Added requirements which used to sit in the DPIA into the spec.

nhsconnect · Aug 9, 2019 · d4d8f71 · d4d8f71
1 parent 5372089
commit d4d8f71
Show file tree

Hide file tree

Showing 8 changed files with 85 additions and 13 deletions.
diff --git a/_data/sidebars/overview_sidebar.yml b/_data/sidebars/overview_sidebar.yml
@@ -1,7 +1,7 @@
 entries:
 - title: National Events Management Service (NEMS)  
   product: National Events Management Service (NEMS) 
-  version: 2.0.0-Beta
+  version: 2.0.1-Beta
   levels: one
   folders:
 
@@ -68,6 +68,9 @@ entries:
       url: /explore_subscriptions.html
       output: web
       type: homepage
+    - title: Information Governance
+      url: /subscription_ig.html
+      output: web
     - title: Generic API Guidance
       url: /subscription_general_api_guidance.html
       output: web

diff --git a/pages/overview/overview_msg_architecture_sequencing.md b/pages/overview/overview_msg_architecture_sequencing.md
@@ -22,5 +22,5 @@ For subscribers to detect and handle out-of-order messages the NEMS has included
 
 ## Which Method To Use
 
-Individual event type support for out-of-order message handling and which method is the most appropriate to detect an out-of-order message will be set at a national level, as part of the formal event definition. Additional information on which elements to populate for message sequencing can be seen on the [Generic Requirements](explore_genreic_event_requirements.html) page, within the resource population guidance section for the `MessageHeader` resource.
+Individual event type support for out-of-order message handling and which method is the most appropriate to detect an out-of-order message will be set at a national level as part of the formal event definition and included within the requirements for each event message type. Additional information on which elements to populate for message sequencing can be seen on the [Generic Requirements](explore_genreic_event_requirements.html) page, within the resource population guidance section for the `MessageHeader` resource.
 
diff --git a/pages/overview/overview_release_notes.md b/pages/overview/overview_release_notes.md
@@ -7,6 +7,28 @@ permalink: overview_release_notes.html
 summary: Summary release notes of the versions released in National Events Management Service Implementation Guide
 ---
 
+## 2.0.1-Beta (09/08/2019) ##
+
+[Event Message Sequencing](overview_msg_architecture_sequencing.html)
+- Improved wording around where the type of sequencing indicator will be defined for each event message to make it more clear that it will be defined per event type.
+
+[Generic Publication API Guidance](publication_general_api_guidance.html)
+- Added guidance around batch verification of NHS Numbers not being suitable to meet the NEMS requirements
+
+[Generic Subscription API Requirements](subscription_general_api_guidance.html)
+- Added guidance around batch verification of NHS Numbers not being suitable to meet the NEMS requirements
+
+[Receiver Information Governance](receiver_ig.html)
+- Moved requirements from DPIA into specification around data retention
+- Moved requirements from DPIA into specification around data being received only being used for Direct Care
+- Moved requirements from DPIA into specification around lawful basis of receiving data about a patient
+
+[Subscription Information Governance](subscription_ig.html)
+- Page added for IG requirements on the subscriber
+- Moved requirements from DPIA into specification around data being received only being used for Direct Care
+- Moved requirements from DPIA into specification around legitimate relationships for subscribers
+- Moved requirements from DPIA into specification around lawful basis of receiving data about a patient
+
 
 ## 2.0.0-Beta (22/07/2019) ##
 

diff --git a/pages/publication/publication_general_api_guidance.md b/pages/publication/publication_general_api_guidance.md
@@ -13,6 +13,7 @@ Any NHS Numbers included in an event message sent to the NEMS Publication API, M
 
 Information on how to verify an NHS Number against the Spine PDS is available on the [Spine Core specification](https://developer.nhs.uk/apis/spine-core/pds_overview.html).
 
+**Note:** The Demographics Batch Service (DBS) should not be used as it will not meet the requirement above.
 
 ## Endpoint Registration
 

diff --git a/pages/receiver/receiver_ig.md b/pages/receiver/receiver_ig.md
@@ -9,6 +9,12 @@ summary: "IG Requirements for receivers of event messages"
 
 The following requirements must be met by receiving organisations in order to meet the information governance (IG) requirements of the NEMS. These requirements are aimed at making sure that data is available to Data Protection Officers, Caldicott Guardians and IG leads if it is required.
 
+
+### Data Use
+
+Any data which is received via the NEMS SHALL only be used for the purposes of direct care.
+
+
 ### Auditing
 
 The provider system must audit all event messages it attempts to process, even if the event message is discarded. The auditing done within a receiving systems must contain enough information to:
@@ -39,4 +45,14 @@ The subscribing organisation receiving events MUST ensure that a legitimate care
 For IG purposes the event receiving organisation MUST have:
 - processes in place for managing legitimate relationships
 - processes in place for managing legitimate relationships which have expired
-- be able to prove the existence of a legitimate relationship on enquiry.
+- be able to prove the existence of a legitimate relationship on enquiry.
+
+
+### Lawful Basis
+
+Data received MUST only be used where there is a lawful basis for use of the data.
+
+
+### Data Retention
+
+Data received via the NEMS SHALL be kept no longer than is necessary for the purposes for which it is being processed.
diff --git a/pages/subscriptions/explore_create_subscription.md b/pages/subscriptions/explore_create_subscription.md
@@ -11,6 +11,7 @@ summary: ""
 
 In addition to the guidance on this page the guidance and requirement on the [Generic Subscription API Requirements](subscription_general_api_guidance.html) page SHALL be followed when using the NEMS subscription API.
 
+
 ## Creating a Subscription ##
 
 To create a subscription, a client MUST:

diff --git a/pages/subscriptions/subscription_general_api_guidance.md b/pages/subscriptions/subscription_general_api_guidance.md
@@ -18,6 +18,8 @@ Any NHS Numbers included within a subscription sent to the NEMS Subscription API
 
 Information on how to verify an NHS Number against the Spine PDS is available on the [Spine Core specification](https://developer.nhs.uk/apis/spine-core/pds_overview.html).
 
+**Note:** The Demographics Batch Service (DBS) should not be used as it will not meet the requirement above.
+
 
 ## Endpoint Registration
 
@@ -57,13 +59,3 @@ The supported MIME-types for the Subscription API are:
 
 Where the MIME-type is not supplied the NEMS will default to `application/xml+fhir;charset=utf-8`
 
-
-## Audit
-
-Providers using the subscription API MUST audit all interactions with the API, including `Create`, `Read` and `Delete`.
-
-The audit data MUST include:
-
-- who or what triggered the subscription create, read or delete
-- the date and time when the subscription was created / read / deleted
-- details about the subscription such as the event type, the start and end dates for the subscriptions if included and the NHS Number the subscription was for
diff --git a/pages/subscriptions/subscription_ig.md b/pages/subscriptions/subscription_ig.md
@@ -0,0 +1,37 @@
+---
+title: Subscription Information Governance
+keywords:  messaging, publication
+tags: [fhir,messaging,publication]
+sidebar: overview_sidebar
+permalink: subscription_ig.html
+summary: "IG Requirements for subscribing to event messages in the NEMS"
+---
+
+The following requirements MUST be met by subscribing organisations in order to meet the information governance (IG) requirements of the NEMS. These requirements are aimed at making sure that data is not shared when it should not be and that a record of shared data is available to Data Protection Officers, Caldicott Guardians and IG leads if it is required.
+
+## Data Use
+
+Subscriptions SHALL only be create in order to receive data for the purpose of direct care.
+
+
+## Legitimate Relationship
+
+The organisation creating a subscription MUST ensure that a legitimate care relationship exists with the patient which is the focus of the subscription and be able to prove the existence of a legitimate relationship on enquiry.
+
+The organisation MUST also have processes in place for managing legitimate relationships which have expired or changed.
+
+
+## Lawful Basis
+
+Subscriptions MUST only be created where the subscribing organisation has a lawful basis for use of the data they will receive.
+
+
+## Audit
+
+Providers using the subscription API MUST audit all interactions with the API, including `Create`, `Read` and `Delete`.
+
+The audit data MUST include:
+
+- who or what triggered the subscription create, read or delete
+- the date and time when the subscription was created / read / deleted
+- details about the subscription such as the event type, the start and end dates for the subscriptions if included and the NHS Number the subscription was for
Original file line number	Diff line number	Diff line change
Expand Up		@@ -22,5 +22,5 @@ For subscribers to detect and handle out-of-order messages the NEMS has included

		## Which Method To Use

		Individual event type support for out-of-order message handling and which method is the most appropriate to detect an out-of-order message will be set at a national level, as part of the formal event definition. Additional information on which elements to populate for message sequencing can be seen on the [Generic Requirements](explore_genreic_event_requirements.html) page, within the resource population guidance section for the `MessageHeader` resource.
		Individual event type support for out-of-order message handling and which method is the most appropriate to detect an out-of-order message will be set at a national level as part of the formal event definition and included within the requirements for each event message type. Additional information on which elements to populate for message sequencing can be seen on the [Generic Requirements](explore_genreic_event_requirements.html) page, within the resource population guidance section for the `MessageHeader` resource.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -13,6 +13,7 @@ Any NHS Numbers included in an event message sent to the NEMS Publication API, M

		Information on how to verify an NHS Number against the Spine PDS is available on the [Spine Core specification](https://developer.nhs.uk/apis/spine-core/pds_overview.html).

		Note: The Demographics Batch Service (DBS) should not be used as it will not meet the requirement above.

		## Endpoint Registration

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -11,6 +11,7 @@ summary: ""

		In addition to the guidance on this page the guidance and requirement on the [Generic Subscription API Requirements](subscription_general_api_guidance.html) page SHALL be followed when using the NEMS subscription API.


		## Creating a Subscription ##

		To create a subscription, a client MUST:
Expand Down