The University of Nottingham - PRIMIS

Primary Care Data Quality Assurance

Data extracted from GP IT suppliers are compared to data sourced from individual GP practices to check that the GP IT supplier have implemented national data specifications correctly. Anomalies are identified and highlighted in a report for distribution to the system suppliers for remedial action.

Features

• Comprehensive report outlining deviations from specification
• Graphical presentation of level of agreement between data sources
• Recommendations for action by practices and system suppliers
• Reference queries developed to match specification
• Reference data obtained independent of system suppliers
• Analysis by experienced clinical informaticians

Benefits

• Improve accuracy of national primary care data collections
• Independent assessment of data from GP system suppliers against specification
• Identify implementation errors in GP system supplier data extraction
• Highlight systematic problems with coded patient data
• Provide feedback to practices and system suppliers

£35,000 an instance

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@primis.nottingham.ac.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

861869373797664

Contact

Kerry Oliver
0115 846 6420
enquiries@primis.nottingham.ac.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Primary Care Clinical Data Specification
• Cloud deployment model: Community cloud
• Service constraints: Service is limited to GP IT systems and software solutions used in England.
• System requirements:
  • GP IT systems and software solutions used in the UK
  • GP IT systems and software solutions using SNOMED CT

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 72 hours (Monday to Friday except Public Holidays and University of Nottingham closure days)
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide an email helpdesk service, supported by remote dial-in facilities where appropriate. We provide customised training and consultancy services. ; ; The service will have a nominated project manager who will coordinate the input from PRIMIS clinical and technical teams. The Project Manager will agree a reporting schedule with each customer and will involve the appropriate members from the clinical and technical teams as required.; ; All costs are dependent upon requirements and charged according to the Rate Card.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The service scope is agreed with the customer in advance and can be adjusted in accordance with specific requirements for end user onboarding.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • MS Excel
  • MS Word
• End-of-contract data extraction: PRIMIS retains data beyond the end of the contract unless requested in writing to remove it. Any practice contributing data to PRIMIS has the right to request a copy and the removal and destruction of their data if technically feasible.
• End-of-contract process: All contracts are dependent upon the requirements of the customer and are agreed and priced accordingly (as per the Rate Card).

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: The service scope is agreed with the customer in advance and can be adjusted subject to appropriate change control.

Scaling

• Independence of resources: Demand on this service has not been volatile and is monitored on a regular basis to ensure continuity, availability and the integrity of the service.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: Less than once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Practices export their data using the search and report functionality within their GP IT systems. The aggregate data is exported to PRIMIS as a CSV file using a variety of means, including TLS 1.2 and via NHS mail.; GP IT Suppliers supply aggregate data to PRIMIS as a CSV file using NHS mail.
• Data export formats: CSV
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • XML Searches (EMIS Web)
  • RPT Searches (TPP S1)

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Availability will be agreed at project mobilisation with the customer. We will use reasonable endeavours to notify users of any scheduled maintenance or downtime and to limit the frequency and duration of any suspension or restriction.
• Approach to resilience: All University networks are designed, architected, and managed in such a way that data assets and critical systems are appropriately resilient to all threats, whether internal or external, accidental, or deliberate. Key considerations include access control, anti-malware, IT network security, logging and monitoring, system configuration and management, third party access, website and web app security. All University employees, staff, students, contractors, and other individuals who; access, use, or manage University data assets and digital technology services must comply with the University's Information Security Policy and related procedures and guidelines and undertake annual training, and compliance is measured via Priority Controls of the Assurance Framework and an annual self-attestation cycle.
• Outage reporting: University of Nottingham IT Service Status public dashboard - https://status.nottingham.ac.uk/; Email alerts and via the PRIMIS website

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Access is limited to authenticated users via entry of their NHS email address.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Certification: Cyber Essentials Plus; Certification Number: 739e033f-03c0-4393-b933-7dee77628ef7; Scope: Data centre management networks, virtual desktops network and secure endpoint networks. ; Date of certification: 2024-03-21
• Information security policies and processes: The Chief Information Security Officer (CISO) for the University of Nottingham leads the Information Security and Compliance Team (exists to strengthen the University’s ability to protect the information and data held about staff, students, research participants, and partners; as well as meeting legislative compliance requirements on data protection, GDPR, FOIs, SARs and records management). ; The Managing Director of PRIMIS is the Senior Information Risk Owner (SIRO) within the PRIMIS business unit, responsible for understanding how the strategic business goals of PRIMIS may be impacted by any information risks, and for taking steps to mitigate them, overseen by a Governance Committee (including representative from the University of Nottingham's Information Security and Compliance Team).; Policies and processes - https://www.nottingham.ac.uk/governance/records-and-information-management/policies-and-guidance/policies-and-guidance.aspx

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: PRIMIS uses the University of Nottingham's change request form template which sets out the title, description and level of the proposed change, interruption to services, risk level and impact, start/end dates, communications and testing required, back-out plan, approvals and sign off.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Daily monitor of software vendor feeds and other security vulnerability news feeds to identify security vulnerabilities that may affect University systems. ; Monthly scans on key IT systems or assets to identify security vulnerabilities. ; An external perimeter penetration test performed by an accredited penetration tester annually with remediation plans put in place.; All vulnerabilities are remediated based on the risk they pose to the University network using a CVSS (Common Vulnerability Scoring System) to drive the required remediation timescale.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Systems which contain restricted data, or which can perform sensitive or business critical actions, have logging capabilities enabled in order to monitor both successful and unsuccessful access. The Information Security Policy (reviewed in March 2024) defines which activities should be logged, a minimum dataset and retained for 12 months.; ; Log reviews take place either manually or using automated alerts to detect suspicious activity, failure of security controls, unauthorised use or access, exfiltration of critical data and unauthorised changes to security settings or configurations; ; Issues identified during monitoring are handled using a scoring system that drives the required remediation timescale.
• Incident management type: Supplier-defined controls
• Incident management approach: The University of Nottingham's Digital Technology Service manages operational IT security issues with staff and students signposted to report any data breaches or potentially malicious incidents via an online portal. Staff and students undertake annual training and the process for incident reporting is covered. The incident is either cascaded to the University IT Security team or Information Compliance Team (if a data breach). Standardised online forms are used. The University uses iCasework to record incidents, which allows for the automation of processing, streamlining, the consistent management of incidents and management reports to be generated.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: NHS Network (N3)

Social Value

• Social Value:

  Social Value

  • Covid-19 recovery
  • Equal opportunity
  • Wellbeing

  Covid-19 recovery

  The University of Nottingham is actively delivering services and contracts in a way that achieves social, economic and environmental benefits for our communities: https://www.nottingham.ac.uk/sustainable-development-goals/#the17goals; https://www.nottingham.ac.uk/strategy/documents/university-strategy.pdf.; ; Data assurance projects are used to validate approaches to health service planning/ evaluation and research purposes, including prioritisation of patients for review as part of the Covid-19 recovery and the provision of the Covid-19 vaccination.

  Equal opportunity

  The University of Nottingham is committed to ensuring equal opportunity for all staff and students, and has a number of policies, charters and initiatives:; https://www.nottingham.ac.uk/edi/edi-priorities.aspx; https://www.nottingham.ac.uk/edi/race-equality-charter/race-equality-charter.aspx; https://www.nottingham.ac.uk/edi/university-initiatives.aspx; https://www.nottingham.ac.uk/edi/athena-swan/athena-swan.aspx; ; Other supporting documentation:; https://www.nottingham.ac.uk/fabs/procurement/documents/uon-msa-statement-2023.pdf; https://www.nottingham.ac.uk/sustainable-development-goals/goals/reduced-inequalities.aspx. ; ; Data assurance projects are used to validate approaches to health service planning/ evaluation and research purposes, including the delivery of data models addressing inequalities arising from a person's gender, age and ethnicity.

  Wellbeing

  The University of Nottingham is committed to fostering an inclusive culture, underpinned by our values of inclusivity, ambition, openness, fairness and respect. We have regard for each other’s rights and feelings and demonstrate this in our behaviour, treating each other with consideration and kindness.; https://www.nottingham.ac.uk/hr/documents/staff-wellbeing-guide.pdf; https://www.nottingham.ac.uk/sustainable-development-goals/goals/good-health-and-wellbeing.aspx; https://www.nottingham.ac.uk/sustainable-development-goals/goals/decent-work-and-economic-growth.aspx.; ; Data assurance projects are used for health and wellbeing service planning/ evaluation and research purposes.

Pricing

• Price: £35,000 an instance
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@primis.nottingham.ac.uk. Tell them what format you need. It will help if you say what assistive technology you use.