
Registration authority smart cards policy and procedure

Contents

  1. Introduction
  2. Purpose
  3. Scope
  4. Authentication tokens (smartcards)
  5. Accountability
  6. Registration authority services
  7. Registration authority process
  8. Temporary access cards (TAC)
  9. Incident reporting
  10. Audit
  11. Training
  12. Equality impact assessment screening
  13. Links to any other associated documents
  14. References
  15. Appendices

1 Introduction

NHS national IT systems which are used for accessing health records need to ensure that users of these systems are identified correctly and are given appropriate access.

This is achieved by identity verification and creating a national digital identity for each user wishing to access the NHS care records service using the care identity management (CIM) provided by NHS digital.

The process of doing this uses local registration authorities which consist of organisations with people and processes who are trained to create identities and grant access.

It is a mandatory requirement that any organisations who are identified by NHS digital as a local registration authority and provide local RA activity have a clear policy outlining governance and processes.

In line with the above, this policy details the RA processes for Rotherham Doncaster and South Humber NHS Foundation Trust (the trust) as a delegated local registration authority and user of the care identity management (CIM).

This policy follows the guidance provided by the National Registration Authority Policy issued by NHS Digital in 2022.

The guidance within this policy is based on the original Department of Health (DH) gateway document ‘Registration authorities: Governance arrangements for NHS organisations’, the NHS care record guarantee, GDPR requirements and RA good practice.

It also reflects current best practice around identity and access management as informed by the National Cyber Security Centre which includes:

2 Purpose

The purpose of the registration authority is to distribute smartcards that will ensure employees or individuals providing patient care directly or indirectly have timely access to NHS CRS compliant applications (and information) in accordance with their role.

As a registration authority, the trust must:

  • have sufficient governance, processes, and oversight in place to comply with Data Protection Laws, including (but not limited to) providing fair processing information to all users, the NHS Code of Practice on confidential information, as amended from time to time, and the Care Record Guarantee
  • be registered for the data security protection toolkit and have a current latest status rating of at least ‘standards met’
  • be maintaining 100% compliance with information governance training and the GDPR code of conduct
  • ensure that all RA members and users are adequately trained and familiar with the local and national RA processes

The trust registration authority (RA) is made up of an RA manager, RA advanced agents, local RA agents, RA unlockers and RA sponsors, who have defined roles. These are outlined in appendix A.

3 Scope

This policy relates to registration authority systems and processes and is applicable to any employees within the trust who require access to CRS compliant applications, for example, SystmOne via smartcard access.

This policy also covers anyone who is required to undertake work within the trust and requires access to CRS compliant applications, for example, agency staff, and students.

4 Authentication tokens (smartcards)

The trust is required to be a registration authority to manage the distribution and use of approved authentication tokens, for example, smartcards.

The primary purpose of NHS smartcards is to provide identification and system authentication to local informatics applications.

Smartcards provide access to applications via the NHS care records service (CRS) and the electronic staff record (ESR) and govern the level of access individuals are allowed within each system.

5 Accountability

The director of people and organisational development has accountability for developing the policy and maintaining an overview of the process. Should the RA manager change, it is the responsibility of the director of people and OD on behalf of the chief executive and Senior Leadership team, to notify the responsible person at the Health and Social Care Information Centre (HSCIC) of this change.

The director of people and OD is also the information asset owner (IAO) in relation to all aspects of the registration authority. The director of people and OD, on behalf of the Executive Management team is responsible for confirming in writing to the RA function, the appointment of any RA managers or sponsors.

Registration authority manager is the designated trust lead for the registration authority process. The trust RA manager is the head of human resources (workforce and transactional services). The RA manager is accountable to the director of people and organisational development.

Registration authority sponsors are appointed and entrusted to act on behalf of the trust in determining who should have what access and maintaining the appropriateness of that access.

Sponsors are appointed on behalf of the Executive Management team by the director of people and organisational development. The nominated sponsor will then arrange a meeting with the RA team to receive RA sponsor training on CIM, either with an RA advanced agent or RA manager. Once the training has been completed sponsor rights will be processed, presenting the letter from the director of people and organisational development.

Registration authority agents are responsible to the RA manager for ensuring that the national and local processes are followed and for the accurate input of information on RA forms onto the NHS spine NCRS smartcard management service.

6 Registration authority services

The following services are available across all directorates and corporate services:

  • user registration
  • position based access control (PBAC)
  • creating and editing PBAC (central RA only)
    • adding role and position profiles
    • changing role and position profiles
    • deactivating role and position profiles
    • adding and removing workgroups
  • revocation and cancelling of smartcards
  • user suspension
  • PIN and passcode resetting
  • smartcard renewal of certificates and exchange
  • issue of new or replacement smartcard
  • temporary access cards (TAC)

7 Registration authority process

7.1 Position based access (PBAC)

RA sponsors will ensure that appropriate access to healthcare records is maintained via PBAC which provides the trust with a distinct governance process and allows consistency across all clinical services.

PBACs can only be created and edited or removed by the RA manager with authorisation from the clinical systems manager and information governance manager.

7.2 New starters

Where staff are recruited to a role which requires access to National CRS Applications it is important that the following points are considered:

  • checks on an applicant’s ID are made via the apply for care ID service during the recruitment onboarding. Apply for care ID service verifies documentation by an NHS digital ID checker. Once their identity has been verified, a profile will be created for them in CIM, and they will receive a smartcard to enable them to access national systems and services
  • employees must digitally sign to acknowledge that they have read and understood the policies and procedures governing the use of smartcards and CRS applications. Users will be required to enter their passcode in CIM upon first registration to confirm they have read and agree to the terms and conditions. In instances where the RA team issue a card locked, a temporary passcode will be issued to enable users to agree, and the card will then be reset to a locked state and given to the user
  • all smartcards will be issued ‘locked’ unless the employee has completed their mandatory training in relation to information governance
  • new starters following our standard recruitment process will be issued a physical card once the apply for care ID approval is complete as part of the recruitment onboarding
  • PBACs will be assigned to the new starter by the local RA sponsors on appointment in the role

New starters who have not come through the standard recruitment process are advised to contact the RA manager for further instruction.

7.3 Leavers and revocation

When staff are leaving, the following points must be considered:

  • if the employee is transferring to another NHS related location (for example, GP practice, acute trust), they may retain the smartcard, but their trust profile must be removed
  • employees leaving the NHS will have their certificate(s) revoked and the PBAC assigned to them in CIM removed. It is the responsibility of the local RA teams and sponsors to remove all PBAC positions assigned on the person’s last day. Future end dates can be given on a PBAC in advance of an individual leaving the organisation. The Central RA team, as part of the IG toolkit, runs a monthly leavers report to audit local RA teams and sponsors to make sure the PBACs have been removed in a timely manner

There are occasions when it is necessary to deactivate a smartcard by revoking the smartcard certificate. Reasons for this include:

  • the smartcard is lost or stolen
  • there has been some other security breach associated with the smartcard or smartcard certificate
  • the user is no longer employed by an NHS organisation

Revocation tasks should be carried out by the local RA teams in your directorate immediately.

7.4 Changes to existing user access

If there are changes to a staff member’s job role or PBAC requirements the local RA sponsor should review the staff member’s level of access immediately in CIM and remove or add the appropriate PBAC required for the staff member.

Some examples are listed below:

  • changes to job title
  • changes to access requirements (for example, prescribing)
  • changes to department
  • changes to site(s) or base location

7.5 Locums, agency, bank and external users

Temporary staff filling roles may also need access to NHS CRS applications as part of their role. The following points should be considered:

  • staff working as part of a team may not need a smartcard to fulfil the role. A smartcard should only be issued to temporary or bank staff members if access to one or more NHS CRS applications is a key requirement of the role or roles they will be fulfilling
  • some temporary staff may already hold a smartcard and will only require the PBAC to be added with a contractual end

Any external users (staff employed by another organisation excluding agency) need to follow the external user route to get clinical system access with or without a smartcard.

PBAC access for external users should not be added by RA sponsors within the care groups; this must go through the Workforce Systems team. The external user form and guidance around the process is on the staff Intranet under registration authority and smartcards. The External User process is governed by the Information Governance team and trust Caldicott guardian.

7.6 Lost, stolen and broken smartcards

Lost, stolen or damaged smartcards should be reported as soon as is practicable by contacting either your local RA team or the Central Workforce Systems team. Where a smartcard is lost or stolen, or there is a security breach, the staff member is to complete a form on the incident reporting system (IR1), and this will be escalated to the RA manager and executive director.

Once notified an RA sponsor or agent will arrange to have the smartcard certificates revoked as soon as possible as detailed in section 5.6.2 leavers and revocation.

When an issued smartcard becomes unusable or it is lost or stolen the smartcard certificate must be revoked, as detailed in the Leavers and Revocation section. Revocation renders the Smartcard useless.

If the smartcard holder’s identity can be verified at a face to face meeting a new Smartcard may be issued. If the identity cannot be verified, the applicant will be required to produce appropriate documentary evidence.

8 Temporary access cards (inpatient only)

Temporary access cards (TAC) are available in inpatient areas across the trust, to mitigate the risk of smartcard users not being able to access clinical systems out of hours or in emergency settings. TAC cards can only be used by users who have already verified their national digital identity. TAC cards have pre-assigned access, for example, general nurse, doctor, or general healthcare assistant.

The Workforce Systems team maintain a TAC database that traces all cards used across the trust and is maintained quarterly.

Once a TAC card is issued to a ward area, they are provided with a TAC card log sheet (see appendix B) and TAC guide to follow (see appendix C).

TAC cards must be kept in a locked and secure environment within your department. TAC Cards should only be used in an emergency when a clinical professional is not able to access the patient data system.

The TAC cards should be signed in and out in your ward area by completing the manual TAC Log.
Managers should review the TAC Card Log daily and act if TAC Cards are not returned within a reasonable time period (72 hours normally). The ward manager should contact the Workforce Systems Team to cancel the TAC card if it is not returned or compromised.

The RA manager as part of the quarterly internal audit documents the usage of TAC cards in each area and reports to each care group the findings.

9 Incident reporting

Incidents may be reported by any member of staff where they feel that there is a risk to patient health, confidentiality, or trust reputation.

Incidents should be reported via the IR1, using the trust data security and protection breaches and information governance incident reporting policy, which will then be shared with the RA manager. If it is suspected that a smartcard is being misused, then it should be reported to your line manager and RA manager who may request that the certificate associated with the smartcard be suspended or revoked as appropriate.

Examples of incidents are:

  • smartcard or application misuse
  • smartcard theft and lost smartcard
  • non-compliance of local or national RA policy
  • any unauthorised access of CRS applications
  • any unauthorised alteration of patient data
  • unauthorised and inappropriate access to patient information

The RA manager will consider all incidents reported to them and appropriate action. Any incidents considered significant will be escalated within the appropriate directorate and to the trust data protection officer and Caldicott guardian depending on the nature of the incident. A major breach of security will also be reported by the RA manager to the HSCIC (if appropriate) to ensure any risks resulting from the event can be considered and mitigated against.

Any incidents that involve breaches of security or demonstrate that a smartcard user may not be considered trustworthy may result in a disciplinary sanction, including dismissal.

10 Audit

The management and use of Smartcards will be subject to internal audit to ensure that national and local policies are being followed. Internal audit is conducted by the RA manager and IG manager to support the quarterly audit report and annual IG toolkit.
This will include:

  • smartcards are handled securely by users
  • access to CRS applications and records is controlled appropriately
  • unused smartcards are stored safely, and appropriate records are kept
  • PBAC role allocation and de-allocation is performed appropriately
  • random checking of PBAC roles with those requested by the sponsor
  • appropriate use of TAC cards
  • verification that access assigned to individuals is accurate and that access which is no longer required is promptly removed
  • verification that individuals are aware of the terms and conditions of NHS smartcard usage
  • audit the trust IR1 system for reports of incidents involving the RA service, RA users, Smartcard breaches or misuse

A quarterly internal report will be sent to each directorate by the RA manager, actioning all the above audit requirements and TAC card usage.

11 Training

The training requirements are outlined within the role responsibilities attached as appendix A.

12 Equality impact assessment screening

To access the equality impact assessment for this policy, please email rdash.equalityanddiversity@nhs.net to request the document.

12.1 Privacy, dignity and respect

The NHS Constitution states that all patients should feel that their privacy and dignity are respected while they are in hospital. High Quality Care for All (2008), Lord Darzi’s review of the NHS, identifies the need to organise care around the individual, ‘not just clinically but in terms of dignity and respect’.

As a consequence the trust is required to articulate its intent to deliver care with privacy and dignity that treats all service users with respect. Therefore, all procedural documents will be considered, if relevant, to reflect the requirement to treat everyone with privacy, dignity and respect, (when appropriate this should also include how same sex accommodation is provided).

12.1.1 Indicate how this will be met

Policy does not relate to patients.

12.2 Mental Capacity Act

Central to any aspect of care delivered to adults and young people aged 16 years or over will be the consideration of the individual’s capacity to participate in the decision making process. Consequently, no intervention should be carried out without either the individual’s informed consent, or the powers included in a legal framework, or by order of the court.

Therefore, the trust is required to make sure that all staff working with individuals who use our service are familiar with the provisions within the Mental Capacity Act (2005). For this reason all procedural documents will be considered, if relevant to reflect the provisions of the Mental Capacity Act (2005) to ensure that the interests of an individual whose capacity is in question can continue to make as many decisions for themselves as possible.

12.2.1 How this will be met

All individuals involved in the implementation of this policy should do so in accordance with the guiding principles of the Mental Capacity Act (2005) (section 1).

13 Links to any other associated documents

14 References

  • NHS Digital National Registration Authority policy
  • National Cyber Security Centre guidance
  • Data Protection Act 2018 (DPA)
  • General Data Protection Regulation (GDPR)

15 Appendices

15.1 Appendix A Roles and responsibilities

15.1.1 Registration authority manager

The primary responsibilities of the registration authority manager are defined below.

  • responsible for maintaining RA governance across the trust, this cannot be delegated
  • ensures implementation of the trust RA policy and processes in line with national guidance
  • responsible for the development of local processes that meet policy and guidance for the creation of authentication tokens, digital identities, production of smartcards, assignment of security device, assignment of access rights, modifications to access and people, removal of access rights in a timely fashion where there is no business justification for the rights to be retained and certificate renewal and card unlocking
  • assign, sponsor and register RA agents and sponsors
  • train RA agents and sponsors, ensuring they are competent to carry out their roles and adhere to policy and process
  • facilitate the process for agreeing the organisations access control positions
  • responsible for undertaking appropriate audits
  • responsible for ensuring users are compliant with the terms and conditions of Smartcard usage and other registered devices
  • verifies user’s ID to GPG45 Level 3 or 4
  • ensuring leavers from the trust have their access rights removed in a timely way
  • responsible for the security of (old) paper-based RA records
  • ensure all service issues are appropriately raised both locally and nationally

15.1.2 Registration authority sponsors

Sponsors will be identified by the trust, or the Caldicott guardian as being suitable persons by virtue of their status and role. Sponsors will be registered by an RA manager or RA agent on behalf of the trust in accordance with instructions given by the trust. Sponsors will be staff with sufficient seniority to understand and accept the responsibility required. Registration sponsors are responsible to the RA manager for the input of accurate information on CIM requests; if CIM is unavailable, the sponsor may submit paper documentation.

Sponsors are responsible for granting on behalf of the trust, who can access what healthcare information, ensuring that users are given the minimum appropriate level of access needed to perform their job. Sponsors will be held accountable by the trust for their actions. Sponsors are responsible to the trust to ensure only appropriate access to CRS applications is granted.

Sponsors will:

  • be familiar with the different types of position based access control (PBAC) to approve
  • ensure the appropriate Workgroup is added for SystmOne access
  • ensure that access profiles submitted to a registration authority follow PBAC material published by suppliers, on the RA website, or developed locally, and the implications of approving the access profiles
  • be familiar with the applications they sponsor Users for via briefing material from the application providers
  • complete face to face training with the RA manager and have access to the role specific presentations on NHS Digital website
  • always be compliant with mandatory training in relation to information governance and data security
  • also be able to unlock smartcards and allow users to reset their PIN pass codes

Sponsors will also:

  • initiate requests to registration authority personnel through the RA form process for staff registrations and position and role assignments
  • renew a user’s smartcard certificate (where applicable) and reset passcodes, only where confident of the user’s identity
  • the smartcard user’s identity will be confirmed by the photograph on their smartcard or via their account recovery passcode. Should it be found that a card has been unlocked without appropriate training, this will be escalated to the relevant manager and may result in disciplinary action
  • ensure that the position/role profile associated with a user is appropriate
  • inform the RA manager of problems associated with user access levels
  • ensure that the trust incident report process is fully complied with for all instances where smartcards have either been lost, misplaced, or stolen

Regularly review, at least annually, to confirm that all staff remaining in employment with the organisation are performing the same duties and have appropriate access levels assigned for their job role(s) and make requests to amend access rights in a timely manner, as appropriate.

15.1.3 Registration authority agents

The local care group RA agents will be responsible for the issuing, registering and maintenance of the smartcards and their functionality. They will be responsible for reporting all incidents, misuses, anomalies, and problems to the RA manager and where relevant the Caldicott guardian. The RA agents are responsible for cleaning their printers monthly using the equipment supplied by the RA manager, thus optimising the performance of the printer.

RA agents can be registered and issued with agent smartcards provided their role as RA agent has been authorised/sponsored by the RA manager.

RA agents will:

  • ensure that all RA forms and associated information is maintained and securely stored according to national policy
  • ensure that all activities relating to the registration authority agent function are following the trust’s information governance policies and procedures
  • only renew a user’s smartcard certificate if confident of the user’s identity. Their identity will be confirmed by:
    • the photograph on their smartcard or via their account recovery passcode
    • if the identity cannot be verified, the applicant is required to produce documentary evidence to the RA, as detailed in appendix A
    • if the identity still cannot be verified, the incident is reported to the RA manager. It may be necessary to cancel or revoke the locked NHS smartcard
  • unlock a user’s smartcard and reset logon passcodes
  • ensure their contact details including email address and phone numbers are recorded in the spine user directory
  • perform CIM requests
  • ensure smartcard users comply with the terms and conditions by issuing the RA leaflets and running reports to confirm all staff have signed the electronic terms and conditions
  • advise smartcard users to register with the CIM self-service function

15.1.4 The smartcard user

The user is responsible for ensuring that if the card is lost or stolen this is reported as soon as possible to their line manager or to a member of the Registration Authority team. The sponsor should then raise a request for a new card via CIM which the user can then arrange to collect from their local RA team. The applicant must also complete an incident reporting form or safeguard form.

The user is responsible for ensuring that they only use the smartcard to access the levels within an IT application for which they have a legitimate reason. The trust monitors compliance with the policy and terms and conditions of smartcard usage and unauthorised access will be considered as a breach of conduct and may result in disciplinary proceedings, including disciplinary action and dismissal. The applicant is responsible for keeping their PIN codes or pass codes confidential and must not share these, their smartcard or leave their card unattended at any time.

Incidents should be reported by any member of staff where they feel that there is a risk to patient health, confidentiality, or trust reputation.

15.1.5 All users

All users are responsible for their own compliance with information governance principles and for the safe and authorised use of smartcards. All employees are expected to familiarise themselves with the relevant information governance policies and undertake regular mandatory and statutory training updates. Staff not issued with smartcards should never use those issued to other people and have a duty to report any misuse which they become aware of.

15.2 Appendix B TAC card log sheet

15.3 Appendix C TAC card guide

15.3.1 Temporary access cards (TAC)

TAC smartcards must be kept in a locked and secure environment within your department. TAC cards should only be used in an emergency when a clinical professional is not able to access the patient data system.

The TAC cards should be signed in and out in your ward area by completing the manual TAC Log.

Managers should review the TAC card Log daily and take action if TAC cards are not returned within a reasonable time period (72 hours normally). The ward manager should contact the RA team to cancel the TAC card if it is not returned or compromised.

15.3.2 SystmOne

When a TAC card is used to access SystmOne you must login as normal. When setting up your profile details you must complete the “event details” under staff “event done by” unknown and type your name in the box.

15.4 Appendix D Temporary access card process

15.4.1 Create TAC

  1. RA creates TAC.
  2. Card identity services set TAC attributes including name and image.

15.4.2 Issue TAC

  1. User requests a TAC as own card is unavailable.
  2. Sponsor searches for user.
  3. Card identity services verify user’s national digital identity and confirm photo is a true likeness.
  4. Sponsor issues TAC (manually logs, for example, in a spreadsheet) and unlocks the TAC.
  5. User sets and confirms passcode.

15.4.3 Revoke TAC

  1. User returns card after given period.
  2. Sponsor locks TAC by incorrectly entering passcode three times.
  3. Sponsor updates manual log.

Document control

  • Version: 6.
  • Unique reference number: 258.
  • Approved by: Corporate policy approval group.
  • Date approved: 4 April 2024.
  • Name of originator or author: Workforce systems manager.
  • Name of responsible individual: Executive director of people and organisational development.
  • Date issued: 2 May 2024.
  • Review date: 31 May 2027.
  • Target audience: All employees of the trust, students and external individuals who require access to the relevant systems as defined under the scope of the policy.

Page last reviewed: October 01, 2024
Next review due: October 01, 2025
