Connecting to HSCN
The HSCN Connection Agreement sets out the things HSCN customers must do before and whilst using HSCN.
The Connection Agreement replaces the N3 Information Governance Statement of Compliance (IGSoC). In doing this, the arrangements for being able to use HSCN are separated from those relating to accessing data or systems available on HSCN.
Every organisation that wishes to use HSCN must complete one. By "use HSCN", we mean 'sending or receiving data across HSCN'.
The HSCN Connection Agreement is organisation-centric. Each organisation needs to sign and submit only one Connection Agreement no matter how many locations or HSCN connections they have or use.
Information Governance and data security
A current Information Governance Toolkit (IGT) is no longer a requirement to access HSCN. However, all organisations that handle patient data are still required to meet the requirements of the IGT and to provide evidence for this through an annual submission. This means that a current IGT is still required to access NHS Digital's National Applications such as NHS e-Referral Service (ERS), Personal Demographics Service (PDS) and Secondary Uses Service (SUS).
There's currently a programme of work underway to update the IGT. This will increase its relevance for senior managers and its accessibility for small organisations.
The updates will:
- focus on the new data security standards recommended by the National Data Guardian
- increase the focus on timely reporting of incidents
- reduce administrative burden on NHS organisations
More information can be found at https://www.igt.hscic.gov.uk/.
HSCN is a private network, designed as a reliable business resource to carry information, which is only available to certain organisations. This is very different from a 'secure' network.
HSCN doesn't provide security to prevent loss of, tampering with or inappropriate usage of the information it carries or the systems or services available through it, and it doesn't assure their authenticity.
This means that if patient data or personal data is being transmitted across HSCN, then encryption must be used. It also means that if you provide systems or services over HSCN, it's your responsibility to secure them and to make decisions about who can access those systems or services.
The National Cyber Security Centre provides useful information on encryption and how to protect your data in transit.
Please note, in the context of this information, that HSCN Suppliers are obliged to operate their networks in line with the requirements set out in the Communications-Electronics Security Group (CESG) Assured Services (Telecoms) [CAS(T)] scheme.
More about the Connection Agreement
The Connection Agreement sets out a collaborative way of working, which means:
- HSCN customers acknowledge responsibility for securing information - practically, this means that patient data should always be encrypted when being sent across any network, including the HSCN
- ownership and responsibility for the use of the HSCN connection sits at a senior level within the organisation
- HSCN customers give enough information to allow us to understand which organisations are using each HSCN connection
- if there are organisations that haven't signed a Connection Agreement, then those organisations cannot route information to or from the HSCN - practically, this means making arrangements with your supplier to prevent this, for example by adding access restrictions to firewalls
- HSCN customers provide security contact details so we can work with those customers if we detect or suspect a cyber incident or malicious activity across that HSCN connection
- NHS Digital's Data Security Centre will work with HSCN customers to resolve issues - however, as the HSCN is an important business resource, NHS Digital does retain the right to restrict access in exceptional circumstances
The Connection Agreement also:
- sets out arrangements that could apply in the event of a dispute with your supplier - these arrangements are designed to make dispute resolution simpler and more cost effective in the unlikely event that a dispute occurs
- satisfies Data Protection responsibilities:
  - by clarifying the relationship between HSCN customers, NHS Digital and its service providers, such as the internet content checking service provider
  - by satisfying the Data Protection duty of data controllers to have written agreements with those parties that may process their data
Continuing to use N3 after 1st April 2017 until migration to HSCN
The N3 network became the Transition Network on 1st April 2017. N3 customers will notice no interruption of network service.
For current N3 customers, the Connection Agreement extends the provisions of the Connection Agreement to the use of the Transition Network from 1st April 2017. We call this the "2-part Connection Agreement". It includes data protection and data security obligations. It's necessary because the N3 Access Agreement between the N3SP and the N3 customer will cease on 1st April 2017.
We introduced a convenient online submission function in April 2017. During April 2017 your organisation's nominated point of contact for HSCN will receive an email invitation from NHS Digital, which will include instructions on how to submit a Connection Agreement using the online portal. If you've not received an invite or have a query about the Connection Agreement, please contact email@example.com.
When you've completed a Connection Agreement online you'll receive a confirmation email.
The HSCN Connection Agreement should be authorised by an individual in a senior role in your organisation. Signing this Agreement will also mean that your organisation is ready to be connected to the HSCN once you've identified an HSCN Supplier.
Submitting a Connection Agreement if you're a Clinical Commissioning Group (CCG), Commissioning Support Unit (CSU) or GP practice
HSCN Connection Agreement for CSUs, CCGs and GPs
The HSCN Connection Agreement sets out the things HSCN customers must do before and whilst using HSCN. This includes the continuing use of the Transition Network as of 1 April 2017.
The Connection Agreement sets out three important things:
- Cyber and data security - a set of obligations aimed at improving cyber and data security across the whole health and care sector. Within these obligations there's a requirement to provide NHS Digital with a nominated security contact for each organisation that uses HSCN. It's possible for the CCG to act as, or to nominate another party (for example, a CSU or IT provider) to be, the security contact for each GP practice. It's important to note that as a data controller, responsibility for security of patient data remains with the individual GP practice.
- Third-party rights - provides rights for users of HSCN to seek redress against the providers of some services in HSCN in the event of the user suffering a loss through the action of the service provider. For example, if the Transition Network provider were to have a security breach that lost patient data (highly unlikely, it's never happened during 13+ years of N3), then those data controllers (such as practices and trusts) whose data had been lost would be able to seek financial redress against the provider of the Transition Network using the 'third-party rights' that the Connection Agreement confers.
- Commercial terms - the CSU, CCG or GP must use an approved HSCN Supplier and include some standard terms in the contract with the HSCN Supplier. Funding is available only for HSCN services provided by a supplier approved by the HSCN Programme - for example, services provided by a supplier that NHS Digital has approved as an HSCN supplier, under a contract that includes some mandatory terms.
Signing the Connection Agreement on behalf of one or more CCG or GP practices
- CSUs/CCGs should download and sign the 2-part Connection Agreement [585.34KB] available from the HSCN website.
- Download and complete the Additional Information - CSU, CCGs and GPs [188.12KB] form, including the required information for each GP practice that the Connection Agreement covers.
- Send the Additional Information form and a scanned version of the Connection Agreement to firstname.lastname@example.org. If any further information is required this will be requested by email. Otherwise you'll receive confirmation of the acceptance of the Connection Agreement within 10 working days.
We'll process your submission and notify you of the outcome using the email address that the submission is made from. For security, we recommend using NHSmail to send your submission.
You should ensure that you inform each CCG/GP practice that the Connection Agreement has been signed on their behalf, together with either a copy of the Connection Agreement or the key terms set out above.