DOCUMENT TITLE: |
Registration Authority Policy and Procedure |
DOCUMENT NUMBER: |
ELHT/F26 v2.1 |
DOCUMENT REPLACES: |
ELHT/F26 v2.0 |
LEAD EXECUTIVE DIRECTOR DGM: |
Director of Informatics |
AUTHOR(S): |
RA Manager |
TARGET AUDIENCE: |
All Trust Personnel |
DOCUMENT PURPOSE: |
To ensure East Lancashire NHS Trust adhere to and comply with the NHS Digital National Registration Authority Policy |
To be read in conjunction with: |
NHS Digital Registration Authority Policy |
SUPPORTING REFERENCES: |
|
Committee/Group |
Date |
|
Consultation |
Information Governance Steering Group |
January 2024 |
Approval Committee |
Information Governance Steering Group |
January 2024 |
|
Document approved date |
24/04/2024 |
|
Next review date |
August 2026 |
|
Amendments |
Updated the version number and type to reflect changes in responsibility within the organisation from the HR team to the Informatics Team |
1.1. The Registration Authority is the governance framework within which NHS organisations can register individuals as users of the NHS Care Records Service (CRS) and other IT services, ensuring maintenance of confidentiality and security of patient information. Having a common and rigorous approach to how users are registered and given access to the NHS CRS and other services is an integral part of the Trust’s governance requirements.
1.2. The NHS Smartcard is the card issued to the user by the Registration Authority and contains an electronic chip that is used to access the NHS CRS and other spine-enabled applications, along with a PIN. The chip itself does not contain any personal information, providing only a secure link between the NHS CRS and the database holding the users information and access rights. The combination of Smartcard and PIN helps protect the security and confidentiality of patient information.
1.3. As more national applications and clinical systems are released in line with NHS Digital policies, the RA function and the NHS smartcard plays an increasingly vital role in the continued development of information security and patient care; Both of which constitute core aspects of the Trust’s stated vision and values.
1.4. The process of gaining access to these National Applications, e.g. ERS, Secondary User Services (SUS) and Summary Care Record, is carried out by the Registration Authority using an Integrated Identity Management (IIM) interface, which combines the benefits of the Electronic Staff Record (ESR) with the RA’s system ‘Care Identity Service’ (CIS). The benefits of system integration are stated within this policy. The registration process is operated at a local level by the Trust’s Registration Authority (RA) which is required to conform to the National Registration Policy and Practices identified below.
1.5. Unauthorised access, modification, transfer, disclosure, or deletion of computer held records are criminal offences under the Computer Misuse Act 1990. An offender is liable to a fine, five years’ imprisonment, or both. Such offences will constitute gross misconduct and may result in summary dismissal. Unauthorised access, modification, transfer, disclosure, or deletion of manual records may be subject to disciplinary action as may misuse of the Trusts’ E-mail and Internet services.
1.6 This policy describes procedures for the operation of the Registration Authority (RA) within the Trust.
This document describes procedures for the operation of the Registration Authority (RA) within East Lancashire Hospitals NHS Trust.
The use of the word staff in this document means, people who are directly employed by, or contracted to provide service to, or are part of an agreement with the East Lancashire Hospitals NHS Trust.
The East Lancashire Hospitals NHS Trust needs a Registration Authority to manage the distribution and use of Smartcards.
The East Lancashire Hospitals NHS Trust will comply fully with the latest published National Policies and Procedures identified in the following documents:
· Registration Authorities Setup and Operation (available from: https://digital.nhs.uk/services/registration-authorities-and-smartcards)
· Registration Policy and Practices for Level 3 Authentications (available from http://systems.digital.nhs.uk/rasmartcards/docs/)
- The NHS Confidentiality Code of Practice (www.dh.gov.uk)
· CIS Acceptable Use Policy, Terms and Conditions (available from http://systems.digital.nhs.uk/rasmartcards)
The procedures covered in this document are the local support procedures necessary to support the National Policies and Procedures:
- Identification and Appointment of RA Team Members
- Registration of RA Manager
- Registration of RA Agents
- Registration of Sponsors
- Registration of HSCIC Application Users
- Management of HSCIC Application Users
- Management of RA/User Smartcards
- Management of RA/User PIN/Pass-codes
Management of RA/User Profiles
1.1. The Registration Authority is the governance framework within which NHS organisations can register individuals as users of the NHS Care Records Service (CRS) and other IT services, ensuring maintenance of confidentiality and security of patient information. Having a common and rigorous approach to how users are registered and given access to the NHS CRS and other services is an integral part of the Trust’s governance requirements.
1.2. The NHS Smartcard is the card issued to the user by the Registration Authority and contains an electronic chip that is used to access the NHS CRS and other spine-enabled applications, along with a PIN. The chip itself does not contain any personal information, providing only a secure link between the NHS CRS and the database holding the users information and access rights. The combination of Smartcard and PIN helps protect the security and confidentiality of patient information.
1.3. As more national applications and clinical systems are released in line with NHS Digital policies, the RA function and the NHS smartcard plays an increasingly vital role in the continued development of information security and patient care; Both of which constitute core aspects of the Trust’s stated vision and values.
1.4. The process of gaining access to these National Applications, e.g. ERS, Secondary User Services (SUS) and Summary Care Record, is carried out by the Registration Authority using an Integrated Identity Management (IIM) interface, which combines the benefits of the Electronic Staff Record (ESR) with the RA’s system ‘Care Identity Service’ (CIS). The benefits of system integration are stated within this policy. The registration process is operated at a local level by the Trust’s Registration Authority (RA) which is required to conform to the National Registration Policy and Practices identified below.
1.5. Unauthorised access, modification, transfer, disclosure, or deletion of computer held records are criminal offences under the Computer Misuse Act 1990. An offender is liable to a fine, five years’ imprisonment, or both. Such offences will constitute gross misconduct and may result in summary dismissal. Unauthorised access, modification, transfer, disclosure, or deletion of manual records may be subject to disciplinary action as may misuse of the Trusts’ E-mail and Internet services.
1.6 This policy describes procedures for the operation of the Registration Authority (RA) within the Trust.
The Registration Authority (RA) is an official or committee within the East Lancashire Hospitals NHS Trust with appropriate organisational authority who are responsible for ensuring that all aspects of registration services and operations are performed in accordance with National Policies and procedures (See section 1). They are responsible for providing arrangements that will ensure tight control over the issue and maintenance of electronic Smartcards, whilst providing and efficient and responsive service that meets the needs of the users
The Registration Authority has the following responsibilities
- Ensuring that the National Registration processes are adhered to in full as identified in NPfIT -NCR-DES-0294.02 Registration Policy and Practices for Level 3 Authentications, NPfIT -FNT-IMD-IME-0182.02 Registration Authorities Setup and Operation and this document
- Ensuring that the online application forms are appropriately used
- Ensuring that any local processes developed to support the National Registration processes are adhered to in full
- · Ensuring that there is sufficient availability of resource to operate the registration processes in a timely and efficient manner to meet their organisational responsibilities
- Ensuring that the RA team members are adequately trained and familiar with the local and national RA processes
- Ensuring that an indexed and secure audit trail is maintained of applicants registration information and profile changes
- All completed application forms and associated documents are kept secure in an area where the RA’s and HR team have access, in line with HSC 1999/053 which stipulates the retention duration for HR type records.
- Ensure RA members are familiar with and understand Registration Policy and Practices for Level 3 Authentications Registration authorities and smartcards - NHS Digital
- Registration Authorities Setup and Operation and this document.
- Ensure Sponsors are familiar with and understand User Registration - Sponsor Briefing (available from https://digital.nhs.uk/services/registration-authorities-and-smartcards)
- Notification of the creation and revocation of RA managers (including their e-mail address) by emailing the RA Lead at NHS Digital (mailto:enquiries@nhsdigital.nhs.uk)
- Ensuring that there are sufficient Smartcards and Smartcard issuing and maintenance equipment for the organisation.
- Ensure sponsors identified via the Executive have the business function of “sponsor” associated with the appropriate organisation job profile/s.
- All East Lancashire Hospitals NHS Trust RA Members will have sufficient training to carry out their RA tasks in accordance with National Policies and Procedures. They will be individuals capable of trust as they will be handling sensitive information covered by The Data Protection Act. They will be key players in ensuring the NHS Code of Confidentiality https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200146/Confidentiality_-_NHS_Code_of_Practice.pdf Acceptable Use Policy, Terms and Conditions
The East Lancashire Hospitals NHS Trust Registration Authority is made up of the following personnel:
- Registration Authority Managers
- Registration Agents
The services available will be:
- User Registration
- Role Profile maintenance
- adding Role Profiles
- changing Role Profiles
- deactivating Role Profiles
- Revocation and cancelling of Smartcards
- User Suspension
- PIN/Pass-code resetting
- Smartcard renewal and exchange
The above services will be available during the East Lancashire Hospitals NHS Trust Informatics team Core hours, 08:00 to 17:00 Monday to Friday, not bank holidays.
4.1. Incident Reporting
Incidents may be reported by any member of staff where they feel that there is a risk to patient health, confidentiality or East Lancashire Hospitals NHS Trust reputation. Incidents should be reported, using the East Lancashire Hospitals NHS Trust Incident Procedure, to the RA Manager.
Examples of incidents are:
- Smartcard or application misuse.
- Smartcard theft.
- Non-compliance of local or national RA policy.
- Any unauthorised access of NHS Digital applications.
- Any unauthorised alteration of patient data.
The RA manager will consider all incidents reported to them. Any incidents considered significant will be escalated to the East Lancashire Hospitals NHS Trust Board, HR and/or the East Lancashire Hospitals NHS Trust Caldicott Guardian depending on the nature of the incident. A major breach of security will also be reported by the RA manager to the LSP and NHS Digital to ensure any risks resulting from the event can be taken into account and mitigated against.
A significant incident is an isolated incident or a series of less significant incidents that could lead to a serious degradation of healthcare or information security. The East Lancashire Hospitals NHS Trust Board and Caldicott Guardian will consider incidents reported to them and decide whether East Lancashire Hospitals NHS Trust systems or working practices should be reviewed as a result.
Incidents involving breaches of security or demonstrate that a User may not be considered trustworthy should also be reported to HR and Caldicott Guardian by the RA Manager so that any disciplinary measures required may be taken. HR will decide which other members of staff need to be involved (e.g. line manager, IT Manager).
Incidents will be reported by using the designated Informatics team on 01254 732052. In the event of failure or unavailability of applications this should also be reported to the Informatics Servicedesk on 83135.
4.2 Registration Authority Manager
The RA Manager is selected by the East Lancashire Hospitals NHS Trust Executive and is responsible for the set up and day to day running of the East Lancashire Hospitals NHS Trust RA service. The RA Manager must ensure that all RA procedures are carried out in accordance with local and national policy.
4.2.1 RA Manager Reporting
RA Managers will report significant incidents to the East Lancashire Hospitals NHS Trust Board as per section 3.1 Incident Reporting.
4.2.2 Appointment of RA Managers
The Board has identified the RA Manager/s for the East Lancashire Hospitals NHS Trust as follows.
Janette Procter 82997 (01254 732997)
4.3 Registration Sponsors
Sponsors are appointed and entrusted to act on behalf of the East Lancashire Hospitals NHS Trust Executive team in determining who should have what access and maintaining the appropriateness of that access.
They have two specific responsibilities:-
o Identification of the type of access to information a user needs via Information applications – the organisation they belong to and their Role Profile.
o Unlocking smartcards and renewing certificates for non-RA staff ensuring correct security checks are adhered to
Sponsors are responsible for granting on behalf of the East Lancashire Hospitals NHS Trust, who can access what healthcare information. Sponsors will be held accountable by the East Lancashire Hospitals NHS Trust for their actions. Sponsors are responsible to the East Lancashire Hospitals NHS Trust Executive to ensure only appropriate access to Applications is granted.
Sponsors will be identified by the East Lancashire Hospitals NHS Trust Executive, or the Caldicott Guardian as being suitable persons by virtue of their status and role. Sponsors will be registered by an RA Manager or Agent on behalf of the East Lancashire Hospitals NHS Trust Executive in accordance with instructions given by the East Lancashire Hospitals NHS Trust Executive. Sponsors will be staff with sufficient seniority to understand and accept the responsibility required. Registration Sponsors are responsible to the RA Manager for the accuracy of the information on the access request forms.
The RA Manager will publish and maintain the list of sponsors and it will be available in the Informatics Team office.
4.4 Appointment of Registration Sponsors
Sponsors will be selected from East Lancashire Hospitals NHS Trust staff.
The East Lancashire Hospitals NHS Trust has approved the following process for appointing the Registration Sponsors:
Currently East Lancashire Hospitals NHS Trust sponsors will be:
o Business Managers
o Health Centre Building Managers
o Departmental Heads
o Team Leaders
o Medical Secretarial Supervisors
o IM&T training teams and Out of Hours staff
All Sponsors are required to provide documentary evidence to prove their identity. . Registration Sponsors are responsible for making sure that application users are given the minimum appropriate level of access needed to perform their job.
The areas of responsibility with respect to NHS Digital Application user access should be clearly defined for each Sponsor
4.5 Sponsor Reporting
Registration Sponsors and Agents will report any RA related incidents, using the East Lancashire Hospitals NHS Trust incident reporting procedure to the RA Manager. Additionally Sponsors and RA Agents will report any operational difficulties especially where these have patient healthcare implications to the RA Manager. Under the following circumstances a report should be made to the Caldicott Guardian: Mrs. Rineke Schram, Medical Director, East Lancashire Hospitals NHS Trust.
4.6 Registration Agents
Registration Agents are responsible to the RA Manager for ensuring that the National and local processes are followed and for the accurate input of information on RA applications onto the NHS Digital Care Identity Service RA Agents will usually be from HR or IT.
Registration Agents will ensure that all inter-Trust agreements are followed and adhered to. All incidents, misuses, anomalies and problems will be reported to the RA Manager
RA Agents – Informatics team 82052/83135
4.7 All Staff
All Smartcard users must adhere to the regulations set out in the National Terms and Conditions document in regards to the registration process and Smartcard usage
All Trust staff have a duty to keep patient and staff information secure and confidential. The Smartcard provides users with the level of access to healthcare information they require as part of their Healthcare role. All users must keep their Smartcard safe and use it appropriately. To summarise when using a smartcard users should;
- Always keep their Smartcard safe and secure
- Never tell anyone their smartcard PIN
- Never allow anyone else to use their Smartcard
- Never leave their Smartcard unattended
- Never leave their Smartcard in the card reader when not actively using it
- Immediately report its loss, theft or damage to the Registration Authority Team
Breach of the terms and conditions of issue and/or of Trust procedures relating to smartcard usage may lead to disciplinary action.
RA responsibilities should be managed as an organisation Information Asset, by the assigned Information Asset Owner (IAO), or equivalent. The IAO will further ensure that individuals assigned RA responsibilities, have sufficient skills and access to knowledge to perform their roles, that there are procedures to ensure all Smartcards and access profiles are issued appropriately and that RA equipment (hardware and software) and consumables meet current specifications, are adequately maintained, subject to business continuity and contingency planning needs, and are securely stored
|
Standard / Process / Issue |
Method |
By |
Committee |
Frequency |
|
There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority |
RA SOP Guidance
-RA Quarterly
-RA Intranet Info pages
|
RA Manager
RA Manager RA Manager
|
Steering Group
Steering Group
Steering Group |
Ongoing
Quarterly
Ongoing |
The Registration Authority will continually promote the compliancy of smartcard use and improve the necessary processes and procedures through the measures stated in the tables above. Any breaches of security identified through the above measures will be investigated in accordance with the Trust’s Disciplinary Policy.
We will ensure that processes supporting the identification, registration and management of staff will be integrated with other East Lancashire Hospitals NHS Trust processes as appropriate.
All our RA policies and procedures will be auditable by internal auditors as well as external auditors. Audits would typically cover:
- the issuance of Smartcards
- the management of Smartcards
- the profiles associated with users in relation to what they do
- the use of Smartcards
- the use of information applications
- identity management
- security of supplies and equipment
6.1 Starters
As part of normal induction processes new staff required to use Information Applications will be:
- Introduced to the relevant Sponsor who will identify the appropriate role profile for the user and take them through the East Lancashire Hospitals NHS Trust RA processes required. This could be how to become registered or, if the User already holds a Smartcard issued by another East Lancashire Hospitals NHS Trust, adding the necessary Role Profile/s.
- Trained on the aspects of Information Application use relevant to their role/s. (This guidance must be written as well as verbal)
- Trained on the National and East Lancashire Hospitals NHS Trust RA processes.
Where full registration is required; the Applicant will be required to bring suitable forms of identification with them.
Where staff are recruited to a role which requires access to National Information Applications it is important that the following points are considered:
- checks on an applicant’s ID are made during recruitment to ensure that RA Level 3 identification requirements can be met
- offers of employment are dependent on the applicant’s ability to meet and continue to meet all requirements for application access
- induction processes include the issuing of Smartcards (where the applicant is not an existing Smartcard holder) and adding of the appropriate role profile(s)
- staff should be trained sufficiently prior to the use of Smartcards and/or NHS Digital Applications
- Staff must electronically acknowledge that they have read and understood the policies and procedures governing the use of Smartcards.
- All Application Users must have sufficient training to carry out their Application tasks without risk.
All the above processes will be integrated into the standard employment processes of the East Lancashire Hospitals NHS Trust, as much as possible to prevent duplication.
6.2 Leavers
When staff are leaving, the following points must be considered:
- All East Lancashire Hospitals NHS Trust role profiles in the NHS Digital Care Identity Service pertaining to the employee must be deactivated as soon as is practical.
- If the User is transferring to another NHS related location e.g. GP practice, Acute Trust etc. and they can provide details/proof then the current registration details will be copied and sent to the new location – the user is allowed to retain the Smartcard but their East Lancashire Hospitals NHS Trust profile in this organisation is removed.
- Staff permanently leaving the NHS should have their certificate revoked and the Smartcard issued to them should be destroyed (Examples of permanently leaving would include retirement, leaving for employment in a non-NHS job or taking up full-time education etc.)
- The RA Manager must be notified by giving as much notice as possible by relevant sponsor or line manager.
- The required actions must be taken as soon after the staff member leaves as possible.
- The RA Manager will run a monthly leavers report and revoke Smartcard access to staff who are listed as leaving the Trust.
6.3 Contractors
The East Lancashire Hospitals NHS Trust will ensure all contractors who need to use the NHS Digital/Trust applications are bound to the Data Protection Act and The NHS Confidentiality Code of Practice (www.dh.gov.uk). This will include the process to be taken in cases of a breach and liability issues.
The RA Manager, on behalf of the East Lancashire Hospitals NHS Trust, will be responsible for ensuring that adequate numbers of Smartcards are available and maintaining the Smartcards throughout their useful life. The Informatics Manager will ensure that there is sufficient computer equipment to support all users of NHS Digital/Trust applications (including those for registration). All RA equipment will be subject to policies and procedures governing the management and control of East Lancashire Hospitals NHS Trust Assets.
Doc. Ref:
(Equipment Management Policy ELHT/C63)
8.1 Registration Forms
Registration forms are no longer in use and all request are via ELHT informatics online portal
8.1.1 Application
The online application form is used to record the registration of new NHS Digital/Trust Application Users and should contain the information required to register the user on CIS.
The online application has 3 sections:
- Section 1 Applicant details
- Section 2 Sponsor Name (from an approved list of trust sponsors)
- Section 3 Details of access required
The online application requires an electronic verification of terms and conditions from the user and authorisation of access from the sponsor. Electronic forms are stored securely on the trust service desk system.
8.1.2 Amendment to roles
The online form is used to record changes made to an existing Application User’s Role Profile(s). This will be necessary whenever employee Application related roles start or end in the East Lancashire Hospitals NHS Trust.
Whenever a change to a User’s Role Profile is identified the relevant Sponsor must be requested to authorise the changes required. The following are examples of when Role Profile changes would be needed:
- A Medical Admissions Secretary changes departments
- A Senior Nurse covers a colleague’s role as a Nursing Manager during a period of sick leave.
- An Administrator takes on an extra job in a different department.
- A Junior Doctor’s assignment in a department comes to end.
Once the relevant Sponsor has authorised the change(s) on the online form this shall be processed by the RA team. Should there be any problems with the form these will be referred to the Sponsor.
One RA has completed the changes the sponsor will be notified electronically.
8.1.3 Leavers
The online form is used to record revocations. Whenever it is necessary to revoke a certificate associated with a Smartcard an online form must completed and electronically verified by the Sponsor. Sponsor should only do this when it has been confirmed by HR the user has left the organisation or in the case of disciplinary action, on the express request by HR. Once complete the RA team for action
The RA team need to cross check revocations with HR to prior to making any changes to ensure they revoke the access of the correct user and be especially diligent.
Smartcards should be retained by the East Lancashire Hospitals NHS Trust and then destroyed as soon as is practical after the staff member has finished.
8.1.4 User amendments
The online form is used to record user amendments. Name changes must be verified by an RA agent prior to changing the CIS system
8.2 Smartcards
Smartcards should be treated with care and protected to prevent loss or damage.
8.2.1 East Lancashire Hospitals Trust name on Smartcards
Organisation Names are no longer printed on the Smartcard
8.2.2 Lost, Stolen and Broken Smartcards
Lost and damaged Smartcards should be reported to the Informatics Team as soon as is practicable by the member of staff whom the card belongs by contacting them 01254 732052/733135. Once notified that a Smartcard has been lost or damaged the RA based Agents will arrange to have the lost/damaged Smartcard revoked and replaced (see below) as soon as possible. In the case of loss or theft the RA Manager must be informed so that checks may be made to ensure that the Smartcard has not been misused.
When an issued Smartcard becomes unusable or it is lost or stolen the Smartcard certificate must be revoked, see section 6.2 Leavers and Revocation. Revocation renders the Smartcard useless.
As long as the Smartcard holder’s identity can be verified at a face to face meeting a new Smartcard may be issued.
If there is any difficulty verifying the user’s identity the user’s Sponsor must be contacted and the users identity verified. It is vital that the Sponsor’s identity can be relied upon when contacting them to verify the user’s identity.
8.2.3 PIN/Pass-code unlocking/changing
Users who have forgotten their PIN/Pass-code or suspect that it may be known by another or who have been locked out of Nhs Digital/Trust Applications because of three failed login attempts; should report the problem to the RA Team as soon as is practicable by contacting the Informatics Team on 01254 732052/733135.
Once notified the RA based Agents will arrange to have the PIN/Pass-code changed with the user. This task must be carried out by a Registration Agent or Sponsor. The Smartcard holder must be present.
8.2.4 Smartcard misuse
A staff member must report suspected Smartcard misuse in line with East Lancashire Hospitals NHS Trust incident reporting policy and procedure. Depending on the severity of the allegation an investigation maybe required. If it suspected that a Smartcard is being misused then it should be reported to HR who may request that the certificate associated with the Smartcard should be suspended or revoked as appropriate.
If Smartcard misuse by an East Lancashire Hospitals NHS Trust staff member is discovered the appropriate disciplinary measures must be taken. The RA Manager will consult with HR and the matter must proceed using East Lancashire Hospitals NHS Trust Disciplinary Processes.
8.3 Profiles
What a user is able to access is based on the information in the profile.
Whenever there is a temporary and permanent change in the way a person works, a review of the person’s NHs Digital/Trust Application access must be carried out. If there are significant changes to the staff member’s role the relevant Role Profile on the NHS Digital Spine User Database must be requested via a suitable Sponsor. Examples of changes that would necessitate such changes are changes to a person’s:
- Job Title
- Access requirements
- Department
- Site(s)
- Work Group
Where new roles are being added or roles are being changed the Registration Sponsor of the relevant work area will complete the online request form which is used to update the user’s profile. When a particular role comes to an end the profile must be updated by deactivating the role as soon as is practical after the role has ceased.
Where the user is leaving the NHS please refer to section 6.2 Leavers and Revocation.
New roles should be added to the User’s NHs Digital User Directory entry a short while (a maximum of three days) prior to the start of the new role so that the profile is available for use. (Also see Section 6.1 Registration Forms)
8.4 Leavers and Recovations
During the leaving process HR will establish whether the User is leaving the NHS permanently (retirement, education or a non-NHS job) or joining another NHS organisation. Where the User is moving to another organisation HR will notify the RA Manager who will arrange for any Role Profiles associated with East Lancashire Hospitals NHS Trust to be deactivated.
There are occasions when it is necessary to deactivate a Smartcard by revoking the Smartcard certificate. Reasons for this include:
- The Smartcard is lost or stolen
- There has been some other security breach associated with the Smartcard or Smartcard certificate.
- The user is no longer employed by an NHS organisation
Revocation tasks can only be carried out by RA Team Members.
Where the revocation is needed due to a staff member leaving the NHS HR will inform the RA Manager accordingly so that the correct actions can be taken (Spine User Directory and/or CMS).
Where the revocation has been requested by HR because of security related events the RA Manager will authorise the appropriate action and inform the following staff as appropriate:
The HR Manager
The relevant Sponsor(s)
The RA User
Revocation renders the Smartcard useless.
Revocation can only be carried out by Registration Managers and Agents on the request of HR.
8.5 Locums, Agency and Bank Personnel
Temporary staff filling roles may need access to NHS Digital/Trust records as part of their role. The following points should be considered:
- staff working as part of a team may not need a Smartcard to fill the role
- some temporary staff could already be enrolled and will only require a role profile added
temporary staff who are Smartcard holders may not have sufficient training in the use of the particular NHS Digital/Trust Application needed to be accessed
NHS Digital Application Users who need support should contact the Informatics servicedesk on 83135
The management and use of Smartcards will be subject to internal and external audit to ensure that national and local policies are being followed. Specifically, Auditors will look to confirm that:
- Smartcards are handled securely by Users
- RA documents are used and stored appropriately
- Access to NHs Digital/Trust Applications and Records is controlled appropriately
- Unused Smartcards are stored safely and appropriate records are kept
- PBAC role allocation and de-allocation is performed appropriately
- Random checking of PBAC roles with those requested by the sponsor
To aid audit the following records will be maintained:
- the number of Smartcards held
details of Smartcards issued
Registration Authority Managers at:
Informatics Department
EPR HUB
Royal Blackburn Hospital
Haslingden Road
Blackburn.
Lancs
BB2 3HH
Measuring and monitoring compliance with the effective implementation of this procedural document is best practice and a key strand of its successful delivery. Hence, the author(s) of this procedural document has/have clearly set out how compliance with its appropriate implementation will be measured or monitored. This also includes the timescale, tool(s)/methodology and frequency as well as the responsible committee/group for monitoring its compliance and gaining assurance.
|
Aspect of compliance being measured or monitored. |
Individual responsible for the monitoring |
Tool and method of monitoring |
Frequency of monitoring |
Responsible Group or Committee for monitoring |
|
Compliance with the standards set out in this policy. |
RA Manager |
System access monitored and leavers reports actioned in a timely manner |
Monthly |
IG steering Group
|
Equality Impact Assessment Screening Form
|
Department/Function |
System Support |
|
Lead Assessor |
Carl Faircloughr |
|
What is being assessed? |
Registration Authority Policy and Procedure |
|
Date of assessment |
13/07/2023 |
|
What groups have you consulted with? Include details of involvement in the Equality Impact Assessment process |
Equality of Access to Health Group ☐ Staff Side Colleagues ☐ Service Users ☐ Staff Inclusion Network/s ☒ Personal Fair Diverse Champions ☐ Other (Inc. external orgs) ☒ e-health Board |
1) What is the impact on the following equality groups?
|
Positive: ➢ Advance Equality of opportunity ➢ Foster good relations between different groups ➢ Address explicit needs of Equality target groups |
Negative: ➢ Unlawful discrimination, harassment and victimisation ➢ Failure to address explicit needs of Equality target groups |
Neutral: ➢ It is quite acceptable for the assessment to come out as Neutral Impact. ➢ Be sure you can justify this decision with clear reasons and evidence if you are challenged |
|
Equality Groups |
Impact (Positive / Negative / Neutral) |
Comments ➢ Provide brief description of the positive / negative impact identified benefits to the equality group. ➢ Is any impact identified intended or legal? |
|
Race (All ethnic groups) |
Neutral |
|
|
Disability (Including physical and mental impairments) |
Neutral
|
|
|
Sex |
Neutral |
|
|
Gender Reassignment |
Neutral
|
|
|
Religion or Belief |
Neutral |
|
|
Sexual Orientation |
Neutral |
|
|
Age |
Neutral |
|
|
Marriage and Civil Partnership |
Neutral |
|
|
Pregnancy and maternity |
Neutral |
|
|
Other (e.g. caring, human rights) |
Neutral |
2) In what ways does any impact identified contribute to or hinder promoting equality and diversity across the organisation? N/A
3) If your assessment identifies a negative impact on Equality Groups you must develop an action plan to avoid discrimination and ensure opportunities for promoting equality diversity and inclusion are maximised.
➢ This should include where it has been identified that further work will be undertaken to further explore
➢ the impact on equality groups
➢ This should be reviewed annually.