
Trust Informatics Policy

Information Governance

Registration Authority (RA) Policy

Document Control

Document Title: Registration Authority Policy

Author/Contact: RA Manager

Document Reference: 5492

Document Impact Assessed: Yes, 13/08/2019

Version: 5

Status: Approved

Publication Date: 13th August 2019

Review Date: 12th August 2020

Approved by (Executive): Dr. J Hobbs (Caldicott Guardian), 23/01/2017

Ratified by (Relevant Group): Information Governance Group, 23/01/2017

Distribution: Royal Liverpool and Broadgreen University Hospitals NHS Trust intranet

Please note that the Intranet version of this document is the only version that is maintained. Any printed copies must therefore be viewed as “uncontrolled” and as such may not necessarily contain the latest updates and amendments.


Royal Liverpool and Broadgreen University NHS Hospital Trusts

EQMS 5492 V5 Registration Authority Policy Registration Authority Manager


Table of Contents

1.0 Introduction (p. 3)

2.0 Objective (p. 3)

3.0 Scope of Policy (p. 3)

4.0 Policy (p. 3)

4.1 Registration Authority Responsibilities (p. 3)

4.2 RA Manager (p. 3)

4.3 RA Agent (p. 4)

4.4 RA Sponsor (p. 6)

4.6 Users (p. 7)

4.7 Registration Authority Processes (p. 7)

4.8 Registration Authority Forms (p. 8)

4.9 Lost, Stolen and Damaged Smartcards (p. 10)

4.10 Smartcard Unlocking (p. 10)

4.11 Smartcard Misuse (p. 10)

4.12 Smartcard Terms and Conditions (p. 11)

5.0 Roles and Responsibilities (p. 11)

5.1 Managers and Staff (p. 12)

6.0 Associated documentation and references (p. 13)

7.0 Training & Resources (p. 13)

8.0 Monitoring and Audit (p. 14)

8.1 Monitoring arrangements for this policy (p. 14)

9.0 Equality and Diversity (p. 14)

9.1 Recording and Monitoring of Equality & Diversity (p. 15)

Appendix A - Glossary of terms (p. 16)

Appendix B - Smartcard Terms and Conditions (p. 17)

Appendix C - Document History (p. 21)


1.0 Introduction

NHS Digital has been involved in the development of a number of national computer applications, such as the Summary Care Record (SCR), e-Referral Service (e-RS) and the Electronic Staff Record (ESR), which require strict access controls in order to maintain the confidentiality of the sensitive personal data (patient/staff records) held within each application. Access to these applications is via an electronic Smartcard, which permits the registered user access to the application/s and the appropriate information held on the application. The registration process for a Smartcard within the Trust is operated by the Registration Authority (RA) and is based on position based access control (PBAC).

2.0 Objective

The objective of this policy is to ensure that all relevant staff understand the Trust’s RA requirements.

3.0 Scope of Policy

This policy applies to all Smartcard holders including all Registration Authority Agents, Sponsors and Users.

4.0 Policy

4.1 Registration Authority Responsibilities

The Registration Authority (RA) is a team within the Trust’s Workforce Team which is responsible for ensuring that all aspects of registration services and operations are performed in accordance with national policies and procedures. They are responsible for providing arrangements that will ensure tight control over the issue and maintenance of electronic Smartcards, whilst providing an efficient and responsive service that meets the needs of the users. All incidents for the RA team should be logged with the IT Service Desk, on extension 5499.

The RA team is made up of the following personnel:

RA Manager

RA Agents

Sponsors

Local Smartcard Administrators

Users

4.2 RA Manager

The RA Manager is responsible for providing a comprehensive RA service. This includes establishing an RA team and developing robust RA procedures and processes.


Responsibilities include:

Ensuring that all RA forms (see section 4.7) are appropriately used.

Ensuring that any local processes developed to support the national registration processes are adhered to in full.

Ensuring that there is sufficient availability of resource to operate the registration processes in a timely and efficient manner to meet their organisational responsibilities.

Ensuring that the RA team members are adequately trained and familiar with the local and national RA processes.

Ensuring that an indexed and secure audit trail is maintained of a user’s registration information and profile changes.

Ensuring that all completed application forms and associated documents are kept secure in an area to which the RA and HR teams have access.

Ensuring that RA members are familiar with and understand the Registration Policy and Practices.

Ensuring that Sponsors/Local SmartCard Administrators are familiar with and understand the user registration process.

Ensuring that there are sufficient smartcards and smartcard issuing and maintenance equipment for the Trust.

Ensuring that Sponsors/Local SmartCard Administrators have the appropriate business function associated with the appropriate job profile/s.

4.3 RA Agent

RA Agents are responsible to the RA Manager for ensuring that the national and local processes are followed and for the accurate input of information from RA forms onto NHS Digital’s Spine User Directory and Card Management System. This system will replace all current national Spine systems. RA Agents will ensure that all inter-Trust agreements are followed and adhered to. All incidents, misuses, anomalies and problems will be reported to the RA Manager.


The RA Agent is responsible for the:

Day to day support of the local Registration Authority.

Issuing Smartcards to users who have been sponsored and who have suitably proven identities in accordance with the National process (via the RA01 form; see section 5.2.1).

Updating a user’s Smartcard profile in accordance with the Sponsor’s requirements (via the RA02 form; see section 5.2.2).

Ensuring that the National RA processes are adhered to within the Trust.

Escalating process, hardware and application problems to the local Strategic Health Authority.

Providing support on process, hardware and application problems.

Ensuring that all RA01 and RA02 forms, and any other material which supports the issue/revocation of a Smartcard and the role profiles associated with that card, are retained in accordance with the National RA processes.

Ensuring that all users (RA and non-RA) are registered and issued with a Smartcard containing a UUID and their photograph, and are aware of their responsibilities relating to information governance and Smartcard use.

Ensure that users only have one Smartcard associated with their profile at any time. The issue of more than one Smartcard to a user is not permitted.

Ensure that all RA forms and associated information are maintained and securely stored.

Promptly report all incidents of misuse, anomalies or problems to the RA Manager.


Applying common sense checks and challenging the content of the RA forms they action, for example checking that the registration request is from an authorised Sponsor from their own organisation.

Auditing Smartcard usage around the Trust and making sure that Smartcards are not being shared amongst staff.

Only using the Multiple Role Update functionality in compliance with the local Registration Authority’s procedures.

Renewing a user’s Smartcard certificates only if they are confident of the user’s identity.

4.4 RA Sponsor

Sponsors are appointed and entrusted to act on behalf of the Trust in determining which users should have access to an application, and at what level, and in maintaining the appropriateness of that access.

Sponsors will be staff who have sufficient seniority to understand and accept the responsibilities required, and will be identified by their departmental Directorate Manager. RA Sponsors are responsible to the RA Manager for the accuracy of the information on the RA01, RA02 and RA03 forms.

RA Sponsors and Agents will report any RA related incidents, using the Trust incident reporting procedure via the IT Service Desk, on extension 5499.

4.5 Local SmartCard Administrators

Local SmartCard Administrators are appointed to act on behalf of the Trust in ensuring that users’ access is maintained as consistently as possible. Administrators will be identified staff who act as a Local Administrator to unlock and update SmartCards. Local SmartCard Administrators will report any RA related incidents, using the Trust incident reporting procedure via the IT Service Desk, on extension 5499.


4.6 Users

The term User encompasses all staff who use a Smartcard but are not part of the Registration Authority structure identified above. A user will be issued with a Smartcard/job profile when they have been sponsored by a Sponsor and then set up by the RA.

The User is responsible for:

Ensuring they keep their Smartcard secure.

Ensuring they keep their Smartcard pin code confidential.

Ensuring that no one else uses/has access to their Smartcard.

Reporting any loss, theft, or suspected misuse of their Smartcard to the Registration Authority, on extensions 5788/5789 or to the Information Security Officer, on extension 3671.

4.7 Registration Authority Processes

New Starter Process

As all staff now require SmartCards to access ESR, the Trust is integrating the issuing of SmartCards into the Recruitment process. Once a New Starter has attended a sign-on session with Recruitment, where ID is checked and a photo taken, the SmartCard can be prepared; it will remain locked, and the employee will set their own personal passcode upon starting in post. Alternatively, a New Starter can retrieve an RA01 and RA02 form from the Trust’s intranet site, which can then be completed together with the Sponsor. These forms can then be taken, along with all the relevant ID, either to the RA Office, 3rd Floor Derwent House, or to an RA drop-in session on the ground floor of the Royal Liverpool Hospital site. Forms and ID will then be checked by the relevant RA member of staff. The user can then attend another session to collect the completed card and set a passcode in person.

Leaver Process

Sponsors must ascertain whether a user is leaving the NHS or joining another NHS organisation. The Sponsor must then log an incident with the IT Service Desk, whereby an RA Agent will cancel the Smartcard. If the user is leaving the NHS, the Smartcard must be cancelled, destroyed and returned to the RA Office.


Contractor/Third Party Process

The Trust will ensure all contractors who need to use a national application are bound to the Data Protection Act and the NHS Confidentiality Code of Practice. The Trust will form new contracts, where required, to ensure that these requirements are adhered to.

Incident Reporting

Incidents may be reported by any member of staff where they feel that there is a risk to patient health, confidentiality or Trust reputation. Incidents should be reported through the IT Service Desk for the attention of the RA Manager or directly to the Information Security Officer, on extension number 3671.

Examples of incidents:

Smartcard or application misuse

Smartcard theft

Smartcard loss

Non-compliance of local or national RA policy

Any unauthorised access to Trust applications

Any unauthorised alteration of patient data

The RA Manager/Information Security Officer will consider all incidents reported to them. Any incidents considered significant will be escalated to the staff member’s manager. A significant incident is an isolated incident, or a series of less significant incidents, that could lead to a serious degradation of healthcare or information security. The Information Security Officer will consider incidents reported to them and decide whether Trust systems or working practices should be reviewed as a result. Incidents that involve breaches of security, or that demonstrate that a user may not be considered trustworthy, should also be reported to HR and the Information Security Officer by the RA Manager so that any disciplinary measures required may be taken. All smartcard losses must also be reported to the RA, who will then notify the Information Security Officer. Members of staff losing 3 smartcards will have a letter of concern sent to their line manager.

4.8 Registration Authority Forms

To support the RA processes there are a number of RA forms which are used to capture and request information so that a user’s access to the national applications can be managed. The use of these forms is mandatory for all local Sponsor and Registration Authority staff.


RA01

The RA01 form is used to record the registration of a new user. The RA01 form is held by the applicant until the RA Manager/Agent registers the applicant on NHS Digital’s Spine User Database. This system will replace all current national Spine systems. Once registration is completed, the RA01 form is retained by the RA Team and securely stored, to be available for RA Managers/Agents/Sponsors/auditors as necessary.

RA02

The RA02 form is used to record changes made to an existing user’s job role profile(s). Whenever a change to a user’s role profile is identified, the relevant Sponsor must be requested to authorise the changes required. The following are examples of when role profile changes would be needed:

A user changes departments.

A member of staff is covering a different position due to a staff member’s period of sick leave.

A user is given additional tasks within their job role.

A staff member’s job role changes.

Once the relevant Sponsor has authorised the change(s) the RA02 form shall be processed by the RA. Should there be any problems with the form these will be referred to the signing Sponsor. Once the RA has completed the changes on the RA02 form, the form will be stored securely with the RA Team where the RA forms are logged, filed and available for RA Managers/Agents/Sponsors/Auditors as necessary.

RA03

The RA03 form is used to record revocations. Whenever it is necessary to revoke a certificate associated with a smartcard, an RA03 form must be completed and signed by a Sponsor, RA Agent or RA Manager. This should only be done when it has been confirmed by HR that the user has left the organisation or, in the case of disciplinary action, on the express request of HR.


Once the RA has completed the changes on the RA03 form it will be securely stored by the RA Team where the RA forms are logged and filed, to be available for RA Managers/Agents/Sponsors/Auditors as necessary.

RA05

The RA05 form is to be used when a user has changed their name. The form is to be completed by the user and given to an RA Agent for processing. Proof of name change will be required and recorded on the RA05 prior to the new smartcard being released. Once the RA has completed the changes on the RA05 form, it will be securely stored by the RA Team where the RA forms are logged and filed, to be available for RA Managers/Agents/Sponsors/Auditors as necessary.

4.9 Lost, Stolen and Damaged Smartcards

Lost and damaged smartcards should be reported to the RA Team as soon as possible via the IT Service Desk. Once notified that a smartcard has been lost/stolen, an RA Agent will cancel it. Please note that the card will then be rendered unusable. An RA Agent will then reprint and arrange an appropriate appointment for collection of the replacement smartcard. Instances of lost smartcards are recorded, and upon 3 losses a letter of concern will be sent to the user’s line manager. If there is any difficulty verifying the user’s identity, the user’s Sponsor must be contacted and the user’s identity verified.

4.10 Smartcard Unlocking

Users who have forgotten their Smartcard pin-code, suspect that it may be known by another user, or have been locked out of an application because of three failed login attempts, should report the problem to their Sponsor or Local SmartCard Administrator, who will be able to unblock and/or reset the pin-code. In the case that the Sponsor is unable to assist, this should be logged via the IT Service Desk and an RA Agent will be in touch to resolve the issue.

4.11 Smartcard Misuse

A staff member must report an incident of suspected Smartcard misuse to the RA Manager or the Information Security Officer. If it is found that a Smartcard is being misused, then the certificate associated with that Smartcard will be suspended and the Smartcard will be revoked and the appropriate disciplinary measures will then be taken against the staff members involved.


4.12 Smartcard Terms and Conditions

The smartcard terms and conditions (RA01 - Part A) issued to the user at the time of registration and signed for in RA01 - Part B should be retained by the end user for future reference. A copy of these can be found in Appendix A.

5.0 Roles and Responsibilities

The Information Assurance Manager is responsible for this policy, and for the operational management of data protection within the Trust. The Deputy Director of Information and Patient Access Services is responsible for the overall information governance agenda.

The Senior Information Risk Owner (SIRO) is the Chief Information Officer and is accountable for information risk within the Trust and advises the Board on the effectiveness of information risk management across the organisation. Operational responsibility for Information Security shall be delegated by the SIRO to the Trust’s Information Assurance Manager. All Information Security risks shall be managed in accordance with the Trust’s Risk Management Policy.

The Data Protection Officer is responsible for ensuring that the Trust and its constituent business areas remain compliant at all times with Data Protection, Privacy and Electronic Communications Regulations, Freedom of Information Act and the Environmental Information Regulations. The Data Protection Officer shall:

Lead on the provision of expert advice to the organisation on all matters concerning the Data Protection Act, compliance, best practice and setting and maintaining standards

Provide a central point of contact for the Act both internally and with external stakeholders (including the Office of the Information Commissioner)

Communicate and promote awareness of the Act across the Trust

Lead on matters concerning individuals’ right to access information held by the Trust and the transparency agenda

The Caldicott Guardian is the Deputy Medical Director and is responsible for ensuring implementation of the Caldicott Principles and Data Security Standards with respect to Patient Confidential Data.


The Information Asset Owners (IAOs) are senior/responsible individuals involved in running the business area and shall be responsible for:

Understanding what information is held

Knowing what is added and what is removed

Understanding how information is moved

Knowing who has access and why

All Senior Managers, Heads of Department, Information Risk Owners and Directors, defined as Senior Responsible Owners (SROs), are individually responsible for ensuring that this policy and information security principles shall be implemented, managed and maintained in their business area. This includes:

Appointment of Information Asset Owners (IAO) to be responsible for Information Assets in their area(s) of responsibility

Awareness of information security risks, threats and possible vulnerabilities within the business area and complying with relevant policies and procedures to monitor and manage such risks

Supporting personal accountability of users within the business area(s) for Information Security

Ensuring that all staff under their management have access to the information required to perform their job function within the boundaries of this policy and associated policies and procedures

5.1 General Managers/Heads of Department/All Staff

General Managers/Heads of Department are responsible for ensuring that all staff within their departments are aware of:

This policy and its contents

How to obtain a copy if required

Their own responsibilities and obligations to comply with its procedures

To ensure that security breaches are investigated and reported in line with Trust procedures and within 72 hours of the incident occurring

The Deputy Medical Director (Caldicott Guardian) and Chief Information Officer (CIO) have senior responsibility reporting to the Trust Board. The Information Governance Group will oversee policy setting and implementation of this agenda.


Information Security and the appropriate protection of information assets are the responsibility of all users, and individuals are expected at all times to act in a professional and responsible manner whilst conducting Trust business. All staff are responsible for information security and remain accountable for their actions in relation to NHS and other UK Government information and information systems. Staff shall ensure that they understand their role and responsibilities, and that failure to comply with this policy, or conduct that results in a breach of data protection law and regulations, may result in disciplinary action. This will be reinforced by yearly mandatory training. This policy is applicable to any contractors or external agencies that have cause to handle personal information on behalf of the Trust. They must therefore ensure that data protection standards are met. All care groups/departments have the responsibility to ensure their staff complete information governance training on an annual basis via the mandatory training programme, as well as by other bespoke methods of training on request.

6.0 Associated documentation and references

This policy should be read in conjunction with all informatics policies found under Information Governance policies on the Trust website.

This document has been created in accordance with the following supporting documents:

Data Protection Act 2018

Network and Information Systems Regulations (NIS) 2018

General Data Protection Regulations (GDPR) 2016/679

The Computer Misuse Act 2000

ISO 27001 The Code of Practice for Information Security Management

This policy should be read in conjunction with policies found under Information Governance policies on the Trust website, which include:

Information Assurance Policy

IG Incident Investigation Policy

Personal Information and Confidentiality Policy

Network Account and Password Management Policy

7.0 Training and Resources

The implementation of policies in this area will be carried out across the Trust by all involved staff and will be led by the Information Assurance Manager and associated teams. Information Governance elements will be included in standard Trust induction, core skills training programmes, specific data protection training packages and electronic learning packages.


8.0 Monitoring and Audit

The Information Governance Sub-Group is the Trust committee with responsibility for the ratification of Information Governance policies and the approval of work programmes. This group has senior level representation, is chaired by the Caldicott Guardian, and is supported from all appropriate areas to ensure the Trust steers this agenda appropriately. It receives regular reports from the Information Assurance Manager and responsible staff dealing with all aspects of the agenda as outlined above, and approves central returns required by the Data Security and Protection Toolkit via the NHS Digital website.

8.1 Monitoring arrangements for this policy

This policy will be reviewed bi-annually, or more frequently if appropriate, to take into account changes to legislation that may occur and/or guidance from the Department of Health, the NHS Executive and/or the Information Commissioner.

Minimum requirement to be monitored: Relevance of policy to Trust needs

Process for monitoring (e.g. audit): Audit / Review

Responsible individual / group / committee: IGG

Frequency of monitoring: Bi-annually

Responsible individual / group / committee for review of results: IGG

Responsible individual / group / committee for development of action plan: IGG

Responsible individual / group / committee for monitoring of action plan and implementation: IGG

9.0 Equality and Diversity

The Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment.

To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Equality Act 2010 this policy has been screened for relevance during the policy development process and a full equality impact analysis conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented.

Royal Liverpool and Broadgreen University NHS Hospital Trusts

EQMS 5492 V5 Registration Authority Policy Registration Authority Manager

This policy and procedure can be made available in alternative formats on request including large print, Braille, moon, audio, and different languages. To arrange this please refer to the Trust Interpretation and Translation Policy and the Accessible Publications Policy in the first instance.

The Trust will endeavour to make reasonable adjustments to accommodate any employee/patient with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements.

9.1 Recording and Monitoring of Equality and Diversity

The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness.

Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact.

The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose.

Appendix A - Glossary of terms

Access Profile means the specific areas of NHS Care Records Service applications which the user is authorised to access.

Applicant means an individual who is in the process of registering to become an authorised user.

Application for registration means the RA01 Form, completed by an applicant and a sponsor.

Authorised user means a person who is authorised to use the NHS Care Records Service applications and has been issued a Smartcard.

Certificate means an X.509 public key certificate, which binds an identity to a public key. The public key, together with the identity and related information, is digitally signed with the private signing key of the Certification Authority that issues the certificate. The format of the certificate is in accordance with ITU-T Recommendation X.509.

Data Protection Act means the Data Protection Act 2018 as amended and supplemented from time to time.

NHS Care Records Service applications means those applications provided by CfH as part of the National Programme for Information Technology.

Passcode means an alphanumeric set of characters used to permit access to NHS CRS functionality.

Personal Data means data from which an applicant can be identified, as defined in more detail in the Data Protection Act.

Registration Authority (RA) means any entity that is appointed by the Department of Health as being responsible for the identification and authentication of applicants.

Smartcard means the card issued to an authorised user which enables access to NHS Care Records Service applications.

User’s Unique ID Number means the number to the left of the photograph on the Smartcard, underneath the chip, also referred to as the UUID.

Smartcard Serial Number means the number on the back of the Smartcard which is the manufacturer’s card identifier.

Sponsor means the individual identified by the organisation who has been assigned to approve access to information and functionality of NHS Care Records Service applications.

Appendix B – Smartcard Terms and Conditions

RA01 Short Form Conditions – Registration for NHS Care Records Service applications Smartcard

Please note:

This document should be read by everyone who is going to complete an RA01 Short Form and be issued a Smartcard. If there are any queries regarding this document please contact your Registration Authority.

Guidance

This document has a Glossary and you should reference it to ensure you fully understand the terms used.

All applicants need to be aware that by signing the RA01 Short Form they are committing to the obligations identified in this document and those referenced by this document.

Once you accept these conditions, you need to have the RA01 Short Form approved by a Sponsor. If you do not know who your Sponsor is please contact your local Registration Authority.

If your application is successful, you will become an authorised user of the NHS Care Records Service applications and will be issued with a Smartcard. This will contain a digital certificate and has your photograph printed on it along with your Unique User Identification (UUID). Your Smartcard will provide you with access to certain patient data in accordance with the access profiles approved by your Sponsor(s) on an RA02 form.

These RA01 conditions contain a number of obligations relating to your use of the Smartcard and the NHS Care Records Service applications and you should review these sections carefully.

The personal data which you and your sponsor provide on the RA01 Short Form is required by your local Registration Authority to verify your identity and to confirm that you are eligible for registration. All personal data held about you and your sponsor will be processed in accordance with the Data Protection Act.

You are not authorised to use NHS Care Records Service applications unless a Smartcard has been issued to you.

If your job role changes and/or any of your access profiles require amendment, you should contact your Sponsor, who will need to complete an RA02 Profile Additions and Modifications form. This is available from any Registration Authority.

If your name changes you will need to complete and submit an RA05 Change of Details form and notify your local Registration Authority.

Notice to applicants on the collection of personal data

In accordance with the requirements of the Department of Health, the personal data (as defined in the Data Protection Act 2018) that the applicant provides on the RA01 Short Form (together with any personal data processed in relation to the applicant in support of their application) is collected for the purpose of identifying the applicant, processing this application and evaluating the applicant for suitability as an authorised user; if accepted, to generate a personalised certificate and Smartcard for the authorised user; and for the purpose of managing the applicant's use of any NHS Care Records Service applications.

In particular, this personal data will be used to validate and verify the applicant’s identity to ensure that the applicant is correctly identified and appropriately authorised for access. The personal data in relation to the applicant will be processed by the local Registration Authority/Authorities and may be shared with other Registration Authorities for the purpose of processing this application, in accordance with the requirements of the Data Protection Act 2018 as amended and supplemented from time to time. This personal data may also be used to ensure that accurate information can be recorded regarding the applicant's use of systems.

In accordance with the Data Protection Act 2018, this personal data will neither be used nor disclosed for any other purpose other than where required by law, and will be retained in accordance with the Registration Authority’s data retention policy.

It is the applicant’s responsibility to ensure that their registered name is accurate and kept up-to-date. The applicant may contact their local RA or Sponsor in relation to any queries they may have in connection with this application.

By signing the declaration set out in the RA01 Short Form, I, the applicant:

1. consent to the collection and use of my personal data in the manner described in the "Notice to applicants on the collection of personal data" above. I also agree to provide any additional information and documentation required by the Registration Authority in order to verify my identity;

2. confirm that the information which I provide in this application is accurate. I agree to notify my local Registration Authority immediately of any changes to this information;

3. agree that the Smartcard issued to me is the property of the NHS and I agree to use it only in the normal course of my employment or contract arrangement;

4. agree that I will check the operation of my Smartcard promptly after I receive it. This will ensure that I have been granted the correct access profiles. I also agree to notify my local Registration Authority promptly if I become aware of any problem with my Smartcard or my access profiles;

5. acknowledge that I will keep my Smartcard private and secure and that I will not permit anybody else to use it or any session established with the NHS Care Records Service applications. I will not share my Passcodes with any other user. I will not make any electronic or written copies of my Passcodes (this includes function keys). I will take all reasonable steps to ensure that I always leave my workstation secure when I am not using it by removing my Smartcard. If I lose my Smartcard or if I suspect that it has been stolen or used by a third party I will report this to my local Registration Authority as soon as possible;

6. agree that I will only use my Smartcard, the NHS Care Records Service applications and all patient data in accordance with The NHS Confidentiality Code of Practice (as available on the www.dh.gov.uk site) and (where applicable) in accordance with my contract of employment or contract of provision for service (whichever is appropriate) and with any instructions relating to the NHS Care Records Service applications which are notified to me;

7. agree not to maliciously alter, neutralise, circumvent, tamper with or manipulate my Smartcard, NHS Care Records Service applications components or any access profiles given to me;

8. agree not to deliberately corrupt, invalidate, deface, damage or otherwise misuse any NHS Care Records Service applications or information stored by them. This includes but is not limited to the introduction of computer viruses or other malicious software that may cause disruption to the services or breaches in confidentiality;

9. acknowledge that my Smartcard may be revoked or my access profiles changed at any time without notice if I breach this Agreement, if I breach any guidance or instructions notified to me for the use of the NHS Care Records Service applications, or if such revocation or change is necessary as a security precaution. I acknowledge that if I breach this Agreement this may be brought to the attention of my employer (or governing body in relation to independent contractors) who may then take appropriate action (including disciplinary proceedings and/or criminal prosecution);

10. agree that the Registration Authority's sole responsibility is for the administration of access profiles and the issue of Smartcards for the NHS Care Records Service applications. The Registration Authority is not responsible for the availability of the NHS Care Records Service applications or the accuracy of any patient data.

11. acknowledge that I, or my employer, shall notify my local Registration Authority at any time should either wish to terminate this Agreement and to have my Smartcard revoked e.g. on cessation of my employment or contractual arrangement with health care organisations or other relevant change in my job role; and

12. acknowledge that these terms and conditions form a binding Agreement between myself and those organisations who have sponsored my role(s). I agree that this Agreement is governed by English law and that the English courts shall settle any dispute under this Agreement.

Appendix C – Document History

Version Date Comments Author

0.1 23/11/2010 Draft Document Created RA Manager

0.2 24/11/2010 Revisions Information Security Officer

0.3 10/01/11 Minor Revisions IGG group members

0.4 13/02/2012 Minor Revisions RA Manager

1.0 25/02/2013 Reviewed RA Manager

2.0 20/01/2014 Minor Revisions RA Manager / Information Security Officer

3.0 23/01/2017 Review RA Manager

4.0 20/07/2018 Doc control table - Distribution Text amended to follow Trust Policy Template. Helen Vormawah

5.0 13/08/2019 Updated references to NHS Digital, DSPT Information Assurance Manager

Review Process Prior to Ratification:

NAME OF GROUP/DEPARTMENT/SPECIALIST COMMITTEE DATE

Information Governance Group Virtual meeting 05/01/11

Information Governance Group 25/02/2013

Information Governance Group 26/01/2015

Information Governance Group 23/01/2017