Considerations at the point of procurement
Digital Technology Assessment Criteria (DTAC)
The DTAC gives staff, patients and citizens confidence that the digital health tools they use meet our clinical safety, data protection, technical security, interoperability, and usability and accessibility standards. As a healthcare organisation, we should use the DTAC (linked below) to assess suppliers at the point of procurement or as part of a due diligence process, to make sure new digital technologies meet minimum baseline standards. For developers, it sets out what is expected for entry into the NHS and social care.
In an information governance context, the DTAC checks that the product collects, stores and uses data (including personally identifiable data) lawfully and in line with data protection requirements.
Useful links:
DTAC_version_1.0_FINAL_updated_16.04.odt
Sections C2 (data protection) and C3 (technical security) summarise the IG and cyber security considerations.
Other considerations
At the point of procurement you need to know what personal data (if any) the supplier of the medical device will collect and why, so that this can be considered as part of the due diligence process. You should also establish:
- Where the data is stored, including the country or jurisdiction;
- How long the data is kept for, and how it is deleted at the end of that period;
- Whether it is shared with any third parties, and if so which.
Documentation
North West London Information Governance Framework
Refer to the North West London Information Governance Framework. Both an Interoperability Service Specification (ISS) and a Mandated Data Processing Agreement (MDPA) will be needed for new projects.
Data Sharing Agreement (DSA)/ Data Processing Agreement (DPA)
Ensure that there is a data sharing or data processing agreement in place between us and the procured supplier, and that the terms of the agreement are understood by all parties. These agreements set out the purpose of the data sharing, detail what happens to the data at each stage, set standards and help all parties involved to be clear about their roles and responsibilities.
The device may need an Interoperability Service Specification setting out its specific scope and use. If the device is part of a collective project, ensure the supplier also signs the Mandated Data Processing Agreement.
Data Protection Impact Assessments (DPIA)
Check that a DPIA has been produced prior to the medical device going live.
A DPIA is required when the use of a medical device is likely to result in a high risk to the rights and freedoms of individuals. This is particularly relevant when a new technology or device is being introduced.
To assess whether the use of the medical device is likely to result in a high risk to the rights and freedoms of individuals, complete a DPIA screening questionnaire, which can be obtained from your DPO team.
Security Impact Assessments (SIA)
Complete an SIA prior to the medical device going live. Your IT and Cyber Security Team can assist in completing this.
Other Considerations
Controllers and Processors
Ensure you understand the roles of Data Controllers and Data Processors, and which role each party holds for this device. More information on these roles can be found at Controllers and Processors | ICO.
Check that the DSA or DPA contains an indemnity from the data processor in favour of the controller for errors or breaches caused by the data processor.
Data Protection and Security Toolkit (DSPT)
Confirm that the software supplier has a current, published DSPT assessment.
You can check a supplier's published DSPT status on the DSPT website.
Considerations after the point of procurement
Guidance on protecting medical devices:
Using medical devices on clinical networks compounds three related issues:
As a medical device, security updates, patches and potentially antivirus signatures must be assessed by the supplier and confirmed as safe before they can be applied to the device. This can take three months from the time a security update is released;
When security updates are released, attackers analyse them (for example by diffing the patched and unpatched code) to work out what was fixed, increasing the likelihood that exploitable vulnerabilities become publicly known;
A device that lacks the latest security mitigations is more exposed: exploitation of a known vulnerability is more likely to succeed, and any exploitation is more difficult to detect.
In combination, these issues mean that high-impact security incidents become more likely. Security incidents affecting connected medical devices can cause significant disruption to the delivery of healthcare services, so unpatched devices should be isolated from the wider network as far as possible during the patch assessment window.
See the Guidance on protecting medical devices for the steps to consider whenever a medical device is connected to the network.
Register of Medical Devices
You will need to add the device to the Register of Medical Devices if it is connected to a network, and keep the entry up to date.
Further support
If you need any advice and guidance regarding medical devices you plan to utilise in your work, please contact the NWL IG Team at nhsnwlicb.dpo@nhs.net.
If you need any further guidance, you can also bring questions for clarification to the Primary Care IG forum.