Blog / Compliance... What?

Doug Kidd: February 17, 2020

As the Compliance Officer for NES Digital Service (NDS), the team creating the National Digital Platform for health and social care in Scotland, one of the first questions I was asked on joining was "what does a Compliance Officer do?"  My response was a slightly muffled "make sure the platform and the applications NDS develop meet legal requirements and NHS Scotland guidance."  A bit vague, but this was only day 2 and I hadn’t really got my head around the overall landscape.

Four months into the role and feeling more settled, I now have a framework to work from.  A framework that is being used to create our first products.  It requires the collaboration of colleagues to work successfully, has mandatory and optional items and will change over time to fill gaps, add and remove items as regulations or guidance change.  It’s also aligned to the qualities of an NDS product.  Our framework will help to protect the privacy of patient data that enters into NDS processes.

Compliance diagram

At first glance it looks relatively straightforward.  Only 19 boxes to work through and, hey presto, you’re compliant.  If only things were that easy…

However, each box comes with a different level of work and complexity that should not be underestimated.  For example:

  • Generating the ‘Information Asset Register’ (IAR) entry, under the NDS/NES Standard category above, is simple. An ‘information asset’ is a body of information that is managed as a single unit so it can be understood, shared and protected efficiently. The IAR lists all information assets, including who owns the asset, its business purpose and access restrictions.  This only requires my time, and a reviewer.
  • The System Security Policy (SSP), under NHSS/SG Guidance above, which documents the security risks, threats, design and controls for an application, takes time and involves the collaboration of NDS Engineering colleagues. Seeking NES formal review and sign off adds to the overall effort required.
  • If the software being developed is classed as a medical device, such as an app that makes an automated diagnosis based on an image taken by the app, then a whole new level of complexity is entered into involving regulators.

Some boxes hide a wider set of things to consider.

  • Equality Impact Assessment covers not just equalities but human rights, inequalities, the Fairer Scotland Assessment and the welfare and rights of children and young people.

So now when I get asked "what does a Compliance Officer do?" I can confidently state "make sure the platform and the applications NDS develop meet legal requirements and NHS Scotland guidance."  The same statement as on day 2 (!) but with a framework to back it up.


For the latest news on our work helping improve health and social care across Scotland, follow NDS on Twitter and Linkedin.


Related posts

Return to all blogs