Registration Authority policy

1.1 Background

Users of national IT systems that support health and care services must be correctly identified and given appropriate access. This is done by creating and verifying a national digital identity for each user. Local Registration Authorities support this and consist of people and processes who create identities and manage access.

This policy forms part of the NHS England Digital Identity & Access Management Service. It supports the modern delivery of health and social care across boundaries and locations. It also makes sure that staff can access appropriate, up-to-date, clinical information at the point of need.

1.2 Purpose of document

This document explains national RA policy requirements. It outlines:

• the RA hierarchy and the principle of delegated authority to local organisations running their RA
• the requirements for creating a nationally verified digital identity
• the roles and responsibilities within organisations that run their own RA activity
• requirements relating to authentication and authentication methods using Smartcards and other approved devices
• the need to develop and implement a local RA policy
• what happens when an organisation fails to follow RA policy requirements
• requirements relating to temporary access and robot/non-human access

This policy reflects current best practice around Identity & Access Management as informed by the National Cyber Security Centre. This covers what needs to be considered when verifying an identity, as well as security requirements for authentication to clinical systems and other systems which hold personal information. This best practice includes:

• Good Practice Guide 43 - Requirements for secure delivery of online public services
• Good Practice Guide 44 - Using authenticators to protect an online service
• Good Practice Guide 45 - How to prove and verify someone’s identity

The policy is also based on:

• the original Department of Health Gateway document, ‘Registration Authorities: Governance Arrangements for NHS Organisations’ (reference number 6244)
• UK GDPR requirements

1.3 Scope

This policy applies to all local Registration Authorities and by extension, local organisations which run their own RA on a delegated basis from NHS England.

Policy requirements are specified according to the level of adherence:

• "Must" indicates an absolute requirement of the policy which cannot be deviated from
• "Must not" indicates an absolute prohibition of the policy
• "Should" indicates a requirement that may be deviated from in specific circumstances
• "Should not" indicates a requirement that may be accepted in specific circumstances
• "May" indicates a guidance and is not an absolute requirement

1.4 Terminology and acronyms

"Apply for Care ID" (AfCID) means the online service that is used by NHS staff to submit and verify their identity documents.

"Authorised Devices" means an alternative to physical smartcards: a device that provides Assured Level 2 or Level 3 Authentication. These additional authentication methods must meet the NIST SP800 - 63 Digital Identity Guidelines, which describe the cryptographic strength of authentication methods used to access special category data. For Assured Level 3 Authentication, devices and authentication methods must also meet FIDO2 standards for how devices use the required cryptography. They must also be accredited by the FIDO Alliance.

"Authentication Token" means Physical Smartcards and Authorised Devices which allow healthcare professionals to access clinical and personal information appropriate to their role and the type of identity solution.

"Care Identity Management" (CIM) means the service that allows RA Users to manage and assign permissions and authentication tokens to users.

"Care Identity Service" (CIS) means the service that allows users RA Users to manage end user access to patient and clinical data, including Care Identity Management and Apply for Care ID.

"Core identity attributes" means the fundamental attributes which make up an individual’s identity. These are name, date of birth or national insurance number.

"Data Protection Laws" means relevant legislation that protects the fundamental rights and freedoms of individuals regarding their right to privacy and the processing of their personal data. This also refers to decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, data protection authorities and other applicable Government authorities.

"Executive Management Team" (EMT) means a group of senior staff within an organisation that is responsible for the day-to-day operational management and governance of that organisation.

"Electronic Staff Record" (ESR) means the service provided by NHS Business Services Authority. This is used by NHSE to support the day-to-day management of staff records, including user access requests.

"NHSE" means NHS England.

"Public Key Infrastructure" (PKI) refers to a collection of tools, policies and procedures that help ensure the security of electronic transactions.

"Registration Authority Agent" (RA Agent) means an individual who has had appropriate training and is authorised to create and verify identities and assign authorisation tokens and access rights to a user. They can also perform a range of administrative tasks related to maintaining good RA records and processes.

"Registration Authority Agent ID Checker" (RA Agent ID Checker) means an individual who has had appropriate training who is authorised to undertake identity verification and creation.

"Registration Authority Manager" (RA Manager) means an individual appointed by the EMT of an organisation to set up and run its RA processes and procedures. They are responsible for ensuring good governance and annual reporting to the organisation’s EMT on RA activity. They must be trained to discharge these responsibilities and arrange training for all other RA team members. They can verify and create IDs and assign authorisation tokens and access rights to a user.

"Registration Authority" (RA) means NHS England as the single national RA. It also refers to all other organisations that run a local RA on a delegated authority basis from NHSE.

"Robotic Process Automation" (RPA) means the technology that allows for the automation of processes using automated robots.

"Sponsor" means an individual appointed by the EMT of an organisation who is authorised to request and approve that digital identities be created and that appropriate and specific access is assigned to staff within that organisation.

"Senior Responsible Officer" (SRO) means an individual in a senior leadership position within an organisation.

2.1 Registration Authority hierarchy

In PKI terms, NHSE is the single national Registration Authority and delegates the authority to run a local RA to other organisations.

Because of this, NHSE needs assurance that local organisations are operating appropriately and performing their duties effectively and consistently. This RA Policy outlines the minimum national requirements that must be followed at a local level and cannot vary. RA Managers must also read and follow the RA operational guidance.

2.2 Governance requirements

The mandatory governance requirements for organisations undertaking RA activities are as follows:

• The organisation must have a Board/EMT level individual who has overall accountability for the RA activity.
• This individual must report annually to the organisation on the RA activity.
• RA Managers are appointed by the Board/EMT. This appointment must be confirmed in an official document, such as minutes or a letter/email of appointment from the SRO.
• Every individual appointed to these positions must have a copy of the appointment evidence and make it available for inspection if asked.
• RA Managers are accountable for the running of RA activity in their organisation. They must set up systems and processes that ensure the policy requirements in this document are met.
• Any local processes must meet these policy requirements. Where catering for local organisation circumstances, these circumstances must not contradict the requirements set out in this document.
• RA Managers and Agents must keep up to date with national policy requirements, initiatives and changes. It is therefore mandatory to record their email address as part of their nationally verified digital identity.
• The Registration Authority and, where different, employing organisation must:
  • Have sufficient governance, processes and oversight in place to comply with Data Protection Laws. This includes, but is not limited to, providing fair processing information to all users. The RA should also ensure compliance with the NHS Code of Practice on confidential information and the Care Record Guarantee.
  • Be registered for the Data Security and Protection Toolkit and have a current latest status rating of ‘standards met’ as a minimum

Note that RA Managers are accountable to NHSE for upholding good RA practice in their organisation. Further information about roles and their specific responsibilities is found in section 3.2.

2.3 Creating and verifying a national digital identity

NHS England’s strategic aim is to create a single, accepted, trusted digital identity for health and care workers.

As the single national RA for health and social care, NHSE needs assurance that users are subject to the same digital standards of ID verification regardless of which organisation creates it.

This is vital as the identity created is a national identity and must be trusted by each organisation where an individual accesses data through the National Spine.

As such, general requirements are that:

• User identity verification must meet GPG 45 standards. This provides assurance that the identity is valid across any organisation the individual works within.
• The user’s identity must be created and verified using one of the following methods:
  • created manually in CIM and verified in a face-to-face meeting with the individual
  • created in CIS via a request from ESR
  • created and validated using Apply for Care ID
• Regardless of the verification method, users must provide original identification documents to the individual verifying their identity.

There are additional requirements relating to the way in which the user’s ID is verified.

2.3.1 Requirements relating to in-person verification

• The person verifying the user’s identity face-to-face must be trained to do so.
• The individual checking the identity must hold the role of RA Manager or RA Agent.
• The RA Manager must ensure that all other RA staff performing in-person ID checking receive the appropriate training.
• The RA Manager must ensure that appropriate checking standards exist. They also need to evidence good ID checking in line with the Data Security and Protection Toolkit standards.
• All individuals who check ID in a face-to-face setting should ensure that the ID documents checked meet the standard found here. However, GPG 45 and NHS Employers guidance around managed risk allow other documents to be considered if they meet GPG 45 evidence category requirements.

2.3.2 Requirements relating to remote verification

• Remote online verification, such as via Apply for Care ID, requires a health and care worker to:
  • provide digital images of original identification evidence documents
  • provide a photo of themselves that is compliant with the Home Office Passport Photo Requirements
  • undergo a face scan
• The service provider must then verify the digital identity and provide the result to NHSE.

2.3.3 For all verification methods

• A limited subset of identification evidence documents will be accepted to assure compliance with a GPG 45 assurance level of “High”.
• Where a user makes changes to their core identity attributes, the individual must provide appropriate documentary evidence. This evidence must be checked in a face-to-face meeting with a person holding a RA role.
• The local RA and, where different, employing organisation, must ensure that the Authentication Token provided to a user is appropriate for the user’s role. This is because different types of Authentication Tokens meet different levels of security classification. For more information, see the Registration Authority User’s Guide.
• NHS Smartcards or other AAL2 and AAL3 mechanisms must only be issued to individuals with a national verified digital identity. This is also the case for processes for issuing temporary access to an individual.
• Users must be able to easily access support; and report and receive assistance with:
  • operational issues
  • thefts
  • losses
  • unauthorised uses of authentication tokens
  • PIN/password resets
  • terminations of authentication tokens

2.4 Supported identity assurance levels

The Care Identity Service supports four levels of identity assurance outlined in GPG 45.In practice, CIS uses an identity verification standard of “High”. “High” is an enhanced version of a "Medium” identity, with the addition of a biometric indicator. You can find more information in the document in section 4.2

Users can create Level 1 and Level 2 identities where the individual does not need to access sensitive information. If the individual needs to access clinical or other sensitive data, then a Level 3 or Level 4 identity must be created.

In addition to the four levels of identity assurance under GPG 45, in specific circumstances Care Identity Service will allow for the creation of self-claimed identities.

These will be considered as part of the national digital identity set, although this will have restricted access via AAL2 mechanism (as an extension to 2.3.3) until the identity is verified in line with GPG45 standards.

2.5 Temporary access requirements

Organisations may need to issue temporary Smartcards to permanent and temporary staff, or to accommodate formal visits requiring access. Temporary access may also be granted to individuals in circumstances where the time taken to procure a Care Identity through formal channels would result in adverse impacts to patient care.

RA Users in an organisation must ensure that they appropriately manage temporary access to minimise the risk of unauthorised persons accessing sensitive and clinical data. Whilst NHSE recognizes that there is a need for flexibility in the way organisations manage temporary access, the following requirements are mandatory for all organisations:

• Temporary Smartcards must be issued on a time-limited basis and not used as a permanent substitute for regular Smartcard or other approved device/authentication methods issued as part of BAU circumstances.
• Temporary access cards must be issued in CIM and only bound to a TAC profile. This ensures access can be managed and recorded appropriately and that there is a clear audit trail.
• RA staff must ensure that temporary access cards are returned and disabled after the specified usage period has expired.
• Local organisations must take a risk-based approach to temporary access. Where it is unclear if temporary access is appropriate, they should use the relevant escalation routes to confirm.
• Local organisations must include details of the processes and controls concerning temporary access in their local RA policy.

You can find additional guidance around temporary access and Smartcards in the operational guidance document.

2.6 Requirements for robot profiles/non-human access

Organisations may use robot profiles to automate specific tasks. Robot profiles are created and assigned access as non-person specific user profiles via CIM, but have access levels that are specific to the task they are being created to do.

Organisations are responsible for ensuring that robot profiles are used in an appropriate manner and can be clearly differentiated from standard user profiles. As such, the following requirements are mandatory for all organisations using robot profiles:

• RA users must provide an e-mail address for the profile in the notes section of the access form. This allows NHSE and the organisation to identify a point of contact for any queries relating to the profile.
• Robot profiles must be created using CIS. This ensures that organisations can record and manage robot profiles appropriately and that there is a clear audit trail.
• Robot profiles must only be assigned access that is specific to the task they are assigned to do. Organisations should take a risk-based approach to access as defined by the Robotic Process Automation operational guidance.
• RA Users must not assign more than one robot identity per robot profile worker machine.
• RA Users creating robot profiles must follow correct naming conventions as specified in the Secure Robot Authentication Registration Authority Guidance document
• RA users must flag robot profiles using the “Robot” flag in CIM. This ensures they can be correctly identified and not mistaken for standard profiles.

NHSE actively monitors the use of robot profiles on a national level and reserves the right to terminate any RPA profile identified as operating contrary to the requirements in this policy.

You can find more information in the Secure Robot Authentication Registration Authority guidance document.

2.7 Requirements relating to NHS Smartcards and authentication methods

2.7.1 Requirements relating to physical smartcards

An NHS smartcard is the property of NHSE and moves with the user.

Organisations should not ask movers and leavers to return their physical smartcards as part of their local RA policy.

Where an individual leaves or moves to another organisation, the user must retain their smartcard for use in other organisations unless that user retires or is expected to leave the healthcare service permanently.

2.7.2 Principles concerning access to secure systems

This policy is informed by the need to reinforce a series of fundamental principles concerning how organisations grant access to secure systems, clinical data and sensitive information.

These principles influence the day-to-day governance and operations of organisations managing a local Registration Authority and are based on:

• practicing good hygiene regarding access management and promoting best practice
• ensuring that the technology and infrastructure remains up-to-date and adheres to NHSE’s Warrantied Environment Specification
• conducting regular access reviews and ensuring that access is removed or changed when a user moves organisation
• the principle of least privilege, ensuring that users only have the access they need to do their role
• ensuring that access is assigned appropriately

2.7.3 Requirements relating to legally closed organisations

RA users must proactively ensure that user access is removed in organisations that are no longer operational or legally closed.

The RA must complete RA operational closure activity within 6 months by migrating user access to a new organisation (if applicable) and then closing all user access in the old organisation as this prepares the organisation for operational closure in the directory.

2.7.4 Smartcard and authentication method requirements

NHSE allows a range of physical Smartcards, approved mobiles and tablets, devices/operating systems and other peripherals and authentication methods. Because the authentication methods and devices used can vary between organisations, there are a set of minimum mandatory requirements regardless of the method:

• All digital authentication methods must meet NIST SP800-63 Digital Identity Guidelines. These describe the cryptographic strength required from authentication methods used to access sensitive data.
• All devices and standards that are used for authentication must be accredited by the FIDO alliance.
• All RAs should support, with reasonable endeavours, NHSE-provisioned authenticators. This is because all RAs operate on a delegated authority basis from NHSE.

Any device or authentication method that meets both standards will be acceptable for authenticating to national clinical systems. Provided this is the case, the choice of device is left to the local organisation.

2.7.5 Requirements relating to safe receipt and use of Smartcards, devices and authentication methods

Smartcards, devices and authentication methods enable an individual to access sensitive patient data. As a result, how they are issued, ensuring safe receipt and appropriate use are of vital importance. The following are therefore mandatory requirements:

Smartcards, devices or other approved authentication methods issued to anyone holding RA Manager, RA(A)roles must be handed to that individual in a face-to-face encounter.

• Any risks related to the process of a Smartcard or Security key getting to the right person, or a device linked to that person, must be minimised.
• Local organisations must assure themselves that they have a robust and secure process in place to ensure that the NHS Smartcard, device or other approved authentication method reaches all non-RA end users for whom it is intended. This is important to avoid individuals gaining access to patient data when they are not entitled to.
• Organisations must ensure that their infrastructure is secure, in particular ensuring they meet the Warrantied Environment Specification and are compliant with Digital Security and Protection toolkit guidance issued by NHSE.
• The passcode for a non-temporary Smartcard/Device must only be known by the end user for whom it is intended. No one else, including RA staff, should know the passcode. If another individual knows the end user’s passcode, this is a breach of the Smartcard/Authorised Device terms & conditions and the Computer Misuse Act 1990.
• Users must be presented with the Terms & Conditions of Smartcard/Authorised Device use, which are accepted when a user authenticates for the first time. This reminds them of their responsibilities and obligations. These include not sharing their Smartcard/Authorised Device, leaving it unattended or disclosing their passcode to others. RA staff are reminded that it is their responsibility to ensure that users follow these terms & conditions.
• When users of Smartcards and other approved devices and authentication methods leave an organisation, they must have their access assignment end-dated in that organisation.
• Unless it is expected that they will not need access to another organisation in the future, leavers should retain their Smartcard.
• RA Users must ensure that the end user understands the authenticator terms & conditions. This is done by educating users about the practical implications of these terms & conditions.

2.8 Requirements relating to local RA Policy

There are several mandatory requirements that organisations running a local RA Activity must adhere to:

• Organisations that run a local RA activity must have a local policy outlining their approach
• The names of the organisations Board/EMT accountable person and RA Manager must be included within the policy. The policy must also outline the governance requirements placed on these individuals
• All users who hold a RA function must have a valid e-mail address recorded within Spine so that users can contact them in the event of a query or issue.
• Where there are changes to the named individuals, the local organisation’s policy must be updated to reflect these changes
• The local policy must not contradict the mandatory requirements contained within this national RA Policy.
• As a minimum, the local RA policy must cover:
  • governance arrangements
  • a demonstration of how the verification of identity meets the requirements specified in this RA Policy
  • roles and responsibilities
  • use of NHS smartcards and other approved devices
• The local policy must be signed off by the organisation at an appropriately senior level, such as the EMT or IG Committee on a delegated authority basis.

2.9 Policy enforcement

Where NHSE is made aware of breaches to this RA Policy, they will consider the situation and take appropriate remedial action. This will include discussing the situation with the organisation. It may also result in discussions with regulatory or professional bodies depending on the seriousness of the situation.

NHSE reserves the right to request that local organisations conduct an audit of their accesses or local policy. It also reserves the right to request a current version of the organisation’s local policy at any point in time.

The following roles are involved in the management and administration of RA within an organisation. These are:

• Board/EMT accountable individual
• RA Manager
• RA Agent
• RA Sponsor

The Board/EMT accountable individual and RA Manager have specific responsibilities in relation to RA activities. Details of RA Agent and RA Sponsor responsibilities can be found in the appendices.

3.1 Board/EMT accountable individual

The Board/EMT person holds overall accountability for RA activity within an organisation. Although they do not typically involve themselves in the day-to-day administration of RA activity, they have the following responsibilities:

• The Board/EMT person who is accountable for RA activity within the organisation must be overtly identified and named. This ensures that the RA Manager has a clear escalation point with which to raise issues.
• The Board/EMT individual must report to the Board/EMT annually on RA activity.
• The Board/EMT person must sign off on RA Data Security and Protection Toolkit submissions

3.2 RA Manager

The RA Manager is responsible for day-to-day management of RA activities in the organisation. As such:

• The RA Manager must agree and sign off on local operational processes and guidance, and assure themselves regularly that these processes are being adhered to.
• The RA Manager must accept overall accountability for registering RA Staff in their own organisations. They are also responsible for any RA Managers in organisations they provide registration services to, or manage registration services within.
• The RA Manager must ensure that RA Agents and RA Sponsors within their organisation receive effective training relevant to their roles.

RA Managers must ensure that identity checking is carried out by themselves or RA Agents

4.1 Regulatory documents

• The Data Protection Act 2018
• Regulation (EU) 2016/679, the ‘General Data Protection Regulation’ (GDPR)
• The Privacy and Electronic Communications Regulations 2003
• Computer Misuse Act 1990

4.2 Supporting policies

• NHS Code of Practice on confidential information
• Home Office passport photo requirements
• Warrantied Environment Specification

4.3 Additional guidance and resources

• Good Practice Guide 43: Requirements for secure delivery of online public services
• Good Practice Guide 44: Using authenticators to protect an online service
• Good Practice Guide 45: How to prove and verify someone’s identity
• NIST SP800 - 63: Digital Identity Guidelines
• FIDO Alliance certified products
• Registration Authority operational guidance
• Registration Authority users guide
• Secure robot authentication Registration Authority guidance
• Smartcards for temporary staff and visitors

RA Managers are responsible for:

• running RA processes and governance in their organisation - this responsibility cannot be delegated to another role.

• the development of local processes that meet policy and guidance for:
  • creating digital identities
  • issuing and managing smartcards
  • assigning and managing security devices
  • assigning and managing access rights
  • managing user profiles
  • reviewing access periodically and amending or removing access rights where required.
  • certificate renewal
  • card unlocking
  • implementing RA Policy and local processes which adhere to RA Policy
  • assigning, sponsoring and registering RA Agents and Sponsors
  • training RA Agents and RA sponsors, ensuring they are competent to carry out their roles and that they adhere to policy and process.
  • training RA Managers at the next level down, where their RA Hosting organisation has a child hosting organisation
  • facilitating the process for agreeing the organisation’s access control positions
  • auditing
  • making sure users are compliant with the terms and conditions of Smartcard usage and other registered devices
  • verifying users’ identities to GPG Level 3 or 4 standards
  • maintaining the security of old and paper-based RA records
  • ensuring all local and national service issues are appropriately raised

RA Managers may delegate some activities to other roles within the organisations. These delegated permissions do not extend to the points covered above. This is further explained below:

RA Agents are responsible for:

• verifying users’ identities to GPG Level 3 or 4 standards

• registering users and providing them with NHS Smartcards and other registered devices

• granting users’ access assignment

• renewing NHS Smartcard certificates for users if self-service functionality is not used

• making sure users comply with the terms and conditions of Smartcard/Authorised Security Device usage at the time they are registered or assigned a role in the organisation

• making sure leavers from an organisation have their access rights removed in a timely way

• following local processes that meet policy and guidance for:
  • digital identities
  • production of Smartcards
  • allocation and registration of other approved devices
  • assignment of access rights
  • modifications to access and people
  • certificate renewal
  • card unlocking

RA Sponsors:

• can invite a new user to complete the self-service journey

• approve users’ assignment to access control positions, or directly manage the assignment of designated assignable positions
• unlock smartcards and renew smartcard certificates for non-RA staff
• cannot verify users’ identities