NHS England Digital Standards
NHS England Digital Standards
The UK GDPR layer tells you what the law requires. NHS England’s digital standards layer tells you what NHS infrastructure requires. These are separate but interrelated: DSPT compliance demonstrates the security posture required for NHS contracts; NHS number usage is both a technical interoperability requirement and a data quality obligation; clinical safety standards are contractual requirements that carry legal weight.
A vendor building for the NHS faces obligations from both layers simultaneously. This page covers the NHS-specific technical obligations. For the overarching legal framework, see UK GDPR and Health Data. For the FHIR profile layer, see UK Core FHIR Profiles.
Data Security and Protection Toolkit (DSPT)
The DSPT is the NHS’s annual self-assessment framework for data security and protection. If your system accesses NHS patient data or connects to NHS infrastructure, you are almost certainly required to complete it.
Who must complete it
Any organisation that has access to NHS patient data or systems — including GP practices, NHS Trusts, independent providers, and third-party suppliers — must complete the DSPT annually. NHS contracts now routinely require DSPT compliance as a contractual condition; failure to achieve a passing standard can result in contract termination.
The 10 data security standards
The DSPT maps to the National Data Guardian’s 10 data security standards:
- People — staff are aware of and understand their data security obligations
- People — staff can identify threats and respond to them
- People — personal data is accessible only to those who need it
- Process — NHS IT systems are only accessible by authorised staff
- Process — data is securely transferred
- Process — continuity planning includes data security
- Technology — vulnerabilities are managed
- Technology — IT systems are protected from cyber attack
- Technology — systems are kept up to date
- Technology — problems are detected and resolved quickly
Standards 7–10 essentially map to Cyber Essentials Plus requirements. NHS England strongly recommends achieving Cyber Essentials Plus certification as part of DSPT evidence.
Assessment levels
- Standards Exceeded: highest level; recommended for large suppliers
- Standards Met: required minimum for NHS contracts involving patient data
- Approaching Standards: not sufficient for NHS contract award; improvement plan required
- Entry Level: organisations new to the toolkit; not sufficient for patient data access
Submission is annual; the toolkit opens each April and closes in June. Missing the deadline without an extension triggers escalation to commissioning bodies.
Clinical safety: DCB0129 and DCB0160
Separate from the DSPT but equally contractual: clinical safety standards DCB0129 (for health IT manufacturers) and DCB0160 (for health IT deploying organisations) require formal clinical risk management processes. Any health IT system that could affect clinical decision-making must have a Clinical Safety Officer (CSO), a Clinical Risk Management File, and a Hazard Log. This is a hard requirement for systems deployed into NHS clinical pathways — it is not optional and cannot be delegated.
NHS number
The NHS number is the de facto national patient identifier for England, Wales, and the Isle of Man (Scotland uses CHI number; Northern Ireland uses H&C number). It is a 10-digit number with a check digit (Luhn variant).
When you are required to use it
All health and social care providers in England have a legal duty under the Health and Social Care (Safety and Quality) Act 2015 to use the NHS number as the primary identifier when sharing patient information. Systems that share patient data with other NHS organisations must use and propagate the NHS number. Systems that do not share externally have more flexibility, but best practice is to trace and store it.
Personal Demographics Service (PDS)
PDS is the national register of NHS patients — demographics (name, date of birth, address, gender) and NHS number. Any verified NHS number lookup goes through PDS.
PDS FHIR API: NHS England has published a PDS FHIR R4 API. It supports patient search by demographic parameters (surname, date of birth, gender, postcode) and lookup by NHS number. The API uses NHS login or CIS2 authentication depending on the use case.
The critical distinction is traced vs verified:
- Traced: the NHS number has been matched to a patient record by demographic search — confidence level depends on the number of demographic attributes matched
- Verified: the NHS number has been confirmed by the patient’s GP or a spine transaction — highest confidence
For clinical systems sharing data to other NHS organisations, a traced NHS number is the minimum expectation. For high-stakes sharing (e.g., emergency access, medication dispensing), a verified NHS number is expected.
NHS number in FHIR
In UK Core FHIR resources, the NHS number appears as an identifier slice with system https://fhir.nhs.uk/Id/nhs-number. The extension:nhsNumberVerificationStatus extension on the identifier slice records whether the number is traced, verified, or unverified. Omitting this extension is a common validation failure.
Care Identity Service (CIS2) — workforce identity
CIS2 is NHS England’s identity platform for the healthcare workforce. It replaced the legacy Spine Security Broker (SSB) and smartcard infrastructure with an OAuth2/OIDC-compatible platform.
Workforce users authenticate with their NHS smartcard or a linked mobile credential. The CIS2 token carries role-based access information (RBAC) — the job role, activity codes, and organisation codes that determine what systems and data the user is authorised to access.
For system-to-system integrations where no human user is involved, Backend Services authentication (equivalent to SMART Backend Services) is used instead — a client credentials grant with signed JWTs.
Integration pattern: Systems connecting to NHS England FHIR APIs must implement CIS2 authentication for user-facing access and NHS England’s Backend Services JWT pattern for automated pipelines. The exact authentication mechanism required varies by API — check the specific API’s access model in the NHS England developer documentation.
NHS login — patient-facing identity
NHS login is the patient-facing identity and authentication service for NHS digital services, including the NHS App. It implements OpenID Connect over OAuth2.
Verification levels
NHS login uses three verification levels:
| Level | What it means | Typical use |
|---|---|---|
| P0 | Email verified only | Low-sensitivity services |
| P5 | Photo ID checked against a database (not in-person) | Standard health app access |
| P9 | Photo ID verified in-person or via GP linkage | Access to GP record, prescription ordering |
Most health apps requiring access to NHS clinical data require P5 minimum; access to the full GP record requires P9. Building for P9 requires patients to have linked their NHS login to their GP record — the linkage process is driven via the NHS App.
When to use NHS login vs your own identity
If your app accesses NHS-held patient data (via NHS England FHIR APIs, GP Connect, etc.), you are expected to use NHS login as the patient identity provider. NHS England APIs for patient-facing access are scoped to NHS login tokens. Building your own patient identity system for NHS data access is not a supported pattern.
NHS England FHIR APIs
NHS England has published a growing catalogue of FHIR R4 APIs on their developer portal. Key APIs relevant to most integrations:
Personal Demographics Service (PDS) FHIR API
Patient demographics and NHS number lookup and verification. The starting point for most patient identity workflows.
Electronic Prescription Service (EPS) FHIR APIs
Prescribing and dispensing workflow. Covers prescription creation (Prescribing API), nomination management, and dispensing claim submission. Uses UK Core medication profiles with dm+d codes.
GP Connect
A suite of APIs for accessing GP patient records from other care settings:
- GP Connect Access Record (HTML) — structured HTML view of GP record
- GP Connect Access Record (Structured) — FHIR R4 structured data (medications, allergies, immunisations, consultations)
- GP Connect Appointments — cross-organisational appointment management
- GP Connect Send Document — structured document delivery to GP systems
GP Connect requires NHS England assurance and a clinical safety case before go-live. It is not open for unrestricted API registration.
National Record Locator (NRLF)
A pointer index — stores references to patient documents and structured records held across organisations, enabling cross-organisational retrieval. Uses DocumentReference resources.
Summary Care Record (SCR) API
Medication, allergies, and adverse reactions from the national Summary Care Record — a minimal shared record for emergency and urgent care use.
Access model summary
| API | Patient access | Workforce access | System access |
|---|---|---|---|
| PDS | NHS login | CIS2 | Backend Services JWT |
| EPS | NHS login | CIS2 | Backend Services JWT |
| GP Connect | NHS login | CIS2 | Backend Services JWT |
| NRLF | — | CIS2 | Backend Services JWT |
Onboarding as an NHS supplier
Connecting to NHS England APIs is not self-service. The process:
- Register on the NHS developer portal and complete the API onboarding form
- Integration environment testing — NHS England provides sandbox and integration environments; thorough testing is expected before production access is granted
- Clinical safety assessment — DCB0129 evidence (Clinical Risk Management File, Hazard Log) may be required depending on the API
- DSPT compliance — Standards Met level required; evidence must be current
- IG (Information Governance) review — the NHS organisation you are partnering with must complete a Data Sharing Agreement or DPIA with you named as the processor
- Production onboarding — NHS England reviews technical and IG evidence before granting production credentials
The timeline for NHS API onboarding is routinely underestimated. Allow 3–6 months for a new API integration that requires full clinical safety and IG review. APIs with lighter onboarding (like PDS search) can be faster.
Devolved nations
NHS England’s standards apply to England. Devolved health systems have their own infrastructure:
| Nation | Health authority | Key differences |
|---|---|---|
| Scotland | NHS Scotland / NHSScotland Digital | Uses CHI number (Community Health Index) instead of NHS number; different EPR landscape (EMIS/Vision less dominant) |
| Wales | NHS Wales / DHCW | NHS number is used; DHCW runs the national architecture; Welsh language requirements apply |
| Northern Ireland | Health and Social Care NI | Uses H&C number; different governance structure; HSCNI infrastructure separate from NHS England |
Systems deployed across UK nations must handle multiple identifier systems and cannot assume NHS number is universal.
See also
- UK GDPR and Health Data — legal framework for UK health data processing
- UK Core FHIR Profiles — FHIR profile conformance for NHS APIs
- FHIR SMART on FHIR — OAuth2/OIDC mechanics underlying CIS2 and NHS login