REGISTRATION AUTHORITY POLICY
REFERENCE NUMBER: SAMPLE1
APPROVING COMMITTEE(S) AND DATE: Governance Committee
AUTHOR(S) / FURTHER INFORMATION: Senior HR Manager
LEAD DIRECTOR: Director of Health Standards
THIS DOCUMENT REPLACES:
REVIEW DUE DATE: March 2011
RATIFICATION DATE/DRAFT No: March 2009
VALIDATION SIGNATURE:
This policy is individual to NHS Sample Organisation.
NHS Sample Organisation does not accept any liability to any third party that adopts or amends this policy.
© NHS Sample Organisation.
NHS Sample Organisation is committed to ensuring that, as far as it is
reasonably practicable, the way we provide services to the public and
the way we treat our staff reflects their individual needs and does not
discriminate against individuals or groups on the basis of their age,
disability, gender, race, religion/belief or sexual orientation.
Should a member of staff or any other person require access to this
policy in another language or format (such as Braille or large print) they
can do so by contacting the communications department or the relevant
policy holder. NHS Sample Organisation will do its utmost to support and
develop equitable access to all policies.
Managers are responsible for ensuring staff within their area of
responsibility are aware of NHS Sample Organisation policies and that
staff adhere to them.
Managers are responsible for ensuring that a system is in place for their
area of responsibility that keeps staff up to date with new policy
changes.
Staff are responsible for ensuring they are familiar with policies, know
where to locate the documents on the NHS Sample Organisation’s website,
and seek out every opportunity to keep up to date with them.
Independent contractors are expected to identify a lead person to be
responsible for ensuring staff employed within their practice are aware
of NHS Sample Organisation policies.
CONTENTS
1 INTRODUCTION
Scope
Principles
2 REGISTRATION AUTHORITY POLICY
Governance
Board Level Responsibility
RA Manager Responsibility
Sponsor Level Responsibility
RA Agent Responsibility
Staff Responsibility
3 IMPLEMENTATION
Incident reporting
Management and Use of RA Equipment
Local Support Processes for CfH Application Users
Process for Monitoring Compliance
4 REFERENCE DOCUMENTS
5 GLOSSARY
1. INTRODUCTION
1.1 The National Programme for IT (NPfIT) is a core part of Connecting for Health
which will rationalise and improve the use of IT in the NHS to provide greater
benefit to both patients and clinicians over the next 7 to 10 years.
1.2 As part of this programme the NHS Care Records Service is being developed
to provide a live, interactive patient record service accessible 24 hours a day,
seven days a week, by health professionals working across all health sectors.
1.3 With the introduction of the NHS Care Records Service (NHS CRS)
applications it is of paramount importance that patients of the NHS are
confident that their medical records are being appropriately kept secure and
confidential in line with the NHS Care Records Guarantee.
1.4 To deliver this programme the country has been divided into 5 sectors, each
with a Local Service Provider who will develop and implement the required
local IT systems to support the national programme. Initially these systems will
only be accessible from individual organisations. Future plans will enable the
sharing of core elements of patient information held in these systems to
provide the National Care Records Service.
1.5 In order to support the key strategic direction as detailed in the PCT’s IT
Strategy, the legacy systems, inherited from three predecessor organisations,
needed to be replaced with a single patient information system to support the
whole PCT. The migration from the legacy information systems to the Care
Records Service took place in November 2006.
1.6 The security and confidentiality of all of the systems provided through the
NPfIT is paramount and therefore the PCT has to conform to the stringent
national access procedures.
Scope
1.7 In order for staff to have access to the National Programme for Information
Technology (NPfIT) applications being implemented by Connecting for Health
(CfH), they need to be registered on to the Spine User Directory. The
registration process for the National Programme has to meet the current
Government requirements and will be applied nationally.
1.8 All the NPfIT applications use a common security and confidentiality approach.
This is based upon the user's organisation(s), role(s), area(s) of work and
business function. The primary method by which users will be enabled to
access an NPfIT application is via a Smartcard issued during the Registration
Process.
1.9 Once an applicant has been successfully registered they will have a User ID,
Passcode and Smartcard – which will permit their access to the appropriate
application/s and information. The process of gaining access to the National
Programme applications is called National Programme Registration. A
Registration Authority which is required to conform to the National Registration
Policy operates the Registration Process at a local level.
1.10 This document describes the policy for the operation of the Registration
Authority (RA) within NHS Sample Organisation (hereafter known as the
SAMPLE ORGANISATION) and the procedures are identified in the Registration Authority Procedures document.
Principles
1.11 The policy sets out the governance arrangements for RA and will be adhered
to by:
SAMPLE ORGANISATION Board Members and Senior Practice Staff
SAMPLE ORGANISATION Caldicott Guardian
All users of the SAMPLE ORGANISATION RA Service
SAMPLE ORGANISATION Human Resources personnel
SAMPLE ORGANISATION IT Services personnel
SAMPLE ORGANISATION/Practice Confidentiality Specialists including Caldicott Guardians
Local Health Community IT Support Service and Help Desk personnel.
1.12 This document will be published within SAMPLE ORGANISATION and made available to all
NPfIT Application users.
1.13 The local procedures listed below are necessary to support the National
Policies and Procedures and are contained in a separate document,
Registration Authority Procedures. They comply with Information Governance
arrangements and specify the following:
Identification and Appointment of RA Team Members
Registration of RA Manager
Registration of RA Agents
Registration of Sponsor
Registration of NPfIT Application Users
Management of NPfIT Application Users
Management of RA/User Smartcards
Management of RA/User Passcodes
Management of RA/User Profiles.
1.14 In this document the word "staff" means people who are directly
employed by, contracted to provide services to, or party to an agreement
with SAMPLE ORGANISATION.
2. REGISTRATION AUTHORITY POLICY
2.1 SAMPLE ORGANISATION has a Registration Authority to manage the distribution and use of
Smartcards.
2.2 The Registration Authority is responsible for providing a secure, accountable and
authoritative service in line with National Registration Processes.
The SAMPLE ORGANISATION Registration Authority is made up of the following personnel:
Registration Authority Manager
Registration Sponsors
Registration Agents
The RA provides the following:
User Registration
Role Profile maintenance
Adding Role Profiles
Changing Role Profiles
Deactivating Role Profiles
Revocation and cancellation of Smartcards
User Suspension
Passcode resetting
Changes to Shared Secrets
Smartcard renewal and exchange.
Governance
2.3 The Registration Authority (RA) is responsible for ensuring that all aspects of
registration services and operations are performed in accordance with
National Policies and Procedures. It is responsible for providing arrangements
that will ensure tight control of the issue and maintenance of Smartcards,
whilst providing an efficient and responsive service that meets the needs of
users. The Registration Authority is responsible for the governance
arrangements in place at hosted organisations such as LaSCA and CaLCIS
and this policy will apply to those organisations.
Board Level Responsibility
2.4 The Registration Authority has the responsibility for providing a secure,
accountable and authoritative service. In line with National Registration
Processes the senior responsible officer for Connecting for Health (CfH)
activities is the Chief Executive who delegates initial responsibility to the
Caldicott Guardian. The Caldicott Guardian audits and maintains the
protection of confidentiality of patient and service user information and enables
appropriate information sharing.
2.5 The Guardian plays a key role in ensuring that the NHS, Councils with Social
Services responsibilities and partner organisations satisfy the highest practical
standards for handling patient identifiable information. Acting as the
‘conscience’ of an organisation, the Guardian actively supports work to
facilitate and enable information sharing and advises on options for lawful and
ethical processing of information as required.
2.6 The Caldicott Guardian also has a strategic role, which involves representing
and championing Information Governance requirements and issues at Board
or management team level and, where appropriate, at a range of levels within
the organisation’s overall governance framework. This role is particularly
important in relation to the implementation of the National Programme for IT
and the development of Electronic Health and Social Care Records and
Common Assessment Frameworks.
RA Manager Responsibility
2.7 The RA Manager is responsible for the setting up of the RA agents and all
policies and procedures concerning RA. These must be agreed with the
SAMPLE ORGANISATION Executive Management Team. The RA Manager is responsible for auditing RA processes and compliance with procedures.
Sponsor Level Responsibility
2.8 A Sponsor is a designated individual who assists the RA with the registration
of all staff that require digital certificates for use with registered and approved
NPfIT applications, by sponsoring requests to the RA for the issue of such
certificates. Sponsors will typically be at managerial level within SAMPLE ORGANISATION and
must have responsibility for the staff they are nominating.
2.9 Sponsors cannot be self-appointed; they cannot delegate their responsibilities,
nor can they sponsor other sponsors.
They have specific responsibilities:
Identification of the type and levels of access to information an end
User requires to complete their job via a CfH application
Ensure that the identity of the applicant has been verified by the
Registration Authority
Grant access to healthcare information on behalf of the SAMPLE ORGANISATION.
Sponsors will be held accountable to SAMPLE ORGANISATION.
Ensure that when a Smartcard user leaves the NHS the Smartcard is
destroyed.
2.10 The SAMPLE ORGANISATION Executive Management Team or the Caldicott Guardian will
identify and approve Sponsors. An RA Manager acting on behalf of and under
instruction from the SAMPLE ORGANISATION Executive will register Sponsors. Sponsors will be
staff with sufficient seniority to understand and accept the responsibility
required. Registration Sponsors are responsible to the RA Manager for the
accuracy of the information on the RA forms.
2.11 Sponsors must sign/authorise RA forms for the identification of staff, role
assignment, amendment and revocation.
2.12 The areas of responsibility with respect to NPfIT application user access
should be clearly defined for each Sponsor.
RA Agent Responsibility
2.13 Registration Agents will ensure that all Inter-Trust agreements (i.e. service
level agreements) are adhered to. Agreements with General
Practitioners and, in the future, Dentists and other independent contractors
and/or voluntary organisations will be adhered to.
2.14 Only the job roles for SAMPLE ORGANISATION staff and associated independent contractors are to be entered by SAMPLE ORGANISATION RA Agents. The RA Agents of other local RA organisations are responsible for adding or removing the roles and business functions applicable when SAMPLE ORGANISATION staff work across the areas covered by other Trusts.
2.15 All incidents, misuses, anomalies and problems will be reported to the RA
Manager.
Staff Responsibility
2.16 Staff have a duty to keep patient information secure and confidential.
2.17 Smartcards provide users with the level of access to healthcare information that
is required as part of their healthcare role. Smartcards must be kept safe and be
used appropriately.
2.18 Smartcard users must:
Treat their Smartcard like their credit or debit card and keep it in a safe,
locked place, separate from their passcode, when not in use
Never tell anyone their passcode
Never allow anyone else to use their Smartcard
Never leave their Smartcard unattended
Never write their passcode on their Smartcard
Never write their passcode down anywhere or share it with anyone
Never leave their Smartcard in the Smartcard reader when they are not
actively using it
Report the loss, theft or damage of their Smartcard immediately to their
Sponsor and local Registration Authority, so that the card can be cancelled and
replaced as soon as possible, and complete an incident report form
Read, understand and sign the declaration on the RA01 form to agree their
responsibilities
3. IMPLEMENTATION
Incident Reporting
3.1 Any member of staff may report incidents where they feel that there is a risk to
patient health, confidentiality or SAMPLE ORGANISATION reputation. Incidents should be
reported to the RA Manager and Sponsor and the PCT Incident Form must be
completed immediately and sent to the Head of Health Standards.
Examples of incidents are:
Smartcard or application misuse
Smartcard theft or loss
Non-compliance with local or national RA policy
Any unauthorised access to NPfIT applications
Any unauthorised alteration of patient data.
3.2 The RA Manager will consider all incidents reported. Any incidents
considered significant will be escalated to the PCT Director or Practice
Manager, Associate Director of HR and/or the SAMPLE ORGANISATION Caldicott Guardian depending on the nature of the incident. A major breach of security will also
be reported by the RA Manager to the Local Service Provider and Connecting
for Health to ensure any risks resulting from the event can be taken into
account and mitigated against.
3.3 A significant incident is an isolated incident or a series of less significant
incidents that could lead to a serious degradation of healthcare or information
security. The Executive Team/SAMPLE ORGANISATION Board and Caldicott Guardian will consider incidents reported to them and decide whether SAMPLE ORGANISATION/Practice systems or working practices should be reviewed as a result.
3.4 Incidents which involve a breach of security or which demonstrate that a User
may not be considered trustworthy must also be reported to the Senior HR
Manager/Practice Manager and Caldicott Guardian by the RA Manager so that
any disciplinary measures required may be taken. The Senior HR/RA
Manager will decide which other members of staff need to be involved (e.g.
Line Manager, IT Service Desk Manager or IT Training Manager).
Management and Use of RA Equipment
3.5 The RA Manager, on behalf of the SAMPLE ORGANISATION, is responsible for ensuring that adequate numbers of Smartcards are available and for maintaining the