This is an HTML version of an attachment to the Freedom of Information request 'FOI Request'.

  • Policy

      1. No NHS or third-party organisation is allowed to receive or connect to any NHS CFH services, including the NHS CRS unless they have first signed an IGSoC or similar agreement (in the case of organisations such as other Government departments).

      2. The IGSoC must be submitted, in conjunction with the ASRs RA01 form (where appropriate and through the RA process) and acceptable Information Governance Toolkit submission. These must be approved by NHS CFH before access to services is granted.

      3. This policy is applicable to every individual legal organisation connecting to or using any NHS CFH service, including the NHS CRS.

      4. Intermediary organisations, providing a service to other organisations, which are dependent on services from NHS CFH, are also required to complete the IGSoC and to ensure that all services provided are covered under a separate IGSoC.

      5. Each completed and accepted IGSoC can cover only one individual legal organisation, unless one organisation is hosted by another and has its information governance policies and procedures set and monitored by the host and the host agrees that it is responsible for the hosted organisation's compliance and monitors it for such. Reference should be made to clause 3.1.6 to ensure compliance.

      6. The IGSoC applies to every service or facility delivered, or to be delivered, by NHS CFH, and its contracted Service Providers, or by NHS CFH compliant system suppliers to an ASR and for use by its Authorised Users.

      7. NHS CFH reviews system accesses and data processing involving any services provided by NHS CFH and its Service Providers, to ensure their acceptable usage and reliability in accordance with the terms and conditions of the IGSoC and Information Governance Toolkit.

    1. Legislation

      1. ASRs must have policies, systems, standards and procedures in place to ensure that they comply with all relevant UK and European legislation and be able to provide evidence, where appropriate, on demand.

    2. British and European Standards/Industry Best Practice

      1. ASRs should have achieved, or be working towards achieving, ISO 27001 or other appropriate and relevant standards and best practice, and be able to provide evidence, where appropriate, on demand.

    3. NHS Policy

      1. ASRs will comply with appropriate NHS policies and good practice guides, where relevant, and be able to provide evidence, where appropriate, on demand.

    4. NHS Connecting for Health Policy

      1. ASRs will meet NHS CFH standards at all times and comply with all relevant policies. ASRs must be able to provide evidence, where appropriate, on demand.

      2. Terms and Conditions

        1. General

          1. Use of services or facilities provided by the NHS CFH is for ASRs and their Authorised Users only, and in accordance with the requirements for those services.

          2. Organisations are not authorised to access NHS CFH services unless an IGSoC submission has been completed, submitted and approved by the NHS CFH IGSoC Team.

          3. By signing and submitting the IGSoC, the Authorised Signatory agrees to accept future versions of the IGSoC in order to continue receiving NHS CFH services.

          4. The ASR will be notified of changes to the IGSoC in advance of new versions becoming effective, using the email address provided on the initial IGSoC form or later notified in writing.

          5. This agreement may be terminated by either party at any time. The organisation may then have its services from NHS CFH ceased.

          6. The ASR is required to enforce, through local disciplinary or contractual measures, where necessary, the Information Governance standards and processes including, where appropriate, the registration process and adherence to conditions identified in the RA01 registration form signed by its Authorised Users.

          7. If there are any changes to the ASR's legal status, i.e. change to its name, merger with another organisation or anything that otherwise changes its legal status, the new organisation must resubmit an IGSoC.

          8. In the event that NHS CFH changes the conditions of being an ASR, it may require the organisation to reaffirm their compliance or otherwise with the relevant changes at that time.

          9. Contents of this IGSoC must not be altered or modified from their original state.

          10. Use of the Airwave service shall be in accordance with the Airwave Codes of Connection and Practice (as amended from time to time) and made available to Airwave users.

          11. The services provided by NHS CFH to the ASR must be used for accessing NHS CFH accredited systems and services and not for inappropriate browsing of other internal and internet systems.

          12. Inappropriate browsing of the Internet shall be defined by the ASR, through an Acceptable Usage Policy (AUP) made available to all local Authorised Users. Such policies shall indicate the scope and extent to which users may make use of these network services, including specific guidance on access to the Internet.

          13. Inappropriate browsing of internal systems shall be defined as anyone attempting unauthorised access to any system connected to the N3 environment without permission from that system owner.

        2. Information Governance

          1. The ASR should appoint a person to have responsibility for the security management of the ASR's network connection(s) and their locally connected systems.

          2. ASRs shall manage their networks and connected systems in accordance with their Security Policy.

          3. NHS CFH services should be protected against unauthorised viewing and have sufficient inactivity timeout settings, as set out in the organisation's security policy. This should be enforced through local policies and procedures.

          4. Access to NHS CFH infrastructure and connected systems is subject to appropriate access and authentication controls that meet the NHS CFH Information Governance standards (as amended from time to time). Those services to which Smartcard access and authentication control do not apply should have suitable policies, procedures, processes, controls and monitoring to ensure NHS CFH standards are met.

          5. The use of NHS CFH provided infrastructure or services for unauthorised advertising or other non-healthcare related activity is expressly forbidden and must not be undertaken.

          6. NHS organisations may make limited use of NHS CFH provided infrastructure to enable them to access services via the Internet as might normally be required to carry out such other business activities as are usual for providing care to patients, subject to such use being de minimis in terms of the resources consumed and of a nature not likely to bring the NHS into disrepute.

          7. NHS organisations with a substantial requirement for non-NHS commercial activities must make separate arrangements and not use the NHS CFH provided standard service or services for such purposes.

        3. Services covered

          1. Any and all types of communications, including wireless communications, used by the ASR associated with services delivered by NHS CFH and its contracted Service Providers or by NHS CFH compliant system suppliers.

        4. Information Governance Toolkit

          1. An Information Governance framework, appropriate to the organisation type, is delivered and periodically updated in the NHS Information Governance Toolkit and Registration Authority guidance.

          2. ASR must meet NHS CFH information governance requirements as identified in the NHS Information Governance Toolkit.

          3. The ASR undertakes to ensure that the activities of its Authorised Users are overseen by an appropriate Information Governance framework.

        5. Incident Reporting

          1. In the event of an identified or reported service problem or incident, relevant support staff may be required to investigate and resolve those problems by accessing the functions and data affected. All such problem management activity shall be subject to NHS CFH information governance controls.

          2. The ASR shall have a process for internal information security audit and management of alerts. This process should be tested for compliance at least twice in any twelve-month period.

          3. Unauthorised access may be considered for appropriate legal action by the system owner. ASRs are strongly advised to provide network management facilities, e.g. caching and filtering, that allow internet usage to be permitted or prohibited and logged, for the purposes of auditing and appropriate reporting to line management as defined in the local AUP. Action on such reporting is a matter for local organisations. The ASR shall enforce this locally through its procedures.

          4. Each ASR shall ensure that, in the performance of its obligations under this IGSoC, it complies at all times with the Data Protection Act (1998).

          5. The ASR shall proactively take steps to ensure the quality, accuracy and integrity of information and the appropriate use of the NHS number, in accordance with DH and NHS CFH policy.

          6. The ASR acknowledges that, if required to process personal data (as the term 'personal data' is defined in section 1(1) of the Data Protection Act 1998) in the course of providing the NHS CFH services, it shall do so only on the instruction of an appropriate Data Controller and shall maintain in place, having regard to the state of technological development and the cost of implementation, all appropriate measures, procedures and policies to protect the security and integrity of any such personal data.

          7. Any threat or security event affecting or potentially affecting the security of NHS CFH provided infrastructure or services must be immediately reported via the NHS CFH incident reporting arrangements and/or other contacts provided by NHS CFH, for example the local RA manager for Smartcard incidents.

          8. All systems connected to NHS CFH provided infrastructure shall be subject to up-to-date Anti-Virus/malware procedures and products in accordance with the NHS CFH published requirements and industry standard good practice, as documented on the NHS CFH website http://www.connectingforhealth.nhs.uk.

        6. Audit

          1. IGSoC compliance checks are required annually.

          2. Compliance monitoring is through annual NHS CFH Information Governance Toolkit returns for ASRs or other forms of assurance required by NHS CFH.

          3. The ASR shall allow NHS CFH or its representatives to carry out up to two ad-hoc on-site audits in any twelve-month period.

        7. Logical Connection Architecture

          1. Any connections to other systems or networks that are not covered by an approved IGSoC must either be disconnected or comply with a security mechanism specifically approved by the NHS CFH IGSoC team. If an ASR is in doubt over its compliance, the NHS CFH IGSoC team must be consulted for advice and guidance.

          2. ASRs shall ensure that all users in their organisation (both Authorised Users and other personnel accessing IT) who may affect the performance or security of NHS CRS and/or services are aware that they must not connect or reconfigure computer/network devices, or load software, which has not been notified where necessary to, or authorised in advance by, the ASR, in accordance with the highest standards and good practice guidance published by NHS CFH (as occasionally amended) or the Department of Health, or provided by the NHS Connecting for Health IGSoC team.

        8. Sponsorship (third party organisations only)

          1. Non-NHS organisations are required to provide written evidence, in a standard form, that their requirement to receive services is supported by an NHS organisation.

          2. In the event that sponsorship for certain services expires, access to these services may be withdrawn.

          3. In the event that all sponsorship expires and is not replaced, NHS CFH retains the right to deactivate service access.

        9. Offshore Requirements

          1. ASRs shall ensure that they meet the requirements of DH and NHS CFH policy on personal data leaving England, or being viewed from overseas, by completing and complying with the Information Governance Offshore Support Requirements.

          2. A copy of the Information Governance Offshore Support Requirements is available on request or can be downloaded from http://www.connectingforhealth.nhs.uk/igsoc.

          3. Process

              1. The IGSoC must be completed by the Authorised Signatory and returned to NHS CFH using the process specified below.

              2. The IGSoC is now a part of the application process for new requests for services from NHS CFH, directly or indirectly, and must be completed before a connection will be activated.

              3. Some organisations, that have received NHS CFH services for some time, will not have previously completed an IGSoC.

              4. On successful completion of an IGSoC submission, the requesting organisation will become an Authorised Service Recipient of NHS CFH services.

              5. The IGSoC (appendix A) together with any other required information or documentation, as stated on the IGSoC website, should be completed by the Authorised Signatory and submitted via email to [email address].

              6. The submitting email must originate from the mailbox of the Authorised Signatory. A copy of the completed IGSoC submission should be retained for the ASR's Information Governance records.

              7. The Authorised Signatory may wish to distribute the contents of this document to the colleagues responsible for information governance to meet the necessary requirements of the IGSoC and Information Governance Toolkit, but only the Authorised Signatory may sign and submit the IGSoC.

              8. The Authorised Signatory must notify NHS CFH of the name, job title and contact details of nominated delegates with authority to raise change-to-service requests on behalf of the organisation. These should be listed in the IGSoC form below. Changes to these should come from the Authorised Signatory by email to [email address].

              9. IGSoC compliance is monitored through the annual submission of the NHS CFH Information Governance Toolkit, a self-assessment tool that is web-based and checklist-driven.

              10. Compliance is further assured by a combination of additional audits by the Healthcare Commission, Authorised Service Recipients and ad-hoc audits by NHS CFH or its authorised representatives.

              11. Guidance, copy documents and answers to frequently asked questions are available at http://www.connectingforhealth.nhs.uk/igsoc.


          Appendix A - Information Governance Statement of Compliance

          26 March 2008

          To the NHS Connecting for Health IGSoC Team;

          I confirm, on behalf of Bristol City Council, that I have read and agree to comply with the terms and conditions stated in the Information Governance Statement of Compliance and acknowledge that failure to maintain compliance with the Information Governance Statement of Compliance may result in the withdrawal of affected NHS Connecting for Health services.

          My organisation is a Social Care organisation and, as such, I have ensured that appropriate supporting documentation has been submitted in accordance with the instructions on the Information Governance Statement of Compliance website.

          The method of connection that we are requesting is sponsored by Bristol PCT.

          The NACS code for my organisation is V014.

          The person/people (up to four) accountable for Information Governance in this organisation are:

          Name             Job Title                              Email            Telephone
          Carew Reynell    Director of Central Support Services   [email address]  0117 9224420
          Stewart Long     Head of ICT                            [email address]  0117 9222081
          Bill Venables    Performance and Information Manager    [email address]  0117 9022062

          This certificate is subject to the qualifications set out in the submitted Information Governance Toolkit.

          Yours


          Signed:

          Name: Carew Reynell

          Job Title: Director of Central Support Services

          Telephone: 0117 9224420

          Email: [email address]

          Once completed in accordance with instructions, submit to [email address]

          The information you provide will be used by NHS Connecting for Health for purposes of the management and administration of the Information Governance Statement of Compliance. NHS Connecting for Health will pass the contact details you provide on to your Service Provider for the purposes of managing your organisation's connectivity securely. It will not be disclosed or used for any other purpose without your permission, which will be sought prior to any such use or disclosure. NHS Connecting for Health undertakes to keep your information secure until the time when it is no longer required, at which time it will be destroyed by secure means (in accordance with the Data Protection Act 1998). You may be contacted by your Service Provider for maintenance and improvement purposes of your connection. If you require further information, NHS Connecting for Health can be contacted at mailto:[email address].

          Glossary of terms

          Acceptable Use Policy

          A policy that sets out the use, frequency, appropriateness and volume of use that is and is not acceptable

          Aggregator

          An Aggregator is the provider of the N3 service necessary to access NHS CFH applications

          Airwave

          Airwave is the national digital radio communications network dedicated to the emergency services.

          Authorised Service Recipient (ASR)

          The organisation whose IGSoC statement of compliance has been accepted by NHS Connecting for Health and has been approved to receive its services.

          Authorised Signatory

          The individual able to commit their organisation to the obligations of the IGSoC and swiftly put in place any action plans necessary to correct deficiencies in compliance

          Authorised User

          Any person authorised to use NHS Connecting for Health services or healthcare related applications or has been issued a Smartcard

          De Minimis

          De minimis means "about small things", used to imply that use of the system for the purposes described should be kept minimal and not constitute a significant use of the system.

          Digital Services

          Digital Services are those networking, communications and applications services provided by NHS Connecting for Health that comprise, and are collectively known as, the NHS National Programme for IT (NPfIT).

          Incident Reporting

          Incident Reporting concerns the formal identification and reporting of perceived or actual events with the potential to cause the physical or logical loss of, or damage to, the IT assets of NHS CFH and its service providers, or to cause failure, disruption or discredit to its services.

          Information Governance

          Information Governance is the structures, policies and practice of the DH, the NHS and its suppliers to ensure the confidentiality and security of all records, and especially patient records and to enable the ethical use of them for the benefit of individual patients and the public good.

          Information Governance Toolkit (IGT)

          The Information Governance Toolkit is the on-line self-assessment tool that contains the expected IG standards, best practice methods and guidelines applicable to NHS information services generally.

          N3

          The National Network for the NHS, the NHS's own network

          NACS

          The National Administrative Code Service. It is responsible for the national policy and standards with regard to organisation and practitioner codes. These code standards form part of the NHS data standards.

          NHS CFH

          NHS CFH means NHS Connecting for Health.

          NHS CRS

          NHS Care Record Service (one of NHS Connecting for Health's digital services)

          NPfIT

          National Programme for Information Technology

          Organisation

          The legal entity that supports or utilises NPfIT services, (i.e. GP practice, Partnership, Limited Company, Public Limited Company and other legal organisations).

          Registered Users

          All personnel employed or contracted in the organisation who have been approved to receive services.

          Smartcards

          Smartcards are plastic cards containing an electronic chip (like a chip and PIN credit card) that is used to access the NHS Care Records Service and other National Programme for IT applications, along with a Passcode.

          Information Governance Statement of Compliance v5.0

          © Crown Copyright 2008 Information Governance Statement of Compliance v5.0 10 of 10
