AIS Protocol
Preamble
- The Netherlands Medicines Verification System (NMVS) is part of a European system designed to help prevent medicine falsifications. Each and every medicine package must be verified via this system. This makes the NMVS and the related systems across Europe vital in the regular medicine chain, all the way from marketing to the moment medicines are provided to the patient. The operation by the NMVO of the Netherlands Medicines Verification Organisation (NMVS) must meet the highest standards and it is essential that it answers strictly to all applicable rules.
- Manufacturers, pharmacies and wholesalers (“end users”) active in the Netherlands, are obliged to connect to the NMVS.
- The basis of this obligation is the Delegated Regulation of the European Commission 2016/161 and underlying directives. According to this legislation, each pharmacy and wholesaler is obliged to scan each medicine package in order for the NMVS to check for possible medicine falsifications. NMVO has an agreement with each end user setting out additional rules regarding the NMVS and working with NMVO.
- In most cases, end users assign the technical part of these obligatory tasks to Information System Service Providers (“Service Providers”). The Service Providers take care of establishing and maintaining the connection to the NMVS and make sure that the relevant data are transferred to the NMVS in accordance with legislation.
- It is NMVO’s policy to allow Service Providers to connect to the NMVS in order for them to arrange that end users meet their obligations under the relevant legislation.
- NMVO has established this protocol in order to create a clear framework for working with Service Providers.
Protocol
Scans, identity
1. The data of each and every scan of medicine packages by any end user must be passed to the NMVO without any modification.
2. Each and every scan must contain the data of the end user involved. Pseudonyms other than provided by NMVO or IDs and records that do not contain the end user data are not sufficient.
Certificates
3. Each end user shall have its own certificate implemented beteen the NMVS and the end user. The end user may assign this to a Service Provider This must be implemented in such a manner, that the NMVO can make sure at all times, without the intervention of a service provider or other third parties (a) which end user is the sender of each data package is and (b) the response from the NMVS is sent to the right end user. It is not sufficient for NMVO to be reliant on schedules or other types of input from service providers or other third parties for matching pseudonyms or other codes with actual end users and their locations.
(For those Service Providers that work via a single or a limited amount of certificates with so-called subusers, an improvement plan shall be put in place in order to reach the standard set outin the first sentence of this clause, taking into account efforts required to reach this objective.)
Software development
4. NMVO manages the development and maintenance of the NMVS software.
5. NMVO will share any development and maintenance issues with the Service Providers if deemed relevant to the Service Provider.
6. NMVO will share and provide for any data, procedures, test environments that are necessary for the Service Providers to implement necessary changes.
7. In case a change is urgent, NMVO shall notify the Service Providers of this and the Service Providers shall work with NMVO on swift adapatation of software and systems.
Interface versions
8. From time to time, new versions of interfaces are created to further safeguard and develop the proper functioning of the NMVS. Service Providers are required to implement these new versions within the timeframe set by NMVO. In most cases this timeframe will be sufficient for Service Providers to make the necessary changes. In case a timely implementation is not feasible, NMVO shall, to a certain extent, NMVO shall give the option to work with a previous version of the interface, while a new version is live. However, implementation of new versions may require urgency. In that case NMVO shall notify the Service Providers of this and the Service Providers shall work with NMVO on swift adapatation to the new versions.
9. In regular intervals, NMVO shall organise (online, hybrid or live) meetings with the Service Providers in order to exchanges information on the development of the software, new versions, performance, issues and so on.
Quality assurance
10. The NMVS, being critical for medicine safety and the entire pharmateucial trade column, is required to maintain the highest quality standards. Service Providers shall be expected to meet these requirements as far as relevant to their connection with the NMVS and within the boundaries of reasonability and proportionalism.
11. On a regular basis, NMVO conducts quality assurance procedures as regards software and systems of the Service Providers relevant for the NMVS including but not limited to base line tests. Co-operation of the Software Providers is essential for proper execution of the quality assurance procedures.
12. In case points of improvement are found, NMVO consults with the Service Provider in order to create, in good faith, an improvement plan. Failing agreement on an improvement plan, NMVO is authorized to issue instructions in order to reach a situation compliant with applicable regulations, agreements and this protocol.
13. Service Providers will be required to co-operate with quality assurance procedures.
14. Confidential information exchanged in the framework of quality assurance activities shall be treated as such by NMVO and not be shared with third parties, except if required by virtue of law.
Proper functioning of the NMVS, software performance
15. It is NMVO’s legal obligation to maintain proper functioning of the NMVS in line with regulations.
16. The end users, being the Service Providers’ customers, are obliged to work with the NMVS in accordance with regulations.
17. NMVO is committed to maintain the NMVS in such a way that end users can connect with the NMVS and that the can do so using Service Providers.
18. NMVO procures to keep the connection of the NMVS to any connecting parties safe and to provide for data protection and protection of commercially sensitive information, all in accordance with the law. The same is required of any party connected to the NMVS, including the end users and the Service Providers.
19. NMVO maintains the system in such a way, that all data which the end users are obliged to exchange with the NMVS can actually be transferred to the NMVS in a manner in accordance with legislation.
20. NMVO maintains the system in such a way that the performance is in line with the regulations in terms of response times, uptime and so on.
21. Service Providers shall perform testing activities in a dedicated testing environment only.
Legal & Compliance
22. The Service Provider needs to make sure it is aware of all obligations of its customers (as far as these are end users) under the relevant legislation and agreements in place between such customer and NMVO. The Service Provider is to take these obligations into account when performing under its assignment from the customer.
23. Service Provider is regarded as the end user’s proxy for dealing with the NMVS in according with relevant legislation. Under circumstances, this could mean that any non-compliance of the Service Provider with legislation, this protocol, other agreements or instructions, best practices and orders provided by authorities, is aldso deemed to be a non-compliance by the end user.
24. At any time, NMVO is authorized to consult with the end user directly on its performance regarding the NMVS, whether the end user is connected to the NMVS via a Service Provider or not.
25. In case of a non-compliance that can be solved by the Service Provider (whether or not in commission with the end user(s) connected to the Service Provider), NMVO consults with the Service Provider in order to create, in good faith, an improvement plan. Failing agreement on an improvement plan, NMVO is authorized to issue instructions in order to reach a situation compliant with applicable regulations and agreements.
26. It is acknowledged that the national authority (Inspectie Gezondheidszorg en Jeugd) has the authorities provided by law. Excercising these autohorities may impact the relationship between NMVO and the Servide Provider and the way the NMVS is configured and managed. At all times, instructions by the national authority shall prevail over this protocol.
27. Although this protocol takes into account all applicable regulations, a conflict may arise between this protocol and regulations. At all times, the regulations shall prevail.
Suspension, escalation, time out
28. NMVO can immediately suspend the connection of the NMVS with the Service Provider in case of acute jeopardy to the NMVS, the security of the connection, the security of personal or company data or other acute situations.
29. In case of a non-acute adverse situation that hinders or jeopardizes the good operation of the NMVS or any non-compliance with regulations, agreements or this protocol, NMVO will use a so-called escalation procedure ensuring remedy of the adverse situation or the non-compliance. The escalation procedure must be used diligently and proportionally.
30. Failing the remedy of an acute situation, a non-acute adverse situation and/or a non-compliance with regulations, agreements or this protocol, NMVO may interrupt the connection of the NMVS with the Service Provider (“time-out”) until sufficient remedy is in place. This may also lead to a report of non-compliance to the national authority.
This protocol is adopted by the NMVO board on March 21, 2023.
This protocol may, from time to time, be adjusted according to developments in regulations, agreements, authority instructions or authority points of view, best practices and adjustment of NMVO’s policies.