Understanding the assurance criteria

Your request will be reviewed by the Data Governance, Assurance and Testing team (DGAT). 

The team uses a national assurance framework to assess whether your request is appropriate, safe and deliverable.

Requests are assessed across 3 areas. Each area comes with clear, targeted criteria and your submission needs to address each one.  

This area assesses whether your request is lawful and aligned with strategy and policy objectives. 

It is informed by 2 criteria:

Funding and resourcing

This checks whether your request can be delivered and sustained over time.

It focuses on:

• whether funding is in place
• how long funding will last
• what the funding covers (development, implementation and support)
• whether resources and capability are available to deliver the request

Your request should:

• provide evidence of funding (for example, an approved business case)
• demonstrate that implementation is realistic and supported
• show how organisations will be supported to adopt the request

This checks whether your request is lawful and uses data appropriately.

It focuses on whether:

• there is a valid legal basis for the request
• the organisations in scope are covered by that legal basis
• the request aligns with relevant legislation (for example the Health and Social Care Act 2012)
• information governance requirements have been considered

Your request should:

• clearly state the intended legal powers being used
• confirm that the request aligns with the intent of the legislation
• evidence that the organisations in scope are clearly identified and covered by the legislation
• demonstrate that privacy, transparency and public trust have been considered (for example, through a DPIA).

This area assesses the impact of your request on organisations, staff and patients.

It is informed by 3 core criteria:

This area checks that your request is clinically safe and does not introduce risk to patients or the public.

It focuses on whether:

• clinical safety has been assessed
• risks have been identified and managed
• the request aligns with clinical standards and good governance

Your request should:

• provide evidence of clinical safety assessment
• demonstrate alignment with relevant standards, for example DCB0129 Clinical risk management for organisations that develop health IT systems or DCB0160 Clinical risk management for organisations that deploy and use health IT systems
• clearly describe any risks and how they will be mitigated

This checks whether the right people have been involved in shaping the request.

It focuses on whether:

• stakeholders have been identified
• appropriate engagement and consultation have taken place
• feedback has been captured and addressed

Your request should:

• demonstrate engagement with impacted organisations and groups
• show how their feedback has influenced the request
• consider the impact on different user groups, including those with protected characteristics under the Equality Act 2010

 Building trust and understanding with others provides more guidance and information about stakeholder engagement with and for the NHS.

This checks whether the value of the request justifies the effort required to implement it.

It focuses on:

• the expected benefits (financial and non-financial)
• the burden on organisations (cost, effort, system changes)
• whether the request is proportionate and provides value for money

Your request should:

• clearly define the benefits of the request
• assess the impact on organisations required to implement it
• demonstrate that the benefits outweigh the burden

This area assesses whether your request can be implemented and maintained effectively.

It is informed by 3 criteria.

This checks whether the technical solution for processing data is robust and aligned to national standards.

It focuses on:

• alignment with national data and technical standards
• the design of the data collection or standard
• testing and validation
• readiness for release and implementation

Your request should:

• demonstrate that your design aligns with existing architecture and standards
• provide evidence of testing (including end-to-end where possible)
• show that the request works for the people who will use it including details of accessibility standards where relevant

This checks whether the data collected will be accurate, reliable and usable.

It focuses on:

• how data quality will be measured
• how issues will be identified and resolved
• alignment with data quality frameworks

Your request should:

• describe how data quality will be monitored and improved
• align with the Data Quality Strategy and Implementation Framework
• define acceptable data quality levels

This checks whether the request can be successfully adopted across organisations.

It focuses on:

• how the request will be implemented
• how organisations will be supported
• how compliance will be monitored

Your request should:

• provide a clear implementation plan
• describe how change will be managed (communication, training, support)
• demonstrate how compliance will be tracked and enforced

A strong submission will:

• clearly explain the problem and why it matters
• show that existing solutions have been considered
• include evidence to support decisions
• demonstrate that the proposal is safe, lawful and deliverable
• consider the impact on organisations expected to implement it

Providing clear and relevant information will help your request progress smoothly. You can submit your request with initial details and build on it with support and guidance from the Assurance team.