To ask the Secretary of State for Health
(1) which (a) clinical and (b) administrative staff codes will have access to the NHS Care Records database;
(2) how (a) the audit trail, (b) role-based access and (c) legitimate relationships operate when smartcards are shared between NHS personnel; and what security measures are in place to protect patient confidentiality when smartcard access is shared.
Access to the national health service care records service (NHS CRS) is determined by local NHS organisations using policies, processes and technology provided by NHS Connecting for Health. In general only staff who are working as part of a team that is providing a patient with care—that is, those having a legitimate relationship with the patient—will be able to see a patient's health record.
Because of the differences that exist between and within organisations in the duties and responsibilities of individual staff within their work teams, access is not uniquely determined by profession, specialism or grade. Users are vetted and sponsored by their local organisations for specific access appropriate to their job role and area of work. Stringent proof of identity is required along with the endorsement of the local sponsor, a senior member of staff, for the receipt of a smartcard, a secure token that, together with a passcode, confirms the identity of a user at the time of access.
NHS organisations must undertake to observe strict conditions to ensure the NHS CRS is used appropriately, and the user is required to sign up to a set of conditions for use of the smartcard. The obligations and conditions are complemented by the various existing codes of conduct and professional responsibilities by which all NHS staff are bound. These obligations and conditions are assessed on a regular basis with the organisation, and the user is subject to local and national checking through audit trails and alerts.
Actions that do not conform to these obligations and conditions, which includes the sharing of smartcards, are dealt with locally. Sharing of information between members of a team has happened routinely prior to the introduction of smartcards. However, though there is no evidence that smartcards have been shared beyond members working as part of a team that legitimately needs access to a patients record, we recognise that the sharing of smartcards can undermine the assurance that patient confidentiality will always be appropriately respected. Staff who breach patient confidentiality are subject to professional disciplinary measures. Offending doctors and nurses will be reported to their professional regulatory bodies and may face additional disciplinary action, including removal of their licence to practice.
Arrangements known as role-based access controls will limit what a member of staff can do within the system and consequently which parts of a record he or she can see. Access to record content will therefore be controlled by a member of staff's relationship with the patient, and by what they need to see to do their jobs. Senior clinicians within an organisation will also be able to see patient records when assuring the quality of care provided by their staff, but other access will only be authorised when required or permitted by law.