NHS Connecting for Health ceased to exist on 31st March 2013. This website is therefore not being updated. For up to date information about systems and services visit the Health and Social Care Information Centre website at www.hscic.gov.uk/systems

You are here: Home Services & Applications Registration Authorities and Smartcards

Registration Authorities and Smartcards

Registration Authorities – Operating Guidance 2013-2014

The Operating Guidance for Registration Authorities (PDF, 165.8kB) from 1st April 2013 has now been published.  

This document is relevant for any organisations involved in the provision or delivery of Registration Authority services.  It explains the future RA model given the changing organisational structure of the NHS, resulting from the Health and Social Care Act 2012.

For queries contact cfh.accesscontrol@nhs.net

Forward notice of invitation to local authorities, independent sector and other non-NHS organisations to host Registration Authorities (RA)

Following the change to policy to permit local authorities, independent sector and other non-NHS organisations to host Registration Authorities (RAs) further information and guidance will be published shortly to invite organisations to apply to become a pilot RA. The guidance will explain the criteria in respect of governance, operation and external monitoring and audit required by a RA and how HSCIC will be selecting pilot RAs.

Read full notice.

Access Controls - Smartcards

Related links

NHS Care Record Guarantee

NHS systems and related services like Choose and Book or the Electronic Prescription Service increasingly use a common approach to protect the security and confidentiality of every patient's personal and healthcare details. NHS electronic staff records also use this common approach to protect the security and confidentiality of staff employment records. Please see the Electronic Staff Record website for further information.

That approach includes a rigorous identity check of all those who may have access to those records, and careful control of what access any individual should have. The NHS has set out the principles that will govern how patient information in particular is held in the NHS, and the way it can be shared.

These are set out in the NHS Care Record Guarantee which is reviewed by an independent body, the National Information Governance Board, at least every twelve months.

Registration Authorities

Organisations that deliver NHS care and need to access patient information within NHS systems and other national services must set up Registration Authorities to manage this process. The roles and responsibilities of Registration Authorities are defined by NHS policy. Their key tasks are first to verify the identity of all healthcare staff who need to have access to sensitive data, and second to establish and provide only the degree of access they need to do their jobs.

The identity check is to a very high standard (the government recommended standard 'e-GIF Level 3') and includes a mandatory face-to-face meeting. It requires the individual to provide at least three forms of evidence (photo and non-photo), including proof of address. Once their identity is confirmed healthcare staff are issued with a Smartcard and a passcode by the Registration Authority. They have to use their Smartcard and passcode each time they log on to access and use information.

The Registration Authority will also determine the level of access the individual should have. That information is on a data base which is interrogated every time the individual logs on, and the appropriate access is granted. In this way the individual has no way of changing the level of access that they have been granted.



Smartcards and passcodes are similar to a chip and PIN credit or debit card, but are more secure, as there is no account information on the Smartcard and the passcode is more complex. A user's Smartcard is printed with their name, photograph and unique user identity number. The photograph is stored centrally, and is always available for an organisation to verify that the Smartcard holder is indeed the person to whom it was issued. All NHS healthcare staff know that it is a disciplinary offence to tamper with Smartcards, share passcodes, or use a Smartcard that doesn't belong to them, and that they may lose their jobs if they do so. Individuals are granted access to patient information based on their work and level of involvement in patient care. This means that, for example, someone working in an administrative role rather than a clinical one might only be able to see the demographic information needed to process an appointment, not the full clinical record.

Increasingly with new applications Registration Authorities will also be able to determine which records an individual might routinely be able to access. Some healthcare staff might on rare occasions need to access data for a patient they don't routinely expect to see – those in A&E for example - and they are specifically enabled to do so.

Most however only need to see data on patients with whom they have a "legitimate relationship" and Registration Authorities will be able to set boundaries around the records of groups of patients for particular users, for the duration of an episode of care.

As more new systems are introduced, every time someone accesses a patient's record, it is being recorded, along with how they used it and this will form an important audit trail which cannot be provided with paper records.

Staff will also continue to be bound by their own professional codes of conduct, local regulations and contractual requirements, the Data Protection Act and the NHS Code of Confidentiality.

There will be occasions when NHS care is provided outside the NHS or is provided jointly, with a local authority for example, and staff, in order to provide that care, will need access to information as would NHS healthcare staff. They have to go through exactly the same steps as NHS healthcare staff to get that access, and are subject to all the same controls, requirements and sanctions as NHS healthcare staff.

Queries on the role of Registration Authorities, Smartcards and process, can be directed to cfh.accesscontrol@nhs.net

Smartcards - innovative, extended use. NHS Lincolnshire case study

NHS Lincolnshire implemented extended use of Smartcards for a range of innovative uses and the benefits they have seen. 

In addition, it includes a menu of solutions to provide organisations with a more informed view when considering this type of solution. 

Download Smartcards - innovative, extended use. NHS Lincolnshire case study.  (PDF, 270.5kB)