The following requirements MUST be met by subscribing organisations in order to meet the information governance (IG) requirements of the NEMS. These requirements are aimed at making sure that data is not shared when it should not be and that a record of shared data is available to Data Protection Officers, Caldicott Guardians and IG leads if it is required.
Subscriptions SHALL only be created in order to receive data for the purpose of direct care.
The organisation creating a subscription MUST ensure that a legitimate care relationship exists with the patient who is the focus of the subscription, and MUST be able to prove the existence of that legitimate relationship on enquiry.
The organisation MUST also have processes in place for managing legitimate relationships which have expired or changed.
Subscriptions MUST only be created where the subscribing organisation has a lawful basis for use of the data they will receive.
Providers using the subscription API MUST audit all interactions with the API, including
The audit data MUST include:
- who or what triggered the subscription create, read or delete
- the date and time when the subscription was created / read / deleted
- details about the subscription, such as the event type, the start and end dates for the subscription (if included) and the NHS Number the subscription was for