Part of SUS Portal user guide
Access and authorisation
The SUS Portal should only be accessed by users who already have access to data directly from SUS and should only be used for the purposes for which users are authorised. The SUS Portal supports the following business functions:
- B0163 - Access PbR Extracts (Clear view)
- B1505 - Access SEM (Standard Extract Mart) Extracts (Clear view)
Access is controlled using Role Based Access Control (RBAC). RBAC uses role information assigned to a Smartcard to determine permitted functionality and access levels.
Registration agents
A Registration Agent (RA) is responsible for issuing and assigning functionality (business functions) and system access levels to Smartcards. In most cases the local RA will be a member of the IT or information governance department within the user’s organisation.
Smartcards
To access SUS+ a user must have a Spine Smartcard.
A Spine Smartcard is assigned by the local Registration Agent (RA) to a user when these requirements have been met:
- face-to-face meeting with local RA
- RA verification of user’s identity with photo ID and proof of address
- completion of the relevant local Smartcard application procedure
Information governance and access controls
Information is provided in either pseudonymised (‘pseudo’) or patient confidential data (PCD) (‘clear’) form. Which one of these is applicable to a user is dependent on their legal rights to view the data. As a general rule all organisations can see the activity for which they are responsible. Where a user does not have a right to view ‘clear’ data, ‘pseudo’ data is made available. Although pseudonymised data protects a patient’s identity it can still be used for record linkage as the data has been pseudonymised centrally.
Role Based Access Control (RBAC)
Access is enabled via the NHS Smartcard system which uses Role Based Access Controls (RBAC).
Unique user ID
Each user has a Smartcard with a Unique User ID (UUID). In the RBAC system this UUID is associated with any number of User Role Profiles (URP).
User Role Profiles (URP)
A user role profile contains:
- role identifier (three level codes)
- organisation code
- business functions
This information is used to determine the functionality available to the user. Only business function codes and organisation code within a single URP are used to determine the access rights granted to the user for each session. Therefore, if a user has multiple URPs, they will be asked to select which URP they want to use when logging in.
Business functions
The business functions assigned to the smartcard determine what the user can see within the system and what functionality is available.
The business function codes shown in this section are the most common codes used for access.
| Code | Function |
| --- | --- |
| B0163 | Access PbR (clear) |
| B1505 | Access SEM (clear) |
Accessing identifiable and pseudonymised data
Access to identifiable or Patient Confidential Data (PCD) should be minimised for secondary purposes, even within a single organisation. To comply with information governance rules, users are not allowed to view ‘clear’ and ‘pseudo’ records simultaneously during a session using a single URP.
RAs should never assign Business Functions for ‘pseudo’ data and ‘clear’ data within the same URP. There is no business need for an individual to access both types of data for one functional area. There should therefore be no need for an RA to artificially create 2 URPs for a user simply to access one area of functionality.
A user can have several Business Functions within each URP but certain combinations are not allowed. Some Business Functions are only applicable to users in certain types of organisation. There are no technical constraints to prevent incorrect codes or forbidden combinations being assigned, but if a forbidden combination of Business Functions and/or Organisation codes is detected, the user will be denied access using that URP.
Accessing ‘clear’ and ‘pseudo’ data on the same URP is not allowed. This is because having access to both would constitute a security risk as the user would be able to decipher the pseudonymisation key. An RA should therefore never assign Business Functions granting clear and pseudo data access within a single URP.
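The following is an added example, not part of the SUS Portal or the original guide: a check an RA team could run over URP assignments before issuing them. It refuses a URP that mixes clear and pseudo functions and flags for review a user who holds clear and pseudo access to one functional area across two URPs. The `URP` class, the function names, the sample role and organisation values, and the pseudo function codes are assumptions, because the page lists only the clear codes.

```python
from dataclasses import dataclass

# code -> (functional area, view). B0163 and B1505 are the clear-view codes
# listed on this page; the pseudo codes are placeholders (not listed on the page).
FUNCTIONS = {
    "B0163": ("PbR", "clear"),
    "B1505": ("SEM", "clear"),
    "PSEUDO_PBR_PLACEHOLDER": ("PbR", "pseudo"),
    "PSEUDO_SEM_PLACEHOLDER": ("SEM", "pseudo"),
}

@dataclass(frozen=True)
class URP:
    role_id: str                  # hypothetical identifier, sample values below
    org_code: str
    business_functions: frozenset

def views(urp):
    """Data views ('clear', 'pseudo') that one URP grants."""
    return {FUNCTIONS[c][1] for c in urp.business_functions if c in FUNCTIONS}

def session_decision(urp):
    """Only the URP selected at login counts; a mixed URP is refused."""
    granted = views(urp)
    if granted == {"clear", "pseudo"}:
        return "deny"
    return "allow" if granted else "no portal function"

def audit_user(urps):
    """Return (severity, detail) findings for one user's URPs."""
    findings = []
    area_views = {}               # area -> {view: set of role_ids}
    for urp in urps:
        if session_decision(urp) == "deny":
            findings.append(("deny", f"{urp.role_id}: clear and pseudo in one URP"))
        for code in urp.business_functions:
            if code in FUNCTIONS:
                area, view = FUNCTIONS[code]
                area_views.setdefault(area, {}).setdefault(view, set()).add(urp.role_id)
    for area, seen in sorted(area_views.items()):
        # Same area held as clear in one URP and pseudo in a different one.
        if seen.get("clear") and seen.get("pseudo") and seen["clear"] != seen["pseudo"]:
            findings.append(("review", f"{area}: clear and pseudo split across URPs"))
    return findings

# Constructed sample data.
MIXED = URP("R-A", "ORG1", frozenset({"B0163", "PSEUDO_PBR_PLACEHOLDER"}))
CLEAR_SEM = URP("R-B", "ORG1", frozenset({"B1505"}))
PSEUDO_SEM = URP("R-C", "ORG1", frozenset({"PSEUDO_SEM_PLACEHOLDER"}))
```

Running `audit_user` at assignment time catches the mixed URP before the user is denied access at login.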
Organisation code
The organisation code is used to restrict which data can be seen within reports and is also used as part of the check for forbidden code combinations.
Where data is restricted by the organisation code, this does not necessarily mean that only data from the organisation in the URP can be seen by the user when logging in with that URP. Organisational relationships are held that can allow an organisation to see appropriate data from all of the other organisations for which it is responsible (where the required agreements are in place).
Register with the Organisation Data Service (ODS) and inform NHS England to configure and recognise the shared service.
Independent Sector Providers
Independent Sector Providers (ISP) can process data for themselves as the parent or headquarters of the organisation and for other child or satellite sites within the same overall ISP organisation. An ISP wishing to do this must:
- register with the Organisation Data Service (ODS) and
- inform NHS England and recognise the shared service
ISPs must register using the Independent Sector Registration form.
Submission monitoring
Interchange submission monitoring is available to all users that have an access business function, regardless of whether it allows access to PCD or pseudo data.
User limits
Each organisation is permitted 3 user licences to access the portal. In exceptional circumstances, an organisation that can provide a valid business reason to increase its limit can raise a user limit request with the National Service Desk.
Last edited: 2 July 2024 10:59 am