

Request and Assessment of Smartphone Apps
Version: V2
Ratified by: Technology Programme Group
Date ratified: 14/04/2022
Job Title of author: Assistant Director IT
Reviewed by Committee or Expert Group: Technology Programme Group
Related procedural documents:
IGPOL53 Information Security Policy
ITPOL05 IT Software Management Policy
Review date: 14/04/2025

It is the responsibility of users to ensure that they are using the most up-to-date document template, i.e. the one obtained via the intranet.

In developing/reviewing these guidelines Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet
Version   Date            Author                         Status             Comment
V1        June 2018       Head of Technology and Data    Ratified by FRC
V2        February 2022   Assistant Director IT          Approved by TPG


1. Guidance Overview
The Technology Team support the use of safe apps where this supports the work of our services. The Technology Team will maintain a central store of approved apps, which will be deployed to Provide smartphones or made available for users to download. Access to other app stores such as Apple App Store, Google Play and Windows Store is prohibited and may be blocked.
All applications must be assessed before being made available. This will involve an initial check by the Service Desk and, if all criteria are met, submission to the Digital Technology Group for a decision on adoption. A Data Protection Impact Assessment (DPIA) must have been approved by the IG Team.
Note: An app being approved does not mean it will be fully supported and as such support arrangements should always be considered prior to starting to use a new app.
2. Assessment Criteria
Apps will be assessed on the following criteria:
• Terms of use and licensing of the app
Service Desk to check that the licence agreement allows commercial use.
• Size of the app
Service Desk to establish the size of the app; storage space is limited, so larger apps may require additional consideration.
• Purpose
The requestor should advise why the app is required. Is there a benefit for Provide services? Apps must be for work purposes.
• Security
How safe is the app? Does it need to encrypt data? What does it need access to? All apps must meet Provide’s IG requirements. Some apps may require access to other data such as contacts and photos; this should be noted and only approved if necessary for the purpose of the app.
• Data consumption
How much data will the app consume? This may not always be known but should be investigated. Apps that consume large amounts of data may be rejected.
• Cost
Is there one and if so, where is the budget for this? This must be established before the adoption of the app is considered.
• Ease of distribution
Apps need to be made available through the Provide App store. This will usually require .apk files to be available. Exceptions can be made to this for small projects where specific users can be identified in advance.
• Similar Apps
Apps should only be approved where there is not an available app for the requested purpose or this app is to replace the currently available one.
• Clinical Safety
Where the app is giving clinical advice or processing clinical information, clinical safety must be assured.
3. Process for Requesting and Approving Apps
The user requests the app through the self-service portal. They will need to answer:
• Name of the app
• Where the app is available from
• Why the app is required
• What information will be recorded in the app
• What the cost of the app is
The requesting service will need to supply a completed Data Privacy Impact Assessment (DPIA) if the app will be used to store or process sensitive information, patient/service user data or information about Provide Group staff. If there is any doubt as to whether this applies, stage 1 of the DPIA should be completed to determine this and supplied with the request.
The Service Desk will check that all items above have been supplied by the requestor. If they have not, the call will be closed and the requestor advised to raise a new request once all details are available. If all details have been supplied, the process continues to step 3.
The Service Desk will check the following details and record these in the Service Desk request:
• Responses given by the requestor.
• If the licence agreement allows commercial use and use for the requested purpose.
• Typical size of the app.
• That, if patient and sensitive data will be recorded, this is encrypted to appropriate standards and is stored in line with our requirements.
• Estimate of the amount of data the app may consume.
• Can the app be easily distributed or made available?
• If there are similar apps available.
• That there is a clear benefit. Where the app is for an individual or limited group of staff, or the requirement is not fully understood, the requirement will be checked with the requestor’s line manager.
If the application licensing agreement prohibits commercial use, the request will automatically be rejected.
The Service Desk will assess the supplied and collected details against the criteria for new apps and will either:
• Record the rejection reason in the Service Desk request and close the request
• Recommend the app for consideration by the Technology Programme Group (TPG) and refer the call to the Technology Team representative for this group.

A Technology Team representative (usually the Service Desk Manager) for the TPG will present the case to the TPG, which will make a decision. If there are queries regarding the purpose of the application, the requestor will be asked to be present at TPG.
If the members of the TPG require guidance on clinical safety and accuracy of guidance given by the app, the Clinical Expert Group (CEG) will be asked to review the app from a clinical safety perspective. The CEG may choose to invite the requestor and/or TPG representative to support their decision-making.
The Technology Team representative for the TPG will update the Service Desk request with the outcome from the TPG and CEG where appropriate. This will be either:
• Rejected – Rejection reason will be recorded in the Service Desk request and request closed.
• Recommend the app for Implementation – The request will be assigned to Infrastructure.
The Technology Team will add the app to the app store or distribute to all devices if appropriate.
Once added and tested, the request will be re-assigned to the Service Desk who will inform the requestor and arrange for the addition to be communicated to all staff.