Version 2.5 – Published 24/08/2022
These terms and conditions cover your use of Care Identity Service 2 (CIS2) and Care Identity Service (CIS). Terms applicable to the use of the website on which these terms are hosted are available See the terms applicable to the use of the website on which these terms are hosted.
The following terms have the following meanings in these terms and conditions:
- “Authorised Devices2” means an alternative to smartcards, a device as approved by FIDO2 Consortium that provides Assured Level 3 Authentication
- “Authentication Token” means Physical Smartcards, Virtual Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal information appropriate to their role and the type of Identity Solution.
- “CIS” is the existing system which supports NHS Smartcards over the Health and Social Care Network (HSCN).
- “CIS2” (Formerly NHS Identity) supports new Authentication methods and Tokens available over the Internet.
- “iPad Device” means a tablet computer developed by Apple
- "NHS Spine" means a series of infrastructure services such as authentication which allows the NHS to electronically communicate, securely and confidentially.
- “Physical Smartcards” means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS Digital and are similar to chip and PIN bank cards
- “Registration Authority (RA)” means NHS Digital as the single national Registration Authority and all other organisations that provide local Registration Authority services on a delegated authority basis from NHS Digital.
- “Virtual Smartcards” means a solution that provides access functionality, but the card itself may be stored on a device, approved for use by NHS Digital and or its partners.
NHS Digital is the single national RA (as per public key infrastructure (PKI) terms), local RAs are organisations that run Registration Authority services on a delegated authority basis from NHS Digital.
Find out more about NHS Digital.
Local RAs are organisations (that are usually part of the NHS or third parties providing NHS services and with a remit beyond running RA services), that carry out the identity checks of applicants to create their national verified digital identity and assign access permissions as approved by the employing organisation’s policy. Find your local RA.
Every RA must adhere to the NHS RA Policy at all times. The NHS RA Policy is subject to revision from time to time.
These terms and conditions are between you and all Registration Authorities who provide Registration Authority services to you.
Mentions of "us" and "we" mean NHS Digital and all local RAs and "you" means anyone using CIS, CIS2 and NHS Spine.
By clicking on the ‘Accept Terms and Conditions’ button at the bottom of this declaration, you the applicant confirm the following:
1. You understand and accept that your personal data will be used by us as described in the privacy notice for users of CIS2 and CIS privacy notice for users of CIS2 and CIS. Each user must have their identity assured and verified to the relevant standard applicable at the time of registration. This is currently Good Practice Guide GPG45 (or recognised successor) on the identity proofing and verification of an individual to a minimum of Level 3. This requirement may be refreshed from time to time.
2. You confirm that the information which you provide in the process of your application is accurate. You agree to notify your local Registration Authority immediately of any changes to this information.
3. You understand and accept that the Authentication Token, (with the exception of personal devices) issued to you is the property of / licensed to the health and social care bodies providing it to you, and you agree to use it only in the normal course of your employment or contract arrangement.
4. If you wish to use Apply for Care ID you must have an internet connection and an appropriate device for access, like a smartphone. We do not guarantee that Apply for Care ID will always be available, or that access to it will be error free.
5. We may suspend, stop, remove, update or change CIS, CIS2 or Apply for Care ID without notice at any time.
6. You agree that you will check the operation of your Authentication Token promptly after you receive it. This will ensure that you have been granted the correct access profiles. You also agree to notify your local Registration Authority promptly if you become aware of any problem with your Authentication Token or your access profiles.
7. You understand that the suppliers of some Virtual Smartcards / other Approved Authentication Tokens may process personal data about you as an independent Controller, and may have applicable privacy policies and terms and conditions. You will be presented with these as part of download/registration and are responsible for reviewing and abiding by these.
8. You agree that you will keep your Authentication Token private and secure and that you will not permit anybody else to use it or to establish any session with the NHS Spine applications. You will not share your passcode with any other user. You will not write your passcode down, nor use any kind of electronic storage (media or otherwise) to store it, for example by using a programmable function key on a keyboard. You will take all reasonable steps to ensure that you always leave your workstation secure when you are not using it by removing your Physical Smartcard, ensuring your Virtual Smartcard has disconnected or locking your Authorised Device or iPad Device. If you lose your Physical Smartcard, device on which a Virtual Smartcard is stored, Authorised Device or iPad Device or if you suspect that your Authentication Token has been stolen or used by a third party, you will report this to your local Registration Authority as soon as possible.
9. You agree that you will only access the NHS Spine application by using an Authentication Token approved by NHS Digital. You agree that your use of the Authentication Token, the NHS Spine applications and all patient data shall be in accordance with the NHS Confidentiality Code of Practice and (where applicable) in accordance with your contract of employment or contract of provision for service (whichever is appropriate) and with any instructions relating to the NHS Spine applications which are notified to you.
10. In respect of each service or product accessible through NHS Spine you agree that you will follow any instructions or conditions for use provided in respect of such service or product.
11. You agree not to maliciously alter, neutralise, circumvent, tamper with or manipulate your Authentication Token, NHS Spine applications components, the Apply for Care ID service or any access profiles given to you.
12. You agree not to deliberately corrupt, invalidate, deface, damage or otherwise misuse any NHS Spine applications or information stored by them or the Apply for Care ID service. This includes, but is not limited to, the introduction of computer viruses or other malicious software that may cause disruption to the services or breaches in confidentiality.
13. You acknowledge that your access may be audited. You understand and accept that your Authentication Token may be revoked, or your access profiles changed at any time without notice if you breach these terms and conditions; if you breach any guidance or instructions notified to you for the use of the NHS Spine applications or if such revocation or change is necessary as a security precaution. You also understand and accept that if you breach these terms and conditions this may be brought to the attention of your employer (or governing body in relation to independent contractors) who may then take appropriate action (including disciplinary proceedings and/or criminal prosecution).
14. You understand and accept that the Registration Authority’s sole responsibility is for the administration of access profiles and the issue of Authentication Token for the NHS Spine applications. The Registration Authority is not responsible for the availability of CIS, CIS2, the NHS Spine applications or applications which use NHS Spine authentication or the accuracy of any patient data.
15. You understand and accept that you, or your employer, shall notify your local Registration Authority at any time should either wish to terminate these terms and conditions and to have your Authentication Token revoked e.g. on cessation of your employment or contractual arrangement with health care organisations or other relevant change in your job role.
16. We own or have the right to use all intellectual property rights ("NHS IPR") used for the provision of CIS, CIS2 and Apply for Care ID. This includes rights in copyright, patents, database rights, trademarks and other intellectual property rights. You have permission to use CIS, CIS2 and Apply for Care ID for the sole purposes described in these terms and conditions. You need written permission from us or any other owner of NHS IPR to use these items in any other way.
17. Unless permitted by law or under these terms and conditions, you will:
- not copy CIS, CIS2 or Apply for Care ID except where such copying is incidental to normal use
- not rent, lease, sub-license, loan, translate, merge, adapt, vary or modify CIS, CIS2 or Apply for Care ID
- not combine or incorporate CIS, CIS2 or Apply for Care ID with any other programs or services
- not disassemble, decompile, reverse-engineer or create derivative works based on any part of CIS, CIS2 or Apply for Care ID
- comply with all technology control or export laws that apply to the technology used by CIS, CIS2 or Apply for Care ID
18. You understand and accept that we may unilaterally change CIS, CIS2, Apply for Care ID and these terms and conditions from time to time, and unless otherwise stated such changes will be effective immediately they become available. The latest version of these terms and conditions will be accessible and in your CIS2 / CIS account. We will inform you through your CIS2 / CIS account if we make any material changes to these terms and conditions, and will also send an email notification to all RA managers.
19. Although we make reasonable efforts to provide, maintain and update a robust CIS, CIS2 and Apply for Care ID service, they are provided 'as is'. To the extent allowed by law we make no expressed or implied representations, warranties or guarantees that your access to, or use of, CIS, CIS2 or Apply for Care ID will be unbroken or completely secure.
20. We will not be liable or responsible for any loss or damage caused by a virus, denial of service attack or any other harmful material that may infect your device, equipment, programs, data or other proprietary material due to your use of CIS, CIS2 or Apply for Care ID.
21. Nothing in these terms and conditions excludes or limits our liability for i) death or personal injury as a result of our negligence, ii) fraud or fraudulent misrepresentation or iii) any other liability which cannot be excluded or limited under English law.
22. Subject to the previous paragraph we will not be liable or responsible for any
- loss or damage not caused by our breach of these terms and conditions
- business loss
- loss or damage arising from an inability to access or use CIS, CIS2 or Apply for Care ID
- indirect or subsequent losses that were not foreseeable to both you and us when you started using CIS, CIS2 or Apply for Care ID
23. Business loss includes loss of profits, revenue, contracts, savings, data, goodwill and wasted expenditure. Loss or damages are ‘foreseeable’ when they are an obvious result of our breach of these terms and conditions. Loss or damages are also 'foreseeable' if they were considered by you and us when you began using CIS, CIS2 or Apply for Care ID.
24. Each of the sections within these terms and conditions operate separately. If any section is invalid or unenforceable pursuant to applicable law, it will be superseded by a valid and enforceable provision that most closely matches the intent of the original. This includes warranty disclaimers and exclusions, and limits of liability. The remainder of these terms and conditions shall continue in effect.
25. If we delay in enforcing these terms and conditions, we can still enforce them later. If we do not insist right away that you follow the requirements within these terms and conditions, or we delay in taking steps against you if you break them, this will not prevent us from taking steps against you or prevent your need to follow the requirements at a later date.
26. You understand and accept that these terms and conditions form a binding agreement between yourself and all Registration Authorities who provide Registration Authority services to you. Non-compliance may also be treated as a disciplinary matter by your employer.
27. You understand and accept that these terms and conditions are governed by English law and that the English courts shall settle any dispute under these terms and conditions.