Local organisations will need to undertake a risk assessment to identify systems which need to conform to the NHS Number Information Standards. It is expected that not all systems within an organisation will need to conform.

This assessment will need to consider the following criteria for any system that holds service user demographics:

• Does the system act as a master index to flow service user identifiable data and NHS Numbers to other systems?
• Does the system need to transfer information between organisations?
• Will the NHS Number ever be required to be stored against service user identifiable data in the system (e.g. for audit purposes)?

If the answer to any of the above questions is yes, then it is an applicable system and must comply with the principles and with the standards where these have been published by ISB.

Local organisations will need to formally assess the priority in which they address changes to applicable systems, taking account of timescales, costs, and business and clinical risks. Where an organisation determines that an applicable system will not be changed, the reasons must be clearly documented and signed off within project governance as a project exception.

This section of the implementation toolkit provides tools to help organisations assess system conformance and undertake risk assessments. There is also an example of where a Trust updated an existing change control policy to cover the NHS Number Information Standards.

• Supplier Progress
• Tracking System Conformance
• Change Control