Approved authentication tokens privacy notice and terms and conditions for NHS Care Identity Service 2 (NHS CIS2) and Care Identity Service (CIS) users

Version 2.5 – Published 24/08/2022

The following terms have the following meanings in this privacy notice:

• “Authorised Devices¹” means an alternative to smartcards, a device as approved by FIDO2 Consortium that provides Assured Level 3 Authentication.
• “Authentication Token” means Physical Smartcards, Virtual Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal information appropriate to their role and the type of Authentication Token.
• “CIS” is the existing system which supports NHS Smartcards over the Health and Social Care Network (HSCN).
• “CIS2” (Formerly NHS Identity) supports new authentication methods and Authentication Tokens available over the internet
• “iPad Device” means a tablet computer developed by Apple.
• "NHS Spine"  means a series of infrastructure services such as authentication which allows the NHS to electronically communicate, securely and confidentially.
• “Physical Smartcards” means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS Digital and are similar to chip and PIN bank cards
• “Registration Authority (RA)” means NHS Digital as the single national Registration Authority (for England) and all other organisations that provide local Registration Authority services on a delegated authority basis from NHS Digital.
• "Apply for Care ID" means a solution enabling your identity to be verified remotely to support creation of a verified digital identity within CIS and CIS2.
• “Virtual Smartcards” means a solution approved for use by NHS Digital that provides access functionality, but the token itself may be stored on an authorised device.

NHS Digital was set up by the Department of Health and Social Care in April 2013 and is an executive non-departmental public body that provides national information, data and IT systems for health and care services. We exist to help patients, clinicians, commissioners, analysts and researchers. Our goal is to improve health and social care in England by making better use of technology, data and information.

NHS Digital is the single national RA (as per public key infrastructure (PKI) terms), local RAs, are organisations that run Registration Authority services on a delegated authority basis from NHS Digital. 

Find out more about NHS Digital

Local RAs are organisations (that may be part of the NHS or authorised third parties providing NHS services and with a remit beyond running RA services), that carry out the identity checks of applicants to create their national verified digital identity and assign access permissions as approved by the employing organisation’s policy. Find your local RA.

Every RA must adhere to the NHS RA Policy at all times. The NHS RA Policy is subject to revision from time to time.

Mentions of "us" and "we" mean NHS Digital and all local RAs and "you" means anyone using CIS, CIS2 and NHS Spine.
This privacy notice details the personal data processed in relation to CIS2 and CIS.  In relation to this processing NHS Digital and local RAs are joint controllers (alongside the Secretary of State as detailed below). 

Both NHS Digital and local RAs may also process data about you in connection with provision of other services, you can find details about these on NHS Digital’s and local RAs’ websites.

We provide Care Identity Service 2 (CIS2) and Care Identity Service (CIS) as separate related services which interact.  CIS2 is aimed at new authentication methods and Tokens accessed over the internet including Authorised Devices and iPad Devices.  CIS supports Physical Smartcards and Virtual Smartcards over HSCN.  In time, there are plans to provide NHS Smartcard authentication over the Internet.  Both CIS2 and CIS will continue to run interacting with each other.  The expectation is that CIS will eventually be retired. 

We will collect your personal data, some of which you provide in your application to this service, some of which is collected by cookies when you access NHS Spine applications and some of which we generate. 

The personal data we collect from you when you apply to use CIS and CIS2 (regardless of method) is: title, names, DoB, 1 or more ID evidence document numbers and date of issue, address identification evidence source and date of issue, photo image.

In addition if you are using Apply for Care ID you need to provide digital images of your original identification evidence documents, a photo compliant with the HM Passport Office Photo Requirements and undergo to a face scan so we can undertake a liveness check.  We will collect and process images of your identity documents and liveness video, your address and postcode and a confidence score in order to verify your identity prior to creating a verified digital identity within CIS and CIS2.  

Every time your Authentication Token is used, we collect audit data and event log details of what you have accessed and actioned and when and link these to your access profile.

The personal data we generate is the access profile(s) assigned to you by your local RA, based upon your role and responsibilities and as approved by your employing organisation’s policy. 

We collect this personal data from you to enable you to use the CIS2 and CIS service to prove your identity and be issued with an Authentication Token.  This will allow you to access NHS Spine with appropriate role-based access to systems and data. 

NHS Spine applications include the following:  EPS, GP to GP, GPES, GPITF, NHS e-RS, SCR, SUS+, Spine CIS, Spine CIS2.   Find these in our Services A-Z.

Collecting this information also allows us to manage our service, so that we can:

• manage and improve the service
• provide data in support of the service

NHS Digital is directed by the Secretary of State for Health and Social Care, under powers conferred by the Health and Social Care Act 2012 and regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013

The relevant directions are the Health and Social Care Information Centre (Spine Services) (No.2) Directions 2014, and the Novation of Information and Technology Contracts from DH to NHS Digital: Electronic Prescription Service, Health and Social Care Network, N3, NHS Choices, NHS e-Referral Service, Secondary Uses Service (SUS), Spine (Named Programmes) Directions 2016.

As NHS Digital processes personal data under the legal direction from the Secretary of State, then the organisations are joint controllers for data protection purposes.  Acting under NHS Digital’s delegated authority local RAs are also joint controllers with NHS Digital. The legal bases under the Data Protection Act 2018 / General Data Protection Regulation (GDPR) for the processing is explained here.

RA processing of personal data:

GDPR Article 6(1)(c) – the ‘processing is necessary for compliance with a legal obligation to which the controller is subject’

RA processing of special category data (sensitive personal data):

GDPR Article 9(2) (h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.

Data Protection Act 2018, schedule 1, part 1, paragraph 2, sub paragraph (2), sub paragraph (f) – ‘the management of health care systems or services or social care systems or services’.

Secretary of State processing of personal data:

GDPR Article (6)(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

We only collect, use and share your information when we have an appropriate legal basis to do so.

This data will be processed by:

• by local RAs for the purposes of validating your identity, issuing and managing your Authentication Token and ensuring that you are given appropriate access to NHS Spine applications, or applications that utilise the NHS Spine authentication
• by NHS Digital to record your use of the NHS Spine applications
• by NHS Digital for disclosure and auditing of access to systems , such as to the Summary Care Record (SCR) and in accordance with any complaint, investigation or as required by appropriate legislation.

Local RA’s will exchange details with your employing organisation about your access profile (i.e. what systems you have access to) in order to provide the RA service.  For Apply for Care ID we will provide to the registration authorities your name, address where an authenticator may be posted, position in your organisation and the type of authenticator requested, as collected by the service for the purpose of fulfilling your request for an authenticator.

How your employing organisation uses your personal data will be detailed in their own privacy notice.  You should read this so that you are clear on how your personal information is managed. 

If you use some Approved Authentication Tokens, the suppliers of these will register (or de-register) you as a user in their system, acting as a processor for NHS Digital.   In order to do this we will share the Unique User Identity (UUID), First Name, Last Name and work email address that you have already provided to us as part of the basic user registration process you underwent to establish an NHS nationally verified digital identity.  In addition, such suppliers may also collect and process personal data about your usage, acting as independent controllers. How such suppliers use your personal data will be detailed in their own privacy notice, no personal data is shared back to us.  You should read this privacy policy so that you are clear on how your personal data is managed.  

We use third party providers to deliver the Apply for Care ID identity verification services, who are subject to a contract with us, required to meet our security and privacy standards, and act under instruction and as data processors for, NHS Digital.   These third-party providers process your personal address and postcode information and images of your identity documents and liveness video, and create a confidence score during the Apply for Care ID process for an identity in order to verify your identity prior to creating a verified digital identity within CIS and CIS2.If you use Virtual Smartcards:

Entrust: The RA will register (or de-register) you as a user in Entrust’s Cloud-based Multi-Factor Authentication platform Intellitrust, with Entrust acting as a processor for NHS Digital.   In order to do this, we will share the UUID, First Name, Last Name and work email address that you have already provided to us as part of the basic user registration process you underwent to establish an NHS nationally verified digital identity.  

To form the basis for the virtual smartcard, you must download and register the Entrust Datacard IdentityGuard Mobile Smart Credential (Entrust App) on your smartphone. Then Entrust’s ‘Intellitrust‘ platform downloads a certificate onto your smartphone which completes the process.  The Entrust App itself does not collect, use, save, or have access to any of your personal information when you download or use it. 

We may need to share your personal data if we are required to do so by law.

We take the security of your personal information very seriously. We have set up security measures, policies and procedures to make sure your personal information is protected.

We protect your personal information by:

• training staff to understand data and security protection
• ensuring security and confidentiality policies are in place for our staff who have access to personal information
• monitoring our service
• following good practice guidance provided by the National Cyber Security Centre
• using legally binding agreements with all organisations that we appoint to process your personal information

We store your personal information for as long as is reasonably necessary and legally justifiable. The length of time we store your information for will depend on legal, regulatory or technical requirements. In any event, we follow the Records Management Code of Practice - NHSX (2021). The retention periods are explained here.

Your data (title, names, DoB, 1 or more ID evidence document numbers & date of issue, address identification evidence source and date of issue, photo image and access/audit records) will

• be held throughout your time as an active user and will be retained for up to 40 years after your NHS verified digital identity has been closed, at which point it will be subject to review
• not be transferred out of the European Economic Area
• not be used for any automated decision making

If you use Apply for Care ID, we will temporarily store images of your identity documents and liveness checks (as images) accompanied by a confidence scoring and your personal address and postcode information, this will not be retained longer than it is needed. For normal operational conditions this data captured during the identity verification process will only be retained for a limited number of days, configurable to meet operational need, but will never be unlimited.

We (including all processors) securely store and process your information in the UK and other suitable locations. We will make sure your information is given the level of protection required by law and NHS policies.

You have the right to access your data.  As an active Authentication Token holder, you can view your data in My Profile within CIS2 and CIS. If you can no longer access CIS2 and CIS for any reason, please contact your local RA. Once you are no longer working in healthcare, you can make a subject access request to NHS Digital (see contact details below).

You have the right to rectify inaccuracies in your data. You should update your own contact details within My Profile in CIS2 and CIS. In case of difficulties, if your personal details have changed or you need to make other amendments, please contact your local RA.

You have the right to complain (see the contact details below).

You do not have the right to erase your data, object to it being recorded, transport it elsewhere, withdraw consent to its capture or use, or restrict its processing. This is because the capture and processing of this data is necessary for a statutory requirement and the provision of the service. NHS Digital is also legally bound to record this data. Once you leave health and social care, your local RA will close your user profile. This may be reopened if you return to working within health and social care. 

For all operational enquiries, including Authentication Token and access assignment, always contact your local RA contact your local RA.

See how NHS Digital looks after your information

To ask any question or make a complaint about how your data is used, you can contact NHS Digital on 0300 303 5678 (9am to 5pm Monday to Friday excluding bank holidays) or email enquiries@nhsdigital.nhs.uk.

You can also write to:

Data Protection Officer
NHS Digital
The Leeds Government Hub
7 & 8 Wellington place
Leeds
LS1 4AP

If you have concerns or complaints about our information rights practices, you can report them to the Information Commissioner’s Office on 0303 123 1133 (9am to 5pm Monday to Friday excluding bank holidays) or use live chat at ICO concerns.

You can also write to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Our privacy notice may change. The latest version of our privacy notice and through your CIS2 / CIS account. We will inform you through your CIS2 / CIS account if we make any material changes to our privacy notice, and will also send an email notification to all RA managers.

Version 2.5 – Published 24/08/2022

These terms and conditions cover your use of Care Identity Service 2 (CIS2) and Care Identity Service (CIS).  Terms applicable to the use of the website on which these terms are hosted are available See the terms applicable to the use of the website on which these terms are hosted.

The following terms have the following meanings in these terms and conditions:

• “Authorised Devices²” means an alternative to smartcards, a device as approved by FIDO2 Consortium that provides Assured Level 3 Authentication
• “Authentication Token” means Physical Smartcards, Virtual Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal information appropriate to their role and the type of Identity Solution.
• “CIS” is the existing system which supports NHS Smartcards over the Health and Social Care Network (HSCN).
• “CIS2” (Formerly NHS Identity) supports new Authentication methods and Tokens available over the Internet.
• “iPad Device” means a tablet computer developed by Apple
• "NHS Spine" means a series of infrastructure services such as authentication which allows the NHS to electronically communicate, securely and confidentially.
• “Physical Smartcards” means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS Digital and are similar to chip and PIN bank cards
• “Registration Authority (RA)” means NHS Digital as the single national Registration Authority and all other organisations that provide local Registration Authority services on a delegated authority basis from NHS Digital.
• “Virtual Smartcards” means a solution that provides access functionality, but the card itself may be stored on a device, approved for use by NHS Digital and or its partners.

NHS Digital is the single national RA (as per public key infrastructure (PKI) terms), local RAs are organisations that run Registration Authority services on a delegated authority basis from NHS Digital.  

Find out more about NHS Digital.

Local RAs are organisations (that are usually part of the NHS or third parties providing NHS services and with a remit beyond running RA services), that carry out the identity checks of applicants to create their national verified digital identity and assign access permissions as approved by the employing organisation’s policy.  Find your local RA.

Every RA must adhere to the NHS RA Policy at all times. The NHS RA Policy is subject to revision from time to time.

These terms and conditions are between you and all Registration Authorities who provide Registration Authority services to you.  

Mentions of "us" and "we" mean NHS Digital and all local RAs and "you" means anyone using CIS, CIS2 and NHS Spine.
By clicking on the ‘Accept Terms and Conditions’ button at the bottom of this declaration, you the applicant confirm the following:

1. You understand and accept that your personal data will be used by us as described in the privacy notice for users of CIS2 and CIS  privacy notice for users of CIS2 and CIS. Each user must have their identity assured and verified to the relevant standard applicable at the time of registration.  This is currently Good Practice Guide GPG45 (or recognised successor) on the identity proofing and verification of an individual to a minimum of Level 3. This requirement may be refreshed from time to time.

2.  You confirm that the information which you provide in the process of your application is accurate. You agree to notify your local Registration Authority immediately of any changes to this information.

3. You understand and accept that the Authentication Token, (with the exception of personal devices) issued to you is the property of / licensed to the health and social care bodies providing it to you, and you agree to use it only in the normal course of your employment or contract arrangement.

4. If you wish to use Apply for Care ID you must have an internet connection and an appropriate device for access, like a smartphone. We do not guarantee that Apply for Care ID will always be available, or that access to it will be error free. 

5. We may suspend, stop, remove, update or change CIS, CIS2 or Apply for Care ID without notice at any time.

6. You agree that you will check the operation of your Authentication Token promptly after you receive it. This will ensure that you have been granted the correct access profiles. You also agree to notify your local Registration Authority promptly if you become aware of any problem with your Authentication Token or your access profiles.

7. You understand that the suppliers of some Virtual Smartcards / other Approved Authentication Tokens may process personal data about you as an independent Controller, and may have applicable privacy policies and terms and conditions. You will be presented with these as part of download/registration and are responsible for reviewing and abiding by these.

8. You agree that you will keep your Authentication Token private and secure and that you will not permit anybody else to use it or to establish any session with the NHS Spine applications. You will not share your passcode with any other user. You will not write your passcode down, nor use any kind of electronic storage (media or otherwise) to store it, for example by using a programmable function key on a keyboard. You will take all reasonable steps to ensure that you always leave your workstation secure when you are not using it by removing your Physical Smartcard, ensuring your Virtual Smartcard has disconnected or locking your Authorised Device or iPad Device. If you lose your Physical Smartcard, device on which a Virtual Smartcard is stored, Authorised Device or iPad Device or if you suspect that your Authentication Token has been stolen or used by a third party, you will report this to your local Registration Authority as soon as possible.

9. You agree that you will only access the NHS Spine application by using an Authentication Token approved by NHS Digital. You agree that your use of the Authentication Token, the NHS Spine applications and all patient data shall be in accordance with the NHS Confidentiality Code of Practice and (where applicable) in accordance with your contract of employment or contract of provision for service (whichever is appropriate) and with any instructions relating to the NHS Spine applications which are notified to you.

10. In respect of each service or product accessible through NHS Spine you agree that you will follow any instructions or conditions for use provided in respect of such service or product.  

11. You agree not to maliciously alter, neutralise, circumvent, tamper with or manipulate your Authentication Token, NHS Spine applications components, the Apply for Care ID service or any access profiles given to you.

12. You agree not to deliberately corrupt, invalidate, deface, damage or otherwise misuse any NHS Spine applications or information stored by them or the Apply for Care ID service. This includes, but is not limited to, the introduction of computer viruses or other malicious software that may cause disruption to the services or breaches in confidentiality.

13. You acknowledge that your access may be audited. You understand and accept that your Authentication Token may be revoked, or your access profiles changed at any time without notice if you breach these terms and conditions; if you breach any guidance or instructions notified to you for the use of the NHS Spine applications or if such revocation or change is necessary as a security precaution. You also understand and accept that if you breach these terms and conditions this may be brought to the attention of your employer (or governing body in relation to independent contractors) who may then take appropriate action (including disciplinary proceedings and/or criminal prosecution).

14. You understand and accept that the Registration Authority’s sole responsibility is for the administration of access profiles and the issue of Authentication Token for the NHS Spine applications. The Registration Authority is not responsible for the availability of CIS, CIS2, the NHS Spine applications or applications which use NHS Spine authentication or the accuracy of any patient data.

15. You understand and accept that you, or your employer, shall notify your local Registration Authority at any time should either wish to terminate these terms and conditions and to have your Authentication Token revoked e.g. on cessation of your employment or contractual arrangement with health care organisations or other relevant change in your job role.

16. We own or have the right to use all intellectual property rights ("NHS IPR") used for the provision of CIS, CIS2 and Apply for Care ID. This includes rights in copyright, patents, database rights, trademarks and other intellectual property rights.  You have permission to use CIS, CIS2 and Apply for Care ID for the sole purposes described in these terms and conditions. You need written permission from us or any other owner of NHS IPR to use these items in any other way.

17. Unless permitted by law or under these terms and conditions, you will:

• not copy CIS, CIS2 or Apply for Care ID except where such copying is incidental to normal use
• not rent, lease, sub-license, loan, translate, merge, adapt, vary or modify CIS, CIS2 or Apply for Care ID
• not combine or incorporate CIS, CIS2 or Apply for Care ID with any other programs or services
• not disassemble, decompile, reverse-engineer or create derivative works based on any part of CIS, CIS2 or Apply for Care ID
• comply with all technology control or export laws that apply to the technology used by CIS, CIS2 or Apply for Care ID

18. You understand and accept that we may unilaterally change CIS, CIS2, Apply for Care ID and these terms and conditions from time to time, and unless otherwise stated such changes will be effective immediately they become available. The latest version of these terms and conditions will be accessible and in your CIS2 / CIS account.  We will inform you through your CIS2 / CIS account if we make any material changes to these terms and conditions, and will also send an email notification to all RA managers.

19. Although we make reasonable efforts to provide, maintain and update a robust CIS, CIS2 and Apply for Care ID service, they are provided 'as is'. To the extent allowed by law we make no expressed or implied representations, warranties or guarantees that your access to, or use of, CIS, CIS2 or Apply for Care ID will be unbroken or completely secure.

20. We will not be liable or responsible for any loss or damage caused by a virus, denial of service attack or any other harmful material that may infect your device, equipment, programs, data or other proprietary material due to your use of CIS, CIS2 or Apply for Care ID.

21. Nothing in these terms and conditions excludes or limits our liability for i) death or personal injury as a result of our negligence, ii) fraud or fraudulent misrepresentation or iii) any other liability which cannot be excluded or limited under English law.

22. Subject to the previous paragraph we will not be liable or responsible for any

• loss or damage not caused by our breach of these terms and conditions
• business loss
• loss or damage arising from an inability to access or use CIS, CIS2 or Apply for Care ID
• indirect or subsequent losses that were not foreseeable to both you and us when you started using CIS, CIS2 or Apply for Care ID

23. Business loss includes loss of profits, revenue, contracts, savings, data, goodwill and wasted expenditure. Loss or damages are ‘foreseeable’ when they are an obvious result of our breach of these terms and conditions. Loss or damages are also 'foreseeable' if they were considered by you and us when you began using CIS, CIS2 or Apply for Care ID.

24. Each of the sections within these terms and conditions operate separately. If any section is invalid or unenforceable pursuant to applicable law, it will be superseded by a valid and enforceable provision that most closely matches the intent of the original. This includes warranty disclaimers and exclusions, and limits of liability. The remainder of these terms and conditions shall continue in effect.

25. If we delay in enforcing these terms and conditions, we can still enforce them later. If we do not insist right away that you follow the requirements within these terms and conditions, or we delay in taking steps against you if you break them, this will not prevent us from taking steps against you or prevent your need to follow the requirements at a later date.

26. You understand and accept that these terms and conditions form a binding agreement between yourself and all Registration Authorities who provide Registration Authority services to you.  Non-compliance may also be treated as a disciplinary matter by your employer.

27. You understand and accept that these terms and conditions are governed by English law and that the English courts shall settle any dispute under these terms and conditions.