Skip to main content
HSCN consumer handbook: contents

Service levels and incident severity classification


This page defines each service failure severity level. It also describes the complaints and escalations policy network providers should have in place, and who has responsibility for data security over the network.

Service levels 

CN-SPs shall comply with the minimum service levels set out in the HSCN CN-SP Service Management Requirement Addendum.

These service levels apply during the service hours contracted between the HSCN consumer and the CN-SP.

Incident severity classification

The following incident severity definitions shall be used as incident severity setting guidance.

Higher severity service incidents (HSSIs), sometimes referred to by suppliers as 'major incidents', are incidents that cause a serious interruption of business activities. For each severity level, the resolution time SLA may differ if the HSCN consumer has selected an alternate HSSI fix level in its Customer Service Specification Template under Crown Commercial Services framework RM3825.

Escalations and complaints

CN-SPs shall operate escalation and complaints processes, and these shall comply with the following principles:

  1. The party raising the escalation or complaint shall be kept informed of progress at an appropriate interval, as agreed with the party raising the escalation.
  2. All escalations and complaints shall be managed to an appropriate conclusion with agreed remedial actions to prevent reoccurrence.
  3. Escalations and complaints shall not be closed without the agreement of the party that raised them.
  4. Details of all escalations and complaints shall be retained on the audit trail for a period of two years.
  5. Activity should be undertaken by the party against whom the complaint was made in order to minimise the re-occurrence of the issues underlying reported escalations and complaints.

Data security

HSCN is a hybrid wide area network that provides both private and internet connectivity. The network benefits from security features implemented throughout HSCN to help detect, and prevent, malicious activity. It uses state of the art technology that offers enhanced protection to all HSCN consumers. The Cyber Security Operations Centre (CSOC) will contact organisations upon detection of any suspicious looking traffic that indicates a local compromise.

The network does not feature encryption by default. Data controllers remain responsible for implementing appropriate security, including encryption, to protect the data they are responsible for. CN-SPs must also support the use of encrypted traffic or could provide this functionality themselves as part of an overlay to the HSCN access circuits.

Your organisation must have signed the appropriate HSCN Connection Agreement with NHS Digital before migrating to HSCN. Therefore, you are bound to its terms and conditions relating to ownership of data and data security over HSCN.

The Information Governance Toolkit (IGT) has been replaced by the Data Security and Protection Toolkit (DPST). It is not necessary to complete a DPST assessment to gain access to HSCN. However, all organisations that have or require access to NHS patient data and systems must use this toolkit at least annually, to provide assurance that they are practising good data security and that personal information is handled correctly.

Data Controllers are responsible for providing security to prevent loss, tampering or inappropriate usage of their information. This includes the systems or services used to process and transmit their information.

This means that if patient data or personal data is transmitted across HSCN (or indeed any other network), then encryption must be used. It also means that if you provide systems or services over HSCN, it’s your responsibility to secure them and to make decisions about who can access those systems or services.

The National Cyber Security Centre have provided guidance on encryption and how to protect your data in transit.

Please note, in the context of this information, that CN-SPs must operate their networks in line with the requirements set out in the Communications-Electronics Security Group (CESG) Assured Services (Telecoms) CAS(T) scheme.

Last edited: 2 August 2019 2:29 pm