To ensure that the purchasing of Information Technology (I.T.) equipment within NHS Fife:
· is consistent with Audit Scotland’s report on ‘Equipped to Care’ March 2001;
· is consistent with NHS Fife eHealth policies and strategies;
· is consistent with NHS IS Information Policy;
· is consistent with any relevant Health Department Letter (HDL) or Chief Executive Letter (CEL);
· assists management in controlling eHealth expenditure;
· assists in the control of the I.T. inventory.
NHS Fife sites or in NHS Fife employees’ own homes when equipment is located within people’s own home.
Staff who procure any I.T. hardware, software or services will:
· establish the need to purchase the equipment item, by initiating a needs assessment and exploring current equipment inventories;
· examine the risks associated with purchase i.e. data protection, cost implication of licenses;
· consider value for money;
· identify maintenance requirements;
· identify training issues and communicate the issues raised with their Line Manager;
· consult with eHealth Infrastructure Department before ordering;
· obtain sign off/approval from eHealth Infrastructure Department before purchase;
3.2 Budget Holder
The budget holder will:
· ensure all relevant documentation is complete and give authority to proceed with the purchase after liaison with and the approval of the eHealth Department;
· complete the appropriate form, either the Equipment Request Form (5.2) or Endowment Request Form (5.3), complying with NHS Fife Financial Operating Procedures, Section 11(a) – Tendering, Contracting & Purchasing;
· ensure all relevant documentation is completed and forwarded to the department’s budget holder;
· forward the Computer System Request (CSR01) form and Equipment Request Form (ERF) to the eHealth Infrastructure Department for approval;
3.3 The eHealth Administration Team
The eHealth Administration Team will:
· ensure that adequate information has been provided to allow the procurement of equipment;
· order equipment from the vendor;
· accept delivery of the equipment into their store;
· inform eHealth Infrastructure Department of delivery;
· store the equipment until it is required for installation by the eHealth Infrastructure Department;
3.4 eHealth Infrastructure Department
The eHealth Infrastructure Department will ensure that the procurement of all I.T. equipment will:
· require the eHealth Business Manager to approve or reject submitted Computer System Request (CSR01) forms;
· be dealt with according to the eHealth Change Management Policy of the eHealth Infrastructure Department;
· be configured for use by an appropriately trained member of NHS Fife staff or other trained partner agency staff;
· be used only in the appropriate environment for the designed use;
· be commissioned and maintained in a safe and reliable way, and in good condition;
· be replaced in compliance with statutory requirements, other guidelines, maintainability, and changes in practice or advances in technology;
· be decommissioned and disposed of in accordance with the Condemnation of I.T. Hardware Procedure;
· be checked against delivery receipt and asset tagged;
· forward the approved CSR01 form and the ERF to the Finance department for authorisation.
3.5 Corporate Services Department (Freedom of Information Contact)
Any requests for information under the Freedom of Information Act will be dealt with under the NHS Fife FOI Statement and Review Procedure FOI - 1.
The Management, Retention, Storage and Destruction of all Business and Administrative Records Policy (GP/R4) includes minimum retention periods for all categories of recorded information.
Health Records Retention and Destruction Policy (GP/R8) covers health records.
4 OPERATIONAL SYSTEM
4.1 General Procurement Principles
The following general principles will be applied in all I.T. purchasing:
· the Financial Operating Procedures which govern the procurement of all goods and services within NHS Fife;
· all purchases will be suitable for the purpose for which they are acquired;
· all purchases will be of an acceptable quality;
· purchasing will be sufficiently flexible to allow rapid response to operational requirements and to enable the organisation to take advantage of business opportunities arising from new I.T. products or services;
· all purchases will have technical approval from the Head of eHealth (or delegated authority) and financial authority approval from the budget holder to whom costs will be charged;
· all products or services purchased will be on the approved products list unless specific permission is given to purchase non-approved products.
· All solutions purchased will comply with the eHealth Security Policy.
4.2 Procedure for Purchasing I.T. Equipment on the Standard List
The eHealth Infrastructure Department will maintain a list of standard hardware and software products including PCs, printers and mobile devices. All products on the standard list will have technical approval as defined in this policy.
All I.T. Equipment will be delivered to the eHealth Infrastructure Department via the Area Distribution Centre and not directly to the user. The reasons for this are:
· The eHealth Infrastructure Department will check the correct goods have been delivered;
· Where appropriate, the goods can be checked, if necessary tested and set-up. This may involve several steps. Typical activities include:
Ø Setting up standard software;
Ø Installing the required software application;
Ø Creating a network address;
Ø Adding virus protection;
Ø Adding security features (software or hardware);
Ø Asset tagging.
In some cases it may be necessary for items to be delivered direct to site, particularly if bulky or heavy. In this case the requester will inform the eHealth Infrastructure Department of all items delivered directly to site so that they can be set up and recorded in the I.T. inventory system.
Software licences must be checked for quantity, any corporate discounts confirmed and any necessary registration or site licence agreement compliance procedures carried out.
4.3 Procedure for Purchasing Non-standard Equipment Software and Services
If the purchase required is part of a capital development project an eHealth Programme Lead will be assigned to manage those aspects of the project. All I.T. costs, including the cost of additional eHealth staffing if required, will be charged to the capital development project. The project sponsor will assign a named user contact.
A Request For Change (RFC) must be submitted to Change Management. The case should state:
· What is required;
· Why it is needed, i.e. what business need will be met;
· When it will be needed, and the implications of missing target dates;
· Estimated costs and budgetary limits;
· Name and designation of budget holder who will authorise expenditure.
The initial RFC will be assessed. If the request is straightforward, it will be passed to an eHealth Support Engineer (eHSE) for technical approval and to provide a detailed quote. All other requests will be referred to the Change Advisory Board (CAB) for technical approval. At this stage a more detailed business case may be requested. For example if:
· It is expensive;
· It has technical implications for other parts of the system;
· It has wider organisational implications;
· Special implementation is required;
· It is likely to generate additional support requirements.
· It has Information Governance implications.
All solutions purchased will comply with the Board’s eHealth Security Policy.
Appeals against this process can be made to the NHS Fife eHealth Board.
4.4 Special Controls for Procurement of Computer Systems
4.4.1 All Database/Systems
Before a system or database project goes into the detailed planning and implementation stages, the following details need to be set out in a Project Brief and considered by the NHS Fife eHealth Programme Team. The following details will be required:
Before project start:
Ø proposed System Manager;
Ø proposed location of the system – standalone or on a network;
Ø scale/scope/purpose and usage expected of the database/system;
Ø assessment of potential Network traffic impacts (Number of users and frequency of access);
Ø proposed eHealth Lead.
Before go live:
Ø pilot/run tests to check impact on other network users;
Ø agree support and system management and security arrangements;
Ø agreement of protocols for taking the system out of use if the network proves unable to support the system;
Ø a System Security Policy and Secure Operating Procedure will be developed and agreed;
Ø an Operational Support Guide (OSG) document will be developed and agreed. This is considered a “living” document and is expected to change and be developed over the life of the system. However, all OSG documents will be expected to contain a basic level of detail prior to the system go-live.
Access Databases Issues:
Ø NHS Fife does not support the creation of additional Access databases, or the further development of existing ones, in its environment;
Ø Access databases are essentially “desktop” databases and do not perform well over networks;
Ø if hosted on networks, they need to be specially configured and even then can clog the system/bandwidth;
Ø this very often leads to major performance problems for all users of the network (email, internet access, H and S Drives) including those users not using the database;
Ø other organisations hosting services for our staff will not install Access Databases (with several users) on their networks for this reason;
4.5 I.T. Equipment purchased outwith the Procurement Policy
Failure to follow this policy and procedure when purchasing I.T. equipment or software may lead to said purchase not being authorised for use by NHS Fife and therefore may be a waste of public money and resources. This may occur if it is incompatible with the infrastructure or it is at variance with the standards currently allowed and agreed. Even if the purchase is eventually agreed for installation it may not be given a high priority as the eHealth Infrastructure Department will already have priorities set for known purchases which will take precedence.
4.5.2 Potential Breaches
These steps should be followed on discovery of a potential breach of the policy i.e. nothing has yet been purchased but someone has tried to purchase I.T. hardware or software:
· The discoverer should inform the eHealth Service Desk of the potential breach;
· This should then be assigned to the Delivery Team;
· Delivery Team will follow up with the person attempting to make the purchase and ensure they understand and use the correct procedure;
· If the correct procedure is followed from this point then no further action need be taken.
4.5.3 Actual Breaches
The following steps should be followed on discovery of an actual breach of the policy i.e. I.T. hardware or software has actually been purchased without the policy being followed:
· The discoverer should inform the eHealth Service Desk of the actual breach;
· This should then be assigned to the Delivery Team;
· An NHS Fife Incident/Near Miss Reporting form shall be completed;
· Delivery Team will follow up with the person who has made the purchase to ascertain the facts;
· This will then be reported to the Head of eHealth who will follow this up with the Director of the department in question with a request for action to be taken to ensure it does not happen again;
· The Head of eHealth may also inform Counter Fraud Services depending on the seriousness and value of the purchase to ensure there has been no fraudulent activity. (Refer to Financial Operating Procedures). The Director of Finance would be informed of any such breach;
· If the policy is breached repeatedly by the same Directorate then the Director of Finance will be informed and will take this up with the Chief Executive.
Managers or staff who fail to comply with the guidance detailed in these Standards could be subject, following full investigation, to disciplinary action up to and including dismissal. If through their actions or omissions managers or staff are found to be in contravention of either these Standards or their legal responsibilities, NHS Fife reserves the right to take legal action, if necessary. Where staff suspect, or are aware of non-compliance with these Standards, they should report any such instances to their line manager, their local Human Resources contact point or the Director of Finance or Assistant Director of Finance (Management Accounting).
5 RISK MANAGEMENT
NHS Fife Staff shall respect the confidentiality and privacy of individuals whose records they access; observe any restrictions that apply to sensitive data; and abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.
The unauthorised disclosure of NHS Fife Data in any medium, except as required by an employee’s job responsibilities, is expressly forbidden, as is the access or use of any NHS Fife Data for one’s own personal gain or profit, or to satisfy one’s personal curiosity or that of others.
It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.
6 RELATED DOCUMENTS
Equipment Request Form
Endowment Request Form
Equipped to Care - Good Practice Guide to Managing Equipment in NHS (www.audit-scotland.gov.uk/publications)
NHS Fife I.T. Security Policy
GP/I6 eHealth Change Management Policy
All supplementary NHS Fife Information Security Policies
NHS Fife FOI Statement and Review Procedure FOI - 1
The Management, Retention, Storage and Destruction of all Business and Administrative Records Policy - GP/R4
Health Records Retention and Destruction Policy - GP/R8
Auditor General’s ‘Equipped To Care – Managing Medical Equipment in the NHS in Scotland’ 2001;
MDA’s ‘Equipped To Care – The Safe use of Medical Devices in the 21st Century’ 2000;
Capital Equipment and Works Programme (procedure for the identification of annual capital equipment and works programme) – General Policy Manual, policy no. C5, NHS Fife.
The NHS Fife Standing Financial Instructions. Section F11 – ‘Tendering, Contracting & Purchasing’.
Equipment Inventory Policy – General Policy Manual, policy no. E14.3, NHS Fife
Computer Misuse Act (1990)
Data Protection Act (1998)
Human Rights Act (1998)
Freedom of Information (Scotland) Act (2002)
NHSS Information Security Policy Framework July 2015
- Computer System Request Form - CSR01
- Endowment Request Form
- Equipment Procurement Flow Chart
- Equipment Request Form - ERF
- GP/I4 - ehealth Procurement Policy - EQIA