1. Introduction
The purpose of the Smartcard Policy is to:
Inform individuals of their responsibilities.
Monitor compliance.
Inform individuals of the process of dealing with misuse (Disciplinary Action).
Purpose and Aims
To set out the required actions to ensure users comply with Terms and Conditions of Smart Card use.
2. Background and Current Position
Smart Cards provide more robust security, which is critical when handling sensitive medical information. Whilst paper records are generally in one place at a time, access to electronic information can be provided on a much wider basis. We must ensure all access is appropriate.
Usernames and passwords are easily shared, sometimes knowingly, sometimes not. Even with the best policies, processes and education in place, this still happens. A Smart Card is harder to share as it can only be in one place at one time. People are more familiar with protecting cards (e.g. credit cards). NHS Smart Cards will also require a PIN code, so both the card and code need to be entered to gain access.
Do not let anyone else use your Smart Card. Sharing a Smart Card and PIN number (or password) is illegal under the Computer Misuse Act 1990. It is also potentially fraudulent and could be harmful to patients. New computer systems will be used to prescribe and dispense drugs and it is critical that there is an accurate record of who has done this. Sharing a Smart Card will be a disciplinary matter.
3. How do I get my smartcard?
Once it has been identified that you require a Smart Card in order to perform your role within BrisDoc, you will need to provide the following paperwork:
Two pieces of photographic evidence, e.g. passport / driving licence
One piece of evidence with your current address. The evidence must have been issued within the past 3 months, e.g. financial statement
Or
One piece of photographic evidence and 2 pieces of address evidence.
You will also need to have a head and shoulders photograph taken.
4. How often does this have to be updated?
The full process only has to be done once. As new systems in the National Programme are implemented, you do not have to be issued with a new card. The access your role gives you can be updated using your existing card.
If you move from one NHS organisation to another, you can keep the same card; only the access you get needs to be updated by the new organisation and removed from the existing organisation. If you leave the NHS altogether, then the card must be returned and destroyed.
Your Smart Card certificate will need renewing after a period – usually every couple of years. You will need to arrange a meeting, face-to-face, with the Smart Card sponsor (UIM) within your service to confirm the identity of the Smart Card User and to allow you to set your own password. For security reasons this can only be done by the owner of the card.
assist_renewal_of_certificates.pdf
5. What if I forget my PIN code?
If you enter the wrong code several times your card will ‘lock’ in the same way usernames do when you enter the wrong password. There are designated people who can ‘unlock’ your card; please contact your line manager or Shift Manager.
The practice SMART card administrator can then add your details onto the system and your SMART card will be issued by the SC&W (South Central and West) Commissioning Support Unit (CSU).
The SMART card will arrive ‘locked’ and will need to be unlocked by the Practice SMART card administrator when it arrives.
You can also unlock your own SMART Card. You need to register with the self-service unlock process.
self_service_-_registration_and_unlock_process (2).pdf
6. Principles and processes
Informing individuals of their responsibilities
When you receive your card, it will come with a leaflet explaining the terms of use
Fundamentally these are:
Smartcards must only be used by the person named on the Smartcard;
Never be shared;
Be used every time the Practice’s Clinical System is accessed;
Be removed from the Keyboard’s cardholder when the user finishes their work on the computer; (On occasions it is necessary for clinicians to keep their Smart card in the keyboard for purposes of remote working. If this is necessary, their consulting room door must remain locked)
Be kept safe at all times (cardholders on neck cords / clips have been issued to ensure safe keeping).
Guidance for smartcard and authentication users – NHS Digital
Breaches of the Terms and Conditions can occur in the following situations:
Where a card has been shared.
Where a card has been left in a machine and access left open. (If working from home, a member of staff may need to keep their card in a machine within the practice. This must be agreed by the Practice management beforehand.)
Where a card continues to be used after a member of staff has left and the card has not been cancelled.
Monitoring Compliance
All staff will be encouraged to report any card sharing or access left open, to their Line Manager. The identity of the individual(s) involved will be noted and further investigation undertaken as determined by the relevant Manager and/or SIRO.
Requests for changes to access are only processed on authority of nominated individuals, so a false change request is highly unlikely. However, should any such request come to light, SC&W CSU will report the details to the BrisDoc Service in order that appropriate action can be taken.
Monitoring reports
SC&WCSU will provide a list of active users once a quarter. This list will be used to identify any users whose access is no longer required. However, this is a fallback to SC&WCSU being informed of individuals who no longer require access at the point in time that this is determined.
In addition, SC&WCSU can provide the following:
Date card last used
User Activity Report
These can be provided either as random monitoring or as part of the evidence in any investigation.
Reporting and auditing – NHS Digital
7. Process for dealing with Misuse (Disciplinary Action)
Whilst action is at the discretion of the management, any of the following situations will generally lead to disciplinary action:
- Deliberate card sharing
- Repeat breaches (even minor), e.g. regularly leaving their card in the machine to be used by others, without express permission from the Management team for working from home purposes.
- Any malicious activity, including suspected actions
- Falsification of a change request.
Should such a situation arise, the relevant Manager will instigate an investigation within the remit of the Company Workforce policies.
Depending on the situation, BrisDoc will request reports from the Smart Card system to be provided by the SC&WCSU.
The Standard Operating Procedure
Employed staff:
- The Practice smart card administrator will set up the card with the information provided by the applicant.
- The SMART card will be delivered to the practice.
- The Smart card will be unlocked by the administrator.
- The SMART card will be synchronised with EMIS on the first use.
- The SMART card owner will then undertake full responsibility for the card as set out above.
Agency / locum staff
- The existing card owned by the locum will be issued with a ‘position’ on the NHS Spine so that the SMART Card is connected to the practice.
- The SMART Card will be synchronised at the site by an administrator or the staff member themselves.
- If a staff member doesn’t have a SMART card and it is essential for their role, one will be issued as detailed above.
- If not essential or only ‘one off’ cover, the staff member will be given tasks that do not require SMART card access.
8. Unlocking your own Smart Card
If you ‘lock’ your SMART Card, you can unlock it yourself once you have registered with self-service unlock. See the instructions in the link below. A practice administrator can do this for you if you are unable to do so yourself.
cis-self-service-unlock-leaflet-final.pdf
Hints and Tips for Sponsors
Y:\!SECURE\Practice Manager\Broadmead\Smart cards\Smart Card hints and tips v5.pdf
Guidance for RA sponsors and local card administrators – NHS Digital
Guidance for registration authority managers, agents, and ID checkers – NHS Digital
Reporting and auditing – NHS Digital
9. Change Register
Date | Reviewed and amended by | Revision details | Issue number |
Mar 2011 | C Hawkins | | 1 |
Sept 2012 | CH | Reviewed and amended | 2 |
Aug 2012 | MM | Reviewed and amended | 2 |
Oct 2012 | DL | Amended to apply to all of BrisDoc, including SIRO reporting and restructure of document | 3 |
Oct 2015 | DL | Annual Review | 3.1 |
Jan 2016 | SP | Annual Review | 4 |
Feb 2017 | DL | Annual Review | 4.1 |
Jan 2019 | DL | Annual Review | 4.2 |
Aug 2019 | BD | SOPS added as addenda to this policy | 4.3 |
March 2022 | DD | Policy revamped to reflect Practice procedures | 5 |
11th January 2024 | DD | Policy has no changes, review in 3 years. | 5 |