Privacy notice

This privacy notice details the personal data processed in relation to Care Identity Service 2 (CIS2) and Care Identity Service (CIS). In relation to this processing NHS England and local RAs are joint controllers (alongside the Secretary of State as detailed below). All users of CIS, Care Identity Management (CIM), CIS2 and NHS Spine are covered by this privacy notice.

Both NHS England and local RAs may also process data about you in connection with provision of other services, you can find details about these on NHS England’s and local RAs’ websites.

This Care Identity Service Privacy Notice 3.0 replaces the Care Identity Service Privacy Notice Version 2.5 issued on 24 August 2022.

This version covers minor updates for some new features.

The following terms have the following meanings in this privacy notice:

• “Apply for Care ID” means a solution enabling your identity to be verified remotely to support creation of a verified digital identity within CIS and CIS2.
• “Authorised Devices¹” means an alternative to smartcards, a device as approved by FIDO2 Consortium that provides Assured Level 3 Authentication and that NHSE have tested and accepted as an Authorised Device.

• “Authentication Token” means Physical Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal data appropriate to their role and the type of Authentication Token.
• “CIM” (Care Identity Management) is the system to manage a user’s Authentication Tokens, access permissions, and identity information

• “CIS” is the existing system which supports NHS Smartcards over the Health and Social Care Network (HSCN), and includes the signing operations done locally on the Smartcard.
• “CIS2” (Formerly NHS Identity) supports new authentication methods and Authentication Tokens available over the internet, and includes the Digital Signature Service which performs cloud-based signing operations for services that have integrated.
• “iPad Device” means a tablet computer developed by Apple.
• “NHS Spine” means a series of infrastructure services such as authentication which allows the NHS to electronically communicate, securely and confidentially.
• “Physical Smartcards” means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS England and are similar to chip and PIN bank cards
• “Registration Authority (RA)” means NHS England as the single national Registration Authority (for England) and all other organisations that provide local Registration Authority services on a delegated authority basis from NHS England.

NHS England is the single national Registration Authority - RA (as per public key infrastructure (PKI) terms), local RAs, are organisations that run Registration Authority services on a delegated authority basis from NHS England.

Find out more about NHS England.

Local RAs are organisations (that may be part of the NHS or authorised third parties providing NHS services and with a remit beyond running RA services), that carry out the identity checks of applicants to create their national verified digital identity and assign access permissions as approved by the employing organisation’s policy. Find your local RA.

Every RA must adhere to the NHS RA Policy at all times. The NHS RA Policy is subject to revision from time to time.

Mentions of "us" and "we" mean NHS England and all local RAs and "you" means anyone using CIS, CIM, CIS2 and NHS Spine.

We provide Care Identity Service 2 (CIS2) and Care Identity Service (CIS) as separate related services which interact. CIS2 is aimed at new authentication methods and Authentication Tokens accessed over the internet including Authorised Devices and iPad Devices. CIS supports Physical Smartcards over HSCN. Through CIS2, NHS Smartcard authentication is available over the Internet. Both CIS2 and CIS will continue to run interacting with each other. The expectation is that CIS will eventually be retired. 

We will collect your personal data, some of which you provide in your application to these services, some of which is collected by cookies when you access NHS Spine applications and some of which we generate. 

The personal data we collect from you when you apply to use CIS and/or CIS2 (regardless of method (ie face to face or via AfCID)) is: title, names, date of birth, ID evidence document numbers and date of issue, address identification evidence source and date of issue, photo image.

In the following circumstances we also collect additional information:

• If you are using Apply for Care ID you need to provide digital images of your original identification evidence documents, a photo compliant with the HM Passport Office Photo Requirements and undergo to a face scan so we can undertake a liveness check. We will collect and process images of your identity documents and liveness video, your address and postcode and a confidence score in order to verify your identity prior to creating a verified digital identity within CIS and CIS2.
• If you choose to use self-service smartcard unlock facial recognition, you will undergo a face scan so we can undertake a liveness check and compare this against your recorded photo image.

Every time your Authentication Token is used, we collect audit data and event log details of what you have accessed and actioned and when, and link these to your access profile.

The personal data we generate is the access profile(s) assigned to you by your local RA, based upon your role and responsibilities and as approved by your employing organisation’s policy. 

We collect this personal data from you to enable you to use the CIS2 and CIS service to prove your identity and be issued with an Authentication Token, and to subsequently use that Authentication Token. This will allow you to access NHS Spine with appropriate role-based access to systems and data. 

NHS Spine applications include, but are not limited to, the following: EPS, GP to GP, GPES, GPITF, NHS e-RS, SCR, SUS+, PDS, NHS Spine, CSMS, DoS, Screening Services, CIS, CIS2.  Find these in our Services A-Z.

Collecting the information described above also allows us to manage our service, so that we can:

• manage and improve the service
• provide data in support of the service
• improve and refine our data models
• enhance the accuracy, relevance, and performance of our services

NHS England is directed by the Secretary of State for Health and Social Care, under powers conferred by the Health and Social Care Act 2012 and regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013.

The relevant directions are the Health and Social Care Information Centre (Spine Services) (No.2) Directions 2014, and the Novation of Information and Technology Contracts from DH to NHS England: Electronic Prescription Service, Health and Social Care Network, N3, NHS Choices, NHS e-Referral Service, Secondary Uses Service (SUS), Spine (Named Programmes) Directions 2016.

As NHS England processes personal data under the legal direction from the Secretary of State, then these organisations are joint controllers for data protection purposes. Acting under NHS England’s delegated authority local RAs are also joint controllers with NHS England. The legal bases under the Data Protection Act 2018 / UK General Data Protection Regulation (GDPR) for the processing is explained here.

Processing of personal data:

UK GDPR Article 6(1)(c) – the ‘processing is necessary for compliance with a legal obligation to which the controller is subject’

Processing of special category data (sensitive personal data):

UK GDPR Article 9(2) (h) – ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.

Data Protection Act 2018, schedule 1, part 1, paragraph 2, sub paragraph (2), sub paragraph (f) – ‘the management of health care systems or services or social care systems or services’.

We only collect, use and share your information when we have an appropriate legal basis to do so.

This data will be processed by:

• by local RAs for the purposes of validating your identity, issuing and managing your Authentication Token and ensuring that you are given appropriate access to NHS Spine applications, or applications that utilise the NHS Spine authentication
• by NHS England to record your use of the NHS Spine applications
• by NHS England for disclosure and auditing of access to systems, such as to the National Care Records Service (NCRS) and in accordance with any complaint, investigation or as required by appropriate legislation.
• by NHS England to improve our services as described above.

Local RA’s will exchange details with your employing organisation about your access profile (i.e. what systems you have access to) in order to provide the RA service. For Apply for Care ID NHS England will provide to your local RA(s) your name, address where an Authentication Token may be posted, position in your organisation and the type of authenticator requested, as collected by the service for the purpose of fulfilling your request for an authenticator.

How your employing organisation uses your personal data will be detailed in their own privacy notice. You should read this so that you are clear on how your personal data is managed. 

We use third party providers to deliver the Apply for Care ID identity verification services, who are subject to a contract with us, required to meet our security and privacy standards, and act under instruction and as data processors for, NHS England.  These third-party providers process your personal address and postcode information and images of your identity documents and liveness video, and create a confidence score during the Apply for Care ID process for an identity in order to verify your identity prior to creating a verified digital identity within CIS and CIS2.

We use third party components to capture liveness video and to compare with your recorded photo image, and create a confidence score during self-service smartcard unlock facial recognition.

We may need to share your personal data if we are required to do so by law.

We take the security of your personal data very seriously. We have set up security measures, policies and procedures to make sure your personal data is protected.

We protect your personal data by:

• training staff to understand data and security protection
• ensuring security and confidentiality policies are in place for our staff who have access to personal data
• monitoring our service
• following good practice guidance provided by the National Cyber Security Centre
• using legally binding agreements with all organisations that we appoint to process your personal data

We store your personal data for as long as is reasonably necessary and legally justifiable. The length of time we store your information for will depend on legal, regulatory or technical requirements. In any event, we follow the Records Management Code of Practice - NHS Transformation Directorate (2023). The retention periods are explained here.

Your data (title, names, DoB, ID evidence document numbers & date of issue, address identification evidence source and date of issue, photo image and access/audit records) will

• be held throughout your time as an active user and will be retained for up to 40 years after your NHS verified digital identity has been closed, at which point it will be subject to review;
• not be transferred out of the UK or European Economic Area;
• not be used for any automated decision making.

If you use Apply for Care ID, we will temporarily store images of your identity documents and liveness checks (as images) accompanied by a confidence scoring and your personal address and postcode information, this will not be retained longer than it is needed. For normal operational conditions this data captured during the identity verification process will only be retained for a period of 30 days. This is configurable to meet operational need, but will never be unlimited.

If you use self-service smartcard unlock facial recognition, we will temporarily store liveness checks (as images) accompanied by a confidence scoring for no longer than it is needed. For normal operational conditions this data captured during the identify check will only be retained for a period of 1 day. This is configurable to meet operational need, but will never be unlimited.

We (including all processors) securely store and process your information in the UK or European Economic Area. We will make sure your information is given the level of protection required by law and NHS policies.

You have the right to access your data. As an active Authentication Token holder, you can view your data in My Profile within CIS2 and CIS. If you can no longer access CIS2 and CIS for any reason, please contact your local RA. Once you are no longer working in healthcare, you can make a subject access request to NHS England (see contact details below).

You have the right to rectify inaccuracies in your data. You should update your own contact details within My Profile in CIS2 and CIS. In case of difficulties, if your personal details have changed or you need to make other amendments, please contact your local RA.

You have the right to complain (see the contact details below).

You do not have the right to erase your data, object to it being recorded, transport it elsewhere, withdraw consent to its capture or use, or restrict its processing. This is because the capture and processing of this data is necessary for a statutory requirement and the provision of the service. NHS England is also legally bound to record this data. Once you leave health and social care, your local RA will close your user profile and remove your access, although will retain personal data as detailed in section 7 above. This may be reopened if you return to working within health and social care. 

For all operational enquiries, including Authentication Token and access assignment, always contact your local RA contact your local RA.

To ask any question or make a complaint about how your data is used, you can contact NHS England on 0300 303 5678 (9am to 5pm Monday to Friday excluding bank holidays) or email [email protected]

You can also write to:

Data Protection Officer
NHS England
The Leeds Government Hub
7 & 8 Wellington Place
Leeds
LS1 4AP

If you have concerns or complaints about our information rights practices, you can report them to the Information Commissioner’s Office on 0303 123 1133 (9am to 5pm Monday to Friday excluding bank holidays) or use live chat at ICO concerns.

You can also write to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Our privacy notice may change from time to time. The latest version of our privacy notice will be published here and is accessible through your CIS2 / CIS account. If we make any material changes to our privacy notice we will inform you through your CIS2 / CIS account and we will also send an email notification to all RA managers.