The University of Nottingham - PRIMIS

Primary Care Clinical Data Specification

Development, review and quality assurance of data specifications for reporting of data from GP clinical IT systems, to meet the requirements of a national programme (for example the Seasonal ‘Flu Vaccination Uptake Programme), or a specific customer requirement. Specifications consist of clinical code groups and logical business rules.

Features

• Tailored for local or national reporting or clinical requirements
• Clinical concept definition (RV2, CTV3, SNOMED CT)
• Expert knowledge of primary care clinical system environment
• Can be implemented across multiple clinical systems
• Can be implemented with multiple data extraction tools
• Plain English Definition of specification
• Clinical review and collaboration
• Formal version of specification - coded Business Rules

Benefits

• Access to expert clinical and health informatics advice
• Comparable returns from different clinical systems/extraction mechanisms
• Shared understanding of what will be extracted
• Shared understanding of data outputs and returns

£5,000.00 an instance

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@primis.nottingham.ac.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

916223539219001

Contact

Kerry Oliver
0115 846 6420
enquiries@primis.nottingham.ac.uk

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: This is part of the Primary Care Data Solutions service but can be offered as a standalone service
• Cloud deployment model: Private cloud
• Service constraints: None
• System requirements: N/A

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 72 hours (Monday to Friday except Public Holidays and University of Nottingham closure days)
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We provide an email helpdesk service, supported by remote dial-in facilities where appropriate. We provide customised training and consultancy services. ; ; The service will have a nominated project manager who will coordinate the input from PRIMIS clinical and technical teams. The Project Manager will agree a reporting schedule with each customer and will involve the appropriate members from the clinical and technical teams as required.; ; All costs are dependent upon requirements and charged according to the Rate Card.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: The service scope is agreed with the buyer in advance and can be adjusted in accordance with their requirements for end user onboarding.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • MS Excel
  • MS Word
• End-of-contract data extraction: PRIMIS retains data beyond the life of the contract unless requested, in writing, to remove it.
• End-of-contract process: All contracts are dependent on the requirement of the customer and are agreed and priced accordingly (see rate card)

Using the service

• Web browser interface: No
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: None or don’t know
• API: No
• Customisation available: Yes
• Description of customisation: The service scope is agreed with the customer in advance and can be adjusted subject to appropriate change control.

Scaling

• Independence of resources: Demand on this service is not volatile and is monitored on a regular basis to ensure availability.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Practices export their data using the search and report functionality within their GP IT systems. The aggregate data is exported to PRIMIS as a CSV file using a variety of means, including TLS 1.2 or via NHS mail. ; ; GP IT suppliers supply aggregate data to PRIMIS as a CSV file using NHS mail.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Availability will be agreed at project mobilisation with the customer. We will use reasonable endeavours to notify users of any scheduled maintenance or downtime and to limit the frequency and duration of any suspension or restriction.
• Approach to resilience: All University networks are designed, architected, and managed in such a way that data assets and critical systems are appropriately resilient to all threats, whether internal or external, accidental, or deliberate. Key considerations include access control, anti-malware, IT network security, logging and monitoring, system configuration and management, third party access, website and web app security. All University employees, staff, students, contractors, and other individuals who; access, use, or manage University data assets and digital technology services must comply with the University's Information Security Policy and related procedures and guidelines and undertake annual training, and compliance is measured via Priority Controls of the Assurance Framework and an annual self-attestation cycle.
• Outage reporting: University of Nottingham IT Service Status public dashboard - https://status.nottingham.ac.uk/; Email alerts and via the PRIMIS website

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Configuration and management operations are performed by members of the University of Nottingham's Digital Technology Service only. ; Support is provided by members of the PRIMIS Operational and Information Development Teams only. ; Privileged access is strictly limited to individuals who require it as part of their role.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Certification: Cyber Essentials Plus; Certification Number: 739e033f-03c0-4393-b933-7dee77628ef7; Scope: Data centre management networks, virtual desktops network and secure endpoint networks. ; Date of certification: 2024-03-21
• Information security policies and processes: The Chief Information Security Officer (CISO) for the University of Nottingham leads the Information Security and Compliance Team (exists to strengthen the University’s ability to protect the information and data held about staff, students, research participants, and partners; as well as meeting legislative compliance requirements on data protection, GDPR, FOIs, SARs and records management). ; The Managing Director of PRIMIS is the Senior Information Risk Owner (SIRO) within the PRIMIS business unit, responsible for understanding how the strategic business goals of PRIMIS may be impacted by any information risks, and for taking steps to mitigate them, overseen by a Governance Committee (including representative from the University of Nottingham's Information Security and Compliance Team).; Policies and processes - https://www.nottingham.ac.uk/governance/records-and-information-management/policies-and-guidance/policies-and-guidance.aspx

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: PRIMIS uses the University of Nottingham's change request form template which sets out the title, description and level of the proposed change, interruption to services, risk level and impact, start/end dates, communications and testing required, back-out plan, approvals and sign off.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Daily monitor of software vendor feeds and other security vulnerability news feeds to identify security vulnerabilities that may affect University systems. ; Monthly scans on key IT systems or assets to identify security vulnerabilities. ; An external perimeter penetration test performed by an accredited penetration tester annually with remediation plans put in place.; All vulnerabilities are remediated based on the risk they pose to the University network using a CVSS (Common Vulnerability Scoring System) to drive the required remediation timescale.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Systems which contain restricted data, or which can perform sensitive or business critical actions, have logging capabilities enabled in order to monitor both successful and unsuccessful access. The Information Security Policy (reviewed in March 2024) defines which activities should be logged, a minimum dataset and retained for 12 months.; ; Log reviews take place either manually or using automated alerts to detect suspicious activity, failure of security controls, unauthorised use or access, exfiltration of critical data and unauthorised changes to security settings or configurations; ; Issues identified during monitoring are handled using a scoring system that drives the required remediation timescale.
• Incident management type: Supplier-defined controls
• Incident management approach: The University of Nottingham's Digital Technology Service manages operational IT security issues with staff and students signposted to report any data breaches or potentially malicious incidents via an online portal. Staff and students undertake annual training and the process for incident reporting is covered. The incident is either cascaded to the University IT Security team or Information Compliance Team (if a data breach). Standardised online forms are used. The University uses iCasework to record incidents, which allows for the automation of processing, streamlining, the consistent management of incidents and management reports to be generated.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: Yes
• Connected networks: NHS Network (N3)

Social Value

• Social Value:

  Social Value

  • Covid-19 recovery
  • Equal opportunity
  • Wellbeing

  Covid-19 recovery

  The University of Nottingham is actively delivering services and contracts in a way that achieves social, economic and environmental benefits for our communities: https://www.nottingham.ac.uk/sustainable-development-goals/#the17goals; https://www.nottingham.ac.uk/strategy/documents/university-strategy.pdf.; ; Data specifications are used for health service planning/ evaluation and research purposes, including prioritisation of patients for review as part of Covid-19 recovery.

  Equal opportunity

  The University of Nottingham is committed to ensuring equal opportunity for all staff and students, and has a number of policies, charters and initiatives:; https://www.nottingham.ac.uk/edi/edi-priorities.aspx; https://www.nottingham.ac.uk/edi/race-equality-charter/race-equality-charter.aspx; https://www.nottingham.ac.uk/edi/university-initiatives.aspx; https://www.nottingham.ac.uk/edi/athena-swan/athena-swan.aspx; ; Other supporting documentation:; https://www.nottingham.ac.uk/fabs/procurement/documents/uon-msa-statement-2023.pdf; https://www.nottingham.ac.uk/sustainable-development-goals/goals/reduced-inequalities.aspx. ; ; Data specifications are used for health service planning/ evaluation and research purposes, including the delivery of data models addressing gender, age and ethnicity.

  Wellbeing

  The University of Nottingham is committed to fostering an inclusive culture, underpinned by our values of inclusivity, ambition, openness, fairness and respect. We have regard for each other’s rights and feelings and demonstrate this in our behaviour, treating each other with consideration and kindness.; https://www.nottingham.ac.uk/hr/documents/staff-wellbeing-guide.pdf; https://www.nottingham.ac.uk/sustainable-development-goals/goals/good-health-and-wellbeing.aspx; https://www.nottingham.ac.uk/sustainable-development-goals/goals/decent-work-and-economic-growth.aspx.; ; Data specifications are used for health service planning/ evaluation and research purposes.

Pricing

• Price: £5,000.00 an instance
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at enquiries@primis.nottingham.ac.uk. Tell them what format you need. It will help if you say what assistive technology you use.