SUS RBAC Assignment Guide User guidance on Payment by Results (PbR) in SUS Payment by Results (PbR) in SUS

Transcription

1 SUS RBAC Assignment Guide User guidance on Payment by Results (PbR) in SUS Payment by Results (PbR) in SUS Published August 2015

2 We are the trusted source of authoritative data and information relating to health and care.

3 SUS RBAC Assignment Guide v1.3 Contents Introduction 4 This Document 4 Accessing SUS 4 Registration Authority (RA) 4 Smartcards 4 SUS Applications 4 IG and Access Controls 4 Role Based Access Controls (RBAC) 5 Unique User ID 5 User Role Profiles 5 Business Functions 5 Accessing Identifiable and Pseudonymised Data 5 Organisation Code 6 Cross Organisational Access 6 Shared Services 6 Independent Sector Providers 6 User Limits 7 Business Function Combination Restrictions 7 Assigning Business Functions 8 SUS Access 8 CDS Extracts 8 Payment by Results 8 SUS Submission Monitoring 9 Data Deletion Service 9 Logging into SUS 10 Appendix A: Index of SUS Activities (Business Functions) 11 ACTIVE Activities (Business Functions) 11 INACTIVE Activities (Business Functions) 13 Appendix B: Conflicting Business Functions 16 Appendix C: Restricted Business Functions 17 Appendix D: Redundant Business Functions 22 Copyright 2015, Health and Social Care Information Centre. All rights reserved. 3

4 SUS RBAC Assignment Guide v1.3 Introduction This Document a face-to-face meeting with their local RA RA verification of the user s identity with photo ID and proof of address This document provides guidance for sponsors and Registration Authorities (RA) on the rules associated with Role- Based Access Control (RBAC) and the process of allocating permissions for users. It also assists users in understanding the appropriate SUS access levels required for their business needs. For general information about using SUS please refer to the SUS Guidance page of the HSCIC website. Accessing SUS Access to SUS is controlled using Role Based Access Control (RBAC). RBAC uses role information assigned to a user s Smartcard to determine permitted system functionality and access levels. Registration Authority (RA) A Registration Authority (RA Sometimes referred to as Registration Agent) is responsible for issuing and assigning functionality (Business Functions also referred to as Activities ) and system access levels to Smartcards. In most cases the local RA will be a member of the IT or Information Governance department within the user s organisation. Smartcards In order to access SUS a user must have a Spine Smartcard. completion of the relevant local Smartcard application procedure SUS Applications SUS applications are maintained centrally on the NHS Spine system. They support the following functionality: Standard Extract Mart (SEM) Payment by Results (PbR) Mart Strategic Data Deletion Service IG and Access Controls SUS information is provided in either pseudonymised ( pseudo ) or patient identifiable ( clear ) form. Which one of these is applicable to a user is dependent on their legal rights to view the data. As a general rule all organisations can see the activity for which they are responsible. Where a user does not have a right to view clear data, pseudo data is made available. Although pseudonymised data protects a patient s identity it can still be used for record linkage as the data has been pseudonymised centrally by SUS. A Spine Smartcard is assigned by the local Registration Authority (RA) to a user when the following requirements have been met: 4 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

5 Role Based Access Controls (RBAC) As with other Spine applications, access to SUS is enabled via the NHS Smartcard system which uses Role Based Access Controls (RBAC). Unique User ID Each user has a Smartcard with a Unique User ID (UUID). In the RBAC system this UUID is associated with any number of User Role Profiles (URP). User Role Profiles A URP contains: Role Identifier (three-level code) Organisation code Business Functions (BF) SUS applications use this information to determine the functionality available to the user. SUS only uses Business Function codes and Organisation code, within a single URP to determine the access rights granted to the user for each session. Therefore if a user has multiple URPs, they will be asked to select which URP they want to use for the session when logging in. Smartcard with UUID URP 1: + Role + Organisation + Business Functions URP 2: URP 3: Business Functions The Business Functions or Activities allocated to the Smartcard determine what the user can see within the system. They also determine the functionality available to the user, such as Local views of 18 week RTT reports for a Trust, or commissioner PbR extracts for a commissioner. The Business Function codes in the table below are the most common codes used for access to SUS. Code Function B1500 Gateway access to SUS application B1525 Manage Tracking and Data Quality B0163 Access to PbR extracts (clear view) B0164 Access to PbR extracts (Pseudo) B1505 Execute CDS extracts Clear (SEM) B1510 Execute CDS extracts Pseudo (SEM) B0141 Access Data Deletion Request Service Access to SUS via B1500 In order for any user to access SUS, they must have the SUS Gateway Business Function B1500 assigned to their URP. Therefore all URPs needing to access SUS must contain B1500. It must be specifically granted as it is not included in a default URP. More detailed information on granting Business functions can be found in section Assigning Business Functions. Accessing Identifiable and Pseudonymised Data Access to identifiable data should be minimised for secondary purposes, even within a single organisation. In order to comply with policy and information governance best practice, users are not able to simultaneously view identifiable ( clear ) and pseudonymised ( pseudo ) records during a single SUS session (using a single URP); RAs should never allocate Business Functions for pseudonymised ( pseudo ) data and identifiable ( clear ) data within 5 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

6 SUS RBAC Assignment Guide v1.3 the same URP. There is no business need for an individual to access both types of data for one functional area. There should therefore be no need for an RA to artificially create 2 URPs for a user simply to access one area of functionality. For an index of all the SUS Business Functions/Activities please refer to Appendix A. It is possible for a user to have several Business Functions within each URP. However, some combinations of Business Functions are not allowed on the same URP and certain Business Functions are only applicable to users in certain types of organisation. There are no technical constraints within RBAC identity management system to prevent the allocation of incorrect Business Function codes or forbidden combinations. However, if a forbidden combination of Business Functions and/or Organisation codes are allocated to a user s Smartcard, the system detects a conflict and the user is denied access to SUS using that URP. For information governance reasons, users are not allowed access both clear and pseudonymised data on the same URP. This is because having access to both would constitute a security risk as the user would have access to both pseudo and clear data and would therefore be able to cross-reference the Patient ID with the pseudonymised value and effectively reveal the pseudonymisation key. An RA should therefore never allocate Business Functions granting clear and pseudo data access within a single URP. Organisation Code The Organisation code is used to restrict which data can be seen within some reports. The Organisation code is also used, to check for forbidden combinations of Business Functions and Organisation. Where data is restricted by the organisation code, this does not necessarily mean that ONLY data from the organisation in the URP can be seen by the user when logging in with that URP. SUS can hold organisational relationships that can allow an organisation to see appropriate data from all of the other organisations for which it is responsible. This is based on the assumption that the required agreements are in place. For more information please see Shared Services section below. Cross Organisational Access Shared Services Shared services must: Register with the NHS Organisation Data Service (ODS) And Inform the SUS Helpdesk to enable SUS to be set up to recognise the Shared Service Shared Services must register with SUS using the Shared Services Registration form found on the SUS Guidance page under How do I set up a Shared Service or Specialist Commissioning Service?. Independent Sector Providers Facilities have been set up in SUS to enable Independent Sector Providers (ISP) to process data for itself as the parent or Head Quarters of the organisation and other child or satellite sites within the same overall ISP organisation. To implement this, the ISP will need to: Register with the NHS Organisation Data Service (ODS) and Inform the SUS Helpdesk to enable SUS to be set up to handle each ISP ISPs must register with SUS using the Independent Sector Registration form found on the SUS Guidance page under the section How do I set up an Independent Sector Provider in SUS? 6 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

7 User Limits Each organisation is permitted 3 user licenses to use the SUS Data Access Service (Ardentia). In exceptional circumstances, an organisation that can provide a valid business reason to increase their smartcard limit can raise a SUS User Limit Request via to HSCIC Enquiries at enquiries@hscic.gov.uk. The SUS activities/business functions that are used to access this area are shown in the table below. NB - This is different to the SUS Business Intelligence Service (BO) which does not restrict the number of user licenses per organisation. Business Function Combination Restrictions SUS enforces certain Information Governance principles around the type of data that users are allowed to access. There are therefore certain combinations of SUS activities that should not be allocated to a user s role. A user can mix activities shown in column A with those from any one other column. However users cannot mix activities from columns B, C or D. For example, you cannot not use both B1505 and B0164 together. You can use B1505 and B0163 together. A B C D SEM CDS Extracts PbR B Access Financial Integrity Extracts B Execute CDS Extracts (Clear) B Access PbR Extracts (clear view) B Execute CDS Extracts (NHS Group Pseud. Data) B Access PbR Extracts (pseudonymised view) B Execute CDS Extracts (Spatial key Pseud. Data, Clear Postcode) B Access PbR Extracts (Spatial view) Old PbR Tracker B Manage Tracking and Data Quality B Run Aggregate PbR B Run PbR Commissioning Extracts B Run PbR Provider Extracts Please refer to Appendix B for a full table of conflicting activities. 7 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

8 SUS RBAC Assignment Guide v1.3 Assigning Business Functions SUS Business Functions are described in Appendix A. The following high-level guidance is intended to assist sponsors and RAs in determining the correct combination of Business Functions (or Activities ) for particular users. Individuals may work across different areas and may therefore need several Business Functions within a single User Role Profile (URP). As highlighted earlier, certain combinations of Business Functions are not permitted within a single URP; particularly the combination of clear and pseudo. There is no technical constraint on the granting of Business Function and Organisation combinations but where a forbidden combination of Business Functions and Organisations is granted, the user will be denied access to SUS using that URP. Users attempting to log into SUS with conflicting Business Functions will be presented with the following error message: Your currently selected User Role Profile contains an invalid combination of SUS Activities. Please contact your local Registration Agent. Please refer to Appendix B for a full table of conflicting activities. SUS Access In order to access SUS the SUS Gateway Business Function B1500 must be assigned. B1500 must be specifically granted as it is not included by default. CDS Extracts The following Activities are available: Execute CDS Extracts (Clear) Execute CDS Extracts (Pseud. Data, Clear Postcode) Execute Spatial CDS Extracts (Pseud. Data, Clear Postcode) B1505 B1510 B1840 Users in Provider and Commissioner Organisations (including Shared Services) should be granted B1505. This provides a local view of CDS data based on the organisation code in the URP. Users in Shared Service organisations should have a URP created with the Shared Service organisation code, and should separately notify SUS of the relationship between the Shared Service organisation and its child organisations. It is expected that only a small number of users in each organisation will require this activity and these users will then share the extracted data locally in line with the SUS Data Handling protocol. Users who are only permitted to view pseudonymised data should be granted B1510. Payment by Results The following Activities are available: Access PbR Extracts (clear view) Access PbR Extracts (pseudonymised view) Access PbR Extracts (Spatial pseudonymised view) The following Activities are available: Run Aggregate PbR Run PbR Commissioning Extracts Run PbR Provider Extracts B0163 B0164 B1841 B1555 B1560 B1565 PbR users may be granted any or all of these Business Functions. However, for a typical provider or commissioner organisation, only B1560 or B1565 would be applicable. Both would be required for organisations acting as both provider and commissioner. B1555 is applicable to PbR users in provider and commissioner organisations. 8 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

9 SUS Submission Monitoring Activity B1525 (Manage Tracking and Data Quality) allows users to execute data quality reports against specified data sets, and view submission status. It may therefore be granted to Information Service staff with responsibility for sending and extracting CDS data. Data Deletion Service The following Business Function is available for users requiring access to the Strategic Data Deletion Service: Access Data Deletion Request Service B0141 This Business Function allows users in NHS Organisations to request service from the Health and Social Care Information Centre Data Deletion Service. Further information can be found on the SUS Strategic Data Deletion Service page. 9 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

10 Organisation filtering SUS RBAC Assignment Guide v1.3 Logging into SUS Once a smartcard has been assigned with the appropriate Business Function codes, accessing SUS is straightforward. Start Insert smartcard into reader (A popup Dialog Appears) Enter PIN Access to Spine Portal is granted following authentication Access to SUS is granted if gateway Business Function (BF) B1500 is found Business Function codes are checked to determine available functionality Organisation and User filters applied Authentication Spine Portal B1500 present? BF BF BF A A A A A Application Logic SUS 10 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

11 Appendix A: Index of SUS Activities (Business Functions) ACTIVE Activities (Business Functions) Functionality currently available to use. NB This does not include restricted activities. Area Business Function Code Description Online Query Services Extracts Extracts Payment by Results Payment by Results Payment by Results Access SUS Execute CDS Extracts (Clear) Execute CDS Extracts (NHS Group Pseud. Data) Access PbR Extracts (clear view) Access PbR Extracts (pseudonymised view) Run PbR Commissioning Extracts B1500 B1505 B1510 B0163 B0164 B1560 Required to access SUS application. All SUS users must be granted this BF. Where not granted, the SUS link will not appear on the Spine portal page. Allows a user to run parameterised or pre-set CDS data extracts with patient identifiable data for a commissioning organisation within the NHS. Allows a user to view previously executed parameterised or pre-set CDS data extracts with patient identifiable data for a commissioning organisation within the NHS. Allows a user to run parameterised or pre-set CDS data extracts with patient identifiable data for a provider organisation (within the NHS). Allows a user to view previously executed parameterised or pre-set CDS data extracts with patient identifiable data for a provider organisation (within the NHS). Only applicable to information service staff in commissioner and provider organisations. Allows a user to run parameterised or pre-set CDS data extracts with patient identifiable data in pseudonymised form, using the NHS Group key, for their organisation. Allows user to view previously executed parameterised or pre-set CDS extracts with patient identifiable data in pseudo form, using the NHS Group key, for their org. This includes Main extracts + Error Extracts + Supplementary, via managed service and via PbR Online application for these reports There is only one functional view. All functionality is available to all users (they can select any of the parameters within the forms displayed) however data will only be displayed that is relevant to the user s organisation (as in the selected URP) All of the detailed rules for which data is available in each report for each organisation will be specified in the reporting specification Users must not have clear and pseudo BFs on single URP. Allows user to run extract for other roles, e.g. copy recipient, Org of Residence, etc. This includes Main extracts + Error Extracts + Supplementary, via managed service and via PbR Online application There is only one functional view. All functionality is available to all users (they can select any of the parameters within the forms displayed). Data will only be displayed that is relevant to the user s organisation (as in the selected URP) All of the detailed rules for which data, etc. is available in each report for each organisation will be specified in the reporting specification Users must not have clear and pseudo BFs on single URP. Allows user to run extract for other roles, e.g. copy recipient, Org of Residence etc. Allows a user to run a parameterised or pre-set data extract from the PbR data set with patient identifiable data for a commissioning organisation in the NHS. 11 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

12 SUS RBAC Assignment Guide v1.3 Area Business Function Code Description Allows a user to view a previously executed parameterised or pre-set data extract from PbR with pseudonymised data for a commissioning organisation in the NHS. Allows a user to run a parameterised or pre-set data With Errors extract from PbR mart with pseudo data for an Organisation. Allows a user to run a parameterised or pre-set data With Errors extract from the PbR data set with pseudo data for an Org. Allows user to run extract for other roles, e.g. copy recipient, Organisation of Residence, Organisation of Responsible. Only applicable to information service staff in commissioner organisations. Payment by Results Tracking and Data Quality Data Deletion Service Population Analysis Population Analysis Run PbR Provider Extracts Manage Tracking and Data Quality Access Data Deletion Request Service Run Population Analysis Extracts (Local, Pseudonymised) Run Population Analysis Extracts (Local, Clear) B1565 B1525 B0141 B1813 B1815 Allows a user to run a parameterised or pre-set data extract from the PbR data set with patient identifiable data for a provider organisation within the NHS. Allows a user to view a previously executed parameterised or pre-set data extract from PbR data set with pseudonymised data for a provider organisation within the NHS. Allows a user to run a parameterised or pre-set data With Errors extract from the PbR data set with pseudonymised data for an Organisation. Allows a user to run a parameterised or pre-set data With Errors extract from the PbR data set with pseudonymised data for an Organisation. Allows user to run extract for other roles, e.g. copy recipient, Organisation of Residence, etc. Only applicable to information service staff in provider organisations. Allows a user to run predefined standard service tracking reports for submitted data and accessed through Extract Mart Detail. Allows a user to execute the latest data quality report, for data the provider organisation has submitted to SUS, and accept or reject the submission and also accessed from Extract Mart. Allows a user to execute a data quality report against an existing specified data set (APC, outpatient, A&E, MHMDS) and other data validations. Allows users to view predefined Organisation / GP derivation reports (view tailored to current organisation). Only applicable to information service staff in commissioner and provider organisations Allows users in NHS Organisations to request service from the HSCIC Data Deletion Service. Includes reporting on the progress of the data deletion request Allows access to underlying person data for the user's own organisation. There is no national view accessible via this activity. If the Org code in corresponding URP is DH, IC (HSCIC) or PHO no data is displayed Only one Population Analysis reporting activity should be granted within a URP Allows access to underlying person data for the user's own organisation. There is no national view accessible via this activity. If the Org code in the corresponding URP is DH, IC (HSCIC) or PHO then no data is displayed. Only one Population Analysis reporting activity should be granted within a URP. 12 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

13 INACTIVE Activities (Business Functions) The following functionality is not yet available to use. If allocated, users may receive an error message. Area Business Function Code Description Access predefined Allows users to access predefined PCT/GP derivation reports. Tracking and PCT/GP Derivation View tailored to current organisation - applicable to provider B0116 Data Quality reports (provider, organisations only. Patient identifiers are displayed as clear clear) text. Tracking and Data Quality 18 Weeks RTT 18 Weeks RTT 18 Weeks RTT 18 Weeks RTT 18 Weeks RTT Access predefined PCT / GP Derivation reports (pseudo) National aggregate and dashboard 18 Weeks RTT reports (no drill-through to patient level data) Run Ad Hoc 18W RTT Queries (National, Aggregate) Run Ad Hoc 18W RTT Queries (Local, Pseudonymised) Run Ad Hoc 18W RTT Queries (Local, Clear) Run Fixed 18W RTT (Local, Pseudonymised) B0117 B0155 B1800 B1803 B1804 B1805 Allows users to access predefined PCT/GP derivation reports. View tailored to current organisation only. Patient identifiers are displayed as pseudonyms. Allows access to RTT dashboards and Aggregate RTT reports Ad hoc reporting tool with ability to formulate queries on Aggregate data (no pseudonyms or identifiers), for data across the whole nation. NB only one 18W RTT Activity should be granted within a URP; a full list of disallowed combinations of Activities is available on the SUS website. Run the ad hoc reporting tool with ability to formulate queries on RTT data with pseudonymised identifiers, restricted to organisation in logon URP. HISs are allowed access to data via this activity. Only data relevant to the user's organisation is available. Also includes access to whole nation aggregate ad hoc views although no national pseudonymised view is accessible via this activity. If a user tries to access data via this activity with a DH or HSCIC / CFH org code then no data is displayed. NB only one 18W RTT activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Run ad hoc reporting tool with ability to formulate queries on RTT data with cleartext identifiers, restricted to organisation in logon URP. HISs are allowed access to data via this activity. Drill-through data is only available for the user's organisation and below in the NHS organisation hierarchy. Also includes access to whole nation aggregate ad hoc views although no national drill-through is accessible via this activity. If a user tries to access data via this activity with a DH or HSCIC / CFH org code then no data is displayed. NB only one 18W RTT activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Predefined Pathway & Event data and DQ reports on data that relates to the user's own organisation only to allow drill-through to individual records. All identifiers are pseudonymised. HISs are allowed access to data via this activity. Drill-through data is only available for the user's organisation and below in the NHS organisation hierarchy. No national drill through is accessible via this activity. If a user tries to access data via this activity with a DH or HSCIC / CFH org code then no data is displayed. NB only one 18W RTT activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. 13 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

14 SUS RBAC Assignment Guide v1.3 Area Business Function Code Description 18 Weeks RTT 18 Weeks RTT 19 Weeks RTT 20 Weeks RTT 21 Weeks RTT 22 Weeks RTT CAB Reporting CAB Reporting CAB Reporting Mental Health Minimum Dataset Run Fixed 18W RTT (Local, Clear) RTT Pilot - Run National PTL RTT008 Report RTT Pilot Run PTL Report Validation RTT011 and Summary Objects RTT Pilot Run PTL Report Validation RTT011 and Period/Detail Objects. Local-Clear RTT Pilot Run PTL Report Validation RTT011 and Period/Detail Objects. Local - Pseudo Run national Population Analysis Aggregate reports Run Aggregate Choose and Book Run Choose and Book (Expert view) Run Choose and Book Data Quality Access MHMDS Predefined (local, aggregate) B1807 B1837 B1838 B1839 B0171 B0154 B0156 B1817 B1818 B0119 Predefined Pathway & Event data and DQ reports on data that relates to the user's own organisation only to allow drill-through to individual records. HISs are allowed access to data via this activity. All identifiers should be displayed as cleartext. If a user tries to access data via this activity with a DH or HSCIC / CFH org code then no data is displayed. NB only one 18W RTT activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Activity should only be allocated to RTT pilot users. Pilot users will require separate authorisation from the HSCIC in order to gain access Allows temporary access to RTT008 National Patient Tracking List (PTL) report for live piloting. Aggregate data Activity should only be allocated to RTT pilot users. Pilot users will require separate authorisation from the HSCIC in order to gain access Allows temporary access to RTT011 Patient Tracking List (PTL) report validation and whole universe and new summary objects. Aggregate data Activity should only be allocated to RTT pilot users. Pilot users will require separate authorisation from the HSCIC in order to gain access Allows temporary access to RTT011 Patient Tracking List (PTL) report validation and whole universe and new Period/Detail objects. Data returned is local and clear Activity should only be allocated to RTT pilot users. Pilot users will require separate authorisation from the HSCIC in order to gain access Allows temporary access to RTT011 Patient Tracking List (PTL) report validation and whole universe and new Period/Detail objects. Data returned is local and pseudo Allows access to National Aggregate NSTS. NB. Only one Population Analysis reporting activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Should only be granted to PHO, DH, HSCIC or SHA staff. Allows access to CAB General User Domain (predefined aggregate reports). Allows access to Analyst views of the Choose and Book reports. Applicable to expert users (who have undergone appropriate training) only. Allows access to Data Quality reports for Choose and Book. Applicable only to staff working in CAB DQ only. Access predefined reports displaying aggregate data that relates to the user's own organisation only. HISs are allowed access to data via this activity. No individual patient identifiers are displayed. If a user tries to access data via this activity with a DH or HSCIC / CFH org code then no data is displayed. NB only one MHMDS activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. 14 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

15 Area Business Function Code Description Mental Health Minimum Dataset Mental Health Minimum Dataset Mental Health Minimum Dataset Mental Health Minimum Dataset Mental Health Minimum Dataset Access MHMDS Predefined (local, clear) MHMDS Ad Hoc Report Generation (local, aggregate) Access MHMDS Predefined (local, pseudo) MHMDS Ad Hoc Report Generation (local, pseudo) MHMDS Ad Hoc Report Generation (local, clear) B0134 B0135 B0136 B0137 B0138 Access predefined reports displaying data that relates to the user's own organisation with drill-through to individual records. HISs are allowed access to data via this activity. All identifiers should be displayed as cleartext. If a user tries to access data via this activity with a DH or HSCIC org code then no data is displayed. NB only one MHMDS activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Ad hoc report generation and extracts for SHAs - aggregate data only. Outputs aggregate data for Trusts in the SHA only. NB only one MHMDS activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Access predefined reports displaying data that relates to the user's own organisation with drill-through to individual records. HISs are allowed access to data via this activity. All identifiers should be displayed as pseudonyms. If a user tries to access data via this activity with an SHA, DH or HSCIC / CFH org code then no data is displayed. NB only one MHMDS activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Access ad hoc reporting tool and extracts service for MHMDS data. Users may view patient level data for their own organisation, patient identifiers are replaced by pseudonyms. If a user tries to access data via this activity with an SHA, DH or HSCIC / CFH org code then no data is displayed. NB only one MHMDS activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Access ad hoc reporting tool and extract service for MHMDS data. Users may view patient identifiable information for their own organisation. If a user tries to access data via this activity with an SHA, DH or HSCIC / CFH org code then no data is displayed. NB only one MHMDS activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. 15 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

16 SUS RBAC Assignment Guide v1.3 Appendix B: Conflicting Business Functions The following pairs of SUS Business Functions / Activities conflict: BF 1 BF 2 BF 1 BF2 BF 1 BF 2 BF 1 BF2 B0116 B0117 B1807 B1801 B1813 B1812 B1819 B1801 B0160 B1505 B1807 B1805 B1813 B1804 B1819 B1802 B0160 B1840 B1808 B1801 B1813 B1808 B1819 B1803 B0160 B0163 B1808 B1803 B1813 B1811 B1819 B1804 B0160 B1841 B1808 B1805 B1814 B1801 B1819 B1805 B0163 B1510 B1808 B1806 B1814 B1803 B1819 B1806 B0163 B1840 B1808 B1807 B1814 B1805 B1819 B1807 B0163 B0164 B1808 B1804 B1814 B1806 B1819 B1808 B0163 B0160 B1809 B1540 B1814 B1807 B1819 B1809 B0163 B1841 B1809 B1545 B1814 B1809 B1819 B1810 B0163 B0165 B1809 B1835 B1814 B1810 B1819 B1813 B0164 B1505 B1809 B1836 B1814 B1812 B1819 B1816 B0164 B1840 B1809 B0255 B1814 B1813 B1819 B1540 B0164 B0163 B1809 B1801 B1814 B1804 B1819 B1811 B0164 B1841 B1809 B1802 B1814 B1808 B1819 B1812 B1505 B1510 B1809 B1803 B1814 B1811 B1819 B1814 B1505 B1840 B1809 B1805 B1815 B1801 B1819 B1815 B1505 B0164 B1809 B1806 B1815 B1805 B1819 B1817 B1505 B0160 B1809 B1808 B1815 B1806 B1819 B1818 B1505 B1841 B1809 B1525 B1815 B1808 B1834 B1510 B1505 B0165 B1809 B1550 B1815 B1810 B1834 B1840 B1510 B1505 B1809 B1800 B1815 B1803 B1834 B0160 B1510 B1840 B1809 B1804 B1815 B1809 B1834 B0164 B1510 B0163 B1809 B1807 B1815 B1812 B1834 B1841 B1510 B1841 B1810 B1525 B1815 B1811 B1834 B0165 B1560 B1510 B1810 B1540 B1815 B1813 B1840 B1505 B1560 B1840 B1810 B1550 B1815 B1814 B1840 B1510 B1560 B0160 B1810 B1835 B1816 B1803 B1840 B0163 B1560 B0164 B1810 B1836 B1816 B1807 B1840 B0164 B1560 B1841 B1810 B1800 B1816 B1810 B1840 B0160 B1560 B0165 B1810 B1804 B1816 B1815 B1840 B0165 B1565 B1510 B1810 B1805 B1816 B1801 B1841 B1505 B1565 B1840 B1810 B1807 B1816 B1804 B1841 B Copyright 2015, Health and Social Care Information Centre. All rights reserved.

17 Appendix C: Restricted Business Functions Only some Activities are available for granting by RAs in the NHS outside central organisations. The Activities shown here are only for use by RAs in HSCIC. They should not be granted by RAs in other organisations, nor should they be granted to users from other organisations. If users outside HSCIC are granted any of these Activities they will automatically be denied access to SUS. If a URP is created that has any of these Activities with any other organisation code, the SUS application will not allow the access via that URP (although other URPs that the user has with valid combinations of Activities and Organisations will continue to work). NB: Users who require these Activities must apply to the HSCIC. All of these users will additionally require B1500. Area Business Function Code Description Online Query Services Run On Line Queries B1535 Allows Access to Sim Mart and On Line Query Business Models for MH & PbR. Restricted to HSCIC only via organisationally filtered controls (in initial release) Payment by Results Run National non-uk NHS Users Report B1834 Allows access to Payment by Results reports that give the name, address and country of residence of non-uk nationals who have used NHS services, in order to allow costs to be reclaimed from the patients' home nations. Should only be granted to users if their org code is DH (or another organisation nominated by the DH). Payment by Results Access PbR National Extract B0160 Solely users in the HSCIC Payment by Results Access Financial Integrity Extracts DH/IC view B0161 Extracts which show that data balances at national level for all providers and commissioners, split out across SHAs (possibly will be the same as the SHA view - requirements still under development). Payment by Results National support for end users B0165 This would be a restricted function used within the HSCIC to gain access to particular reports from any organisation when queries/ issues are raised around the content of the reports SUS Restricted Perform SUS Helpdesk Support B1540 Enables the Helpdesk service to mimic users activities in order to replicate and resolve problems. Do not allocate pending consideration of the paper 'RA Supplier Application Support Agreement'. Restricted to SUS Helpdesk staff only. Should only be granted to users in the HSCIC SUS Restricted Perform User Information Support B1545 Enables maintenance of SUS metadata, help text and documentation. Restricted to HSCIC User Support Team only. Should only be granted to users in the HSCIC 17 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

18 SUS RBAC Assignment Guide v1.3 Area Business Function Code Description SUS Restricted SUS Restricted SUS Restricted SUS Restricted SUS Restricted Perform Implementation Support Perform BO Favourites folder management Monitor SUS Processing Investigate SUS Usage Access Data Deletion Authorisation Service B1550 B0151 B1835 B1836 B0142 Enables the implementation support team to undertake user assurance and information governance activities. Restricted to SUS Implementation Team. Should only be granted to users in the HSCIC Enables maintenance of BO Personal Favourites folder. Restricted to particular members of HSCIC User Support Team only. Should only be granted to users in the HSCIC Allows a user to run ad hoc queries to see how the data is being processed within SUS via a BO universe. The number of errors that were raised, the time taken to process data, and the records processed. Should only be granted to HSCIC users. Allows a user to run simple ad hoc queries to view how users are using the system, and provides an ability to investigate improper use. Should only be granted to HSCIC users. Allows users in the Health and Social Care Information Centre to perform Data Deletion Requests following requests submitted by users in NHS. organisations. Includes national reporting on the data deletion request service. Should be granted to Information Centre users only. Pseudonymis ation service Access Depseudo. Service for NHS Group Pseudonyms B0139 Access to user functionality to allow return of NHS number from NHS Group Pseudonym. National Run National SUS (HES, MHMDS, PbR) B1530 Allows a user to run predefined standard: HES data extracts for provider organisations; MHMDS data extracts for provider organisations; and National PbR Extracts. Restricted to HSCIC and DH access to specific reports through organisation filtered controls. SUS Temporary SUS Temporary SUS001 SUS002 B1515 B1520 (Not used) (Not used) SUS Temporary SUS003 B1566 Proof of Concept 18 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

19 Area Business Function Code Description 18 Weeks RTT 18 Weeks RTT 18 Weeks RTT 18 Weeks RTT 18 Weeks RTT 18 Weeks RTT PDS DQ Run Ad Hoc 18W RTT Queries (National, Pseudonymised) Run Ad Hoc 18W RTT Queries (National, Clear) Run Fixed 18W RTT (National, Pseudonymised) Run Fixed 18W RTT (National, Clear) RTT Pilot Run PTL Report Validation RTT011 and Period/Detail Objects. National Clear RTT Pilot Run PTL Report Validation RTT011 and Period/Detail Objects. National - Pseudo Run Non-sensitive PDS Data Quality B1801 B1802 B1806 B1808 B0276 B0279 B1809 Ad hoc reporting tool with ability to formulate queries on RTT data with pseudonymised identifiers, for data across the whole nation. NB only one 18W RTT Activity should be granted within a URP; a full list of disallowed combinations of Activities is available on the SUS website. Should only be granted to DH / HSCIC users. Ad hoc reporting tool with ability to formulate queries on RTT data with cleartext identifiers, for data across the whole nation. NB only one 18W RTT Activity should be granted within a URP; a full list of disallowed combinations of Activities is available on the SUS website. Should only be granted to DH / HSCIC users. Precanned Pathway & Event data and DQ reports on national data that allow drill-through to individual records. All identifiers are pseudonymised NB only one 18W RTT Activity should be granted within a URP; a full list of disallowed combinations of Activities is available on the SUS website. Should only be granted to DH / HSCIC users. Precanned Pathway & Event data and DQ reports on national data that allow drill-through to individual records. All identifiers displayed as cleartext.nb only one 18W RTT Activity should be granted within a URP; a full list of disallowed combinations of Activities is available on the SUS website. Should only be granted to DH / HSCIC users. This activity should only be allocated to Referral To Treatment (RTT) Pilot users. Pilot users will require separate authorisation from the HSCIC in order to gain access. Allows temporary access to RTT011 Patient Tracking List (PTL) Report Validation and whole universe and new Period/Detail objects. Data returned is national and clear. This activity should only be allocated to Referral To Treatment (RTT) Pilot users. Pilot users will require separate authorisation from the HSCIC in order to gain access. Allows temporary access to RTT011 Patient Tracking List (PTL) Report Validation and whole universe and new Period/Detail objects. Data returned is national and pseudonymised. Should only be granted to Demographics National Back office Staff (may be extended to other HSCIC staff). 19 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

20 SUS RBAC Assignment Guide v1.3 Area Business Function Code Description PDS DQ PDS DQ Population Analysis (NSTS Replacement ) Population Analysis (NSTS Replacement ) Run Sensitive PDS Data Quality Run Sensitive PDS Birth Registration Run Population Analysis Extracts (National, Pseudonymised) Run Population Analysis Extracts (National, Clear) B1810 B1811 B1812 B1814 Should only be granted to Demographics National Back office Staff (may be extended to other HSCIC staff). Should only be granted to Demographics National Back office Staff (may be extended to other HSCIC staff). Allows access to underlying person data for all organisations. NHS group pseudonyms are displayed in place of all identifiers. NB. Only one NSTS reporting activity should be granted within a URP; a full list of disallowed combinations of Activities is available on the SUS website. Should only be granted to PHO, DH, HSCIC staff. Allows access to underlying person data for all organisations. All identifiers are displayed as cleartext. NB. Only one NSTS reporting activity should be granted within a URP; a full list of disallowed combinations of Activities is available on the SUS website. Should only be granted to PHO, DH, HSCIC staff. Population Analysis (NSTS Replacement ) Run Ad Hoc Population Analysis Queries (Pseudo) B0149 NB. Only one Population Analysis reporting activity should be granted within a URP; a full list of disallowed combinations of activities is available on the SUS website. Should only be granted to specific individuals in the HSCIC Population Analysis (NSTS Replacement ) Run Ad Hoc Population Analysis Queries (Clear) B1816 NB. Only one NSTS reporting activity should be granted within a URP; a full list of disallowed combinations of Activities is available on the SUS website. Should only be granted to specific individuals in the HSCIC Population Analysis (NSTS Replacement ) Run PAR Extracts B0170 Gives access to 0349 Banded Capitation by Postcode Extract and 0350 Registration Analysis Extract. Aggregate data. Should only be granted to Demographics National Back Office Staff or to HSCIC staff for support purposes. Population Migration Statistics Reporting Run Population Migration Statistics B1819 Should only be granted to staff in the ONS population migration statistics unit, and to HSCIC staff for support purposes. 20 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

21 Area Business Function Code Description Population Migration Statistics Reporting Mental Health Minimum Dataset ETP Nomination ETP Nomination ETP Nomination ONS Pilot - Run Population Migration Statistics Access MHMDS National and Extracts Access Aggregate ETP Nomination Access by-general Practice/Dispensary Nomination Access by-patient Pharmacy Nomination B0169 B0118 B0157 B0158 B0159 This activity should only be allocated to ONS Pilot users. Pilot users will require separate authorisation from the HSCIC in order to gain access. Allows temporary access to ONSEX003 and ONSEX004 for live piloting. Provides National Clear data. Should only be granted to staff in the ONS population migration statistics unit and to HSCIC staff for support purposes. Allows access to the MHMDS reporting environment and extracts (Analyst and Information Consumer views) for staff at the Health and Social Care Information Centre only. Display of row level data is possible with identifiers replaced with NHS Group Pseudonym. Also allows access to MHMDS National Extract Allows access to Aggregate ETP nomination reports. Should only be granted to SHA and Organisation EPS leads. Allows access to General Practice/Dispensary Nomination that display nominations made by individual providers. Should only be granted to the Organisation Medicines Management Lead and Deputy. Allows access to General Practice/Dispensary nominations reports that display nominations relating to individual patients. Should only be granted to the Organisation Medicines Management Lead and Deputy. 21 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

22 SUS RBAC Assignment Guide v1.3 Appendix D: Redundant Business Functions The following activities/business functions have no functionality mapped to them and should not be assigned by RAs. Area Business Function Code Description Practice Based Commissioning Extracts Extracts Pseudonymisation service View SUS PBC Indicators Execute CDS DQ Extracts (Clear) Clear CDS extract and PbR access for provision to practices Access Depseudo. Service for non-nhs Group Pseudonyms B0255 B0145 B0147 B0140 Allows a user to view aggregate and rate based indicators down to practice based commissioning level in pre-populated cubes for commissioning organisations within the NHS. Applicable to SHAs and commissioners only (i.e. PCTs, Specialist Commissioning Groups and Practices). Allows a user to run parameterised or pre-set CDS data quality extracts with patient identifiable data for a provider organisation (within the NHS). Allows a user to view previously executed parameterised or pre-set CDS data quality extracts with patient identifiable data for a provider organisation (within the NHS). Only applicable to information service staff in provider organisations. Allows a user in a support organisation to run parameterised or pre-set CDS data extracts and to access PbR data with patient identifiable data on behalf of practices. Access to user functionality to allow return of NHS number from non-nhs Group Pseudonym (within own organisation only). 22 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

23 23 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

24 SUS RBAC Assignment Guide v1.3 Published by the Health and Social Care Information Centre Part of the Government Statistical Service For further information: Copyright 2015 Health and Social Care Information Centre. All rights reserved. This work remains the sole and exclusive property of the Health and Social Care Information Centre and may only be reproduced where there is explicit reference to the ownership of the Health and Social Care Information Centre. This work may be reused by NHS and government organisations without permission. 24 Copyright 2015, Health and Social Care Information Centre. All rights reserved.