Registration Authorities and Smartcards

Smartcard guidance

(Gateway reference number: 17790)

Smartcards are required by primary care contractors to access and use IT systems and services essential to the provision of patient care.

PCTs' processes for primary care contractors to access Smartcards need to be maintained. In some areas, failure to provide sufficient registration authority capacity is having a detrimental impact on the delivery of services, such as the Electronic Prescription Service.

Action

PCT chief executives are reminded of their trust's responsibility to ensure adequate registration authority facilities for the purpose of issuing Smartcards until the end of March 2013.

Download

Registration Authorities: Governance Arrangements for NHS Organisations (PDF 38Kb)

Access Controls - Smartcards

NHS systems and related services like Choose and Book or the Electronic Prescription Service increasingly use a common approach to protect the security and confidentiality of every patient's personal and healthcare details. NHS electronic staff records also use this common approach to protect the security and confidentiality of staff employment records. Please see the Electronic Staff Record website for further information.

That approach includes a rigorous identity check of all those who may have access to those records, and careful control of what access any individual should have. The NHS has set out the principles that will govern how patient information in particular is held in the NHS, and the way it can be shared.

These are set out in the NHS Care Record Guarantee which is reviewed by an independent body, the National Information Governance Board, at least every twelve months.

Registration Authorities

Organisations that deliver NHS care and need to access patient information within NHS systems and other national services must set up Registration Authorities to manage this process. The roles and responsibilities of Registration Authorities are defined by NHS policy. Their key tasks are first to verify the identity of all healthcare staff who need to have access to sensitive data, and second to establish and provide only the degree of access they need to do their jobs.

The identity check is to a very high standard (the government recommended standard 'e-GIF Level 3') and includes a mandatory face-to-face meeting. It requires the individual to provide at least three forms of evidence (photo and non-photo), including proof of address. Once their identity is confirmed, healthcare staff are issued with a Smartcard and a passcode by the Registration Authority. They have to use their Smartcard and passcode each time they log on to access and use information.

The Registration Authority will also determine the level of access the individual should have. That information is held on a database which is interrogated every time the individual logs on, and the appropriate access is granted. In this way the individual has no way of changing the level of access that they have been granted.

Smartcards

Smartcards and passcodes are similar to a chip and PIN credit or debit card, but are more secure, as there is no account information on the Smartcard and the passcode is more complex. A user's Smartcard is printed with their name, photograph and unique user identity number. The photograph is stored centrally, and is always available for an organisation to verify that the Smartcard holder is indeed the person to whom it was issued. All NHS healthcare staff know that it is a disciplinary offence to tamper with Smartcards, share passcodes, or use a Smartcard that doesn't belong to them, and that they may lose their jobs if they do so. Individuals are granted access to patient information based on their work and level of involvement in patient care. This means that, for example, someone working in an administrative role rather than a clinical one might only be able to see the demographic information needed to process an appointment, not the full clinical record.

Increasingly, with new applications, Registration Authorities will also be able to determine which records an individual might routinely be able to access. Some healthcare staff (those in A&E, for example) might on rare occasions need to access data for a patient they don't routinely expect to see, and they are specifically enabled to do so.

Most, however, only need to see data on patients with whom they have a "legitimate relationship", and Registration Authorities will be able to set boundaries around the records of groups of patients for particular users, for the duration of an episode of care.

As more new systems are introduced, every access to a patient's record is recorded, along with how the record was used. This will form an important audit trail, which cannot be provided with paper records.
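
The access model described above (role-limited views, legitimate relationships bounded by an episode of care, specifically enabled emergency access, and an audit trail) can be sketched as follows. This is an added example, not NHS code; the role names, record sections, identifiers and dates are constructed, and logging denied requests as well as granted ones is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical role profiles: which sections of a record each role may view.
ROLE_SECTIONS = {
    "admin": {"demographics"},
    "clinician": {"demographics", "clinical"},
    "emergency_clinician": {"demographics", "clinical"},
}
# Roles specifically enabled to open records outside a legitimate relationship.
EMERGENCY_ROLES = {"emergency_clinician"}

@dataclass
class AccessControl:
    roles: dict          # user id -> role; held centrally, not on the card
    relationships: dict  # (user id, patient id) -> (start, end) of episode of care
    audit: list = field(default_factory=list)

    def request(self, user, patient, section, on):
        role = self.roles.get(user)
        episode = self.relationships.get((user, patient))
        related = episode is not None and episode[0] <= on <= episode[1]
        if section not in ROLE_SECTIONS.get(role, set()):
            outcome = "denied: section not in role profile"
        elif related:
            outcome = "granted: legitimate relationship"
        elif role in EMERGENCY_ROLES:
            outcome = "granted: emergency access"
        else:
            outcome = "denied: no legitimate relationship"
        # Assumption: every decision is audited, including refusals.
        self.audit.append((on.isoformat(), user, patient, section, outcome))
        return outcome.startswith("granted")

def demo():
    # Constructed sample data: three users, one episode of care in May 2012.
    may = (date(2012, 5, 1), date(2012, 5, 31))
    ac = AccessControl(
        roles={"u1": "admin", "u2": "clinician", "u3": "emergency_clinician"},
        relationships={("u1", "p1"): may, ("u2", "p1"): may},
    )
    day = date(2012, 5, 10)
    results = [
        ac.request("u1", "p1", "demographics", day),          # admin, own patient
        ac.request("u1", "p1", "clinical", day),              # admin, clinical record
        ac.request("u2", "p1", "clinical", day),              # clinician in episode
        ac.request("u2", "p1", "clinical", date(2012, 7, 1)), # episode has ended
        ac.request("u3", "p2", "clinical", day),              # A&E, no relationship
    ]
    return results, ac.audit
```
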

Staff will also continue to be bound by their own professional codes of conduct, local regulations and contractual requirements, the Data Protection Act and the NHS Code of Confidentiality.

There will be occasions when NHS care is provided outside the NHS, or is provided jointly (with a local authority, for example), and the staff providing that care will need access to information just as NHS healthcare staff would. They have to go through exactly the same steps as NHS healthcare staff to get that access, and are subject to all the same controls, requirements and sanctions as NHS healthcare staff.

Queries on the role of Registration Authorities, Smartcards and process can be directed to cfh.accesscontrol@nhs.net

NHS Smartcard Working Group report

Towards the end of 2010, an NHS Smartcard Working Group was set up to look at barriers to and options for improving the take up and use of Smartcards by healthcare professionals. This was in response to a recommendation made by Professor Sir Bruce Keogh, as chair of a Ministerial review into the content of the Summary Care Record (SCR) in October 2010.

The NHS Smartcard Working Group, chaired by Dr Charles Gutteridge, DH National Clinical Director for Informatics, met twice and produced the following report (PDF, 549.6kB) of their review including 12 recommendations which NHS Connecting for Health accepted and agreed to take forward.  This table (PDF, 30.7kB) provides a summary of the activity and progress made against each recommendation.

Smartcards - innovative, extended use. NHS Lincolnshire case study

In line with recommendations 2 and 9 of the Smartcard Working Group report, a case study has been produced highlighting extended use of the NHS Smartcard.

This shows how NHS Lincolnshire has implemented extended use of Smartcards for a range of innovative uses and the benefits they have seen. 

In addition, it includes a menu of solutions to provide organisations with a more informed view when considering this type of solution. 

Download Smartcards - innovative, extended use. NHS Lincolnshire case study.  (PDF, 270.5kB)