specification for GP IT commissioned services | ICB | WGLL part 1 |
(IND21.2) Updated schedule of services | GP | eDec |
(IND24.0) Review of GP IT services with each practice completed in last 12 months | ICB | WGLL part 1 |
(IND26.0) GP IT support for core GMS contracted hours | ICB | WGLL part 1 |
(IND28.0) GP IT support service desk has formal accreditation | ICB | WGLL part 1 |
(IND30.0) Data Quality Service | ICB | WGLL part 1 |
(IND32.0) Formal P3M (Project, Programme and Portfolio Management) services for GP IT available | ICB | WGLL part 1 |
(IND33.10) The practice uses RDP to enable remote working from home or settings outside the practice as part of its business continuity plan | GP | eDec |
(IND33.9) Remote working capability is available and can be used by at least 60% staff | ICB | WGLL part 1 |
(IND34.0) There is a refresh plan for GP IT infrastructure | ICB | WGLL part 1 |
(IND36.0) GP IT equipment recorded in accurate asset register | ICB | WGLL part 1 |
(IND37.1) All software on managed equipment approved and asset managed | ICB | WGLL part 1 |
(IND38.0) All NHS GP IT equipment disposed of properly | ICB | WGLL part 1 |
(IND39.2) Secure resilient off-site/cloud based secure data storage all electronic practice PI data | ICB | WGLL part 1 |
(IND57.1) Where the practice is a member of a PCN it is able to use its clinical system to share records | GP | eDec |
(IND57.2) Where the practice is a member of a PCN it uses its clinical system to book appointments | GP | eDec |
(IND57.3) Where the practice is a member of a PCN it has integrated telephony systems across practices | GP | eDec |
(IND57.4) Where the practice is a member of a PCN it shares reporting on activity & coded clinical data | GP | eDec |
(IND57.5) Where the practice is a member of a PCN it shares morbidity registers across populations | GP | eDec |
(IND58.0) Local GP IT equipment specification supports concurrent use of Core and non-Core GP IT systems | ICB | WGLL part 1 |
(IND72.0) Consistent local data sharing and consent model agreed | ICB | WGLL part 1 |
(IND73.0) Auditable electronic records in local community | ICB | WGLL part 1 |
(IND84.1) Clinical staff from general practice can access their digital systems from all provider and GP locations | ICB | WGLL part 1 |
(IND84.2) Clinical staff from NHS commissioned providers can access digital systems from all GP locations | ICB | WGLL part 1 |
(IND86.0) ICB has an appointed Chief Clinical Information Officer (CCIO) | ICB | WGLL part 1 |
(IND 150.1) GP IT Funding Governance: Standing financial instructions | ICB | WGLL part 1 |
(IND 150.2) GP IT Funding Governance: Reporting, oversight and escalation arrangements | ICB | WGLL part 1 |
(IND152.0) Formal Governance and Accountability | ICB | WGLL part 1 |
(IND153.0) Commissioner ownership of strategic digital direction | ICB | WGLL part 1 |
(IND154.0) Clinical consideration of digital technologies in commissioning | ICB | WGLL part 1 |
(IND155.0) Digital requirements in commissioning service specifications | ICB | WGLL part 1 |
(IND156.0) Governance on mapping of digital enablers | ICB | WGLL part 1 |
(IND157.0) Effective and VFM GP IT procurement | ICB | WGLL part 1 |
(IND158.0) GP IT provider DSPT and IG compliance | ICB | WGLL part 1 |
(IND161.0) The ICB as local commissioner, through formal local governance arrangements, is responsible for ensuring benefit realisation from local investment in digital technology | ICB | WGLL part 1 |
(IND162.0) Benefits are explicitly defined, tracked and captured within individual projects | ICB | WGLL part 1 |
(IND168.0) CQRS service | ICB | WGLL part 1 |
(IND171.0) WiFi services for GP staff, Guests and Public use | ICB | WGLL part 1 |
(IND174.1) IT Support for PCNs | ICB | WGLL part 1 |
(IND176.0) GP IT Delivery Partner(s) and the GP work to remove, replace or mitigate and actively manage the risks of unsupported systems | ICB | WGLL part 1 |
(IND181.0) Specialist support for GP Cyber incidents commissioned | ICB | WGLL part 1 |
(IND183.1) GP IT provider certification | ICB | WGLL part 1 |
(IND189.0) The practice has completely digitised all of its paper records (Lloyd George) and paper records are no longer kept on site or in storage | GP | eDec |
(IND194.0) Effective back up strategy for all critical data | ICB | WGLL part 1 |
(IND195.0) Security and protection where GP systems interoperates/integrates with the wider health care system | ICB | WGLL part 1 |
(IND196.0) Shared care record | ICB | WGLL part 1 |
(IND197.1) ICB plans to meet Net Zero and carbon emission reduction | ICB | WGLL part 1 |
(IND199.1) Business Continuity and Disaster Recovery Plan | GP | eDec |
(IND201.3) GP digital profile – practice website | GP | eDec |
(IND201.4) practice website security | GP | eDec |
(IND201.5) practice website maintenance and update | GP | eDec |
(IND202.0) Social prescribing information standard | GP | eDec |
(IND203.0) Digital tools | GP | eDec |
(IND204.0) Shared care records | GP | eDec |
(IND205.0) ICB inclusion strategy | ICB | WGLL part 1 |
(IND206.0) Population Health Management: well developed approach | ICB | WGLL part 1 |
(IND207.0) Population Health Management: GPIT support services | ||
(IND208.0) Communication with patients | GP | eDec |
(IND209.0) Empowering patients with digital tools | GP | eDec |
(IND210.0) practice site used for provision of extended services | GP | eDec |
(IND211.0) Funding for infrastructure and enabling services | ICB | WGLL part 1 |
(IND212.0) The ICB has established local procedures, including clear escalation processes, to manage disputes related to digital services | ICB | WGLL part 1 |
(IND213.1) HSCN services (i.e. direct primary connection to supported premises) available to GPs are regularly assessed to meet demand, ensure resilience and provide value for money | ICB | WGLL part 1 |
(IND213.2) Non-HSCN services (i.e. indirect primary connection to HSCN services such as in Community of Interest Networks-COINs) are used to connect supported GP premises and are regularly assessed to meet demand, ensure resilience and provide value for money | ICB | WGLL part 1 |
Standards and guidance references
- Accessible Information Standard – Using email and text messaging for communicating with patients
- CHECK accredited pen test organisations
- Clinical system migration guide
- CPNI: Data centre security: Guidance for users
- Creating a highly usable and accessible GP website for patients
- CREST accredited pen test organisations
- CREST assurance
- Cyber Assessment Framework (CAF)
- Cyber Essentials
- Cyber Essentials Plus
- Data centre tier classification (Uptime Institute)
- Data Protection Act 2018
- Data Security and Protection Toolkit (DSPT)
- DCB0129 (Clinical Risk Management: its Application in the Manufacture of Health IT Systems)
- Good practice guidelines for GP electronic patient records – social media
- DCB0160: Clinical Risk Management: Its Application in the Deployment and Use of Health IT Systems
- How to improve telephone journeys in general practice
- How to write for digital NHS services
- DCB1596: Secure email
- DSIC Data Migration Standard
- DSIC Training Standard
- Delivering a net zero NHS
- Digital Services for Integrated Care Standards
- Digital Technology Assessment Criteria (DTAC)
- Digital token definition for use of SMS for paper token replacement
- Encryption to NHS standards on Portable Devices
- EPS Dispensing Systems Compliance Specification
- Equality Act 2010 (EQA)
- Equality and Human Rights Commission: Statutory Code of practice for “Services, public functions and associations” under the EQA (the Code).
- EU Medical Devices Regulations (MDR)
- Evidence standards framework for digital health technologies (NICE)
- Example template for a practice business continuity plan
- FHIR standard for interoperability
- Freedom of Information Act (2000)
- Good practice Guidelines for GP Electronic Patient Records
- GP Federations in England are eligible to apply for NHS.net Connect
- Guidance on the use of AI-enabled ambient scribing products in health and care settings
- Guidance for trusts when buying digital and IT goods and services in the NHS
- Guidance on procuring and deploying connected medical devices
- Guidance on protecting connected medical devices
- Health and Social Care Act (2012)
- HSCN compliance operating model
- HSCN connectivity options
- HSCN consumer handbook
- HSCN overlays
- HSCN technical guidance
- HSCN compliance
- How to make digital services accessible
- Information security management NHS code of practice
- International Data Transfer Agreement (IDTA)
- Internet First
- ISO 14001 – Environmental Responsibility
- ISO 20000 – IT Service Management Standard
- ISO 22301 – Business Continuity Management
- ISO 27001 – Information security, cybersecurity and privacy protection
- ISO 27018 – Security for personally identifiable information in public cloud
- ISO 9001 – Quality management systems
- Learn From Patient Safety Events Service (LFPSE)
- Licence for Digital Interoperability Platform
- Medical Devices: software applications (apps)
- Medical Devices (MHRA): Software applications
- National Cyber Security Centre (NCSC) approved penetration testing
- National Cyber Security Centre (NCSC) password manager guidance
- National Cyber Security Centre (NCSC) supply chain cyber security guidance
- National Cyber Security Centre (NCSC) web check
- National Data Guardian’s (NDG) ten data security standards
- Network and Information Systems (NIS) Regulations
- Network contract directed enhanced service (DES)
- NHS 10 year health plan for England: fit for the future
- NHS App roadmap
- NHS App integration
- NHS and social care data: off-shoring and the use of public cloud services guidance
- NHS architecture principles
- NHS Care Identity Service 2 standards
- NHS Code of practice on confidential information
- NHS England Business Continuity Management Framework
- NHS England Cloud Centre of Excellence
- NHS IT Skills Pathway
- NHS operational planning and contracting guidance
- NHS records management code of practice
- NHS service standard
- NHS Service Manual (Design and build digital services for the NHS)
- NHS standard terms and conditions for the procurement of goods
- NHSE Green Plan Guidance document
- Patient Online Services in Primary Care – Good practice Guidance on Identity Verification
- Primary care system development funding (SDF) and GP IT funding guidance 2025/26
- Primary Medical Care Policy and Guidance Manual
- Privacy and Electronic Communications Regulations (ICO)
- Registration Authority Guidance
- Registration Authority Policy v 2.5
- Regulating medical devices in the UK (Gov.uk)
- Respond to an NHS Cyber Alert service
- SNOMED CT
- SNOMED CT in General practice / Standards Change Notice SCCI0034 Amd 35/2016
- Software and AI as a Medical Device Change Programme
- Spine WES
- Step-by-step guide to improving general practice website online journeys
- Statutory Code of practice for Services, public functions and associations (EQA 2010)
- TCO Certification
- UK Adequacy Regulations
- UK General Data Protection Regulation (UK GDPR)
- Understanding accessibility requirements for public sector bodies
- Using online consultations in primary care implementation toolkit
- Using qualified user researchers
- Waste Electrical and Electronic Equipment (WEEE) Regulations (2013)
- Web Accessibility Initiative (WAI) | W3C
- WiFi Technical Policies and Guidance
- Working safely with display screen equipment
History and change logs
Document history
Version: 6.01
Operating model
Version | Date published | Title |
---|---|---|
1.0 | 2012 | GP IT operating model |
2.0 | 2014 | GP IT operating model |
3.0 | 2016 | GP IT operating model 2016-18 |
Addendum to 3.0 | 2018 | 2018/19 Addendum to the GP IT operating model: extending v3 to 2019 and addressing cyber security issues |
4.0 | 2019 | Securing Excellence in Primary Care (GP) Digital Services: The Primary Care (GP) Digital Services operating model 2019-21 |
Addendum to 4.0 | 2020 | Remote Working in Primary Care Guidance for GP practices during COVID-19 Emergency Response |
5.0 | 2022 | Securing Excellence in Primary Care (GP) Digital Services: The Primary Care (GP) Digital Services operating model 2021-23 |
6.0 | 2025 | Securing Excellence in Primary Care (GP) Digital Services: The Primary Care (GP) Digital Services operating model v6 – online publication |
ICB practice agreement
Version | Date published | Title |
---|---|---|
1.0 | March 2015 | CCG–practice agreement: Terms governing the provision and receipt of GPSoC services and GP IT services |
2.0 | September 2019 | CCG practice agreement: Terms governing the provision and receipt of digital services in general practice |
3.0 | 2025 | ICB practice agreement: Terms governing the provision and receipt of digital services in general practice |
Supporting documents
Version | Date published | Title |
---|---|---|
4.0 | 2011 | Good practice guidelines for general practice electronic patient records |
5.0 | 2024 | Digital primary care: The good practice guidelines for GP electronic records (GPGv5) |
1.0 | 2017 | GP IT commissioning support lead provider framework specification support pack |
3.0 | 2019 | GP IT specification commissioning support pack |
5.0 | 2021 | GP IT specification commissioning support pack |
6.0 | 2025 | GP IT enabling services template specification |
1.1 | 2019 | GP IT futures foundation solution business justification document |
2.1 | 2023 | Digital services integrated care foundation solution local business justification document |
2.2 | 2025 | Digital services integrated care foundation solution local business justification document |
Changes log
The following changes have been made since this version (v6) of the GP IT Operating Model was published:
Significant impact changes
Section | Version (retired) | Version (new) | Date | Revision and rationale | Transition timetable updated? |
---|---|---|---|---|---|
Moderate impact changes
Section | Version (retired) | Version (new) | Date | Revision and rationale | Transition timetable updated? |
---|---|---|---|---|---|
Minor impact changes
Section | Version (amended) | Date | Revision and rationale |
---|---|---|---|
Retired content
Significant impact changes:
(to be logged)
Moderate impact changes:
(to be logged)
Minor impact changes:
(to be logged)
Contact us
If you wish to provide feedback on this operating model, please email england.DigitalPrimaryCare@nhs.net.
NHS colleagues and contractors should use this mailbox for queries relating to the management of the GP IT operating model and associated documents and should contact the relevant NHS England team or programme for further information on topic content.
This email address is not intended for use by members of the public, patients or their representatives; they should instead contact the NHS England Customer Contact Centre via email at england.ContactUs@nhs.net.