SCAL user guide

All third-party developers and supplier organisations of products and systems that connect with NHS APIs and services must be assured by us.

If the service you are connecting to is not covered by our digital assurance process, you will need to complete the SCAL.

You can download an example SCAL assessment Excel document, but you will need to complete one that is tailored to the digital service you require.

The precise onboarding process can vary but the following steps outline the typical process:

1. Confirm your use case
   Review the API documentation to determine if your product requires a use case declaration.

2. Request the SCAL template
   Contact NHS England using our supplier enquiry form, giving:

   • your organisation name

   • your product name

   • the APIs or services you wish to onboard

   • any API-specific details from the specifications

3. Get or confirm your ODS code
   This unique identifier is required throughout the onboarding process. You can search for an existing code using the ODS data search and export service.

4. Check for HSCN requirements
   Most APIs are available on the internet. Some APIs require access via the Health and Social Care Network.

5. Complete the Data Security and Protection Toolkit (DSPT)
   This is mandatory for all products accessing NHS patient data.

6. Manage clinical risk
   Ensure your product complies with the relevant standards (this can be DCB0129 or DCB0160).

7. Check medical device status
   If your product qualifies as a medical device, ensure legal compliance.

8. Pass technical and security tests
   Includes solution assurance and penetration testing.

9. Register for support
   Sign up with the NHS Service Desk and join the Developer Community.

10. Submit the SCAL and sign the connection agreement
    Once reviewed and accepted, your product can go live.

The first time you complete a SCAL, you must provide the following in the 'supplier and product information' sheet:

• Information about your organisation and product
• Declarations of compliance

Each time you need to onboard the same product with another NHS service, we will return your SCAL. You must review and update the 'supplier and product information' sheet.

The SCAL includes a separate sheet for each service your product interfaces with. Each sheet contains declarations about compliance and risk management, including the specific technical conformance requirements for the NHS service. You must update these sheets if there are any significant changes to the product, or when we notify you of new or changed requirements for a service that you previously implemented.

You usually complete a SCAL document during product development, then submit it to start technical conformance. Note that submission may differ depending on the service, and we will provide guidance on the exact process.

We review your responses to the SCAL questions iteratively and raise any questions with you. 

Once we have confirmed that your SCAL document is complete and accepted, you will retain the final version. You should provide it to all end-user organisations (EUOs) that implement your product.

To complete your onboarding using the SCAL process, you must meet the following key requirements for clinical safety and information governance and security.

Clinical safety

You must comply with the DCB0129 Clinical Risk Management standard, which ensures safe development and maintenance of health IT systems. This is a legal requirement under the Health and Social Care Act 2012.

Note: Compliance must come from your organisation – it cannot be delegated to an end user organisation.

If you are operating as an end user organisation, you must have a clinical risk management process that conforms to the DCB0160 standard. 

Information governance and security

If you access NHS patient data and systems, you must use the Data Security and Protection Toolkit (DSPT) to assure end-user organisations that you follow good data security practices and handle personal information correctly.

The DSPT is an online self-assessment that helps you check how well you meet the National Data Guardian’s data security standards. You must complete the DSPT for the current reporting year by the deadline and meet the required NHS England standards for all your products that connect to NHS England services.

If you cannot meet a requirement

If any part of the SCAL turns red when completed, you’ll need to explain why and provide mitigation details.

Let us know immediately so we can review and agree next steps before you continue onboarding.

You need to understand the following roles and responsibilities to meet the obligations and conformance criteria of the assurance process.

Supplier (developer)

The organisation that is responsible for:

• developing the product that interfaces with an NHS England Spine Service or API, used by healthcare professionals or end-user organisations (this can include an EUO developing a product in-house)

• completing the SCAL

• accepting a legally binding Connection Agreement

End user organisation (EUO)

The organisation that is:

• using the supplier’s product in direct patient care

• responsible for undertaking local assurance, risk management and acceptance of the product

• responsible for complying with an acceptable use policy provided by the developer

NHS England

The organisation that is responsible for:

• reviewing the relevant sections of the SCAL for completion and progressing exceptions

• guiding the supplier on how to complete the SCAL

• providing a certificate or statement of technical conformance following successful completion of the defined testing process

• issuing the legal agreements

• approving developer onboarding to the live service