Skip to main content

BETA - NHS digital, data and technology standards framework

Ministerial foreword

Rt Hon Matt Hancock MP, Secretary of State for Health and Social Care

I spoke at NHS Expo about the critical importance of standards in the development of digital, data and technology products for the NHS. Our technology landscape is very heterogeneous and interoperability is poor. This increases costs because we are not taking advantage of economies of scale, increases errors and introduces delays in the transmission of data from one system to another, which in turn has patient safety implications, and delays the digitisation of those parts of the system still very poorly served by technology.

Today we are publishing, for consultation, a draft new NHS Digital, Data and Technology Standards Framework, which describes our new expectations around the use of data, interoperability, and design standards within the NHS. This sets a new bar for quality and efficiency. Our new standards will be demanding and much work will be necessary across all NHS organisations and within supplier communities to move quickly towards achieving these higher expectations.

NHS organisations will be supported in meeting this challenge. NHS Digital and the NHS Chief Information Officer stand ready to provide guidance and help resolve issues. At the same time, these new expectations will, increasingly over time, be reflected as conditions that trusts need to meet when making IT investments. NHS Improvement will take account of trusts' compliance with these standards in line with its oversight and improvement responsibilities.

As we see migration towards standards, we will quickly see an increase in our ability to share data across the system, an increase in our ability to analyse and drive insights from the huge amount of data we hold across the system, and an ability to procure and redeploy technology with greater efficiency and at lower cost than has ever been possible historically.

Over the coming weeks, we will publish the detailed specifications for each of the standards referenced in the new framework, starting with Clinical Data Standards. We will publish proposed target standards openly and seek inputs from colleagues across the system and from the external supplier landscape. We will absorb feedback and use it to guide both the specific content of standards and the approach taken to mandating key standards and to enforcement.

I want to start this work immediately. We welcome the involvement of the whole community in shaping these and I urge you to participate in this discussion.

The Rt Hon Matt Hancock MP

Secretary of State for Health and Social care


As described in the Secretary of State's foreword, the use of robust standards in the development of digital, data and technology products for the NHS is critical  in ensuring these products are safe, cost effective and meet the needs of all health and care system users;  patients, clinicians, support staff and the health research community.

Standards will only be effective if they are useful, useable and used, and the key to ensuring they meet these tests is making sure they are rigorously defined and clearly explained and that users have access to expert support and guidance in their deployment. This draft framework and the specifications within it are the starting point of that journey and represents the initial objectives and core standards that we believe will have greatest impact. These will be enriched and extended over time through consultation with the health and care system and suppliers. As such, we need your input to ensure it meets its aims, and I would like to thank you in advance for sharing your experience, wisdom and guidance with us as we develop this work.

The standards described within this framework are not targeted at users. Good user experience and interface design should mean that users never need to memorise codes. Instead, these codes should be implemented alongside cutting-edge digital design so that services are both standards-compliant and highly intuitive and efficient to use.

None of the standards in the attached framework are brand new. Most of them have been in existence for many years. Wherever possible, we are leveraging international standards frameworks. This is intended to be a clear articulation of what matters most in our standards agenda, and is accompanied by a renewed commitment to their implementation.

We will seek feedback through a variety of channels throughout the Autumn, including workshops, webinars and digital collaboration tools. As the detailed guidance is made available over the coming weeks, we will keep you informed of progress and seek your views on each specific area.

We all know that implementing standards is hard work. We’ve had some successes and multiple delays and difficulties on this journey so far. But it’s a journey well-worth travelling, and our engines have been stoked by the passionate commitment of the Secretary of State to this challenging agenda. Let’s do everything we can, collectively, to go further and faster this time.

Sarah Wilkinson

CEO, NHS Digital


In determining the right standards to be used across the system, the following principles have been applied. 

  1. That these standards should be based on international standards and only specialised where it is necessary for these standards to be adopted, such as using the NHS Number as the primary identifier.
  2. That these standards are open standards. 
  3. That these standards address the user needs of patients and care professionals. 
  4. That we have a clear evidence base of these standards being useful, usable and used. 
  5. That we have considered how these standards apply across health and care.

The NHS digital, data and technology standards

This framework outlines the key standards for clinical safety, the use of data, interoperability and design interactions.

The expectations are:

1. Patient records for all health and care settings must use the NHS Number wherever possible

Every individual who registers with the NHS in England, Wales and the Isle of Man is issued with a unique patient identifier called the NHS Number.

Using the NHS Number helps ensure that every patient is identified correctly, and that their details are matched with their records. This is the foundation of safe and efficient care.  

Patients do not need to know their NHS Number in order to receive care, and no-one will be refused care because they don’t know it or don’t have one. Some electronic systems such as the NHS e-Referral Service do require the NHS Number to be provided.

Use of the NHS Number is already prevalent at the point of sharing information, but we will move to the position where NHS Number is available at the point of care.

Read more about the NHS Number standard

This standard is live now and should be adhered to in full immediately.

2. Logging in to NHS systems should be through an approved authentication system

All NHS systems used by patients should check personal details using the ‘NHS Login’ system.

Systems used by NHS staff must check that staff are authenticated and authorised by using the ‘NHS Identity’ platform.

These two systems will ensure that only approved and authorised people can view sensitive or confidential data, making patient data safer, and making systems easier to use.

This standard is a future requirement, which must be adhered to once the NHS Login and NHS Identity programs are in live operation.

3. Patient information held in electronic health records should comply with NHS clinical information standards

Clinical information standards define how a patient’s information is recorded, shared and analysed so that every clinician, care provider, NHS organisation and arms-length body (ALB) can be confident in the fidelity of the information they see to the information provided by the treating clinician.

This reduces the risk of mistakes being made between care settings, particularly for patients with multiple or complex conditions, and contributes to the improvement of patient outcomes through more efficient commissioning, better research, and more effective population and public health management and planning.

The NHS standard for clinical data records is SNOMED CT (the ‘Systematized Nomenclature of Medicine – Clinical Terms’). This standard is owned, managed and licensed by SNOMED International on behalf of its 35 country members worldwide, and maintained and distributed in the United Kingdom by NHS Digital. SNOMED CT is already a Data Coordination Board (DCB) published standard for all patient clinical information flows in the NHS. NHS Digital holds a country-member license for use of SNOMED CT in the United Kingdom.

Read more about SNOMED CT, including the requirements specification and implementation guidance here.

The NHS standard for diagnosis based statistical analysis of hospitals is ICD (the ‘International Statistical Classification of Diseases and Health-Related Problems’) to support payment for services and provide diagnosis based statistical analysis for hospitals. This standard is owned, managed and licensed by the World Health Organisation and distributed by NHS Digital in the United Kingdom. The UK has a mandatory obligation to collect and submit ICD morbidity and mortality data to the World Health Organisation for the production of international statistics and epidemiological data.

Read more about ICD here.

Medicines and medical devices should be described using the Dictionary of Medicines and Devices (dm+d).

The NHS Business Services Authority (NHSBSA), in partnership with NHS Digital, maintains dm+d. It is owned by the Department of Health and Social Care, and distributed by NHS Digital. It includes the vast majority of medicines and devices currently available, as well as those discontinued, in clinical trial, or imported along with the tariffs used in primary care. The NHS dm+d standard has influenced the design of the SNOMED International drugs model, and is strongly aligned to it. This standard brings together the UK clinical product reference source (UKCPRS), the primary care drug dictionary (PCDD), the secondary care drug dictionary (SCDD) and the medical device dictionary (MDD).

Read more about dm+d, including the requirements specification and implementation guidance here.

The current NHS standard for procedure based statistical analysis of hospitals (OPCS) will be changing.

The OPCS (Office of Population Censuses and Surveys - a forerunner of the Office of National Statistics) Classification of Interventions and Procedures is a Crown Copyright classification and published standard used to support payments and also to derive procedure based hospital statistical analysis. Currently OPCS enables interventions and surgical procedures performed on patients to be coded consistently for use in analyses. OPCS is managed, maintained and distributed by NHS Digital.

In the future OPCS will be replaced by a new DCB published standard for procedure based classifications, to complement the richness of ICD, and to provide better integration with SNOMED CT.

Read more about OPCS, including the requirements specification and implementation guidance.

The NHS standard for describing clinical tests and test results will be Unified Test List (UTL) which is an NHS-owned and developed standard, currently in development, with a first version due to be published in 2019. The UTL will describe the medical tests and results used across the NHS, with the first version covering haematology and clinical chemistry. The UTL will be managed and published by NHS Digital, and will become a DCB published standard.

Read here for a more detailed overview of the vision for NHS Clinical Information Standards.

SNOMED CT and dm+d and standards are live now and all NHS organisations should be using them or planning for their adoption. UTL will become a standard in 2020. ICD-10 is in use now but the NHS will be transitioning to ICD-11 in the future.

4. NHS Digital Reference Data Registers are the reference data source of choice in NHS systems

Registers are lists of information. They can also commonly be known as 'lookup' tables and are used to categorise data in databases, for example organisation codes or postcodes. In certain cases, registers underpin operational working, such as access control or, messaging. Each register is the most reliable list of its kind and represents the approved version of that data, typically managed and approved by a government department.

By using registers, you can:

  • reduce the time and cost of sourcing data from across government
  • be confident that your service is using the most up–to–date government data
  • receive data that is ready to use with no need for data cleansing

Each register is looked after by an individual, team or department, known as the ‘custodian’, who ensure that the register is kept up to date.

The custodian of each authoritative NHS Data Register is employed by the organisation responsible for the information in the register, and as such, multiple organisations across the NHS provide authoritative NHS Data Registers for use by other parties within the system.

NHS Data Registers are open lists of core NHS information such as NHS healthcare professionals, GP practices or NIHR-issued codes for research studies.

NHS Digital provides a standard platform for the publication and maintenance of NHS registers. Systems can use these registers through REST APIs in formats including CSV and JSON.

Read more about NHS Data Registers here.

This standard is a future requirement. New Registers are continuously being developed and published. NHS organisations should continually review their use of reference data sets against available NHS Data Registers and seek to migrate to the latter as soon as possible. This review period may vary dependent on context, but a full annual review should be a minimum requirement.

5. All health software and health IT systems must be designed, developed and operated safely to conform with clinical safety standards

The design, development and operation of health apps, software and IT solutions should be safe.

NHS Digital has led the development of light touch yet robust standards for the development of safe software, apps and IT systems and for deploying and operating such systems within the health and care environment. These clinical safety standards have been developed and adopted over the last ten years.

The standard for developers spans mobile health and care apps through to large integrated systems. The standard for the health IT environment covers locally hosted, remote and cloud hosted solutions.  It helps the management within healthcare organisations understand their risks and ensure their increasingly broad range of apps, systems and devices from a variety of developers coexist and collaborate to deliver safe care for our patients.

NHS Digital and MHRA are leading the development of new international standards with ISO and IEC, through the British Standards Institute. These international standards will be adopted in the future when they meet our requirements.

For more information see:

DCB 0129 – Clinical Risk Management: its Application in the Manufacture of Health IT Systems 
DCB 0160 – Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems

These standards are live now. All NHS organisations must have regard to the requirement to ensure developers of their software and systems have adopted DCB0129 and that health and care providers deploy and use safe systems conforming to DCB0160.

6. All NHS digital, data and technology services should achieve the Data Security Standards required through the Data Security and Protection Toolkit (DSPT)

All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practicing good cyber security and publish their performance against the National Data Guardian's ten data security standards.

The ten Data Standards are an overarching framework; each standard is broken down into evidence items called assertions which cover the detail required to meet each standard. They cover more than technology, encompassing people and process. 

1. People

Data Security Standard 1. Staff ensure that personal confidential data is handled, stored and transmitted securely, and personal confidential data is only shared lawfully.

Data Security Standard 2. All staff understand their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.

Data Security Standard 3. All staff complete appropriate annual data security training and pass a mandatory test.

2. Process

Data Security Standard 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required.

Data Security Standard 5. Processes are reviewed at least annually to identify and improve processes which have caused breaches and compromise data security.

Data Security Standard 6. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to.

Data Security Standard 7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, tested annually.


Data Security Standard 8. No unsupported operating systems, software or internet browsers are used within the IT estate.

Data Security Standard 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework reviewed annually.

Data Security Standard 10. IT suppliers are held accountable via contracts for protecting the personal confidential data they hold.

It is proposed that from April 2019 the toolkit is uplifted with elements of the government Minimum Cyber Security Standards which are not already incorporated within the DSPT. The amendments would be undertaken as part of the annual review cycle of the toolkit.

The adoption of the mandatory minimum cyber security standards for the NHS would support better cyber security and allow the Department of Health and Social Care and its relevant Arm’s Length Bodies (ALBs) to monitor compliance and support targeted improvement.

The updated toolkit will be tested with users before the uplifted evidence items being published by the end of January 2019 with organisations expected to begin working to compliance thereafter.

Read more about the Data Security Standards

Access the Data Security and Protection Toolkit

 All NHS organisations should ensure they meet current standards in the Data Security and Protection Toolkit immediately and should strive to achieve the minimum cyber security standard wherever possible before a potential implementation within the toolkit in 2019/20.

7. All NHS digital, data and technology services should support FHIR-based APIs to enable the delivery of seamless care across organisational boundaries

Fast Healthcare Interoperability Resources (FHIR) are part of an international family of standards developed by HL7 and in the direction of travel globally.

The data models and APIs developed using this standard provide a means of sharing health and care information between providers and their systems no matter what setting care is delivered in. Based on the international standard, we have created constrained FHIR profiles in the form of the ‘CareConnect’ and ‘Transfers of Care’ specifications.

These specifications outline the profiles for clinical concepts including diagnoses, procedures and medications whilst providing modular structures such as medications (to support activities such as medications-on-admission) and observations (to support assessments such as National Early Warning Score 2 (NEWS2)). These specifications will enable the exchange of agreed clinical content.

The specifications are available, and all future developments, will be created in collaboration with healthcare providers (NHS and social care organisations), system vendors (such as EPR and integration engine suppliers) and standards bodies (such as the Professional Records Standards Body (PRSB) and INTEROPen) to bring together clinical, informatics, terminology and implementation expertise. Together, we will develop and agree the necessary set of semantically interoperable FHIR API specifications to support safe patient care. NHS Digital will provide this curation function.

Read more about FHIR based specifications here.

Both ‘CareConnect’ and ‘Transfers of Care’ standards are available now for first-of-type implementation and are included as part of the NHS Standard Contract. NHS organisations should plan to use agreed FHIR APIs so that they can deliver joined up care to their patients. Global Digital Exemplars and Local Health and Care Records are expected to implement these APIs.

8. All NHS digital, data and technology services should be designed to meet user needs in line with the principles of the Digital Service Standard and Technology Code of Practice

NHS digital systems must be designed in accordance with the principles of the Government Digital Service (GDS) Digital Service Standard and the Technology Code of Practice. In particular, they must:

  • help users do the thing they want to do at the first attempt without having to understand government
  • be designed based on user research and user needs
  • be coded in the open and take full advantage of existing open source solutions

The Department of Health and Social Care and the Cabinet Office use these principles to check whether a service is suitable for public use.

Building on the good practice in the government standard, an NHS digital service manual has been released in public beta. The beta release covers services for patients and the public. Further work will be done to define NHS-specific design standards for services used by health and care workers, and the appropriate support and assessments to ensure they will be met consistently.

While the NHS standard is in beta, the GDS standards continue to be mandatory for nationally delivered services used by the public. They also remain sources of good practice for locally delivered services, and services used by health and care workers.

Read more about the Technology Code of Practice here.

Read more about digital service design standards here

This NHS standard is a future requirement, which must be adhered to once NHS service design standards exit the beta phase.

9. NHS services should be operated with an enabling infrastructure that supports technical evolution, financial investment and resilience

Infrastructure decisions should consider public cloud in adherence to the Government's Cloud First Policy. Such decisions should be underpinned through an understanding of the total cost of ownership of operating services for their full lifecycle including exit, together with maximising the benefits that cloud options can offer.

Health and social care systems should be challenged to continually innovate and evolve whilst aligning to wider strategies. Services should be designed with security at their core, based on open standards supporting safe interoperability with the wider health and care ecosystem. They should offer operational performance, scalability and recovery commensurate with business impact and operational service needs.

Cloud based services offer the best modernisation approach. A well architected review with the relevant cloud provider will allow Organisations to deliver the best value and modernisation from their investment. 

National enabling services such as NHS Identity and Secure Email support the Cloud First Approach.

Read more about enabling infrastructure here.

As part of managing cloud services across NHS Systems, NHS Digital will provide guidance on the governance, blue prints and automation of cloud based services ensuring that the underpinning platforms used across the health system are secure and optimised to gain the best value from cloud services.

10. NHS digital, data and technology services should be contracted for in accordance with the commercial standards

The Department for Health and Social Care, NHS England and NHS Digital have developed a simple tiered-model to frame the development of Commercial standards for IT contracting across the NHS:

  • The Commercial and Behavioural Principles upon which the NHS expects those suppliers wishing to do business with the sector to operate both in terms of performance and behaviour;
  • Common Business Standards – which set out how the above principles should be enacted by suppliers and the NHS organisations procuring their products and / or services; and
  • Precedent IT contracts – a library of precedent clauses and draft agreements for the NHS to utilise when going to market for IT services.

Read more about the Commercial and Behavioural Principles here.

It is intended that all NHS organisations, along with their suppliers, adopt and adhere to these Commercial standards when procuring, managing and delivering IT services and products. The aim is to help drive best practice and embed good working standards within IT contracts across the NHS.

Supporting adoption of the standards

NHS organisations will be supported to meet the challenge of adoption of these standards through the provision of guidance and an active programme of engagement. At the same time, these new expectations will be reflected as conditions that trusts need to meet when developing systems and services. NHS Improvement will take account of trusts' compliance with these standards as part of its oversight responsibilities.

Read here for more information on the options being considered (under development).

Last edited: 29 November 2021 3:48 pm