NHS Standard Contract

Security & Information Governance Alignment

Formal positioning for procurement and assurance reviewers.

Data protection and confidentiality

In line with NHS Standard Contract provisions on data protection:

  • The service does not process Personal Data or Confidential Patient Information
  • No Data Processing Agreement is required, because no patient data is processed
  • No Data Protection Impact Assessment (DPIA) is required, because no patient data is processed

The service operates exclusively on publicly available, non-personal information (nationally published clinical guidance).

Information governance and assurance

Consistent with NHS Standard Contract requirements:

  • The supplier maintains appropriate information governance accountability
  • Security and risk management arrangements are documented and proportionate
  • An incident reporting and escalation process is in place
  • Assurance information can be provided to Trusts and Integrated Care Systems (ICSs) on request

The Data Security and Protection Toolkit (DSPT) is used as the baseline assurance mechanism for the supplier's security posture.

Cyber security and resilience

In accordance with NHS Standard Contract cyber security expectations:

  • Reasonable and proportionate technical and organisational measures are implemented
  • Systems are protected against unauthorised access and common cyber threats
  • Patch management and vulnerability awareness processes are in place
  • Service availability and recovery arrangements are defined

Controls are risk-based, reflecting that the service is non-clinical and handles no personal data.

Subcontractors and hosting

  • Hosting providers and subcontractors (if any) are subject to appropriate security controls
  • No subcontractor processes patient-identifiable data on behalf of the service
  • Supplier relationships are documented in line with NHS assurance expectations

Clinical safety and regulatory status

  • The service is not a medical device
  • It does not provide diagnostic or treatment recommendations
  • DCB0129 (clinical risk management in the manufacture of health IT systems) and DCB0160 (clinical risk management in the deployment and use of health IT systems) are therefore not applicable
  • The service does not alter clinical workflows or patient pathways

Summary statement (Trust-ready)

This service provides read-only access to nationally published clinical guidance. It does not process patient-identifiable data, does not integrate with clinical systems, and does not provide clinical decision support. Security and governance controls are implemented proportionately in line with NHS DSPT and NHS Standard Contract expectations for low-risk IT suppliers.