Information governance for the MESH API

You have a legal duty to keep information about others secure and confidential.

Information governance ensures you follow standards when information is processed. We recommend following the Information Security Management Code of Practice standards (ISMS). This is intended to help NHS organisations manage digital information effectively, and to comply with legal requirements and best practice.

Help and tips for completing this section

The Code of Practice for ISMS covers:

  • digital or hard copy patient health records
  • digital or hard copy administrative information
  • digital or printed X-rays, photographs, slides and images
  • digital media including data tapes, CDs, DVDs, USB disk drives, removable memory sticks
  • computerised records, including those that are processed in networked, mobile or standalone systems
  • email, text and other message types

Q.1

Have you updated your privacy notice to meet the requirements of the NHS England services you are using?

Supporting information

Some NHS England services require you to update your Privacy Notice with specific text. Where required, you should update the bold text with relevant details for your organisation.

PDS FHIR API

If you are receiving care from a health or care organisation, that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number the health and care organisations can work together more closely to improve your care and support.

Your NHS number is accessed through an NHS England service called the Personal Demographic Service (PDS). A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS number. Once retrieved from the PDS, the NHS number is stored in our case management system. These data are retained in line with our record retention policies and in accordance with the Data Protection Act 1998, Government record retention regulations and best practice. Further information is available on our website.

We will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional, and where the user has a direct care relationship with you.

The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process, because hospital staff will know who to talk to.

You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care, but will result in the benefits outlined above not being realised. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options that you have.

If you wish to opt-out from the use of your NHS number in this way, you can contact us by phoning 01234 123123 or by emailing hello@example.com.

NHS login

Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.

NHS Care Identity Authentication (CIA)

Please note that if you access our service using your NHS Care Identity credentials, the identity access and management services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get a national digital identity and authenticate your claim to that identity, and uses that personal information solely for that single purpose. For any personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England's Privacy Notice and Terms and Conditions, view the NHS Care Identity Service 2 page. This restriction does not apply to the personal information you provide to us separately which is managed in accordance with our Privacy Policy.

GP Connect

The 'End user organisation privacy notice statement' is available on the GP Connect privacy notice page.

Q.2
Supporting information

Review the ICO advice and checklists for more information about controllers and processor roles.

Q.2.1
Q.2.2
Supporting information

If unsure, state which organisation has requested the processing to be carried out.

Q.3

When integrated with this service, does your product or service collect, store or process personal data only in the UK?

If you select No, your response will be subject to further scrutiny.

Supporting information

Find out more about personal data.

Q.4

When integrated with this service, does your product or service collect, store or process special category data, such as health data, only in the UK?

If you select No, your response will be subject to further scrutiny.

Supporting information

Find out more about personal data.


Information governance for the MESH API

Q.1

Does your application provide Role-Based Access Control (RBAC) over access to its features?

The MESH Client Application must protect its functionality with RBAC controls sufficient to meet Information Governance (IG) Requirements for a system accessing a Spine service.

Supporting information

This includes:

  • Implementing role-based access control to authorise users’ access to the system’s functions and data
  • Restricting access to view audit trails
  • Protecting RBAC configuration data

Note that the use of local RBAC is acceptable.

Q.2

Does your MESH Client Application ensure appropriate labelling of prescription data?

The capability and responsibility of the developer, and acknowledgement of the risk ownership, is to be demonstrated through the adherence to the Connection Agreement (CA) and Acceptable Use Policy (AUP).

Q.3

Are your MESH Client Audit entries available on a queryable interface?

Audit entries must be available on a queryable interface.

The MESH Client Application must provide an interface for interrogating the audit log sufficient to meet IG Requirements for a system accessing National Services.

Searchable parameters must include user identifier, Message ID, Prescription ID and date/time.
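One way to meet the audit query requirement together with the Q.1 control that restricts who may view audit trails, shown as an added example (it is not NHS England code or part of the original page). The table schema, role names, permission strings and sample entries are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical local RBAC table: role -> permissions (assumed names).
ROLE_PERMISSIONS = {
    "auditor": {"audit:view"},
    "mailbox_operator": {"message:send", "message:receive"},
}

# Only these columns may be used as exact-match filters.
SEARCHABLE = ("user_id", "message_id", "prescription_id")


def open_audit_store():
    """Create an in-memory audit table with constructed sample entries."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE audit (ts TEXT, user_id TEXT, message_id TEXT,"
        " prescription_id TEXT, action TEXT)"
    )
    db.executemany("INSERT INTO audit VALUES (?, ?, ?, ?, ?)", [
        ("2024-03-01T09:00:00Z", "user-a", "MSG-0001", "RX-111", "SEND"),
        ("2024-03-01T09:05:00Z", "user-b", "MSG-0002", "RX-222", "RECEIVE"),
        ("2024-03-02T14:30:00Z", "user-a", "MSG-0003", "RX-111", "ACKNOWLEDGE"),
    ])
    return db


def query_audit(db, role, start=None, end=None, **filters):
    """Return audit rows matching the filters, if the role may view audit trails."""
    if "audit:view" not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionError(f"role {role!r} may not view audit trails")
    clauses, params = [], []
    for column, value in filters.items():
        if column not in SEARCHABLE:  # allow-list keeps column names out of caller control
            raise ValueError(f"unsupported search parameter: {column}")
        clauses.append(f"{column} = ?")
        params.append(value)
    if start is not None:  # ISO 8601 UTC strings in one format sort chronologically
        clauses.append("ts >= ?")
        params.append(start)
    if end is not None:
        clauses.append("ts < ?")
        params.append(end)
    where = " WHERE " + " AND ".join(clauses) if clauses else ""
    sql = ("SELECT ts, user_id, message_id, prescription_id, action FROM audit"
           + where + " ORDER BY ts")
    return db.execute(sql, params).fetchall()
```

Values are always bound as parameters and column names come only from the allow-list, so the search interface itself cannot be used to alter the query.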

Q.4

Has your MESH Client Application implemented a maximum of one thread per mailbox?

Q.5

Do you expect your traffic levels to stay within all of the following levels?

  • 10GB per day send/receive
  • 100k files per day send/receive
  • 100 mailboxes needed