AIS Protocol

Protocol

Scans, identity

1. The data of each and every scan of medicine packages by any end user must be passed to the NMVO without any modification.
2. Each and every scan must contain the data of the end user involved. Pseudonyms other than provided by NMVO or IDs and records that do not contain the end user data are not sufficient.

Certificates

3. Each end user shall have its own certificate implemented beteen the NMVS and the end user. The end user may assign this to a Service Provider This must be implemented in such a manner, that the NMVO can make sure at all times, without the intervention of a service provider or other third parties (a) which end user is the sender of each data package is and (b) the response from the NMVS is sent to the right end user. It is not sufficient for NMVO to be reliant on schedules or other types of input from service providers or other third parties for matching pseudonyms or other codes with actual end users and their locations.
(For those Service Providers that work via a single or a limited amount of certificates with so-called subusers, an improvement plan shall be put in place in order to reach the standard set outin the first sentence of this clause, taking into account efforts required to reach this objective.)

Software development

4. NMVO manages the development and maintenance of the NMVS software.
5. NMVO will share any development and maintenance issues with the Service Providers if deemed relevant to the Service Provider.
6. NMVO will share and provide for any data, procedures, test environments that are necessary for the Service Providers to implement necessary changes.
7. In case a change is urgent, NMVO shall notify the Service Providers of this and the Service Providers shall work with NMVO on swift adapatation of software and systems.

Interface versions

8. From time to time, new versions of interfaces are created to further safeguard and develop the proper functioning of the NMVS. Service Providers are required to implement these new versions within the timeframe set by NMVO. In most cases this timeframe will be sufficient for Service Providers to make the necessary changes. In case a timely implementation is not feasible, NMVO shall, to a certain extent, NMVO shall give the option to work with a previous version of the interface, while a new version is live. However, implementation of new versions may require urgency. In that case NMVO shall notify the Service Providers of this and the Service Providers shall work with NMVO on swift adapatation to the new versions.
9. In regular intervals, NMVO shall organise (online, hybrid or live) meetings with the Service Providers in order to exchanges information on the development of the software, new versions, performance, issues and so on.

Quality assurance

10. The NMVS, being critical for medicine safety and the entire pharmateucial trade column, is required to maintain the highest quality standards. Service Providers shall be expected to meet these requirements as far as relevant to their connection with the NMVS and within the boundaries of reasonability and proportionalism.
11. On a regular basis, NMVO conducts quality assurance procedures as regards software and systems of the Service Providers relevant for the NMVS including but not limited to base line tests. Co-operation of the Software Providers is essential for proper execution of the quality assurance procedures.
12. In case points of improvement are found, NMVO consults with the Service Provider in order to create, in good faith, an improvement plan. Failing agreement on an improvement plan, NMVO is authorized to issue instructions in order to reach a situation compliant with applicable regulations, agreements and this protocol.
13. Service Providers will be required to co-operate with quality assurance procedures.
14. Confidential information exchanged in the framework of quality assurance activities shall be treated as such by NMVO and not be shared with third parties, except if required by virtue of law.

Proper functioning of the NMVS, software performance

15. It is NMVO’s legal obligation to maintain proper functioning of the NMVS in line with regulations.
16. The end users, being the Service Providers’ customers, are obliged to work with the NMVS in accordance with regulations.
17. NMVO is committed to maintain the NMVS in such a way that end users can connect with the NMVS and that the can do so using Service Providers.
18. NMVO procures to keep the connection of the NMVS to any connecting parties safe and to provide for data protection and protection of commercially sensitive information, all in accordance with the law. The same is required of any party connected to the NMVS, including the end users and the Service Providers.
19. NMVO maintains the system in such a way, that all data which the end users are obliged to exchange with the NMVS can actually be transferred to the NMVS in a manner in accordance with legislation.
20. NMVO maintains the system in such a way that the performance is in line with the regulations in terms of response times, uptime and so on.
21. Service Providers shall perform testing activities in a dedicated testing environment only.

Legal & Compliance

22. The Service Provider needs to make sure it is aware of all obligations of its customers (as far as these are end users) under the relevant legislation and agreements in place between such customer and NMVO. The Service Provider is to take these obligations into account when performing under its assignment from the customer.
23. Service Provider is regarded as the end user’s proxy for dealing with the NMVS in according with relevant legislation. Under circumstances, this could mean that any non-compliance of the Service Provider with legislation, this protocol, other agreements or instructions, best practices and orders provided by authorities, is aldso deemed to be a non-compliance by the end user.
24. At any time, NMVO is authorized to consult with the end user directly on its performance regarding the NMVS, whether the end user is connected to the NMVS via a Service Provider or not.
25. In case of a non-compliance that can be solved by the Service Provider (whether or not in commission with the end user(s) connected to the Service Provider), NMVO consults with the Service Provider in order to create, in good faith, an improvement plan. Failing agreement on an improvement plan, NMVO is authorized to issue instructions in order to reach a situation compliant with applicable regulations and agreements.
26. It is acknowledged that the national authority (Inspectie Gezondheidszorg en Jeugd) has the authorities provided by law. Excercising these autohorities may impact the relationship between NMVO and the Servide Provider and the way the NMVS is configured and managed. At all times, instructions by the national authority shall prevail over this protocol.
27. Although this protocol takes into account all applicable regulations, a conflict may arise between this protocol and regulations. At all times, the regulations shall prevail.

Suspension, escalation, time out

28. NMVO can immediately suspend the connection of the NMVS with the Service Provider in case of acute jeopardy to the NMVS, the security of the connection, the security of personal or company data or other acute situations.
29. In case of a non-acute adverse situation that hinders or jeopardizes the good operation of the NMVS or any non-compliance with regulations, agreements or this protocol, NMVO will use a so-called escalation procedure ensuring remedy of the adverse situation or the non-compliance. The escalation procedure must be used diligently and proportionally.
30. Failing the remedy of an acute situation, a non-acute adverse situation and/or a non-compliance with regulations, agreements or this protocol, NMVO may interrupt the connection of the NMVS with the Service Provider (“time-out”) until sufficient remedy is in place. This may also lead to a report of non-compliance to the national authority.