What is Onboarding?
Onboarding is NHS Digital’s process for allowing ‘Connecting Systems’ to integrate with National Services. Connecting Systems are developed by technology partners to provide healthcare organisations and individuals with access to National Services, in support of the provision of direct care.
Which Services does it apply to?
The NHS Digital Services and APIs that currently follow the Onboarding process include:
- Spine Mini Service Provider for Personal Demographics Service (SMSP-PDS)
- Electronic Referrals Service (e-RS)
- Electronic Prescription Service (EPS) Prescription Tracker
- GP Connect capabilities e.g. HTML and Appointments
- NHS login
- NHS App
What is the purpose of the Onboarding process?
The Onboarding process is risk-based and:
- assesses the technical conformance of the Connecting System with the integration standards and requirements of the Service
- requires self-declared compliance with specified standards for data protection, clinical safety, information governance and security.
The aim of the Onboarding process is for all parties to work together to ensure the safe and secure transmission and/or sharing of data for healthcare purposes.
Who is involved in Onboarding?
The parties involved are:
- NHS Digital: the owner of the National Service.
- Connecting Party: an individual or organisation that develops, owns, and maintains the Connecting System that connects to one or more National Service(s). The term partner or supplier is also used.
- End User Organisation: the recipient or commissioning body wishing to use or commission a Connecting System to access National Service(s). The End User Organisation often represents individual end users e.g. healthcare professionals or patients.
What are the main documents used during Onboarding?
All parties have responsibilities and obligations for Information Governance, Data Protection, Information Security, clinical risk management and incident management. These are outlined in the following:
Each National Service also has a web page or portal, that contains the technical, functional, and non-functional standards and requirements that a Connecting System must meet in order to integrate to the National Service.
Finally, there is a Supplier Conformance Assessment List (SCAL), currently presented as a workbook. This is completed by the Connecting Party to create a record of the technical conformance of its Connecting System with the technical requirements of the National Service being integrated. It also contains declarations of organisational compliance with standards, regulations, and policies.
Examples of all documents are provided below are for information only. When you begin the Onboarding process for a National Service, you will be guided how to complete these documents.
- Supplier Conformance Assessment List (SCAL): completed by the Connecting Party during as a record of technical conformance
- Connection Agreement: signed by the Connecting Party each time a National Service is integrated with its Connecting System.
- Appendix 1A: End User Organisation Acceptable Use Policy (AUP) to be shared with all End User Organisations by the Connecting Party.
- Appendix 2A: Data Processing Form for the Connecting Party to detail the processing to be performed.
Special Terms for data protection relationships
The following Appendices will apply depending on the data protection relationships for the Service and parties involved:
Appendix 2B: Connecting Party as the Processor where NHS Digital is Controller e.g. where NHS Digital has a direction for a programme and the Connecting Party is a private sector supplier providing services pursuant to that programme.
Appendix 2C: Data protection relationship between Connecting Party and End User Organisation(s) e.g. where the Connecting Party is a processor to the End User Organisation but there is no data protection relationship between NHS Digital and the Connecting Party.
Appendix 2D: Connecting Party as Controller (Independently or Jointly with others) e.g. where Connecting Party is an NHS entity, and is a controller jointly with other NHS entities.
Appendix 2E: Connecting Party as Joint Controller with NHS Digital; NHS Digital lead on activity.
Appendix 2F: Connecting Party as Joint Controller with NHS Digital; Connecting Party as lead on activity e.g. when the Connecting Party is an NHS entity and working jointly with NHS Digital who has a direction in relation to the data, and there is a joint purpose or means in relation to the delivery of the programme.