Demonstrate your product meets the core conformance criteria

For one or more of the APIs you're using, you need to complete technical conformance testing to demonstrate appropriate use of the API.

Technical conformance is the process of demonstrating your product’s conformance against the technical specification for an API. Upon completion, we will generally issue you with a technical conformance certificate.

Help and tips for completing this section

For more details on how to complete technical conformance for the specific APIs you are using, find and read the relevant API specifications in our API catalogue.

Q.1

Will your product only be used for the use cases that you have described and the information declared in the API-specific conformance sections?

You can enter up to 2000 characters

Q.2
Supporting information

Review the ICO advice and checklists for more information about controllers and processor roles.

You can enter up to 2000 characters

Q.2.1
Supporting information

The processor organisation is likely to be you / the Connecting Party.

You do not need to detail NHS England’s role in the provision of the Service(s) you are onboarding to.

You can enter up to 2000 characters

Q.2.2
Supporting information

The controller organisation is likely to be the End User Organisations that are instructing you to process the data.

You do not need to detail NHS England’s role in the provision of the Service(s) you are onboarding to.

You can enter up to 2000 characters

Q.3

When integrated with this Service does your product or service collect, store or process ‘personal data’ only in the UK?

Please note that if you select 'No', your response will be subject to further scrutiny.

Supporting information

Find out more about personal data.

Q.4

Have you updated your privacy notice to meet the requirements of the NHS England services you are using?

Supporting information

Some NHS England services require you to update your Privacy Notice with specific text. Where required, you should update the bold text with relevant details for your organisation.

PDS FHIR API

If you are receiving care from a health or care organisation, that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number the health and care organisations can work together more closely to improve your care and support.

Your NHS number is accessed through an NHS England service called the Personal Demographic Service (PDS). A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS number. Once retrieved from the PDS, the NHS number is stored in our case management system. These data are retained in line with our record retention policies and in accordance with the Data Protection Act 1998, Government record retention regulations and best practice. Further information is available on our website.

We will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional, and where the user has a direct care relationship with you.

The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process, because hospital staff will know who to talk to.

You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care, but will result in the benefits outlined above not being realised. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options that you have.

If you wish to opt-out from the use of your NHS number in this way, you can contact us by phoning 01234 123123 or by emailing hello@example.com.

NHS login

Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.

NHS Care Identity Authentication (CIA)

Please note that if you access our service using your NHS Care Identity credentials, the identity access and management services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get a national digital identity and authenticate your claim to that identity, and uses that personal information solely for that single purpose. For any personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England's Privacy Notice and Terms and Conditions, view the NHS Care Identity Service 2 page. This restriction does not apply to the personal information you provide to us separately which is managed in accordance with our Privacy Policy.

GP Connect

The 'End user organisation privacy notice statement' is available on the GP Connect privacy notice page.

NHS App

If you view or manage your hospital appointments [add activity as appropriate, e.g. referrals] via the NHS App [we/your hospital] share[s] your data with NHS England who operate the NHS App and provide this functionality, known as NHS Wayfinder services. For more information, see the NHS Wayfinder services privacy policy.

You can enter up to 2000 characters

Q.5

Has appropriate penetration testing been undertaken for your product in a suitable environment?

Supporting information

If the product is new:

  • A penetration test must be completed by a third-party CHECK/CREST accredited organisation prior to go-live.
  • Penetration testing must also be repeated annually thereafter, or following any change that alters the product’s security profile in any way (for example, the introduction of a new interface or enabling third-party access).
  • An action plan must be in place to mitigate any vulnerabilities identified within an appropriate timeframe.
  • Critical and high-risk vulnerabilities must be fixed or mitigated before onboarding.
  • Outstanding medium-risk vulnerabilities will be assessed, and suppliers may be required to provide a dated plan for resolution.

If the Product is existing:

  • A penetration test must be completed by a third-party CHECK/CREST accredited organisation. This testing must have been carried out within the last 12 months, and must also be repeated within 12 months of the previous test and annually thereafter, or following any change that alters the product’s security profile in any way (for example, the introduction of a new interface or enabling third-party access).
  • There must be no major change to the product as a result of the update unless a new penetration test is performed.
  • An action plan must be in place to mitigate any vulnerabilities identified within an appropriate timeframe.
  • Critical and high-risk vulnerabilities must be remediated or mitigated before onboarding.
  • Outstanding medium-risk vulnerabilities will be assessed, and suppliers may be required to provide a dated remediation plan outlining how and when these will be resolved.

Please refer to the following links for further information:
https://www.ncsc.gov.uk/schemes/check/introduction
https://www.crest-approved.org

See Connection Agreement:

  • Standard terms applicable to all services, Clause 3.5 of the 3. CONNECTION CRITERIA & REQUIREMENTS.

Provide the date the penetration testing was conducted

For example, 24 04 2026

You can upload one file that is smaller than 250MB. If you need to provide multiple files, you should zip them up and upload them as a single .zip file.

Do you have penetration testing already scheduled?

Provide the date the penetration testing is scheduled

For example, 24 04 2026

Q.6

If requested by NHS England, will you provide a list of all End User Organisations that are using your product?

You can enter up to 2000 characters