IGSOP01 Registration Authority Smartcards Procedure


Registration Authority (Smartcards) Procedure

Version: V6

Ratified by: Technology Programme Board

Date Ratified: 14/11/2023

Job Title of Author: Information Governance and IT Projects Manager

Reviewed by Sub Group or Expert Group: Technology Programme Board

Related Procedural Documents:

IGPOL51 Registration Authority Policy, IGPOL65 Transferring of Personal Information Policy

IGPOL31 Data Protection Policy, IGPOL53 Information Security Policy, IGPOL70 Confidentiality Code of Conduct Policy for Staff

Review Date: 14 November 2026

It is the responsibility of users to ensure that they are using the most up-to-date version of this document, i.e. the one obtained via the intranet.

In developing/reviewing this procedure Provide Community has had regard to the principles of the NHS Constitution.

Version Control Sheet

| Version | Date | Author | Status | Comment |
|---|---|---|---|---|
| V1 | March 2012 | Information Governance Coordinator | Ratified | New |
| V2 | March 2014 | Information Governance Manager | | |
| V3 | October 2015 | Information Governance Manager | Reviewed by RA Team | Reviewed and updated in line with implementation of Care Identity Service and associated processes. |
| V3.1 | November 2016 | Information Governance Manager/ RA Agent | | Additional process added for Voluntary Staff. Document reference updated from IGPRE29 |
| V4 | 01/03/2018 | Information Governance Manager/ RA Agent | 3 year review | |
| V5 | August 2021 | Information Governance Manager/ RA Agent | 3 year review | RA smartcard registrations using video conference facilities. Changes to roles and responsibilities |
| V6 | August 2023 | Information Governance Manager/ RA Agent | 3 year review | |

1. Purpose

This document outlines the actions to be performed in relation to the creation and operation of the registration function within the organisation. Staff who are going to be involved in the registration function need to be familiar with this document and its obligations.

Senior Managers, Human Resources, Information Technology, Caldicott Guardian, and RA personnel who are going to be involved in the registration function need to be familiar with this document and its procedures.

These Procedures are performed in accordance with the NHS Digital RA Policy.

2. Roles and Responsibilities

There are a number of roles referred to in these procedures:

• The Applicant - The member of staff applying for the smartcard.

• The Sponsor - Approves and defines the required smartcard access rights for the applicant. They can also assist users with unlocking of smartcards and reissue certificates to smartcards that have not already expired.

• The RA Agent - Grants access to the applicant by creating the smartcard and by addition or modification of access rights to the smartcard.

• The Local Smartcard Administrator (LSA) - Can assist users with unlocking their smartcard and re-issue certificates only to cards that have not expired*.

• The HR Department - First point of contact for new staff joining the organisation. Responsible for requesting ID and sharing this, as well as the staff member’s photograph, with the RA Agent.

*LSAs cannot re-issue certificates to sponsors’ smartcards.

3. Pre-Requisites to Smartcard Issuance

A pre-requisite to smartcard registration is completion of the Information Security Policy declaration; users are also required to have access to the organisation’s network via a unique system login.

All staff being issued a smartcard for the purpose of accessing SystmOne, must complete SystmOne training before using their smartcard. RA Agent or Sponsor to ensure that a start date is added which coincides with the date for SystmOne training.

4. Logistics for Smartcard Registration

The current estimated time of each registration is 20 - 30 minutes (additional time may also be required to explain the use of the Smartcard). The process requires that the user has a ‘face-to-face’ meeting with the HR/Work Force Solutions/RA Agent so that the required documentation can be checked, the photograph taken, passcodes entered by the user and the card printed and issued.

Remote smartcard registration – emergency guidance for Registration Authorities

Guidance for Registration Authority (RA) service providers and Registering Organisations when completing RA smartcard registrations using video conference facilities

This process will apply when face-to-face registration meetings and the use of identity checkers are not possible

Please refer to appendix 6 for guidance.

5. The Process of Registration

For an individual member of staff to be registered for access to the system a number of steps have to be performed:

• Human Resources/Workforce Solutions teams perform the ID checks and create the profiles on CIS. For external staff who do not join via HR/WFS teams, the RA team will perform the ID checks and create the profiles on CIS.

• HR/WFS must raise a call through the Technology Service desk for the applicant requesting smartcard and/or ID badges to be printed by RA team.

• The Applicant must make an appointment to attend a face to face meeting with an HR/WFS teams or RA Agent (for external staff) bringing along with them Identification (See Personal Identity Documents Section) to process their application.

• The HR/WFS teams or RA Agent (for external staff) will complete the registration on CIS, entering the Identification Information, uploading a photograph of the applicant and confirming their identity. The ID checks are designed to:

• Determine that the identity is genuine and relates to a real person; and

• Establish that the individual owns and is rightfully using that identity prior to applicant being registered.

• Where the applicant is a new member of staff joining the organisation, their HR photograph will be utilised. This photograph is saved onto CIS for the purpose of identification and administration;

• The RA Agent then prints the smartcard with the Applicant’s photograph, name and UUID;

• During the printing process the applicant will be requested to create a password for use with the card. The requirement for this password is 6 to 8 characters (ideally alphanumeric). It is important that the applicant makes no written copies of the password and does not disclose it to the RA Agent;

• The applicant is advised on how to get support if they have any difficulties in accessing the National Spine Applications and changes in circumstances (i.e. role changes etc) when they are issued with the Smartcard;

• The applicant is advised to test the card whilst with the RA Agent. This involves putting in the Passcode and signing up to the terms and conditions. If the terms and conditions are not presented, the RA Agent advises the applicant to read and accept them when they are presented at a later date.

• The applicant is advised of the process for lost, stolen and faulty Smartcards (e.g. if stolen, the user must inform their Sponsor and the RA immediately so that the card can be invalidated). The card should be treated like a Credit Card;

The position and SystmOne Workgroup required for the applicant will be added to the applicant’s profile, as per the HR/WFS details provided within the request raised on the IT Portal.

For external staff, this must be authorised by the sponsor and can either be facilitated by:

The sponsor logging back on to CIS following the face to face meeting and raising a request OR the sponsor can specify which Position and Workgroup they would like to be assigned when raising the initial request by entering this in the “Notes” section at the bottom of the registration Page or in the initial service desk call

Please note that the RA Agent will not add any access without written confirmation from the relevant Sponsor, if the role of the new starter and/or department is not specified within the HR/WFS request.

Where position and workgroup are specified in the service desk call, the RA Agent must enter in the Service Desk call in the notes section after ticking the “Proceed without sponsor approval”

Available Positions and Workgroups for assignment are listed on CIS. Alternatively, a list of positions is maintained on the RA Pages on the Staff Intranet.

Photographs

The photograph assigned to the user’s profile which is printed on the Smartcard must adhere to the following standards:

• Photograph must be as per the below diagram

• Photograph must meet passport standards and be taken against a plain background with adequate lighting and be cropped to match the diagram below.

• For further information please see the Home Office Passport Photo Requirements https://www.gov.uk/photos-for-passports

Photographs that are captured by or imported to CIS must meet the following technical specification:

1. Size matches or exceeds the minimum size (420 x 525 pixels)

2. Should the captured size exceed the maximum size then the captured image should be re-sized to the maximum (i.e. 630 x 788 pixels)

On completion of the registration process of the user, the photograph of the user should be destroyed by RA staff or Sponsors. There is no requirement for RA staff or Sponsors to retain copies of the photograph once imported into Care Identity Service.

Personal Identification Documents

The teams that verify identity (RA Agents, HR Team, WFS) must follow the NHS Employment Check Standards when verifying an applicant’s identity. These are listed in Appendix 4. Standards are updated from time to time and these are communicated on the NHS Employers Website:

http://www.nhsemployers.org/your-workforce/recruit/employment-checks/nhsemployment-check-standards/identity-checks

RAs must familiarise themselves with any guidance and changes communicated.

RA Agents are not permitted to retain copies of identification documents. Identification documents scanned and shared by HR are to be deleted after registration of the applicant is completed.

Only RA Agents or members of HR/WFS who have the HR ID Checker position are able to verify an applicant’s identity via a face to face appointment. Sponsors or Local Smartcard Administrators are unable to undertake this role.

6. Access Control Positions and SystmOne Work Groups

Smartcard Positions simplify the way that Smartcard access rights to TPP SystmOne and other smartcard enabled systems are provided. Instead of the access rights for each job being ascribed individually every time someone starts work or moves into a new job, jobs are assigned to access control positions that carry a set of approved access rights. These rights are assigned automatically (subject to the sponsor raising a request) to staff as they move into a job, and rescinded as they leave. If staff move to jobs associated with a different access control position, their access rights are altered accordingly.

Assignable Access Control Positions

Certain Positions can be assigned by sponsors to Applicants on CIS without needing approval from the RA Agent. These are listed on the Positions Spreadsheet on the Staff Intranet.

Non Assignable Access Control Positions can still be requested by the sponsor in CIS; however, these will be assigned to an RA Agent to approve before they are assigned to a user’s smartcard.

Assignable SystmOne Workgroups

SystmOne workgroups can also be assigned directly by Sponsors through CIS, without needing approval from the RA Agent. Sponsors can only assign workgroups that are under their control (i.e. only those workgroups that relate to the area(s) that they work in). This is enforced by the CIS System.

Where a sponsor wishes an applicant to be assigned a Workgroup not under their control then they must raise a request with the RA team by logging a call through the technology Service Desk. An RA Agent will then seek authorisation from the relevant service sponsor and assign the workgroup where authorisation is received.

Workgroups will usually only be assignable to sponsors within the service that the workgroup relates to. There are some exceptions, such as in the Care Coordination centre where staff require a large number of workgroups to be assigned to their access.

Changes to Access Control Positions

Because of the way that Smartcard Positions are assigned, any changes requested to a position will impact a large number of users which may or may not be appropriate.

In order to satisfy Governance requirements, any changes requested will be sent to the Position Based Access Control (PBAC) group for approval. This group consists of representation from Clinical Services, SystmOne Support Team, Information Governance and Knowledge Management team

7. Door Access and Follow Me Printing

Smartcards are increasingly being used for door access and secure printing across the organisation. In order for staff to utilise their smartcard for this purpose they must be issued with a Series 5 or above smartcard that has a Radio Frequency Identification (RFID) chip installed. This can be determined by the first two numbers on the back of the smartcard.

Door Access codes are added through the Paxton access control system and not CIS.

Where door access is required to be added to a staff member’s smartcard this can be performed during the issuance of the smartcard by the RA Agent. The following conditions must be met in order for door access to be added to a smartcard:

1. A call must be logged with the Technology Service Desk requesting access

2. If the requested door access codes match the applicant’s registered work base then the codes will be added by the RA Agent at time of registration

3. If the requested door access does not match or multiple locations are requested then the RA Agent will refer to the Health, Safety and Resilience Manager for authorisation.

4. Staff requesting door access added for Headquarters must either have their work base defined as HQ or be working at HQ for a minimum of 3 days a week. Where this is not the case then authorisation will need to be sought from the Health, Safety and Resilience Manager.

Staff are able to register their smartcard on the Follow Me Printing themselves by swiping their card on the Print device and entering their Windows user name and login.

Staff requiring a smartcard for these purposes only must have only the “NON SYSTMONE USER” Position applied to their smartcard.

8. Forgotten Smartcard Passcodes/Unlocking of Smartcards

Staff who have forgotten their Smartcard Passcode or have locked their smartcard* can use the smartcard self-unlocking service if they registered for this previously; otherwise they will need to request an assisted unlock by their LSA or Sponsor. If this is not possible then they will need to raise a call with the Technology Service Desk for an RA Agent to reset their passcode/unlock their card. Staff will need to book an appointment to bring their smartcard in for unlocking. There is no functionality within CIS to allow for the remote unlocking or resetting of Smartcard Passcodes (excepting the self-unlocking service).

*Smartcards are automatically locked after incorrectly entering their Passcode three times

When resetting a passcode or unlocking a smartcard for a user the RA Agent or Sponsor must arrange a face to face meeting where the user’s identity is verified and the passcode reset/card unlocked. The user’s identity should be confirmed by:

• The photograph on their NHS Smartcard

• If the identity cannot be verified the user is required to produce documentary evidence (See Appendix 4)

• If the identity still cannot be verified, the incident is reported to the IG Manager and raised on Datix for possible investigation. It may be necessary to cancel or revoke the locked NHS Smartcard.

Assisted Unlocking of Smartcards

The process below provides an overview of the workflow in CIS when an RA, Sponsor or LSA assists the user to unlock their Smartcard and reset the Passcode in the event the user forgets their Passcode or has incorrectly entered their Passcode three times.

CIS Workflow for Assisted Unlocking of Smartcards

Self Unlocking of Smartcards

Users can now unlock their own smartcard. Staff will need to register for the service in advance, as it is not possible to do so when a card is already locked. The procedure for registering and accessing the self-unlock service is described in Appendix 5.

Staff are encouraged to register to self-unlock to avoid having to come into Provide Headquarters to have their smartcard unlocked where a local sponsor or LSA cannot be located.

9. Passcodes Changes and Certificate Renewal

Although it is not enforced by the system, it is good practice to change your smartcard passcode regularly as you would any other system password. This can be done through the Care Identity Service (CIS) Portal. In addition, if you think that your passcode has been compromised you must also change it.

Smartcard certificates are set to expire after 2 years.

The CIS Portal is also used to collect/renew expired certificates. Users will be prompted once per day 90 days prior to certificates expiring. Once certificates have expired, an appointment must be made with an RA Agent for them to be re-issued to the card. This cannot be performed by the user or the user’s Sponsor.

Self-Renewal of Certificates

Sponsor, LSA Assisted Certificate Renewals

CIS Assisted renewal of certificates workflow

10. Lost Stolen Misplaced Damaged and Forgotten Smartcards

When a Smartcard is reported Lost/Stolen/Misplaced/Damaged then:

• The smartcard user must inform their line manager and raise a request on the Technology Service desk for the card to be cancelled.*

• The Lost/Stolen/Misplaced Smartcard will be cancelled via CIS by an RA Agent.

• A suitable appointment will be arranged with the end user for a replacement card to be issued by an RA Agent

• Where the user is unable to attend for a face to face meeting with the RA Agent, the replacement smartcard will be issued locked and will be sent to the user’s sponsor to perform an assisted unlock for the user*

*Where an end user is a Sponsor, LSA or RA Agent then the end user must present for the card to be issued. The replacement card cannot be put in the post.

Users are required to carry their smartcards with them at all times or keep in a secure locked location (as they would a bank or credit card). If a smartcard is lost/stolen/broken/misplaced/ forgotten then under no circumstances should another individual’s card be used. If this occurs it may lead to disciplinary action.

All lost/ stolen/ misplaced cards must be incident reported following the organisation’s Incident reporting policy and a call logged with the RA Support team through the Technology Service desk.

Persistent lost/misplaced/broken/forgotten cards may result in the user being charged for the replacement card. The current cost of cards is £5.00 each. This cost will be passed on to the User’s department if they repeatedly lose/misplace/break or forget their cards. Line Managers will also be made aware.

SystmOne passwords will not, except in exceptional circumstances, be issued to allow access to SystmOne should a user lose or forget their smartcard. Where a password is issued it will be at the discretion of the Systems Team, taking into account a number of factors such as the proximity of the user to the RA service or the location at which they have left their smartcard and maintaining clinical safety. Passwords will only be issued for a maximum of 72 Hours.

With the dynamic nature of change within the Local Health Community it is important that registered individuals can have their profiles changed quickly. The process for change is set out below and illustrated in the flow chart, which follows. This process requires that Sponsors log onto CIS to request these changes or that the changes are logged through the Technology Service Desk*

Instances where changes may be required include:

• Where a staff member changes their name (e.g. Marriage, Divorce or through Deed Poll). They will be required to present the documentation to the RA Agent before changes are made.

• Changes are required to a user’s access rights. This must be authorised by a sponsor.

• Removal of access rights, which are no longer appropriate to the designated user. This must be authorised by a sponsor.

*All requests for changes must be authorised by the sponsor

12. Leavers

When staff leave the organisation, the following points need to be followed:

• All Provide roles and profiles in CIS pertaining to the employee must be deactivated as soon as possible

• If the User is transferring to an NHS related location e.g. another community provider, a hospital Trust, GP Practice, CCG etc. then the user is allowed to retain the Smartcard but the profile in this organisation must be removed;

• Staff permanently leaving the organisation/ NHS must have their profile on CIS closed which will cancel their certificates, revoke access and destroy the card. The card must be handed to the RA Agent or put in confidential waste facilities.

• The RA Agent must be notified giving as much notice as possible by a request raised on CIS by their sponsor or a call being logged with the Technology Service Desk

• The required actions must be taken as soon as possible once the finish date of the member of staff is known.

• The Human Resources team provides a monthly list of leavers to the RA Team. This list is checked to ensure that access has been revoked by the sponsor.

• Sponsors should revoke access themselves through CIS when a staff member leaves their team or when access is no longer appropriate.

• If a staff member moves between Provide departments, then the same procedure must be followed to close down their access for the department they are leaving.

• Volunteer leavers will be notified to the RA team by their sponsor. The sponsor will provide the RA team with the details of the volunteer leaving and which service they were assigned to. At that point the RA team will remove the access from the smartcard and if relevant and the card has been surrendered, it will be destroyed and removed from the spine.

A leavers list will be sent on a monthly basis by the Volunteer Coordinator

Short Term Leave (up to 6 months)

Where leave is expected to be between one and six months and the user intends to return after this period, it is recommended that the user’s organisational access is removed the day they leave but the user must retain their NHS Smartcard. CIS should be used to identify the positions assigned, which must be end dated as appropriate. Users can have their access reinstated when they return by assigning the user to the position again.

If prior to the end of the leave, RA has been advised by HR that the user has ceased to provide their services, then the user’s end assignment date to positions in CIS for that service needs to be amended.

Long Term Leave (Over 6 months)

Users who are planning to take sabbaticals should only have their position assignment end dated in CIS and retain their NHS Smartcard.

Maternity Leave

In the case of maternity leave it is still acceptable for the user to retain their NHS Smartcard whilst they remain in the employment of the organisation (even if it is unpaid maternity leave).

Summary of Leavers Processes

Re-Opening a User

Users that have been closed using the Close user workflow can be reopened subsequently in CIS. This may be required where users have been closed by mistake, or returned to work in the organisation.

In CIS, the reasons when reopening a user consist of:

1. Returned from long leave

2. Closed by mistake

3. Joined back

4. Other

RA staff must reconfirm identification where reasons 1, 3 or 4 from the above list are selected.

13. Issuing Smartcards to Non-Employed Staff

Contractors

The organisation will ensure all contractors who need to use National Spine Applications are aware of their responsibilities defined in the Information Security Policy and Confidentiality Code of Conduct Policies including the process to be taken in cases of a breach and liability issues.

Temporary / Locum/ Bank Staff

Temporary or locum staff will normally be expected to hold smartcards if they have worked for other NHS organisations. If a smartcard needs to be issued to the individual, the sponsor will only be able to vouch for their position and workgroup. The individual will need to provide the necessary documentation to prove their identity as described.

All Temporary and Agency staff must have an end date set on their position assignment in CIS for one calendar month in the future. Where services have a number of temporary staff they may set expiry dates to be co-terminus. This means that you can set an expiry date for the same day of each month.

For example:

| | Starts in service | Position end date | Why? |
|---|---|---|---|
| Staff Member 1 | 1st of February | 1st of March | |
| Staff Member 2 | 12th of February | 1st of March | Start date is before the middle of the month therefore expiry date is 1st of the next month |
| Staff Member 3 | 19th of February | 1st of April | Start date is past the middle of the month therefore expiry date will be set for the 1st of the month after next. |

In the scenario above the sponsor of the service will need to log on to CIS before or on the 1st of each month to review and renew any access that is still required.

See Appendix 3 for full process.
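
The co-terminus end-date rule from the table above, written out as an added example (not part of the original procedure and not CIS functionality). The mid-month cut-off of day 15, the record layout and all function names are assumptions, and the sample records are constructed; the audit flags temporary assignments with no end date or with an end date later than the rule allows.

```python
from datetime import date
from typing import Optional

# Assumption: the procedure says "middle of the month" without naming a day.
# The table only shows that the 12th counts as before and the 19th as after.
MID_MONTH_DAY = 15


def first_of_month_after(d: date, months: int) -> date:
    """Return the 1st of the month that is `months` months after d's month."""
    idx = d.year * 12 + (d.month - 1) + months
    return date(idx // 12, idx % 12 + 1, 1)


def coterminous_end_date(start: date) -> date:
    """Position end date for a temporary assignment starting on `start`.

    On or before mid-month: 1st of the next month.
    After mid-month: 1st of the month after next.
    """
    months = 1 if start.day <= MID_MONTH_DAY else 2
    return first_of_month_after(start, months)


def audit_assignments(assignments: list, today: date) -> list:
    """Flag temporary position assignments that break the end-date rule.

    Each assignment is a dict with hypothetical keys 'user', 'start', 'end'.
    The allowed limit is computed from the later of the start date and today,
    so an assignment the sponsor renewed at a monthly review is not flagged.
    """
    findings = []
    for a in assignments:
        end: Optional[date] = a["end"]
        limit = coterminous_end_date(max(a["start"], today))
        if end is None:
            findings.append((a["user"], "no end date set"))
        elif end > limit:
            findings.append((a["user"], f"end date {end} is later than {limit}"))
    return findings


# Constructed sample records (the year is arbitrary; the page gives none).
SAMPLE = [
    {"user": "temp-a", "start": date(2024, 2, 1), "end": date(2024, 3, 1)},
    {"user": "temp-b", "start": date(2024, 2, 19), "end": None},
    {"user": "temp-c", "start": date(2024, 2, 12), "end": date(2024, 6, 30)},
]

if __name__ == "__main__":
    for user, reason in audit_assignments(SAMPLE, today=date(2024, 2, 20)):
        print(f"{user}: {reason}")
```
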

Students

Students carrying out university placements within the organisation will normally be issued with a smartcard. Students will be required to complete SystmOne Training before using their smartcard to access SystmOne.

Students are to be assigned the following position in CIS: Student Practitioner

Volunteers

Volunteers who will be carrying out roles that require access to SystmOne can be issued with a smartcard but only for the period that they are assigned to a particular role and team. As with the Temporary and Locum staff they will need to be created on CIS as a new user by the sponsor, the position and team confirmed and they will need to produce the relevant ID at the point where a smartcard is issued. The end date to the position needs to be added to any SystmOne access.

14. Contingencies

It is expected that some users may turn up without a request being raised by HR/WFS or their manager, or may not be able to meet the requirements for proving their identity or that there may be other unforeseen issues that prevent registration.

Incomplete Registrations

If staff present to the RA Agent without the appropriate request being raised by their sponsor/HR/WFS/Manager

RA Smartcards will not be issued to staff without the appropriate identification being presented to verify identity (See Appendix 4)

Problems with CIS

Where there are problems with sponsors accessing CIS to complete a registration, business continuity plans will be invoked and the RA team will accept the paper registration forms which are available on the staff intranet.

Hardware Issues

If problems are experienced with printing Smartcards when an applicant meets with the RA Agent, then the RA Agent will perform all the steps that they are able to. The smartcard can then be printed and sent to the applicant’s sponsor for unlocking and issuance to the applicant, which negates the need for them to return at a later date. Any cards sent in the post must be sent “Locked”. Confirmation from the sponsor or applicant must be received that the card has been received.

User Unable to attend to collect Smartcard

For new registrations it is the requirement under National RA Policy that the applicant attends in person to receive their smartcard, so that the RA Agent can verify their identity before issuing the smartcard. The RA team will work with the applicant to find a mutually agreeable time. Where there are issues in attending Colchester.

Where a replacement smartcard is required (e.g. Lost, Stolen, Broken) and the applicant is unable to attend to receive their card, then the Smartcard can be issued locked and sent either to the user’s sponsor who will then assist the user to unlock their smartcard or it can be sent directly to the user (at their base or home address) and the user will follow the “unlocking your own smartcard” process.

Where smartcards are sent in the post, the sponsor or the user will be required to confirm that the smartcard has been received. If the card is not received or the confirmation has not been received after 7 days then the Smartcard will be cancelled and a new card will need to be sent out.

15. Smartcard Training and Guidance

Training and guidance on smartcard usage is delivered through a variety of mechanisms. This includes Local Induction, Corporate induction, SystmOne Generic training and updates in the Staff Newsletter. E-Learning training is mandatory for Sponsors, Local Smartcard Administrators and RA Agents to complete.

The RA team also deliver ad hoc face to face training to sponsors and LSAs where appropriate.

The RA Agents can provide one to one training where a need is identified.

16. Handling of Equipment and Documents

Equipment

RA equipment will initially be held in IT and will then be the responsibility of the RA Agent it is issued to, with overall responsibility being maintained by the IG Manager. Access to RA associated equipment will at all times be controlled. RA equipment is indicated within the Asset Register of the organisation and available for printing and auditing at any time. Such equipment will be the subject of a discrete Risk Management exercise and the IT Department will reference it within their asset register.

The Agent on behalf of the organisation will be responsible for ensuring that adequate numbers of Smartcards are available and maintaining the Smartcards throughout their useful life. The IT Manager will ensure that there is sufficient computer equipment to support all users of smartcard enabled applications (including those for registration). All RA equipment will be subject to policies and procedures governing the management and control of Provide Assets.

Cards

Access to unused Smartcards will at all times be controlled. Unused smartcards must be kept in a secure locked location and accessible to authorised users only. Spot checks are performed to ensure that staff are using smartcards securely and findings are reported where necessary to the Finance and Risk Committee and Quality and Safety Committee.

Documents

CIS is an electronic system and negates the need for the use of Paper Forms. The RA Team will not accept paper forms except in those circumstances mentioned in these procedures to ensure Business Continuity.

Where Business continuity plans are invoked and paper forms are processed these must be scanned into Windip and the paper copies put into the Confidential Waste bins.

17. Confidentiality of Information

All personal data held by the RA relating to the registration operations (e.g., personnel checks, personal identification documentation, Certificate Holder Agreements, etc.) are considered to be sensitive information and must be protected in accordance with the Data Protection Act (1998). Protection measures are as follows:

• Storage must be locked, secure, and limited in access to those individuals in the RA function who are actively processing registration information;

• The information captured can only be used in relation to the process of registration and must not be used for any other purpose.

• RA Agents are bound by the requirement to maintain the confidentiality of personal information provided to them as part of the authentication process;

• RA Agents should log details of the evidence that has been used i.e. Passport number, Driving Licence number in CIS

• Copies of Identification should not be made and retained. Where electronic copies of Identification are being shared by the HR team to facilitate the identity checks these must be deleted once identity checks by the RA agent have been performed.

Further guidance can be obtained from the Provide Information Security Policy.

18. Handling Issues and Incidents

In line with the organisation’s Information Security policy any suspected breach must firstly be reported to a line manager who will inform the RA Agent. In cases where this is not appropriate the RA Agent should be contacted directly. Any breach must be reported via Datix following the organisation’s Incident reporting procedures.

Incidents will be reviewed on a quarterly basis by the Quality and Safety Committee

Any issues or incidents meriting card revocation or disciplinary action will need to be addressed immediately in line with Provide Disciplinary policy.

19. Monitoring and Review

A review of these procedures will be supported and informed by analysis of breaches of confidentiality.

This Procedure must be reviewed when any of the following conditions are met:

• The adoption of these Procedures highlights errors or omissions in its content;

• Where other policies/strategies/guidance issued by the organisation conflict with the information contained herein;

• Changes to RA System and/or smartcard enabled systems.

• Organisational changes.

• Where the procedural or guidance framework of the NHS evolves/changes such that revision would bring about improvement; and

• 2 years elapse after approval of the current version.

20. Glossary of Terms

Account Recovery Password

If a registered User forgets their Smartcard Passcode, an RA can confirm their identity through the Account Recovery Passcode. This is set by the User during the registration meeting and known by them only.

Applicant

An applicant is an individual who is in the process of registering to become an authorised User of the NHS CRS and other National Programme for IT applications.

Authentication

RA policy supports two-factor authentication of the User, proving their identity beyond reasonable doubt as required by the government security standard of e-GIF Level 3. This requires:

• Something you have (the Smartcard)

• Something you know (the Passcode to unlock the Smartcard)

Caldicott Guardian

The Caldicott Guardian’s key responsibilities are to oversee how staff use personal health information and to ensure that patients’ rights to confidentiality are respected.

Care Identity Service (CIS)

The Care Identity Service or CIS for short is the online system developed by NHS Digital used to register applicants for a smartcard and perform maintenance tasks such as issuing smartcards, amending access and renewing smartcard certificates.

Certificates

Smartcards contain ‘certificates’ which are vital in maintaining the security of who can access the NHS CRS and other National Programme for IT applications. They are electronic, encrypted ‘keys’ that maintain a required level of security programmed to expire after two years, controlling who has access to NHS CRS applications and safeguarding them from being ‘cracked’ over time.

Health and Social Care Information Centre (HSCIC)

The national provider of information, data and IT systems for health and social care.

eGIF

Electronic-Government Interoperability Framework. This provides guidance on the level of security that is necessary for the NHS CRS.

Job Role

A Job Role, as defined by the national Baseline policy, is a pre-defined group of Activities that help the IT application to identify what functionality a User will be allowed to access in the NHS CRS which they need to perform their role.

Legitimate Relationship

The relationship between a patient and NHS CRS User that identifies that the NHS CRS Smartcard holder can access that particular patient’s medical record.

Local Service Provider (LSP)

Local Service Provider of Information Technology

National Care Records System (NCRS)

National IT System storing patient care records

Pass-code/PIN

The pass-code/PIN entered into the computer when logging onto the system. This allows the system to identify that the person using the Smartcard is the person to whom the card is registered. This is to be kept secret at all times.

Registration Authority

The Registration Authority ensures that all aspects of Registration adhere to National Policies and Procedures. It is also responsible for ensuring tight control over the issue of Smartcards and the security of information.

RA Manager

The RA Manager is responsible for the overall running of the RA process in the organisation. The RA Manager sits within NELCSU*.

RA Agent

RA Agents are responsible for checking candidates’ credentials, issuing Smartcards and the day-to-day running of the RA Process.

RA Sponsor

The RA Sponsor confirms that candidates are eligible and in need of a Smartcard and assigns the level of access to information to the candidate via the Job Role.

Position Based Access Control (PBAC)

The RA Sponsor assigns pre-defined positions to Users. These positions denote which access rights are available to the user.

Smartcards

The cards used to gain access to the relevant systems. Operated by a chip and PIN system these have the User’s name and photograph printed on them in conjunction with a Unique User ID Number (UUID). They do not contain the name of their Organisation enabling the card to be transferred from organisation to organisation.

Smartcard Reader

Used to read the Smartcard and validate the User’s Passcode so that the User can be authenticated with the Spine. All Smartcard readers also have the capability to write to Smartcards for certificate renewal and Passcode maintenance.

User

Staff members and other Health Care Professionals issued with Smartcards to access National Health Care Systems.

Unique User ID Number (UUID)

A 12 digit Identifying number assigned to each User account, also printed on Smartcard.

Verification Passcode

Passcodes are set by the User during the Registration meeting and are known only to them. The Verification Passcode is currently used by the NHS CRS and other National Programme for IT programmes such as Choose and Book – the Booking Management Service. Its use is defined by the application supplier.

Workgroup

A Workgroup links access to a SystmOne Unit. Assigning a workgroup to a smartcard provides access to the corresponding SystmOne unit.

21. References

1. Registration Authorities Operational and Process Guidance – Health and Social Care Information Centre (HSCIC)

2. HSCIC – RA Policy

3. NHS Employment Check Standards

Appendix 1: Key Contacts

For the most up to date list of contacts please consult the intranet pages

Smartcard Sponsors and Unlockers - Provide Community Platform

Appendix 2: Instructions for Looking up Codes for Smart Cards in SystmOne

Log into SystmOne in the normal way, go to setup, then users and policy, and then RBAC Staff Roles. This will bring up a full list of the staff roles and the codes. You only need to provide the code beginning with R, for example R8001.

To look up activity codes to give staff access rights into the system you need to go again to Users & Policy and then click on RBAC Business Functions and this will bring up a list of activity codes. The codes start with a B, for example, B0312.

To look up the work group codes, when you are in SystmOne, press F4 and this will bring up the following list:

You can click on the work group you are looking for and it will give you the work group ID in the right hand side of the screen.

You can also add the work groups to your favourites to save you searching every time. To do this right click on the work group name:

Click on Add to Favourites and it will add the work group to your favourites list. To access the favourites list click on the favourites tab and this will open up the favourites list:

Appendix 3: Process for Temporary and Agency Staff

Appendix 4: Acceptable Documentary Evidence for Proof of Identity

(NHS Employers Requirements)

List 1: Acceptable photographic personal identification

Employers should, in the first instance, always try to obtain photographic documents to verify a person’s identity and this should be compared with the applicant’s likeness by conducting a face-to-face meeting. Acceptable documents of photographic personal identification include:

• UK (Channel Islands, Isle of Man or Irish) passport or EU/other nationalities passport

• passports of non-EU nationals and other valid evidence relating to their immigration status and permission to work*

• UK full or provisional photo-card driving licence – where relevant to the position being recruited to, additional information may be sought about any penalties or restrictions through the DVLA's on-line 'Share Driving Licence Service'.

• EU/other nationalities photo-card driving licence (valid up to 12 months up to the date of when the individual entered the UK and providing that the person checking is confident that non-UK photo-card driving licences are bona fide)

• Biometric Residence Permit (formerly known as identity cards for foreign nationals) (UK)*

• HM Armed Forces Identity card

• ID cards carrying the PASS accreditation logo (UK and Channel Islands), for example a UK Citizen ID card. This card can be applied for by residents of the UK and is verifiable with similar security marks to UK passports and driving licences.

Any other document that is not listed above, for example organisational ID cards, must not be accepted.

*For further information about immigration, please refer to the Right to Work check document of the NHS Employment Check Standards.

What to do if no acceptable photographic identification documents are available

If an individual genuinely cannot provide any form of acceptable photographic personal identification as outlined within List 1 above, then the following combination of documentary evidence should be requested:

• two documents confirming their current address from List 2

• two forms of non-photographic personal identity from List 3; and

• a passport sized photograph of themselves.

Each of the documents provided should be from a different source and photographs must be endorsed on the back with the signature of a person of some standing in their community. A person of some standing in their community may be a magistrate, medical practitioner, officer of the armed forces, teacher, lawyer, bank manager or civil servant who has known them for at least three years.

The photograph should be accompanied with a signed statement from that person, stating the period of time they have known the applicant. Always check that signature provided in the statement matches the one on the back of the photograph, and that it contains a legible name, address and telephone number so that information can be verified.

List 2: Acceptable confirmation of address documents

Acceptable documents for confirmation of address include:

• utility bill (gas, water, electricity or land-line telephone), or a certificate from a utility supplier confirming the arrangement to pay for the services on pre-payment terms at a fixed address. More than one utility bill may be accepted if these are from two different suppliers. Utility bills in joint names are also permissible (UK)*

• local authority tax statement – for example, a council tax statement (UK and Channel Islands)**

• UK full or provisional driving licence – if not already presented as a personal photographic identity

• UK full driving licence (old-style paper version), old-style provisional driving licences are not acceptable

• most recent HM Revenue & Customs tax notification (i.e. tax assessment, statement of account, notice of coding but not a P45 or P60)**

• financial statement such as bank, building society, or credit card statement* (UK and EEA. Non EEA statements must not be accepted)

• credit union statement (UK)*

• mortgage statement from a recognised lender** (UK and EEA – non EEA statements must not be accepted)

• local council rent card or tenancy agreement*

• benefit statement, book or card; or original notification letter from the Department of Work and Pensions (DWP) confirming the rights to benefit – for example, child allowance, pension (UK)**

• confirmation from an electoral register search that a person of that name lives at the claimed address.**

Providing documentary evidence for previous addresses may be difficult if your check covers a long period of time, therefore you may wish to carry out an electronic identity database search, for example a check against the electoral register.

Any gaps in residence details should be handled sensitively and probed at the interview stage. There may be many reasons as to why this cannot be accounted for, such as foreign residence or travel.

Consider the time period – if less than three months you may decide that it is unnecessary or disproportionate to confirm activities during that period.

If a gap in residency is more than a period of three consecutive months or a period of six cumulative months, you should ask the individual to provide relevant documentation to cover the period in question, for example checking the individual’s passport or other documentation to prove their stay in those countries. If the individual has been living abroad, ask them to provide confirmation of address such as a tenancy agreement or a bank statement.

List 3: Acceptable non-photographic proof of personal identification Documents

Acceptable non-photographic documents include:

• full birth certificate (UK and Channel Islands) issued after the date of birth by the General Register Office or other relevant authority, for example registrars

• full birth certificate issued by UK authorities overseas, such as embassies, high commissions and HM Forces

• UK full old-style paper driving licence – old-style provisional driving licences are not acceptable

• work permit/residency permit (UK) valid up to the expiry date

• adoption certificate (UK and Channel Islands)

• marriage or civil partnership certificate (UK and Channel Islands)

• divorce, dissolution or annulment papers (UK and Channel Islands)

• gender recognition certificate

• deed poll certificate

• firearms certificate/license (UK, Channel Islands and Isle of Man)

• police registration document

• certificate of employment in the HM Forces (UK)

• benefit statement, book or card or original notification letter from the Department of Work and Pensions (DWP) confirming the legal right to benefit for example, child allowance, pension**

• a document from a local/central government authority or local authority giving entitlement such as Employment Services, Job Centre, Social Security Services (UK and Channel Islands)*

• most recent tax notification from HM Revenue and Customs (i.e. tax assessment, statement of account, notice of coding, P45 or P60) (UK and Channel Islands)**

*All documents must be dated within the last six months, unless there is good reason for it not to be, for example where there is clear evidence that the individual was not living in the UK for three months or more. These documents must contain the name and address of the applicant.

** All documents must be dated within the last 12 months. Not denoted means that the document can be more than 12 months old.

Acceptable documents for those who have recently left full time education (16 to 19 year-olds)

When appointing someone who has recently left full-time education you should ask for one piece of personal photographic evidence; or where this is genuinely not possible, a passport sized photograph which is endorsed by a person of some standing in their community as indicated in the section above; and a combination of two of the documents listed below:

• a grant or student loan agreement from a local education authority (UK)

• full birth certificate (UK and Channel Islands) issued after the date of birth by the General Register Office or other relevant authority, for example registrars

• full birth certificate issued after the date of birth by UK authorities overseas, such as embassies, high commissions and HM Forces

• National Insurance (NI) number or proof of issue of an NI number – the majority of individuals will be automatically issued with a NI number at the age of 16 and this will be a HR requirement for employment

• a letter from their headteacher or college principal can be requested, verifying their name and other relevant information for example, address or date of birth (UK)

• a document from a local/central government authority or local authority giving entitlement such as Employment Services, Job Centre, Social Security Services (UK and Channel Islands)*

• a qualification certificate.

Acceptable documents for refugees and asylum seekers

Refugees are people who have had a positive decision on their claim for asylum under the 1951 United Nations Convention Relating to the Status of Refugees (the Refugees Convention). Individuals who do not meet the Refugee Convention’s criteria for refugee status may qualify either for humanitarian protection (granted for a period of five years), or discretionary leave to remain (granted up to a period of three years). It is important for employers to refer to the Right to Work Check document of the NHS Employment Check Standards in relation to a refugee’s right to work and reside freely in the UK.

Refugees will not normally have a passport and are unlikely to have copies of other official documents, such as birth certificates or photo identity cards. When granted leave to remain in the UK, a refugee will be issued with an Immigration Status Document (ISD) by the Home Office, which will indicate their refugee status. This document can be used to verify both their identity and their right to work in the UK. They may also have a travel document which can be accepted to verify their identity.

Appendix 5: Registering for Self-Unlocking of Smartcards

Unlocking Your Own Smartcard

You will need to register for the service in advance, as it is not possible to do so when your card is already blocked.

Please follow the procedure below to register your card for self-service:

1. Log into your smartcard as usual.

2. Click on the NHS Card Services icon on your desktop: https://portal.national.ncrs.nhs.uk/portal/

3. Click on Launch Care Identity Service

4. You will be taken to your dashboard.

5. On the right hand side will be a link called My Profile. Click onto the link and your profile will load.

6. Scroll down the page to the self-service section.

7. Click on the Register button and an information page will launch which you need to read.

8. Now click open the link and it will ask you to input your passcode. This is the pin number you use when you insert your Smartcard.

9. The next page lists security questions that require answers to authenticate you when you use the service. Please try to use questions and answers you can easily remember.

10. Now you will be asked for your NHS email account details so that the service can send you a once only security code that you will need to input.

11. The security code will be sent to your email account but is only valid for 15 minutes so please input that code carefully and exactly as it is given to you. Please note that you cannot copy and paste this.

12. You will then receive a message telling you that you are active for self-service.

13. When you next lock yourself out of your Smartcard you need to use the following link to activate the card unlocking facility: https://uim.national.ncrs.nhs.uk/selfservicewebapp/unlockCardStart

14. You can find a link on the staff intranet under the links section on the home page. It’s called Smartcard Self Unlock Portal.

Appendix 6: Remote smartcard registration – emergency guidance for Registration Authorities

About the process

This process applies via revised guidance, to all registrants, where a face to face meeting is not possible.

During the coronavirus (COVID-19) pandemic, it replaces the standard registration process and involves a method of establishing the registrant’s identity through the remote provision of:

• identity document

• an image file suitable for use as a passport-compliant photograph

• confirmation that the image is a true likeness of the registrant

This process is to be used by Service Provider Registration Authority (RA) Agents acting on behalf of Registering Organisations whenever they need to register a new member of staff.

It allows for user access to be rescinded and/or users de-registered in a managed way when normal conditions return.

Prerequisites

Registration Authority (RA) Service Providers will:

• distribute this guidance to the relevant staff in all organisations for which they have registration responsibilities

• agree with their Registering Organisations the appropriate video conference channel(s) for video calls (VCs) taking into account availability, security and cost - possible channels include Microsoft Teams, Slack, Zoom, Webex, Jabber and FaceTime

• agree with their Registering Organisations appropriate locations that they will allow when registering for their organisations - locations need to be sufficiently private, for example registrants' homes

• ensure that their Registration Authority staff are aware of these procedures and the specific arrangements with the organisations for which they have registration responsibilities

Remote registration process - stage 1 (before the video call)

The Registration Authority (RA) Agent for the Registration Authority (RA) Service Provider receives a request for smartcard registration via existing channels and processes. It is essential that the registrant provides their email address, preferably an NHS or other secure email address if available. Otherwise judgement is to be exercised by the Registration Authority (RA).

In response to the registration request, the Registration Authority (RA) Agent asks the registrant to provide the following items by email, again, by NHSmail or other secure email if available:

• organisation for first registration (if not already specified in the request)

• full name

• date of birth

• national insurance number

• scan of one photographic identity document(s) - needs to be a valid passport or driving licence

• image file suitable for use as a passport-compliant photograph

• mobile phone number (required later to text the smartcard passcode)

In the email, the Registration Authority (RA) Agent gives the registrant their mobile number to confirm the receipt of the smartcard and receive its passcode once posted. In the unlikely event that the registrant does not have any photographic identity documents the Registration Authority (RA) Agent will decide which document(s) from the NHS Employers options (for users with no photographic ID) should be asked for. Once the required documents have been received, the Registration Authority Agent contacts the Registrant to arrange the video meeting and explain the process.

Remote registration process - stage 2 (the video call)

The Registration Authority (RA) Agent:

• text messages a set of randomly generated numbers each time to the registrant who is asked to read it out - this binds the telephone number to the individual on the video call and establishes the number to text the smartcard passcode to (see below)

• asks the registrant to show their scanned photographic identity document for the Registration Authority (RA) Agent to check against the live image of the registrant

Assuming that the video call image of the registrant matches the image on the scanned identity document, the video call process is complete, and the Registration Authority (RA) Agent can terminate the video call and continue the registration process.

Remote registration process - stage 3 (after the video call)

The Registration Authority (RA) Agent creates/completes the registrant’s identity in the Care Identity Service (CIS).

In order to flag the entry as a COVID-19 record the Registration Authority (RA) Agent enters the following data:

• choose UK passport as the photographic evidence – enter 000000000 in the passport number field and the date 1 April 2025 in the expiry date field

• go to non-photo ID and select ‘TAC1’ and ‘TAC2’ (Temporary Access Card) as the two sources of non-photo ID (used for creation of temporary access cards in other situations) and enter 1 March 2020 as date of issue

The Registration Authority Agent:

1. prints the smartcard for the registrant, unlocked with a randomly generated 6-digit passcode obtained from a service such as https://www.random.org/integersets/, and records the passcode securely.

2. arranges for delivery of the smartcard to the registrant.

3. texts the smartcard’s 6-digit passcode to the registrant (using the registrant’s previously recorded mobile number), when they call to say that the smartcard has been received.

4. assigns access to the registrant using the normal process.

Additional information

What to do if an existing user locks their card or the certificate expires

Without face to face contact the only option is to print a new unlocked card as per process above and send to the user – and cancel the locked or expired card.

What happens when you need to rapidly move pharmacy staff to other pharmacies

It has been agreed that wider use of the Role Based Access Control (RBAC) 'National Locum Pharmacy Agency' code and position (FFFFF) can be used, but it is important that RAs keep a log of users given this access for exceptional reasons so that it can be revoked as appropriate at some point in the future.
