Onboard using the Supplier Conformance Assessment List process

For the 1-Click Service, we use the Supplier Conformance Assessment List (SCAL) process for onboarding.

To onboard using the SCAL process you should follow the steps below.

1. Confirm your use case

You must confirm you have a valid use case. You’ll need to give us details of your product and what it does.

2. Get the SCAL template

The SCAL is a document you use to tell us about your product and organisation, and to make various declarations about them.

When you sign the Connection Agreement (see step 12 below), the SCAL becomes part of your legally binding agreement with NHS Digital.

The SCAL is a spreadsheet with several tabs, including:

  • ‘Guidance & Process’ - explains how the SCAL works
  • ‘Supplier & Product information’ - general information and declarations about your product and organisation
  • one or more tabs for each service that your product uses

To get a SCAL template for your product, email us and tell us:

  • your developer organisation name
  • your application name
  • the service you want to onboard

We will either create a new SCAL template for you or find your existing SCAL and add a new tab for the 1-Click Service you want to onboard for.

3. Provide your ODS code

The Organisation Data Service (ODS) holds details of all healthcare organisations, including developers. Each organisation in ODS has a unique ODS code - sometimes referred to as an Application Service Provider (ASP) code.

During the onboarding process, the ODS code you provide represents you as a developer onboarding a commercial product or as an end user organisation (EUO) developing a product in-house.

You must provide your ODS code in the ‘Supplier & Product information’ details in the SCAL document and you will need it to complete other steps in the onboarding process.

If you're not sure about your ODS code, you can:

4. Get a Health and Social Care Network connection

The 1-Click Service can only be accessed over the Health and Social Care Network (HSCN).

You'll need an HSCN connection for:

  • integration testing
  • production use - if you are also an end user organisation

To get an HSCN connection:

  1. Make sure you have an ODS code (see step 3).
  2. See Connecting to HSCN.

5. Complete the Data Security and Protection Toolkit (DSPT)

As a software developer you might come into contact with patient data, when supporting your end users for example.

To ensure you have controls in place to keep patient data private and secure, you must complete the Data Security and Protection Toolkit (DSPT).

When you complete the DSPT, you’ll need to state your organisation profile. You should use:

  • ‘NHS Business Partner’ if your system directly processes patient data on a regular basis, for example a GP system
  • ‘Company’ if your software only has technical access to patient data, for example a middleware system

To complete the DSPT:

  1. Make sure you have an ODS code (see step 3).
  2. See Data Security and Protection Toolkit (DSPT).

6. Implement a Clinical Risk Management Process

As a developer of healthcare software, you must ensure you implement a clinical risk management process that conforms to the DCB0129 standard.

For the 1-Click Service we provide you with a hazard log which you must review and integrate into your own risk log.

7. Check your medical device status

You need to check whether your product is considered to be a medical device.

If it is, you need to ensure you comply with the relevant legal requirements.

For more details see Medical devices: software applications (apps).

8. Complete technical conformance testing

For the 1-Click Service, you need to complete technical conformance testing to demonstrate appropriate use of the 1-Click Service. We call this Interoperability Toolkit (ITK) Conformance.

Assurance of the SCR 1-Click requirements.

Upon completion, we will issue you with a technical conformance certificate.

9. Conduct penetration testing

For the 1-Click Service, you need to conduct penetration testing before you can go live.

CHECK - penetration testing - National Cyber Security Centre

For details on how to do this for a particular API, read its API specification in our API catalogue.

10. Register for service and incident management

To receive service updates and raise live incidents, you need to register with our service desk.

To register for incident management:

  1. Make sure you have an ODS code (see step 3).
  2. Complete the Service Desk Registration Form - you’ll find this embedded within the SCAL, on the ‘Supplier and Product information’ tab.
  3. Email it to the NHS Digital National Service Desk at

11. Complete and submit the SCAL

Once you have completed the preceding steps, you need to complete the various declarations in the SCAL.

Send the completed SCAL to us at the appropriate email address.

We’ll review your SCAL and send it back for rework if necessary.

Once we’re happy with your SCAL we will keep a copy of it for our records.

12. Sign the Connection Agreement

Once we’re happy with your SCAL, we will send you a copy of the Connection Agreement to sign. This is a legal document that sets out your obligations.

If you have previously signed a Connection Agreement, we will re-issue the existing document. In some cases you might need to re-sign it.

13. Issue the End User Organisation Acceptable Use Policy

Appendix 1A of the Connection Agreement is the End User Organisation Acceptable Use Policy.

You must issue it to each end user organisation that will use your product. It sets out their obligations in using your product.

If you are an end user organisation developing software for your own use, this policy applies to your own organisation.

14. Get production access

The live URL will be provided for Production go-live.

Last edited: 1 July 2021 5:01 pm