As described in the NHS Digital compliance process, if an end user organisation will be deploying the client, usage and settings approval must be obtained. This involves NHS Digital assessments of:
- Whether the purpose for which the data is required represents a legal basis for sharing that data with the organisation, where the purpose is not direct care (as defined in the Caldicott Review 2013). The PDS Access Request scrutiny process is owned by the NHS Digital Information Asset Owner for PDS and is described in detail in the PDS access request brief. The PDS Access Request process is concerned with the authority for a non-NHS organisation to access the PDS; it is the organisation that is granted authority at the end of the process. The associated legal agreements are the DSFC and the DSA, which are also explained in the briefing document.
- The system(s) and setting in which the data will be used, to ensure that Information Security and business process requirements are complied with.
The overall Usage and Settings assessment is achieved by completing the Phase 1a Usage and Settings sections in the TOM and submitting the information to NHS Digital. These sections of the TOM are normally completed by the End User organisation, overseen and supplemented by the Supplier as appropriate.
On receipt of the TOM, the NHS Digital Demographics Team will scrutinise the details, including:
- The organisation type and type of service
- The purpose of requesting the data (the ‘use case’ including business flows of data, systems that data will flow through, user base etc.)
- Governance and IG arrangements, including existing data sharing contracts with NHS Digital such as the Data Sharing Framework Contract (DSFC) and any Data Sharing Agreements (DSAs) between the requesting organisation and NHS Digital. Each purpose will have a separate DSA.
The outcome of this scrutiny will be approval (or rejection) of the End User (organisation) access request.