SCR Information Governance (IG) Controls

System Compliance
Only systems that comply with the SCR compliance requirements are able to connect to the Spine and gain access to send information to, or retrieve information from, the Summary Care Record. The Spine will only accept interactions from systems that are registered in the Spine Directory Service as Accredited Systems. Prior to this registration, the compliance process ensures compliance with the Information Governance controls including: Authentication, Role Based Access Control (RBAC), Audit, Legitimate Relationships (LR), Consent, and IG Alerts1. These controls are described below.

User authentication requires the user to be registered by a Registration Authority using eGIF level 3 standards, and to authenticate to the system by using their smartcard together with a Personal Identification Number (PIN). Thus all users of Spine systems must have been granted access by the Registration Authority.

Role Based Access Control
The user registration process associates the user with one or more roles. If the user has more than one role, then, at authentication time, they must select the role that they are currently operating in.

A particular role is associated with activities (mapped to Business Functions), allowing the user to perform some tasks. Without the associations, users are denied access to those business functions. In the context of the Summary Care Record, the main activities allow the user to:

update the SCR;
retrieve information from the SCR;
create a Legitimate Relationship (see below); or
change the SCR Consent Preference.
It is the responsibility of the Registration Authority to ensure that the activities available to each user are appropriate to their working position.

The RBAC control is enforced at run time by the local system.

Audit records are kept for each significant event by each system that participates in an update or retrieval process. For user initiated actions, the identifier of the user, and the identifier for their selected role, is recorded for each event.

These audit log records, taken together with the information content held within the databases, can provide a full record of which authenticated users gained access to, or updated, the Summary Care Record, and which information was requested to be viewed.

Legitimate Relationships
All access to the Summary Care Record by users of local systems is governed by Legitimate Relationships (LRs). The relationship is between the patient, as identified by their NHS Number, and a group of users or an individual user. The user therefore may have an LR with the patient either directly, or by virtue of being a member of the group of users.

LRs with the patient are normally created as part of a registration or referral process. In some circumstances, a user may need to gain access when an LR has not been created by the system and the user may grant access to a colleague, or the user may claim a relationship for herself or himself (a Self Claimed LR).

Because the creation of a Self-Claimed LR can be carried out by an individual acting alone, a privacy officer is made aware of this event by the generation of an Alert.

Consent - The Summary Care Record Consent Preference
Local Opt-out Flag
When a patient chooses not to have a Summary Care Record, at present the record of the decision is only held in a GP system, and the control is enforced by the GP system software. The control operates in three logical places:

If no record yet exists, a blank GP Summary is created and therefore no clinical information exists in the Summary Care Record. (The blank Summary contains text explaining the patientís choice.)
If a GP Summary already exists, then a new Ďblankí GP Summary replaces the existing GP Summary. (The blank summary contains text explaining the patientís choice.)
Other GP Summaries (ones that are replaced or potentially withdrawn) are not available to users. For existing GP Systems (those using the older query interfaces), this protection is under local system control.
Information Governance Alerts
IG Alerts are generated when:

a Self-Claimed LR is created;
a patient record is accessed without the patientís permission and their SCR Consent Preference is the default (ask for permission to view).

Alert Viewer
The Alert viewer enables Alert details to be viewed and progress on investigating the event that raised the Alert to be tracked. It is available to Privacy Officers who have the necessary Role Based Access activity codes. (LRs are not required to access the Alert information.)

The Privacy Officer is able to investigate whether the local record of patient care, and the action that triggered the alert, are compatible with acceptable usage.

The Privacy Officer can view details of the Alert that include the reason for the access, from a fixed list of reasons.

© Crown Copyright. 2009