Connecting to HSCN

Summary

The HSCN Connection Agreement sets out the things HSCN customers must do before and whilst using HSCN.

The HSCN Connection Agreement

The Connection Agreement replaces the N3 Information Governance Statement of Compliance (IGSoC). In doing this, the arrangements for being able to use HSCN are separated from those relating to accessing data or systems available on HSCN.

Every organisation that wishes to use HSCN must complete a Connection Agreement. By "use HSCN", we mean 'send or receive data across HSCN'.

The HSCN Connection Agreement is organisation-centric. Each organisation needs to sign and submit only one Connection Agreement no matter how many locations or HSCN connections they have or use.

See a copy of the HSCN Connection Agreement. Please note this downloadable copy is for information purposes only. To submit a copy of the HSCN Connection Agreement for your organisation please follow the process below.

Signing the connection agreement

The HSCN Connection Agreement should be signed by an individual in a senior role in your organisation. Signing this agreement will also mean that your organisation is ready to be connected to the HSCN once you've identified an HSCN supplier.

The HSCN Connection Agreement can be signed online using via the HSCN Portal. To register for an account, please complete the self service registration process. You will need to know your Organisation Data Service (ODS) code and the contact details of the person to sign the Connection Agreement.

ODS codes are used to uniquely identify organisations within the health and social care sector. You can search for existing ODS codes using the ODS Portal (Transition Network/HSCN connection required). Register for an ODS code if you don't already have one.

When you've signed the Connection Agreement online you'll receive an automated confirmation email with a copy of the signed Connection Agreement attached.

Connection Agreement search

The HSCN Connection Agreement Search tool is available at https://crm.digital.nhs.uk/hscnconnectionagreementsearch/.

This tool allows you to check whether an organisation has signed an HSCN Connection Agreement; a mandatory requirement for connecting to HSCN. You can search for individual organisations by name or up to 100 organisations at a time by ODS code.

Existing Transition Network customers

An invitation to sign the HSCN Connection Agreement will have been sent to your organisations' nominated HSCN point of contact from NHS Digital. The email invitation includes instructions on how to register an account and submit a Connection Agreement using the online portal.

If you've not received an invitation then please complete the self service registration process now. You'll need to know your organisation’s ODS code and the contact details of the person who will sign the Connection Agreement. You can search for your ODS code using the ODS Portal (Transition Network/HSCN connection required).

Signing a Connection Agreement is a mandatory requirement for continuing to use the Transition Network ahead of your migration to HSCN and should be prioritised by your organisation as such.

HSCN Access Policy

The HSCN Authority (NHS Digital) has a policy which governs access to HSCN. Your organisation’s compliance with this policy is automatically determined during the course of the self service registration process.

Essentially, you must confirm that you agree with the “Acceptable Use” statement and specify, at a high level, what sorts of services your organisation offers. Depending on the information which you submit you will either be automatically approved or your application to sign an HSCN Connection Agreement (and thereby gain access to HSCN) will be paused pending manual approval by the HSCN Authority.

Who needs to complete a Connection Agreement?

The guidance below is intended to help you to understand the different types of Connection Agreement available and judge whether your organisation needs to sign a HSCN Connection Agreement.

The different kinds of Connection Agreement

There are three types of HSCN Connection Agreement:

  1. Standard - most HSCN users will sign this Connection Agreement
  2. Organisations representing other HSCN Consumers  - such as CCGs representing GPs
  3. IT service providers - organisations acting as data processors

In addition, for each type there are "1 Part" and "2 Part" sub-types:

  1. The 1 Part Connection Agreement relates to the use of HSCN only.
  2. The 2 Part Connection Agreement relates to the use of both the Transition Network (formerly N3) and HSCN.

The combination of these three types and two sub-types means that there are six possible variations of the HSCN Connection Agreement. 

The HSCN Portal will automatically present the correct type and sub-type for you to sign based on NHS Digital's understanding of your organisation. If for any reason you do not believe this is correct, please contact enquiries@nhsdigital.nhs.uk to discuss this.

Important note: if your organisation currently uses the Transition Network (formerly N3) then you need to sign a 2 Part Connection Agreement as soon as possible regardless of your HSCN migration plans/timelines.

Does my organisation need to sign a Connection Agreement?

All organisations using, or with access to HSCN will need to sign a Connection Agreement (subject to the "Shared Connection" scenario below). 

Answer the questions presented in Figure 1 below to ascertain whether your organisation needs to sign a Connection Agreement. Further information regarding the "Shared Connection Scenario" is given in the following section.

Figure 1. Connection Agreement business rules

Figure1. Connection Agreement Business Rules

The "Shared Connection Scenario" explained

If, for any reason, one or more other organisations use your HSCN connection, such as members of a community of interest network (CoIN), then you are responsible for ensuring that they are bound to the terms and conditions set out in the Connection Agreement. Clauses 4.2.2.1 and 4.2.2.2 in the Connection Agreement (paraphrased here) represent a choice that you can make about how to manage this:

  1. Ensure that any other organisations using your connection have signed the Connection Agreement (this is choice 4.2.2.1)
  2. Enter into a legally binding agreement with the organisations that use your connection with terms and conditions identical to those set out in the Connection Agreement (this is choice 4.2.2.2)

If you opt for 4.2.2.2 then the organisations using your connection do not need to sign a Connection Agreement. They will, however, need to enter into a legally binding agreement with your organisation which the HSCN Authority reserves the right to audit at any time.

Figure 2 below depicts a scenario in which an organisation has opted to follow clause 4.2.2.1. In this scenario an agreement exists between the HSCN Authority and both Org 1 and Org 2.

Figure 2. Scenario 4.2.2.1

Figure 2, Scenario 4.2.2.1

Figure 3 below depicts a scenario in which an organisation has opted to follow clause 4.2.2.2. In that scenario an agreement exists between:

  1. The HSCN Authority and Org 1
  2. Org 1 and Org 2

The "local" agreement between Org 1 and Org 2 means that Org 2 does not need to enter directly into an agreement with the HSCN Authority i.e. by signing the HSCN Connection Agreement. The risks and responsibilities associated with this option are held by Org 1. If, in future, Org 2 wants to procure its own HSCN connection then it must sign an HSCN Connection Agreement. The "local" agreement between Orgs 1 and 2 will not be sufficient for Org 2's chosen CNSP who is obliged to ensure that its customers have signed a Connection Agreement before delivering a live service.

Figure 3. Scenario 4.2.2.2

Figure 3. Scenario 4.2.2.2

Information Governance and data security

A Data Security and Protection Toolkit (DSPT) or an Information Governance Toolkit (IGT) is no longer a requirement to access HSCN.

However, all organisations that process health and care data are still required to meet the requirements of the DSPT and to provide evidence for this through an annual submission. This means that a current IGT or a DSPT is still required to access our national applications such as the NHS e-Referral Service (ERS), Personal Demographics Service (PDS) and Secondary Uses Service (SUS).

The DSPT is the successor framework to the IGT.

More information can be found at https://www.dsptoolkit.nhs.uk

Data security - what HSCN does and doesn't do

HSCN is a private network, designed as a reliable business resource to carry information, which is only available to certain organisations. This is very different from a 'secure' network.

HSCN doesn't provide security to prevent loss, tampering, authenticity or inappropriate usage of the information it carries or the systems or services available through it.

This means that if patient data or personal data is being transmitted across HSCN, then encryption must be used. It also means that if you provide systems or services over HSCN, it's your responsibility to secure them and to make decisions about who can access those systems or services.

The National Cyber Security Centre provides useful information on encryption and how to protect your data in transit.

Please note, in the context of this information, that HSCN Suppliers are obliged to operate their networks in line with the requirements set out in the Communications-Electronics Security Group (CESG) Assured Services (Telecoms) [CAS(T)] scheme.

More about the Connection Agreement

The Connection Agreement sets out a collaborative way of working, which means:

  • HSCN customers acknowledge responsibility for securing information - practically, this means that patient data should always be encrypted when being sent across any network, including the HSCN
  • ownership and responsibility for the use of the HSCN connection sits at a senior level within the organisation
  • HSCN customers give enough information to allow us to understand which organisations are using each HSCN connection
  • if there are organisations that haven't signed a Connection Agreement, then those organisations cannot route information to or from the HSCN - practically, this means making arrangements with your supplier to prevent this, for example by adding access restrictions to firewalls
  • HSCN customers provide security contact details so we can work with those customers if we detect or suspect a cyber incident or malicious activity across that HSCN connection
  • NHS Digital's Data Security Centre will work with HSCN customers to resolve issues - however, as the HSCN is an important business resource, NHS Digital does retain the right to restrict access in exceptional circumstances

The Connection Agreement also:

  • sets out arrangements that could apply in the event of a dispute with your supplier - these arrangements are designed to make dispute resolution simpler and more cost effective in the unlikely event that a dispute occurs
  • meets Data Protection responsibilities:
    • by clarifying the relationship between HSCN customers, NHS Digital and its service providers, such as the internet content checking service provider
    • by satisfying the Data Protection duty of data controllers to have written agreements with those parties that may process their data

Continuing to use N3 after 1st April 2017 until migration to HSCN

The N3 network became the Transition Network on 1st April 2017.

For N3 customers the Connection Agreement extended the provisions to the Transition Network from 1st April 2017. We call this the "2-part Connection Agreement". It includes data protection and data security obligations. It is necessary to complete the Connection Agreement as the N3 Access Agreement between the N3SP and the N3 customer ceased on 1st April 2017.