
Security and confidentiality


SUS is a repository for Person Confidential Data (PCD) and access is strictly controlled. The protection of PCD information is a priority for the NHS and compliance is taken very seriously. To support this SUS utilises a robust Information Governance framework which ensures that data is always protected from unauthorised access.

Providers of NHS-funded care (including independent sector organisations) do not require Section 251 approval (special regulations to set aside the common law duty of confidentiality for defined medical purposes) to access SUS where they are accessing information relating to their own patients. They are able to view all records relating to their patients but are not able to view information relating to patients for whom they have not provided care.


Role Based Access Control

Access to SUS is managed via Role Based Access Control (RBAC). Under RBAC, new SUS users are issued with:

  • an NHS Care Records Service smartcard
  • a passcode
  • a Unique User Identity (UUID)

These elements allow the management of user access to be monitored effectively, ensuring that data is kept secure and can only be accessed by the appropriate party. SUS can provide access to identifiable patient confidential data (referred to as ‘clear’ data) or pseudonymised data (referred to as ‘pseudo’ data) depending on a user’s access rights.

Where access to pseudonymised data is appropriate, elements that could identify a patient are replaced with pseudonym values in order to protect privacy and conform to data protection rules.

To gain access to SUS, new users should approach their local Registration Authority (RA). The NHS Digital Registration Authority service can also provide regional or national support.


N3 Connection

N3 is a secure national broadband network service for the NHS. A secure N3 connection is required to access SUS via Spine.


Access for organisations

SUS data is only directly available to NHS organisations, their information suppliers, or independent sector providers of NHS-funded care.

Smartcard limits

Smartcards to access SUS are limited to 3 per organisation. Smartcards should never be shared with any other users.

In exceptional circumstances, an organisation that can provide a valid business reason to increase its smartcard limit can raise a ‘SUS user limit request’ via the national service desk.

Deactivation

SUS automatically removes the user licence of any users who have not accessed SUS for 3 months. Users must contact the national service desk to restore access.


Access for Individuals

To access SUS, individuals must have an NHS Care Records service smartcard with the correct business functions (access rights) assigned by the local Registration Authority (RA).

SUS provides data outputs in both identifiable and pseudonymised form, depending on the access rights of the user. A combination of the user organisation and assigned Business Functions determines what type of data can be accessed.

The SUS Role Based Access Control (RBAC) assignment guide lists the business functions that should be assigned to SUS users based on their role within the organisation. Local RA personnel should review this when granting RBAC rights.

RBAC determines what a user’s role requires them to do, based on the information assigned to their smartcard. SUS then allows access to the relevant functionality and data based on that information.

After completing the registration process, users must register one or more User Role Profiles (URP) and have Business Functions assigned by their local RA. This will grant access to the appropriate applications on the Spine.

Smartcards

Smartcards are issued directly to an individual user by an RA (Registration Authority) using confirmation of their identity. Sharing of smartcards is strictly prohibited.

RA guidance

For more detailed RA information about configuring user smartcards using RBAC, please refer to the SUS RBAC assignment guide.

Pseudonymisation

Pseudonymisation is the de-identification of identifiable patient-centric data item values through the use of substitute values. Pseudonymised data can be linked and used for secondary purposes, such as trend analysis and peer comparison, without using identifiable data items.

Pseudonymisation of patient information enables:

  • the legal and secure use of patient data for secondary purposes
  • NHS business needs to be met without using identifiable data
  • the continued effectiveness of NHS business processes in supporting the day-to-day operation of the NHS
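As an added example (not code from the SUS documentation or from NHS Digital), the following Python sketches the two mechanisms described above together: an access decision that combines the user's organisation with their assigned business functions (the "own patients only" rule and the clear/pseudo split), and keyed pseudonymisation of the identifying fields of a record. The business function names, field names, sample record and key are assumptions constructed for the example; the real SUS business functions are those listed in the RBAC assignment guide.

```python
"""Added example: role-based access decision plus keyed pseudonymisation.

Illustrative only. Business function names, field names, the sample record and
the key are assumptions for this example, not SUS's actual implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: the pseudonymisation key is a secret held by the service
# (in practice in an HSM or secrets store). Embedded here so the example runs offline.
PSEUDO_KEY = b"example-only-not-a-real-key"

# Hypothetical business function names (see the RBAC assignment guide for the real ones).
BF_VIEW_CLEAR = "SUS view clear data"
BF_VIEW_PSEUDO = "SUS view pseudonymised data"

# Fields treated as identifying for this example.
IDENTIFYING_FIELDS = ("nhs_number", "postcode", "date_of_birth")


@dataclass(frozen=True)
class User:
    uuid: str                    # Unique User Identity from the smartcard
    organisation: str            # the organisation the user is registered under
    business_functions: frozenset  # business functions assigned by the local RA


def pseudonymise_value(value: str) -> str:
    """Replace an identifying value with a keyed pseudonym (HMAC-SHA256, truncated).

    Deterministic: the same value always maps to the same pseudonym, so records for
    one patient remain linkable for trend analysis. Without the key the pseudonym
    cannot be reversed or matched by recomputing a hash over candidate values.
    """
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_record(record: dict) -> dict:
    """Return a copy of the record with every identifying field replaced by a pseudonym."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = pseudonymise_value(out[field])
    return out


def access_record(user: User, record: dict) -> tuple:
    """Decide what view of a record a user gets: ('clear', record), ('pseudo', record) or ('deny', None).

    A provider only sees records for patients it has provided care for (matched here
    by provider organisation); the assigned business function picks clear vs pseudo.
    """
    if record["provider_org"] != user.organisation:
        return ("deny", None)
    if BF_VIEW_CLEAR in user.business_functions:
        return ("clear", dict(record))
    if BF_VIEW_PSEUDO in user.business_functions:
        return ("pseudo", pseudonymise_record(record))
    return ("deny", None)


def unkeyed_hash(value: str) -> str:
    """A plain SHA-256 of the value: what pseudonymisation must NOT be."""
    return hashlib.sha256(value.encode()).hexdigest()


def reverse_unkeyed_hash(digest_hex: str, candidates) -> Optional[str]:
    """Dictionary attack on an unkeyed hash: anyone who can enumerate the identifier
    space (an NHS number is only 10 digits) recovers the identifier by hashing
    each candidate. The caller supplies the candidate space."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == digest_hex:
            return candidate
    return None


# Constructed sample record (the NHS number is a commonly used test value, not a real patient).
SAMPLE_RECORD = {
    "provider_org": "RAA",
    "nhs_number": "9434765919",
    "postcode": "LS1 4AP",
    "date_of_birth": "1970-01-01",
    "spell_start": "2023-06-01",
    "primary_diagnosis": "J18.9",
}

if __name__ == "__main__":
    analyst = User("u-0002", "RAA", frozenset({BF_VIEW_PSEUDO}))
    print(access_record(analyst, SAMPLE_RECORD))
    outsider = User("u-0003", "RBB", frozenset({BF_VIEW_CLEAR}))
    print(access_record(outsider, SAMPLE_RECORD))
```

The keyed construction is the point of the example: a plain hash of an NHS number is not a pseudonym, because the whole 10-digit space can be hashed and compared, which `reverse_unkeyed_hash` demonstrates on a ten-candidate space. With `pseudonymise_value`, linkage across records still works (same input, same output) but recovering the identifier requires the key.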

Last edited: 5 July 2023 12:04 pm