Registration Authority policy
The latest Registration Authority policy is version 2.5.
Introduction
Purpose of Document
National IT systems for health and care need to ensure that users of these systems are identified correctly and are given appropriate access. This is achieved by identity verification and creating a national digital identity for each user. The process for doing this uses local ‘Registration Authorities’, which consist of people and processes trained to create identities and grant access. This policy covers these services and applies to all organisations and their staff carrying out such activity.
This Registration Authority Policy Version 2.5 replaces the Registration Authority Policy Version 2.4 issued on 22 May 2020.
As part of the NHS Digital Identity & Access Management Service, this version 2.5 of the RA Policy has been updated to support the modern delivery of health and social care across boundaries and in multiple locations whilst ensuring staff have access to appropriate, up to date, clinical information at the point of need. Details of the project aims and developments can be found at https://digital.nhs.uk/services/identity-and-access-management. The key elements of the policy that have been updated in this version 2.5 relate to:
- The strengthening of GPG45, How to prove and verify someone’s identity, as the standard to which NHSD aspires for access to NHS national systems and data
- Providing additional detail on GPG44: Using authenticators to protect an online service
- The extension of RA hosting status to non-NHS organisations providing direct health and care, subject to a revised application process
- The planned withdrawal of the COVID-19 emergency guidance
- The introduction of a ring-fenced remote, online self-service registration trial for the creation of a digital identity
- The establishment of a centralised RA function to support organisations unable to access RA services
Throughout this document the term ‘NHS Smartcard’ refers to both physical and virtual versions of smartcards save where otherwise specified. Where your organisation allows the use of a personal device for work purposes (bring-your-own-device), use of some Virtual Smartcard solutions will be subject to your organisation’s device management policies and meeting the minimum required solution specification.
This document lays out the RA Policy requirements which every organisation that has a Registration Authority needs to adhere to. It is based on the original Department of Health (DH) Gateway document (reference number 6244) ‘Registration Authorities: Governance Arrangements for NHS Organisations’, UK GDPR requirements, and RA good practice guidance. The document also reflects recent commissions from NHSX to allow non-NHS Health and Care organisations providing direct care to become RA ‘hosting’ (i.e., can run their own RA service) subject to meeting soon to be published requirements and assessment criteria. The RA Policy also reflects current best practice around Identity & Access Management as informed by the National Cyber Security Centre which covers what needs to be considered in identity verification and security requirements in relation to authentication to clinical systems and other systems which hold personal information. This includes:
- Good Practice Guide 43 – Requirements for Secure Delivery of Online Public Services
- Good Practice Guide 44 – Using authenticators to protect an online service
- Good Practice Guide 45 – How to prove and verify someone's identity
Background
This document outlines:
- The RA hierarchy and the principle of delegated authority to local organisations to run their RA.
- The requirements for creating a nationally verified digital identity.
- The roles and responsibilities within organisations that run their own Registration Authority activity
- Requirements in relation to authentication, and authentication methods including Smartcards and other approved devices
- The requirement to develop and implement a local RA Policy.
- Failure to comply with RA Policy requirements.
- Service updates and what this means
Terminology
“Authorised Devices” means an alternative to smartcards, a device as approved by FIDO 2 Consortium that provides Assured Level 3 Authentication. These additional authentication methods must meet the National Institute of Systems and Technology (NIST) SP800-63 Digital Identity Guidelines (available at https://pages.nist.gov/800-63-3), which describe the cryptographic strength of authentication methods that is required to access special category data. In addition, devices and authentication methods need to meet FIDO 2 standards for how devices utilise the required cryptography (available at https://fidoalliance.org) and must be accredited by the FIDO alliance.
“Data Protection Laws” means applicable legislation protecting the fundamental rights and freedoms of individuals, in respect of their right to privacy and the processing of their personal data, as amended from time to time, including Regulation (EU) 2016/679, 'the General Data Protection Regulation' ("GDPR"), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, together with decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, data protection authorities and other applicable Government authorities.
“Authentication Token” means Physical Smartcards, Virtual Smartcards, Authorised Devices and iPad Devices which enable healthcare professionals to access clinical and personal information appropriate to their role and the type of Identity Solution.
“iPad Device” means a tablet computer developed by Apple.
“Physical Smartcards” means an approved physical card. Physical Smartcards are supplied by the authorised supplier(s) of cards to NHS Digital and are similar to chip and PIN bank cards.
“RA Agent” means an individual who has undertaken appropriate training who is authorised to undertake identity verification, identity creation, creation and assignment of authorisation tokens and assign access rights to a user. In addition, they can perform a range of administrative tasks to maintain good RA records and processes.
“RA Agent ID Checker” means an individual who has undertaken appropriate training who is authorised to undertake identity verification and identity creation.
“RA Manager” means an individual appointed by the Executive Management Team of an organisation to set up and run the organisation’s Registration Authority processes and procedures. In addition, they are responsible for ensuring good governance and report annually to the organisation’s EMT on RA activity. They are also required to undertake appropriate training to discharge these responsibilities and arrange training for all other RA team members. They are also authorised to undertake identity verification, identity creation, creation and assignment of authorisation tokens and assign access rights to a user.
“Registration Authority (RA)” means NHS Digital as the single national Registration Authority and all other organisations that run a local Registration Authority on a delegated authority basis from NHS Digital.
“Sponsor” means an individual appointed by the Executive Management Team of an organisation who is authorised to request and approve that digital identities be created and appropriate and specific access assigned to staff within the organisation.
“Virtual Smartcards” means a solution that provides access functionality, but the card itself may be stored on a device, approved for use by NHS Digital and or its partners.
Creation of a national digital identity
NHS Digital’s strategic aim is to create a single, non-repudiated, trusted, digital identity for health and care workers. This is pivotal to enabling national access to health and care information in a secure way.
NHS Digital, as the single Registration Authority for health and social care, needs to be assured that users who have a digital identity created are subject to the same minimum standards of identity verification, to prove the individual has ownership of the identity irrespective of which local organisation creates the identity. This is vital as the identity created is a national identity and must be trusted by each organisation where an individual is required to access the National Spine to access data. To achieve this, an identity is required to be verified to the Cabinet Office and Government Digital Service Good Practice Guide 45 – ‘How to prove and verify someone’s identity’. This provides assurance that the identity is valid across any organisation an individual works within.
To ensure this, the following requirements in creating a digital identity for accessing national services are mandatory:
- Identity must be verified (subject to the requirements of section 5 below) either:
  - a. In-person, in a face-to-face meeting.
  - b. Or remotely and digitally, through the online self-service registration solution, or, until rescinded sometime in 2022/2023, by following the emergency guidance for video registration. Please see this guidance at Registration authorities and smartcards - NHS Digital.
- For in-person verification, the person verifying the identity must be trained to do so. In Registration Authority terms this means that individuals holding the roles of RA Managers and RA Agents must perform in-person checks at face-to-face meetings since part of their responsibilities and requirements are that they are trained to carry out this activity. The RA Manager is responsible for training all other RA staff who will conduct in-person ID checking to ensure that appropriate standards exist, and they can evidence good ID checking as part of the Data Security and Protection Toolkit requirements.
- Remote, online verification using the self-service registration solution will require a health and care worker to provide digital images of original identification evidence documents, a photo compliant with the Home Office Passport Photo Requirements and undergo a face scan. Under the control and purview of NHS Digital, authorised 3rd Party suppliers will verify the digital identity and provide the result to NHS Digital (more details can be found here).
- The documents that can be used to verify an identity face to face have been jointly determined by NHS Digital and NHS Employers and the list is contained in the NHS Employers ‘Verification of Identity Checks’ standard which can currently be found at https://www.nhsemployers.org/your-workforce/recruit/employment-checks/identity-checks. However, GPG 45 processes and NHS Employers guidance, around managed risk, allow for additional documents to be considered provided they meet the GPG45 evidence category requirements.
- For the online, remote self-service registration a limited subset of the identification evidence documents will be accepted to ensure compliance with GPG45 and levels 3 and 4 identity requirements.
- Any changes to a person’s core identity attributes (Name, Date of Birth or National Insurance Number), irrespective of whether their identity was verified in-person or remotely, need to go through the face-to-face check with a person holding an RA role and provide appropriate documentary evidence.
- Different types of Authentication Tokens meet different levels of security classification. For further information see https://digital.nhs.uk/services/care-identity-service/registration-authority-users. The local Registration Authority and, where different, employing organisation must ensure that the Authentication Token provided to a user is appropriate for that user’s role.
- NHS Smartcards (or other AAL3 (Authenticator Assurance Levels) mechanisms) can only be issued to individuals who have a national verified digital identity. This is also the case for processes that are used to issue temporary access to an individual – they need to have a verified identity first.
- GPG 45 outlines four levels of identity assurance. NHS Identity will support these four levels of identity assurance. In practice NHS Identity will combine the level 3 and level 4 identity requirements, level 4 being a level 3 identity with the addition of a biometric indicator. A level 3 or level 4 identity is required to access clinical, sensitive and person identifiable information. Level 1 and 2 identities will be able to be registered but are aimed at people who do not need access to the types of information that require a level 3 or 4 identity.
- Users must be able to easily access support and report and receive assistance with any operational issues, thefts, losses or unauthorised uses of Authentication Tokens, requirements for PIN/password resets, and terminations of Authentication Tokens.
Roles & Responsibilities
To discharge the responsibilities delegated from NHS Digital in relation to Registration Authority activity there are requirements each organisation undertaking RA activity must meet in relation to roles and responsibilities within the local organisation. These are as follows:
1. The Board/EMT person accountable for RA activity within the organisation must be overtly identified and named. Part of this ensures that the RA Manager knows who to raise issues with.
2. The Board/EMT individual must report to the Board/EMT annually on RA activity and must sign off on RA Data Security and Protection Toolkit submissions.
3. The RA Manager is responsible for running the governance of RA in the organisation. As such they must agree and sign off on local operational processes and guidance and should assure themselves regularly that these processes are being adhered to (NOTE: local processes must comply with this national policy process and guidance set out by NHS Digital). They are also responsible for registering RA staff in their own organisations and any RA Managers in organisations they provide RA services to, or manage RA services within (e.g., child organisations.) They are also responsible for ensuring the effective training of RA Agents and Sponsors within their organisation.
4. There are a range of RA related roles in the Registration Authority software, Care Identity Services, to allow the RA Manager to delegate certain aspects of RA activity. These include Advanced RA Agents, RA Agents (ID checking only) and Local Smartcard Administrators. However, these delegated permissions do not extend to any of the areas covered in point 3 above. This is explained in the following table.
RA Manager CANNOT delegate | RA Manager CAN delegate |
---|---|
|
|
5. Identity checking must be carried out by those holding an RA role – RA Managers and the RA Agent roles.
A full list of RA Policy responsibilities for RA Managers, RA Agents and RA Sponsors is contained at Appendices 1-3 of this document.
Requirements in relation to NHS Smartcards and Virtual Smartcards
NHS Digital will allow a range of Virtual Smartcards in addition to centrally issued physical NHS Smartcards. These Virtual Smartcards will include approved mobiles, approved tablets, approved devices/operating systems and other approved peripherals and authentication methods. These additional authentication methods must meet the National Institute of Systems and Technology (NIST) SP800-63 Digital Identity Guidelines for an Authentication Assurance Level 3 authentication (available at https://pages.nist.gov/800-63-3), which describe the cryptographic strength of authentication methods that is required to access sensitive data. In addition, devices and authentication methods need to meet FIDO 2 standards for how devices utilise the required cryptography (available at https://fidoalliance.org) and must be accredited by the FIDO alliance. Any device or authentication method that meets both standards will be acceptable for authenticating to national clinical systems and the choice of device that meets these standards is down to the local organisation.
NHS Smartcards and other approved devices and authentication methods enable an individual to access sensitive patient data, and therefore how they are issued and ensuring safe receipt and appropriate use are of vital importance. As a result, the following are mandatory requirements:
- NHS Smartcard, device or other approved authentication method issued to anyone holding RA roles (RA Manager, Advanced RA Agent, RA Agent and RA Agent – ID Checking) must be handed over to that individual in a face-to-face encounter. This is because RA staff have significant powers in relation to the system and they are entrusted with much of the delegated responsibilities from NHS Digital – therefore it is vital that risks are minimised in the process of the Smartcard/Security Key getting to or a device being linked to the right person. It is also a Public Key Infrastructure requirement for these reasons.
- Local organisations must assure themselves that they have a robust and secure process in place to ensure that the NHS Smartcard, device, or other approved authentication method reaches all non-RA end users for whom it is intended. This is important to avoid individuals potentially gaining access to patient data when they are not the person entitled to do so.
- Organisations should ensure that their infrastructure is secure, in particular ensuring they meet the warranted environment specification issued by NHS Digital available at https://digital.nhs.uk/services/spine/spine-technical-information warranted-environment-specification-wes
- Only the end user for whom the NHS Smartcard, device or other approved authentication method is intended should know their passcode for their NHS Smartcard/Device; no-one else should, including RA staff. If anyone else knows the end user’s passcode it breaches the NHS Smartcard/Authorised Device terms and conditions of use and the Computer Misuse Act 1990.
- When users of NHS Smartcards and other approved devices and authentication methods leave an organisation, they should have their access assignment end dated in that organisation. However, unless it can be reasonably foreseen that they will not require access in another organisation in the future, leavers should retain their physical Smartcard or virtual Smartcard if this is stored on their personal mobile phone. Users of other authentication devices or methods will return these devices to their organisation before they leave.
- It is mandatory that users are presented with and accept the Terms & Conditions of Smartcard/Authorised Device use. This reminds them of their responsibilities and obligations, including not sharing the card, leaving the card unattended, and not disclosing their passcode to others.
- RA staff (RA Managers, Advanced RA Agents and RA Agents) are reminded that it is their responsibility to ensure that users comply with these terms and conditions. This reminds them of their responsibilities and obligations, including not sharing the Smartcard, leaving the card unattended, and not disclosing their passcode to others.
Local RA Policy
It is a mandatory requirement that organisations that run local RA activity have a local policy outlining their approach. The following are mandatory requirements within the local organisation’s policy.
- The name of the Board/EMT accountable person and the RA Manager within the organisation must be named within the policy. The policy needs to outline the governance requirements placed upon these individuals. The local organisation’s policy must be updated to reflect any changes to the named individuals.
- The policy must describe how access rights will be granted and revoked in a timely way, ensuring that requirements for staff to be able to access electronic records in a timely way can be met and that individuals do not retain access within an organisation once they have left that organisation.
- The policy must not contradict the mandatory requirements contained within this national RA Policy. At a minimum the local policy must cover:
  - i. Governance arrangements
  - ii. A demonstration of the adherence to this RA Policy requirements in relation to the verification of identity
  - iii. Roles & responsibilities
  - iv. NHS Smartcard and other approved devices use
- The local policy must be formally signed off by the organisation at an appropriately senior level, e.g., the EMT, the IG Committee on a delegated authority basis, etc.
Failure to comply with policy requirements
Where NHS Digital is notified of significant breaches to this RA Policy, they will consider the situation and take appropriate remedial action. This will include discussing the situation with the organisation but may result in discussions with regulatory or professional bodies depending upon the seriousness of the situation.
Service Updates
Good Practice Guides
The Good Practice Guides (GPG) were written by the Government Digital Service (GDS) with contributors from across the public and private sectors – including the National Cyber Security Centre (NCSC).
Good Practice Guide (GPG) 45
The guidance in Good Practice Guide 45, How to prove and verify someone’s identity, aligns with these international standards and regulations:
- Digital ID and Authentication Council of Canada (DIACC) Pan Canadian Trust Framework Model
- the EU electronic identification and trust services (eIDAS) regulation
- ISO/IEC 29115
- NIST 800-63
It does not explain the practical ways someone’s identity can be checked; what tools or processes should be used should be based on what’s appropriate for the service.
It promotes consistency of checking across different organisations or services and supports the checking of someone’s identity:
- digitally
- over the phone
- by post
- by email
- face to face
Good Practice Guide (GPG) 44
Good Practice Guide (GPG) 44, Using authenticators to protect an online service, helps an organisation choose the authenticator that will give the right level of protection for the service.
Allowing non-NHS Health and Care organisations to run their own RA services
An application process will be developed to allow non-NHS providers of direct Health & Care services to run their own RA services. This may be organisations that are currently unable to secure an RA service on cost or logistics grounds or because of a change in their legal status. An application process and terms and conditions are currently being developed and further information will be shared with the RA community and such organisations soon.
Emergency Guidance re Video Registration
The emergency guidance was implemented in 2020 in response to the pandemic; it’s likely that this will be withdrawn in the 2022/23 financial year. There will then be two options for registration: face to face registrations and using the online self-service registration solution. This change will not be enacted until the online self-service registration solution is widely available.
Online Self-service Registration Solution
This service will initially be a limited offering available to those organisations working in partnership with NHS Digital in the development of the service:
- RA Managers, RA Agents and RA Sponsors of those organisations participating in the trial shall invite new employees to complete the online journey.
- The acceptable identity evidence documentation shall be limited to a subset of the documentation listed in the NHS Employers Identity Check Standard.
- Digital identities created via the self-service solution shall meet Level 3 or 4 of GPG 45.
- Any changes to a person’s core identity attributes (Name, Date of Birth or National Insurance Number), irrespective of whether their identity was verified in-person or remotely, need to go through the face-to-face check with a person holding an RA role and provide appropriate documentary evidence.
The online self-service solution will not be a replacement for the face-to-face identity verification process with a Registration Authority but will be available alongside this as an option for organisations with an RA function. When the identity is created those organisations with an RA function will then issue Smartcards (or other approved authentication tokens) and assign access rights.
The establishment of a centralised RA function to be used by organisations unable to access an RA service due to cost, logistics or scale
This function will be developed alongside the online self-service registration service. For organisations which do not have an RA service or cannot access one, this centralised service will manage the issuing of Smartcards (or other approved authentication tokens) and assign access rights for those organisations and their users. Further details of this service, when it will be introduced and criteria for using it will be published in 2022/2023.
Appendix 1 – RA Manager Responsibilities
- RESPONSIBLE for running RA process and governance in their organisation – RA Managers CANNOT DELEGATE THIS
- Responsible for the development of local processes that meet policy and guidance for the creation of digital identities, production of smartcards, assignment of security device, assignment of access rights, modifications to access and people, removal of access rights in a timely fashion where there is no business justification for the rights to be retained and certificate renewal and card unlocking
- Implements RA Policy and RA processes locally adhering to RA Policy
- Assign, sponsor and register RA Agents and RA Sponsors
- Train RA Agents and RA Sponsors and ensure they are competent to carry out their roles and adhere to policy and process – If an RA Hosting organisation with a child hosting organisation – need to train RA Manager at next level down
- Facilitate the process for agreeing the organisations access control positions
- Responsible for auditing
- Responsible for ensuring users are compliant with the terms and conditions of Smartcard usage and other registered devices
- Verifies user’s ID to GPG45 Level 3 or 4, when they register users
- Ensuring leavers from an organisation have their access rights removed in a timely way
- Responsible for the security of (old) paper-based RA records
- Ensure all service issues are raised appropriately locally and nationally
Appendix 2 – RA Agent Responsibilities
- Verify users’ ID to GPG45 Level 3 or 4
- Register users and provide them with NHS Smartcards and other registered devices
- Grant users access assignment
- Renew NHS Smartcard certificates for users if self-service functionality not used
- Responsible for ensuring users, at the time of registration or when assigned a role in the organisation, comply with the terms and conditions of NHS Smartcard/Authorized Security Device usage
- Ensuring leavers from an organisation have their access rights removed in a timely way
- Adhere to local processes that meet policy and guidance for the creation of digital identities, production of NHS Smartcards, allocation and registration of other approved devices, assignment of access rights, modifications to access and people and certificate renewal and card unlocking
Appendix 3 – RA Sponsor Responsibilities
- Can raise requests for new users or in the case of the online self-service registration solution invite a new user to complete the user journey. Approve users’ assignment to access control positions, or,
- Directly assign users under position management
- Unlock NHS Smartcards and renew NHS Smartcard certificates for non-RA staff
- DO NOT verify users’ ID
Last edited: 15 July 2024 2:20 pm