BHR: NHS Smartcards – Important Governance Messages and the IG Toolkit – 2019 UPDATE

Please see below for important messages relating to Smartcard usage and governance. 

All Smartcard users must comply with the Terms and Conditions of Smartcard Use, The NHS Care Record Guarantee, The GDPR/Data Protection Act (2018), Computer Misuse Act, other professional Codes of Conduct, contractual requirements and a range of other legislation, policies and procedures.

All users sign up to the Terms and Conditions when they first register for their card and also agree to these when they first log in with their Smartcard, and with every subsequent login. People must abide by the Terms and Conditions because, in doing so, they are protecting patients’ confidentiality and privacy, abiding by the law and also protecting themselves, for example by not allowing other people to do things in their name.

It is the card-holder’s responsibility if someone uses or accesses information via their card; audit trails are kept of Smartcard access and usage.

Not abiding by the Terms and Conditions means that users will be breaking the law. If we visit your organisation, we are required to undertake spot checks and alert you to any issues.

Measures taken in the case of non-compliance or breach range from re-training, verbal and written notification or warnings, investigation, suspension of card access, withdrawal of card and formal disciplinary processes up to and including dismissal. Serious governance breaches can lead to prosecution under the Data Protection Act (2018) or an action for civil damages which could result in costs, and a loss of reputation and patient trust. Since 25 May 2018, the Information Commissioner’s Office has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (20m Euro) or 4% of global turnover.

Suspected Smartcard misuse must be reported to the RA in line with incident reporting policies and procedures and, depending on the severity of the allegation, an investigation may be required. Suspected misuse may be reported to Line Managers, Practice Managers or the Caldicott Guardian and the Smartcard may be suspended or revoked.

  • A pharmacist who worked for South West Essex Primary Care Trust was prosecuted by the Information Commissioner’s Office (ICO) under section 55 of the Data Protection Act and fined £1000, ordered to pay a £100 victim surcharge and £608.30 prosecution costs after unlawfully accessing medical records.
  • A receptionist in a Practice was prosecuted and fined under section 55 of the Data Protection Act after unlawfully accessing medical records.

Important Points

  • Smartcards are unique to an individual and must not be shared or used by others. Only the individual to whom the Smartcard has been issued should log in with the card.
  • Passwords must not be shared or divulged to anyone else and especially not written on the card.
  • Keep the Smartcard safe and secure and never leave your Smartcard unattended.
  • You must only access patient or spine information where there is a legitimate clinical need.
  • The picture must not be covered (e.g. with a sticker), scratched off or otherwise defaced.
  • The Smartcard is not an NHS ID badge and must not be used as such; in fact many people who have Smartcards aren’t direct employees of the NHS.
  • Tell a member of the RA Team as soon as possible if your card is lost, stolen or broken, so we can cancel it and get a new one issued.
  • If someone leaves a job and is going to another healthcare employer, or there is a chance that they might be going to another healthcare employer, then they keep their Smartcard, but please let us know via an IT Service Desk log, so we can remove the organisation from the profile.
  • If you have several registrations to be processed, please let us know so we can treat them as a group, which is more efficient than doing them piecemeal.
  • The cost of producing a card including administrative and processing costs can be up to £25. Frequent loss of a Smartcard can attract a charge of £10.


The BHR CCG RA Team has moved offices from 29th July 2019 to the location below:

Barking & Dagenham, Havering and Redbridge CCGs

RA Team, 8th Floor, North House, St Edwards Way, Romford, RM1 3AE

Appointments only between 9.00am – 5.00pm Mon-Fri

All Smartcard queries or problems must now be directed to the Service Desk

Telephone number: 0203 416 5900

Or via e-mail: –