Supports the controls needed to ensure that Special Category Data is kept confidential, is accurate and is available to authorised users when required.

The implementation of this Standard applies to all Business Capabilities illustrated in the Capabilities and Standards Model and is a mandatory Overarching Standard.

The Information Governance Standard defines the controls that are needed to ensure that the significant quantities of sensitive Personal Special Category Data processed by systems are kept confidential, are available to authorised users when required, and are accurate. 

Authentication

Applicable Contracting Vehicle(s)

Requirement ID

Requirement Text

Level

All

GP-IG-2.3-1

Authentication Services

The Solution must use the applicable NHS authentication service to provide authentication:

• For Patients/Citizens: NHS Login

• For Health or Care Professionals: CIS2 (where a smartcard is required) or NHSMail

• Where access to interfaces that demand it is required (such as the NHS Spine). Suppliers will integrate with the appropriate identity service as per Authentication and Access

If the Solution cannot use any existing NHS authentication, an alternative, standards-based authentication service that delivers equivalent strength should be used. These cases are expected to be rare and will be reviewed on a case-by-case basis.

MUST

All

GP-IG-2.3-2

Authentication Assurance Level 3 (AAL3)

Access to confidential Patient information requires AAL3 level authentication.

MUST

All

GP-IG-2.3-3

Application Access Authentication

Provide access to all areas of the application through a single authentication step.

MUST

All

GP-IG-2.1-3A

Authentication - Access using NHS authentication

Any access to Personal or Special Category Data within Solutions to be subject to NHS authentication (as per Authentication and authorisation section of Interoperability Standard).

MAY

All

GP-IG-2.1-3B

Authentication - General standards

Any access to Personal or Special Category Data within Solutions will be subject to authentication at least to standards described in GP-IG-2.2-1.

MUST

All

GP-IG-2.1-4

Authentication - NHS authentication with no additional authentication 

Solutions shall ensure that, where NHS authentication (as per Authentication and authorisation section of Interoperability Standard) is used, those users are able to carry out all Solution activities (subject to their access rights) without the need for any additional authentication.

MUST

All

GP-IG-2.1-10

Authentication - Local 

Users not using NHS authentication (see GP-IG-2.1-4) can only use local authentication and will not therefore be allowed access to Solution functions for which NHS authentication is required.

MUST

All

GP-IG-2.1-14

Audit authentication activity

All activities associated with requirements in this section will be recorded in the Solution Audit Trail. Such Audit Trail entries can also include End User device (or Solution) identification information.

MUST

All

GP-IG-2.2-1

Local authentication model

The Solution can provide a local authentication model to provide an alternative method of authentication for users who are unable to use NHS authentication. 

Access to records on the Spine will use Authenticator Assurance Level 3 - ref: NIST 800-63-b.

MAY

All

GP-IG-2.2-9

Two-factor authentication

Two-factor authentication can be used for local authentication.

Access to records on the Spine will use Authenticator Assurance Level 3 - ref: NIST 800-63-b.

MAY

All

GP-IG-2.2-9A

Two-factor authentication for Citizens

Two-factor authentication will be used for Citizens to log into Solutions.

MAY

All

GP-IG-2.2-2

Local authentication - unique user identity and password

Any local authentication will be based on a unique user identity which is then authenticated at least through the use of a password.

MUST

All

GP-IG-2.2-3

Local authentication - password strength and management

Local authentication will satisfy the password strength and password management guidance set out in Meeting the Digital Service Standard and Password Guidance.

MUST

All

GP-IG-2.2-4    

Password storage

Where passwords are stored in Solution databases, they will be stored salted and hashed, using algorithms and strengths recommended in NIST Cryptography Standards.

MUST

All

GP-IG-2.2-5

User access and password Audit Trail

Successful login, unsuccessful login attempts, logouts and password changes will be recorded in the Solution Audit Trail. Data to be included in such an Audit Trail entry:

Successful login, logout:

• User ID

• Date and time (to the second)

Unsuccessful login:

• Number of attempts

• Date and time

• Access point (if available)

• User ID (if available)

Password changes:

• User ID

• User whose password was changed

• Date and time

Such Audit Trail entries to also include End User device (or Solution) identification information.

MUST

All

GP-IG-2.2-6

New user - password creation

New users will be assigned, or will be required to enter, a password matching password-strength requirements in GP-IG-2.2-3.

MUST

All

GP-IG-2.2-7

New user - define own password on first use

If initial password is assigned, the new user will be required to set a password that meets the password-strength requirements in GP-IG-2.2-3, upon first use of the Solution.

MUST

All

GP-IG-2.2-8

Password reset

Password reset facilities are provided; the Solution will store additional information associated with each user so as to allow newly-generated passwords to be provided securely to devices previously known to be associated with the user (such as mobile number or NHSmail email address). Any such newly-generated passwords cannot be made visible to Solution-administration staff, and following first use of such passwords, the user will be required to set their own password.

MUST

Additional Privacy Controls

All

GP-IG-17-1

Access to whole Records

It will be possible to:

• Restrict access to a Patient/Service User’s entire record (use case is Practice staff member)

• Apply such restrictions at the level of RBAC user roles and to custom groups of Staff Members

• Have an audit trail of any such restrictions created

MUST

Data Labelling

All

GP-IG-9-1

Data Labelling - hard-copy output

The Supplier shall ensure that:

• All Personal Data which are output to hard-copy by the Solution will be labelled "Official – Sensitive". This includes Medical Records, audit trails, etc.

• The protective labelling of the information is shown in a consistent location and manner on any hard-copy output displaying the information

• The Solution provides a means for users to verify that hard-copy print-outs are complete (e.g. "page 3 of 5" annotations)

The requirements in this section are not intended to affect the printing specifications for prescriptions or dispensing tokens as specified by the Electronic Prescription Service (EPS) requirements, or for any other outputs that are subject to separate requirements.

SHOULD

All

GP-IG-9-4

Hard-copy labelling - standardised location and manner

The Supplier shall ensure that the protective labelling of the information is shown in a consistent location and manner on any hard-copy output displaying the information.

MAY

All

GP-IG-9-5

Identify that hard-copies are complete

The Supplier shall ensure that the Solution provides a means for users to verify that hard-copy print-outs are complete (e.g. "page 3 of 5" annotations).

MAY

Audit

All

GP-IG-12-10

Audit retention

The Audit Trail can be moved to archive storage as required for efficient Solution operation. This shall be retained in accordance with the audit retention policy; as specified in Records Management Code of Practice for Health and Social Care 2016 (or later) the latest version of Records management: code of practice for health and social care to allow access as specified above in requirement GP-IG-12-4.

Where audit data has been previously archived, it will be made clear in audit viewing tools or other arrangements that some audit data might not be immediately available, but that it can be retrieved (with an indication of steps to take to make such archived data visible).

MUST

All

GP-IG-2.1-14

Audit authentication activity

All activities associated with requirements in this section the Authentication section will be recorded in the Solution Audit Trail. Such Audit Trail entries can also include End User device (or Solution) identification information.

MUST

General Data Protection Regulation (GDPR)

All

GP-IG-16-1

General Data Protection Regulation (GDPR)

Suppliers to ensure that Solutions processing (including storage of) Personal or Special Category Data adhere to General Data Protection Regulation (GDPR) and Privacy and Electronic Communications Regulations (PECR).

See General Data Protection Regulation guidance,and ICO - Guide to the General Data Protection Regulation (GDPR) and the ICO Guide to PECR for further guidance on cookies.

MUST

Information Security

All

GP-IG-14.5

Secure Design Principles

The Solution to comply with NCSC Secure Design Principles.

MAY

All

GP-IG-14.1-4

Synchronise Internal Clocks - with HSCN Network DNS Servers

Solutions can synchronise any internal time clocks with HSCN Network DNS Servers – currently at cns0.nhs.uk & cns1.nhs.uk – using the NTP protocol. Alternatively, tThe Solution will utilise a Stratum 3 time source as a minimum. However, Suppliers can consider the use of Stratum 2 or above.

MUST

All

GP-IG-14.2-3

Protection from Loss or Theft

While being processed, stored, and in backup and archive storage, all Personal Data, and sensitive Personal Special Category Data and audit logs shall be physically protected from loss or theft in line with Records Management Code of Practice for Health and Social Care 2016 (or later)the latest version of Records management: code of practice for health and social care.

MUST

All

GP-IG-14.2-4

Personal Data and Sensitive Personal Special Category Data - retention policy

Personal Data, and sensitive Personal Special Category Data and audit logs shall be retained in line with Records Management Code of Practice for Health and Social Care 2016 (or later)the latest version of Records management: code of practice for health and social care.

MUST

All

GP-IG-14.2-5

Data Storage and Processing - Location

The location of physical storage of Personal or Sensitive Personal Data shall abide by published Health and Social Care Cloud Security - Good Practice Guide and described in the Records Management Code of Practice for Health and Social Care 2016 (or later) or as subsequently amended.

The geographical location for the processing and storing of any Personal Data (including Special Category Data) must be within the UK. This is in line with the agreed Deed of Processing (S2.5.16). The physical storage of Personal Data (including Special Category Data) will abide by the published Department of Health and Social Care (DHSC) guidelines described in the latest version of Records management: code of practice for health and social care.

Please also see Cloud Security - good practice guide.

MUST

All

GP-IG-14.2-6

Data - storage periods

The Solution shall ensure all data is stored for periods as defined by DHSC guidelines described in the latest version of Records management: code of practice for health and social care.

MUST

All

GP-IG-14.3-9

Encryption Keys - unique per data archive discrete dataset

The Supplier shall ensure that the encryption key for each archive discrete dataset is unique to that data archive.

MUST

All

GP-IG-16-2

ISO/IEC 27001 Accreditation

A valid ISO 27001 Certificate is required from a UKAS-registered accreditation organisation, or IAF registered accreditation organisation in exceptional circumstances.

SHOULD

MUST

All

GP-IG-18-3

Application Security

The Supplier will ensure that applications are appropriately protected using industry standard techniques, such as controlled access to standard ports and APIs, applying Lleast Pprivilege, accepting only encrypted connections, input validation, and fail-safe defaults.

The Supplier will be aware of common specific application vulnerabilities common specific application vulnerabilities and will ensure all appropriate mitigations are incorporated in their architecture.

MUST