Question to the Department of Health and Social Care:

To ask His Majesty's Government what steps they have taken to ensure that patient records and personal data are only accessible to those who need to view them, and to ensure connections between software systems in health facilities include suitable control measures for this risk.

National IT systems must ensure that users can be identified correctly, and are given appropriate access. This is achieved using identity verification capabilities, including creating a national digital identity for each authorised user.

Each local National Health Service organisation which requires access to the national IT systems is required to set up its own local Registration Authority (RA) which consists of people and processes who are trained to create identities and grant access for their staff to the national IT systems. NHS England has published the RA Policy requirements with which every local NHS organisation that has an RA must comply. This reflects current best practice for identity and access management as informed by the National Cyber Security Centre (NCSC) guidance.

The RA Policy also allows non-NHS health and care organisations providing direct care to run their own RA service. RA hosting is subject to meeting requirements and assessment criteria, which are soon to be published.

The RA process includes the use of RA codes, assigned to professional users’ smartcards to give them access to the correct information within national IT systems.

The RA codes which are assigned for a specific user will allow that user to create and process referrals appropriately depending on their job role.

Local organisations which have an RA function are required to have an RA audit policy and conduct annual audits on NHS Smartcard usage as part of their RA governance. RA Managers (those responsible for administering the RA function within an organisation) must implement a process to run the RA reports on a regular basis.