Guidance updated November 2024
This mythbuster has been updated with additional information about the security of smartcards and their safe use in practice.
The NHS issues smartcards to health professionals to give them secure access to confidential patient data. This includes personal and healthcare details.
See:
- Smartcard information (NHS England)
- NHSmail & NHS Care Identity (Smartcard) | User Frequently Asked Questions (FAQs)
The smartcard application process involves rigorous identity checks. Only staff and healthcare professionals issued with a smartcard have a justified need to view personal and clinical information appropriate to their role.
Proof of recruitment
The NHS prints a smartcard with the staff member's name, photograph and unique user identity number. To get a smartcard, you must have an identity check, which includes:
- at least 3 forms of evidence of identity (including photo and non-photo forms)
- proof of address.
Regulation 19(3)(a) requires a provider to have certain information available in relation to their staff, including proof of identity (with a recent photograph). Providers should collect this information at the point of recruitment. If a member of staff has been through this process, we can accept smartcards as proof of ID.
If a new staff member has not previously worked in the NHS and needs to apply for a smartcard after appointment, the provider will need to demonstrate that they 'requested' the ID photo at the time of recruitment rather than at the time of smartcard request. For locum staff who use their NHS smartcard in various NHS settings, the contracting provider needs to ensure appropriate recruitment checks have been completed.
Security of smartcards
All staff issued with an NHS smartcard have a duty to keep patient information secure and confidential at all times. Any access to patient data is auditable and traceable back to the holder of a smartcard. Smartcard holders should treat smartcards the same as a credit or debit card. They should never share passcodes, and they should keep them safe and secure.
Smartcard holders must follow these simple rules:
- Never allow anyone else to use your smartcard.
- Never leave your smartcard unattended.
- Never leave your smartcard in a smartcard reader when you are not using it. Log out of the system if you are away from the desk.
- Always keep your smartcard in a safe and secure place when not in use.
- Report any lost, stolen or damaged smartcards immediately to the local registration authority (RA) team or local smartcard administrator.
See Smartcard security and access controls.
When staff accept a smartcard they should adhere to the Privacy notice and terms and conditions.
Smartcard holders should never:
- share smartcards with any other users
- use smartcards to access clinical systems for purposes outside of their role or for personal reasons
- use smartcards to produce prescriptions via someone else’s identity / card.
See Security and confidentiality - NHS England Digital.
Permissions
Prescribers should ensure that their smartcard has the correct roles assigned to allow them to sign a prescription. They can electronically sign prescriptions individually or select multiples to sign in bulk, and if necessary, can view patient details on screen before applying their electronic signature. Other levels of permission will be required by other staff. Prescribing rights must only be granted to authorised prescribers.
Role Access
Role-based access control (RBAC) is a way of ensuring that users are suitably authorised because:
- users are assigned pre-defined roles. For example, as a general practitioner, receptionist or health care assistant
- roles are linked to pre-defined activities. For example, general practitioners can view patients’ demographic details
- users can have multiple roles. For example, a user might be both a general practitioner and a privacy officer
- roles can be linked to multiple activities. For example, a general practitioner might be able to both view and amend patients’ demographic details
What we look at
When assessing GP practices, we use these regulations when we review if the practice is safe, effective, responsive, caring and well-led.
For this mythbuster, we use:
We would expect that:
- you follow appropriate recruitment processes
- systems are in place to ensure the safe, secure and appropriate use of smartcards.