Smartcards provide secure access to the NHS Spine, its applications, systems and information for identified users across GP Practices, Pharmacies, OOH/111 services, BHR CCG staff and some Independent Sector Healthcare providers thus supporting patient care, confidentiality and privacy. There are approximately 4200 Smartcard users across nearly 300 different organisations within the BHR CCG area.
All Smartcard users have a duty to keep patient information secure and confidential.
All Smartcard users must comply with the RA01 Part A Terms and Conditions of Smartcard Use, The NHS Care Record Guarantee, The Data Protection Act (1998), Computer Misuse Act, other professional Codes of Conduct, contractual requirements and a range of other legislation, policies and procedures.
All users sign up to the RA01 Terms and Conditions when they first register for their card and also agree to these when they first log in with their Smartcard and with every subsequent login. People must abide by the Terms and Conditions as in doing so they are protecting patients’ confidentiality and privacy, abiding by the Law and also protecting themselves, for example by not allowing other people to do things in their name.
It is the card-holder's responsibility if someone uses or accesses information via their card; audit trails are kept of Smartcard access and usage. Not abiding by the Terms and Conditions means that users will be breaking the law. If we visit your organisation we are required to undertake spot checks and alert you to any issues.
Measures taken in the case of non-compliance or breach range from re-training, verbal and written notification or warnings, investigation, suspension of card access, withdrawal of card and formal disciplinary processes up to and including dismissal. Serious governance breaches can lead to prosecution under the Data Protection Act (1998) or an action for civil damages which could result in costs, and a loss of reputation and patient trust; the Information Commissioner's Office can also impose fines of up to £500,000.
Suspected Smartcard misuse must be reported to the RA in line with incident reporting policies and procedures; depending on the severity of the allegation, an investigation may be required. Suspected misuse may be reported to Line Managers, Practice Managers or the Caldicott Guardian and the Smartcard may be suspended or revoked.
A pharmacist who worked for South West Essex Primary Care Trust was prosecuted by the Information Commissioner’s Office (ICO) under section 55 of the Data Protection Act and fined £1000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs after unlawfully accessing medical records.
The BHR CCG RA Team is 4 people strong and consists of Raymond Adeniyi (RA Manager), Janis Webb (RA Officer), Selma Momoh and Dawn Endean (RA Agents). We have offices at the following locations:
St Edwards Way
Romford, RM1 3AE
Appointments only Mon - Fri: 9.30am - 4.30pm Tel: 020 3416 5900
Unit 3, Bourne Court
Appointments only: Monday, Wednesday and Friday 9am - 4.30pm Tel: 020 3416 5900
Calls can be logged via:
CCG IT Service Desk
Tel: 020 3416 5900
We try to provide as quick, effective and efficient a service as we can; however, as we support nearly 300 organisations, we can't always provide an instant service.
The following processes are used for Smartcard Requests, Incidents, Registrations, Updates, etc.
RA01 Part A – Terms and Conditions of Smartcard Use. Terms and Conditions are accepted online via CIS.
Create User – Sponsor to log a Service Request with the Service Desk and raise the New User request (Pre-Register User) online via CIS, capturing the user's basic information such as title, full names, date of birth, National Insurance number, contact number and a note about the request (e.g. Service Desk call ref and the position to be assigned to the user).
If unable to logon to CIS: Sponsor to email request to service desk (firstname.lastname@example.org) providing user details, contact information and role to be assigned for processing by the RA Team.
Assign/Amend/Remove Position – Used to add/amend/remove the relevant organisation position to a Smartcard profile. (NB extra codes can no longer be added to a user’s profile and have to be added to the position and therefore to all people assigned to that position - see Positions below).
Sponsor to log a Service Request with the Service Desk and raise the modify position assignment request online via CIS for the RA to grant. If unable to logon to CIS: Sponsor to email request to service desk (email@example.com) stating Position assignments/changes to be actioned by the RA (including joining or leaving an organisation, adding, changing or removing positions). It is important that Sponsors request the removal of users when they leave an organisation.
Lost Cards – Lost or damaged Smartcards should be reported to the RA Team or ICT Service Desk as soon as is practicable and the lost/damaged Smartcard will be revoked and replaced as soon as possible. In the case of loss or theft, the RA Service must be informed so that checks may be made to ensure that the Smartcard has not been misused.
Change of Name - Minor changes and changes in identity (e.g. Name Change) require a face-to-face check appointment to record changes (proof of name change is also required).
Smartcards now use Position Based Access Profiles (PBAC), whereby the access rights in an organisation are built around job types and all staff with a specific job type are assigned to that position. PBAC provides the facility for global updates: for example, if a new function/activity is required for a group of users, this can be applied to the relevant Position(s) and cascades to all users assigned to that Position. However, if an individual user requires a specific set of access rights, the extra codes can't be assigned to just that person; instead a new position has to be created and the person moved into that position.
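The position-based model described above can be sketched as follows. This is an added illustration, not NHS or CIS code: the class, the position names and the activity codes are constructed, and it assumes each user holds one position in the organisation.

```python
# Added illustration of position-based access; every name and code is constructed.
class PBACError(Exception):
    pass

class Organisation:
    def __init__(self):
        self.positions = {}    # position name -> set of activity codes
        self.assignments = {}  # user id -> position name (assumption: one each)

    def create_position(self, name, codes):
        self.positions[name] = set(codes)

    def assign(self, user, position):
        if position not in self.positions:
            raise PBACError(f"unknown position: {position}")
        self.assignments[user] = position

    def remove_user(self, user):
        # Leaver: removing the assignment removes every right at once.
        self.assignments.pop(user, None)

    def add_code_to_position(self, position, code):
        # Global update: everyone assigned to the position gains the code.
        self.positions[position].add(code)

    def add_code_to_user(self, user, code):
        # Extra codes can no longer be attached to an individual profile.
        raise PBACError("codes attach to positions, not to users")

    def rights(self, user):
        # Effective rights come only from the user's current position.
        position = self.assignments.get(user)
        return frozenset(self.positions.get(position, ()))

    def grant_individual(self, user, code, new_position):
        # One-off need: create a new position and move the person into it.
        self.create_position(new_position, self.rights(user) | {code})
        self.assign(user, new_position)

def demo():
    org = Organisation()
    org.create_position("Receptionist", {"VIEW-DEMOGRAPHICS"})
    for user in ("user-a", "user-b"):
        org.assign(user, "Receptionist")
    org.add_code_to_position("Receptionist", "BOOK-APPOINTMENT")  # cascades
    org.grant_individual("user-b", "MANAGE-REFERRALS", "Receptionist (Referrals)")
    org.remove_user("user-a")  # user-a has left the organisation
    return org
```

Because rights are read from the position at the time of the check, a leaver whose assignment is never removed keeps the position's full rights, including any codes added to it later.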
Smartcard management features available to practices include unlocking blocked cards, changing passcodes, renewing unexpired certificates and repairing cards (renewing cards where the certificates have already expired). Sponsors will be able to change PINs, unlock Smartcards or undertake assisted renewals of certificates (i.e. for cards that haven't expired). LSA (Card unlockers)/managers with Smartcard unlocker rights can also change PINs, unlock and renew about to expire cards.
Users are encouraged to register for the Smartcard self-unlock service via the self-service centre. A service request should be raised if unable to perform this function, to be actioned by the RA. All practices have nominated sponsors and possibly additional Smartcard unlockers; if these people aren't available, contact the RA Team or the ICT Service Desk. The Sponsor or card unlocker must be familiar with the person whose card they are managing. Additional Smartcard codes may need to be added to positions to allow access to the card management functionality.
Access to the card management functions requires specific versions of Java and Internet Explorer; GP IT Support may need to update your PC if there are problems accessing the functions.
See document Smartcard Management Processes for further information.