Approved authentication tokens privacy notice and terms and conditions for NHS Care Identity Service 2 (NHS CIS2) and Care Identity Service (CIS) users

Version 2.4 – published 26 April 2021

The following terms have the following meanings in this privacy notice:

• “Authorised Devices¹” means an alternative to smartcards, a device as approved by FIDO 2 Consortium that provides Assured Level 3 Authentication.
• “Authentication Token” means Physical Smartcards, Virtual Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal information appropriate to their role and the type of Authentication Token.
• “CIS” is the existing system which supports NHS Smartcards over the Health and Social Care Network (HSCN).
• “CIS2” (formerly NHS Identity) supports new authentication methods and tokens available over the internet.
• “iPad Device” means a tablet computer developed by Apple.
• “Physical Smartcards” means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS Digital and are similar to chip and PIN bank cards. 
• “Registration Authority (RA)” means NHS Digital as the single national Registration Authority and all other organisations that provide local Registration Authority services on a delegated authority basis from NHS Digital. 
• “Virtual Smartcards” means a solution approved for use by NHS Digital that provides access functionality, but the card itself may be stored on a device.

NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. We exist to help patients, clinicians, commissioners, analysts and researchers. Our goal is to improve health and social care in England by making better use of technology, data and information.

NHS Digital is the single national RA (as per public key infrastructure (PKI) terms) - local RAs are organisations that run registration authority services on a delegated authority basis from NHS Digital.

Find out more about NHS Digital

Local RAs are organisations (that are usually part of the NHS and with a remit beyond running RA services), that carry out the identity checks of applicants to create their national verified digital identity and assign access permissions as approved by the employing organisation’s policy. Find your local RA.

Every RA must adhere to the NHS RA Policy at all times. The NHS RA Policy is subject to revision from time to time.

Mentions of "us" and "we" mean NHS Digital and all local RAs and "you" means anyone using the NHS Spine.

This privacy notice details the personal data processed in relation to CIS2 and CIS. In relation to this processing NHS Digital and local RAs are joint controllers (alongside the Secretary of State as detailed below). 

Both NHS Digital and local RAs may also process data about you in connection with provision of other services, you can find details about these on NHS Digital’s and local RAs’ websites.

We provide Care Identity Service 2 (CIS2) and Care Identity Service (CIS) as separate related services which interact. CIS2 is aimed at new authentication methods and tokens accessed over the internet. CIS supports NHS Smartcards over HSCN. In time, there are plans to provide NHS Smartcard authentication over the Internet. Both CIS2 and CIS will continue to run interacting with each other. The expectation is that CIS will eventually be retired.

We will collect your personal data, some of which you provide in your application to this service, some of which is collected by cookies when you access NHS Spine applications and some of which we generate. 

The personal data we collect from you or your access is:

• title
• names
• date of birth (DoB)
• 1 or more ID evidence document numbers and date of issue
• address identification evidence source and date of issue
• photo image

The personal data we generate is the access profile(s) assigned to you by your local RA, based upon your role and responsibilities and as approved by your employing organisation’s policy.

We collect this personal data from you to enable you to use the CIS2 and CIS service to prove your identity and be issued with an Authentication Token. This will allow you to access NHS Spine with appropriate role-based access to systems and data.

NHS Spine applications include: EPS, GP to GP, GPES, GPITF, NHS e-RS, SCR, SUS+, Spine CIS, Spine CIS2.  Find these in our Services A-Z.

Collecting this information also allows us to manage our service, so that we can:

• manage and improve the service
• provide data in support of the service

NHS Digital is directed by the Secretary of State for Health and Social Care, under powers conferred by the Health and Social Care Act 2012 and regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013.

The relevant directions are the Health and Social Care Information Centre (Spine Services) (No.2) Directions 2014, and the Novation of Information and Technology Contracts from DH to NHS Digital: Electronic Prescription Service, Health and Social Care Network, N3, NHS Choices, NHS e-Referral Service, Secondary Uses Service (SUS), Spine (Named Programmes) Directions 2016.

As NHS Digital processes personal data under the legal direction from the Secretary of State, then the organisations are joint controllers for data protection purposes. Acting under NHS Digital’s delegated authority local RAs are also joint controllers with NHS Digital. The legal bases under the Data Protection Act 2018/General Data Protection Regulation (GDPR) for the processing is explained here.

RA processing of personal data:

GDPR Article 6(1)(c) – the ‘processing is necessary for compliance with a legal obligation to which the controller is subject’

RA processing of special category data (sensitive personal data):

GDPR Article 9(2) (h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.

Data Protection Act 2018, schedule 1, part 1, paragraph 2, sub paragraph (2), sub paragraph (f) – ‘the management of health care systems or services or social care systems or services’.

Secretary of State processing of personal data:

GDPR Article (6)(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

We only collect, use and share your information when we have an appropriate legal basis to do so.

This data will be processed by:

• local RA’s for the purposes of validating your identity, managing your Authentication Token and ensuring that you are given appropriate access to NHS Spine applications, or applications that utilise the NHS Spine authentication
• NHS Digital to record your use of the NHS Spine applications
• NHS Digital for disclosure and auditing of access to systems, such as to the Summary Care Record (SCR) and in accordance with any complaint, investigation or as required by appropriate legislation

Local RA’s will exchange details with your employing organisation about your access profile (such as what systems you have access to) in order to provide the RA service.

How your employing organisation uses your personal data will be detailed in their own privacy notice. You should read this so that you are clear on how your personal information is managed.

If you use some Approved Authentication Tokens the suppliers of these will register (or de-register) you as a user in their system, acting as a processor for NHS Digital. In order to do this we will share the UUID, first name, last name and work email address that you have already provided to us as part of the basic user registration process you underwent to establish an NHS nationally verified digital identity.

In addition, such suppliers may also collect and process personal data about your usage, acting as independent controllers. How such suppliers use your personal data will be detailed in their own privacy notice, no personal data is shared back to us. You should read this privacy policy so that you are clear on how your personal data is managed.

If you use Virtual Smartcards:

Entrust: The RA will register (or de-register) you as a user in Entrust’s Cloud-based Multi-Factor Authentication platform Intellitrust, with Entrust acting as a processor for NHS Digital. In order to do this we will share the UUID, first name, last name and work email address that you have already provided to us as part of the basic user registration process you underwent to establish an NHS nationally verified digital identity. 

To form the basis for the virtual smartcard, you must download and register the Entrust Datacard IdentityGuard Mobile Smart Credential (Entrust App) on your smartphone. Then Entrust’s ‘Intellitrust‘ platform downloads a certificate onto your smartphone which completes the process. The Entrust App itself does not collect, use, save, or have access to any of your personal information when you download or use it.

We may need to share your personal data if we are required to do so by law.

We take the security of your personal information very seriously. We have set up security measures, policies and procedures to make sure your personal information is protected.

We protect your personal information by:

• training staff to understand data and security protection
• ensuring security and confidentiality policies are in place for our staff who have access to personal information
• monitoring our service
• following good practice guidance provided by the National Cyber Security Centre
• using legally binding agreements with all organisations that we appoint to process your personal information

We store your personal information for as long as is reasonably necessary and legally justifiable. The length of time we store your information for will depend on legal, regulatory or technical requirements. In any event, we follow the Records Management Code of Practice for Health and Social Care (2016). The retention periods are explained here.

Your data will:

• be held throughout your time as an active user and will be retained for up to 40 years after your NHS verified digital identity has been closed, at which point it will be subject to review
• not be transferred out of the European Economic Area
• not be used for any automated decision making

You have the right to access your data. As an active Authentication Token holder, you can view your data in My Profile within CIS2 and CIS. If you can no longer access CIS2 and CIS for any reason, please contact your local RA. Once you are no longer working in healthcare, you can make a subject access request to NHS Digital (see contact details below).

You have the right to rectify inaccuracies in your data. You should update your own contact details within My Profile in CIS2 and CIS. In case of difficulties, if your personal details have changed or you need to make other amendments please contact your local RA.

You have the right to complain (see the contact details below).

You do not have the right to erase your data, object to it being recorded, transport it elsewhere, withdraw consent to its capture or use, or restrict its processing. This is because the capture and processing of this data is necessary for a statutory requirement and the provision of the service. NHS Digital is also legally bound to record this data. Once you leave health and social care, your local RA will close your user profile. This may be reopened if you return to working within health and social care.

For all operational enquiries, including Authentication Token and access assignment, always contact your local RA.

See how NHS Digital looks after your information

To ask any question or make a complaint about how your data is used, you can contact NHS Digital on 0300 303 5678 (9am to 5pm Monday to Friday excluding bank holidays) or email enquiries@nhsdigital.nhs.uk.

You can also write to:

Data Protection Officer
NHS Digital
The Leeds Government Hub
7&8 Wellington place
Leeds
LS1 4AP

If you have concerns or complaints about our information rights practices, you can report them to the Information Commissioner’s Office on 0303 123 1133 (9am to 5pm Monday to Friday excluding bank holidays) or use live chat at ico: Make a complaint

You can also write to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Our privacy notice may change. The latest version of our privacy notice is available on our website and through your CIS2/CIS account. We will inform you through your CIS2/CIS account if we make any material changes to our privacy notice, and will also send an email notification to all RA managers.

Version 2.4 – Published 26 April 2021

These terms and conditions cover your use of Care Identity Service 2 (CIS2) and Care Identity Service (CIS). See the terms applicable to the use of the website on which these terms are hosted.

The following terms have the following meanings in these terms and conditions:

• “Authorised Devices²” means an alternative to smartcards, a device as approved by FIDO 2 Consortium that provides Assured Level 3 Authentication.
• “Authentication Token” means Physical Smartcards, Virtual Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal information appropriate to their role and the type of identity solution.
• “CIS” is the existing system which supports NHS Smartcards over the Health and Social Care Network (HSCN).
• “CIS2” (formerly NHS Identity) supports new authentication methods and tokens available over the internet.
• “iPad Device” means a tablet computer developed by Apple.
• “Physical Smartcards” means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS Digital and are similar to chip and PIN bank cards. 
• “Registration Authority (RA)” means NHS Digital as the single national Registration Authority and all other organisations that provide local Registration Authority services on a delegated authority basis from NHS Digital.
• “Virtual Smartcards” means a solution that provides access functionality, but the card itself may be stored on a device, approved for use by NHS Digital and or its partners.

NHS Digital is the single national RA (as per public key infrastructure (PKI) terms), local RA’s are organisations that run Registration Authority services on a delegated authority basis from NHS Digital.

Find out more about NHS Digital.

Local RAs are organisations (that are usually part of the NHS and with a remit beyond running RA services), that carry out the identity checks of applicants to create their national verified digital identity and assign access permissions as approved by the employing organisation’s policy. Find your local RA.

Every RA must adhere to the NHS RA Policy at all times. The NHS RA Policy is subject to revision from time to time.

These terms and conditions are between you and all Registration Authorities who provide Registration Authority services to you.  

Mentions of "us" and "we" mean NHS Digital and all local RAs and "you" means anyone using the NHS Spine.

By clicking on the ‘Accept Terms and Conditions’ button at the bottom of this declaration, you the applicant confirm the following:

1. You understand and accept that your personal data will be used by us as described in the privacy notice for users of CIS2 and CIS. Each user must have their identity assured and verified to the relevant standard applicable at the time of registration. This is currently Good Practice Guide GPG45 (or recognised successor) on the identity proofing and verification of an individual to a minimum of Level 3. This requirement may be refreshed from time to time.
2. You confirm that the information which you provide in the process of your application is accurate. You agree to notify your local Registration Authority immediately of any changes to this information.
3. You understand and accept that the Authentication Token, (with the exception of personal devices) issued to you is the property of/licensed to the health and social care bodies providing it to you, and you agree to use it only in the normal course of your employment or contract arrangement.
4. You agree that you will check the operation of your Authentication Token promptly after you receive it. This will ensure that you have been granted the correct access profiles. You also agree to notify your local Registration Authority promptly if you become aware of any problem with your Authentication Token or your access profiles.
5. You understand that the suppliers of some Virtual Smartcards/other Approved Authentication Tokens may process personal data about you as an independent Controller, and may have applicable privacy policies and terms and conditions. You will be presented with these as part of download/registration and are responsible for reviewing and abiding by these.
6. You agree that you will keep your Authentication Token private and secure and that you will not permit anybody else to use it or to establish any session with the NHS Spine applications. You will not share your Passcode with any other user. You will not write your Passcode down, nor use any kind of electronic storage (media or otherwise) to store it, for example by using a programmable function key on a keyboard. You will take all reasonable steps to ensure that you always leave your workstation secure when you are not using it by removing your physical Smartcard, ensuring your virtual Smartcard has disconnected or locking your Authorised Device or iPad Device. If you lose your Smartcard, Authorised Device or iPad Device or if you suspect that your Authentication Token has been stolen or used by a third party, you will report this to your local Registration Authority as soon as possible.
7. You agree that you will only access the NHS Spine application by using an Authentication Token approved by NHS Digital. You agree that your use of the Authentication Token, the NHS Spine applications and all patient data shall be in accordance with the NHS Confidentiality Code of Practice and (where applicable) in accordance with your contract of employment or contract of provision for service (whichever is appropriate) and with any instructions relating to the NHS Spine applications which are notified to you.
8. You agree not to maliciously alter, neutralise, circumvent, tamper with or manipulate your Authentication Token, NHS Spine applications components or any access profiles given to you.
9. You agree not to deliberately corrupt, invalidate, deface, damage or otherwise misuse any NHS Spine applications or information stored by them. This includes, but is not limited to, the introduction of computer viruses or other malicious software that may cause disruption to the services or breaches in confidentiality.
10. You acknowledge that your access may be audited. You understand and accept that your Authentication Token may be revoked, or your access profiles changed at any time without notice if you breach this Agreement; if you breach any guidance or instructions notified to you for the use of the NHS Spine applications or if such revocation or change is necessary as a security precaution. You also understand and accept that if you breach this Agreement this may be brought to the attention of your employer (or governing body in relation to independent contractors) who may then take appropriate action (including disciplinary proceedings and/or criminal prosecution).
11. You understand and accept that the Registration Authority’s sole responsibility is for the administration of access profiles and the issue of Authentication Token for the NHS Spine applications. The Registration Authority is not responsible for the availability of the NHS Spine applications or applications which use NHS Spine authentication or the accuracy of any patient data.
12. You understand and accept that you, or your employer, shall notify your local Registration Authority at any time should either wish to terminate this Agreement and to have your Authentication Token revoked, such as on cessation of your employment or contractual arrangement with health care organisations or other relevant change in your job role.
13. You understand and accept that we may unilaterally change these terms and conditions from time to time, and unless otherwise stated these will be effective from publication. The latest version of our privacy notice is available on our website and through your CIS2/CIS account. We will inform you through your CIS2/CIS account if we make any material changes to these terms and conditions, and will also send an email notification to all RA managers.
14. You understand and accept that these terms and conditions form a binding Agreement between yourself and all Registration Authorities who provide Registration Authority services to you. Non-compliance may also be treated as a disciplinary matter by your employer.
15. You understand and accept that this Agreement is governed by English law and that the English courts shall settle any dispute under this Agreement.