Plan for the day • Objectives and principles • Some pictures of SCPEA • The Assurance Process – What has worked, How and Why? – Moving from pilots to general take-up. • Lunch • Identity and Information Sharing – Registration Authorities and Identity • Key questions – Consent and governance – Products, procurement and markets – … (your issues?)
Some pictures of SCPEA • Trying to reflect back to you what we think we have observed. • Systems and environments • Roles and relationships • Agencies and partnerships We are looking for your comments, discussion and suggestions.
Applications Client Facilities Server Facilities Intranet The Internet
Post-it Notes Development and Support Facilities Applications Client Facilities Server Facilities Intranet In House Provision The Internet
Post-it Notes Remote Development and Support Facilities Applications Client Facilities Server Facilities Intranet Different Facilities Providers The Internet
Post-it Notes End to end security, safety and performance SSB PDS NASP - BT N3 Applications Client Facilities Server Facilities Intranet The Internet
Post-it Notes Data quality and consistency R R Record System Other Apps NHS Trust Facilities (LSP) SSB PDS NASP - BT N3 Applications Client Facilities Server Facilities Intranet The Internet
Roles and Relationships Caldicott Guardian Service manager Other service providers and record holders Post-it Notes Practitioner Client CfH Technical Support Information Governance Manager R Data Quality Manager Local Technical Support R Record System Other Apps NHS Trust Facilities (LSP) SSB PDS NASP - BT N3 Applications Client Facilities Server Facilities Intranet
Organisations and Agencies I Department of Health Practices Local Authority PCT Acute Trust Health Care Partners Connecting for Health Adult Social Services Department IT Provision Applications, Systems and Service Suppliers Commissioning Relationships Housing (ALMO) Social Care Partners Fire Brigade Voluntary Sector Organisations Commercial Suppliers
Housing (ALMO) PCT Lead Authority Procurement Relationships Applications, Systems and Service Suppliers Local Authority DoH Acute Trust Local Strategic Partnership Police Fire Brigade sys OA 1 Children’s Services Voluntary Sector Organisations OA 2 Connecting for Health Adult Social Services Contact Point DCSF Organisations and Agencies II
Plan for the day • Objectives and principles • Some pictures of SCPEA • The Assurance Process – What has worked, How and Why? – Moving from pilots to general take-up. • Lunch • Identity and Information Sharing – Technical developments across Government • Key questions – Consent and governance – Products, procurement and markets – …
The Assurance Process Assurance involves the separation of inspection and implementation responsibilities. This requires that principles, plans and criteria are made explicit. For a technical system (component) testing is empirical. For a socio-technical system….
Document the specific local process or configuration according to the standard • The standard must be clearly and accessibly documented. • Must be adequate, relevant and applicable to the local situation • Must involve all parties with a stake or responsibility
Inspect and approve the document • Inspection competence • Inspection capacity. Compares two documents: the plan and the standard.
Implement the documented process/configuration • Resources and capacities • Capability and commitment
Inspect and approve the implementation • Inspection competence • Inspection capacity. Compares a set of observations with a specification.
Ongoing monitoring and audit of structures and processes • Access and visibility • Inspection competence • Inspection capacity. Compares a set of observations with a specification.
Review the implementations and the standards against outcomes • Access to the evidence. • Participation and voice. • Power to make decisions and to mandate change. Applies a set of principles and values to observations and evidence.
The accreditation process is applied to: • Technical products • Facilities such as platforms, networks and buildings. • Technical services • Client care processes • Client service management processes.
What is the scope of SCPEA? • Document process according to the standard • Inspect and approve the document • Implement the documented process/configuration • Inspect and approve the implementation • Technical products • Ongoing monitoring and audit of structures and processes • Review the implementations and the standards against outcomes • Client care processes • Facilities such as platforms, networks and buildings. • Technical services • Client service management processes.
The graveyard spot… • Workshop material on Registration Authorities, smart cards and information sharing. • Part of SOCITM work on LA response to the different technical initiatives in ID and security • DoH, DWP, DCSF, DCLG.
A User is to be provisioned to access a record service controlled by a custodian. The record contains information about an individual – the subject. The process is initiated by a sponsor. To achieve this the user requires: ● An identity that can be authenticated. ● A role that confers the appropriate rights and capabilities respecting the record system. ● A token that is depended upon to link these together. [Diagram labels: User Subject Sponsor Custodian]
A User is to be provisioned to access a record service controlled by a custodian. The record contains information about an individual – the subject. The process is initiated by a sponsor. These roles can be mapped onto a number of different situations. [Diagram labels: User Employee Subject Citizen Employer Local Authority Sponsor CRM System Custodian]
A User is to be provisioned to access a record service controlled by a custodian. The record contains information about an individual – the subject. The process is initiated by a sponsor. These roles can be mapped onto a number of different situations. [Diagram labels: User Parent Child Pupil Subject School Head Teacher School Records Sponsor Custodian]
A User is to be provisioned to access a record service controlled by a custodian. The record contains information about an individual – the subject. The process is initiated by a sponsor. These roles can be mapped onto a number of different situations. [Diagram labels: User Someone I trust Subject Me Sponsor My Home Page Custodian]
A User is to be provisioned to access a record service controlled by a custodian. The record contains information about an individual – the subject. The process is initiated by a sponsor. These roles can be mapped onto a number of different situations: The commissioning of Voluntary Sector Organisations to deliver service represents a particularly complex case. [Diagram labels: User Subject Practitioner Service User Sponsor Care Agency Case Records Service Commissioner Custodian]
A Registrar creates a new identity: ● Credentials are presented to the registrar. ● These have been created in other relationships and data has been collected in a confirming information service. ● This results in a new entry in the register. [Diagram labels: Confirming Information Supplier. Other relationship holders Registrar New Entry User Subject Credentials Sponsor Custodian]
Responsibilities of the Registrar ● That the registration process is fit for purpose and is adhered to. ● That the presenting individual corresponds to the one in the credentials and that they are valid. ● That the quality of data in the register conforms to the registration standards. [Diagram labels: Confirming Information Supplier. Other relationship holders New Entry User Subject Sponsor Custodian]
Producing a smart card ● Electronic and printed information is placed on a blank card. ● Appropriate electronic keys and certificates are placed in the card memory. ● Provisioning data is recorded for future authentication purposes. [Diagram labels: Other relationship holders Confirming Information Supplier. Registrar Printed Information New Entry Token Identifier Card Issuing Process User Identity Info Capability Token Provider Provisioner New Entry Subject Sponsor Custodian]
Responsibilities of the Authority ● That capabilities are necessary and sufficient for each role. ● That only qualified, current role holders are granted capabilities. [Diagram labels: Other relationship holders Confirming Information Supplier. Printed Information Registrar Card Issuing Process Token Identifier User Identity Info Capability Subject Authority Token Provider Provisioner Sponsor Custodian]
Responsibilities of Token Provision ● That the intended capabilities are associated with each token. ● That tokens are delivered to the intended recipients. [Diagram labels: Other relationship holders Confirming Information Supplier. Printed Information Registrar User Token Subject Identifier Identity Info Capability Token Provider Provisioner Sponsor Custodian]
Provisioning Responsibilities ● That all issued capabilities have been appropriately mandated by the Authority. ● That the list of valid capabilities is maintained and made available to authentication services. [Diagram labels: Other relationship holders Confirming Information Supplier. Printed Information Registrar User Token Subject Identifier Identity Info Capability Authority Token Provider Provisioner Authenticator Sponsor Custodian]
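Added example (not part of the original slides): a minimal Python model of the Authority, Provisioner and Authenticator responsibilities listed on the preceding slides, showing that capabilities must be mandated before issue and that a lapsed role holder loses access. All class names, identifiers and sample data are hypothetical.

```python
# Added illustration; all names and the sample data in demo() are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Authority:
    """Decides which capabilities each role needs and who currently holds a role."""
    role_capabilities: dict                           # role -> set of capabilities
    role_holders: dict = field(default_factory=dict)  # identity -> role

    def mandate(self, identity):
        """Capabilities mandated for an identity; empty if not a current role holder."""
        role = self.role_holders.get(identity)
        return set(self.role_capabilities.get(role, ()))

@dataclass
class Provisioner:
    """Binds capabilities to tokens and publishes the list of valid ones."""
    authority: Authority
    issued: dict = field(default_factory=dict)        # token_id -> (identity, caps)

    def provision(self, token_id, identity, capabilities):
        if not set(capabilities) <= self.authority.mandate(identity):
            raise PermissionError("capability not mandated by the Authority")
        self.issued[token_id] = (identity, set(capabilities))

    def valid_capabilities(self, token_id):
        """Re-check the mandate on each lookup so lapsed role holders lose access."""
        identity, caps = self.issued.get(token_id, (None, set()))
        return caps & self.authority.mandate(identity)

def authenticate(provisioner, token_id, requested):
    """Authenticator: allow only capabilities the token currently carries."""
    return requested in provisioner.valid_capabilities(token_id)

def demo():
    roles = {"practitioner": {"read_record", "update_record"}}
    authority = Authority(roles, {"user-17": "practitioner"})
    prov = Provisioner(authority)
    prov.provision("card-001", "user-17", {"read_record"})
    before = authenticate(prov, "card-001", "read_record")
    never_issued = authenticate(prov, "card-001", "update_record")
    try:
        prov.provision("card-002", "user-17", {"delete_record"})
        refused = False
    except PermissionError:
        refused = True
    del authority.role_holders["user-17"]             # the role lapses
    after = authenticate(prov, "card-001", "read_record")
    return before, never_issued, refused, after
```

Because the Provisioner consults the Authority at lookup time, removing a role holder takes effect at the next authentication without reissuing or recalling the card.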
Questions: ● What sorts of agencies and organisations are appropriate for these roles? ● Which can be shared between different domains of identity and authentication? [Diagram labels: Other relationship holders Confirming Information Supplier. Printed Information Registrar User Token Subject Identifier Identity Info Capability Authority Token Provider Provisioner Authenticator Sponsor Custodian]
Questions and issues that have arisen in the Lessons Learned exercise
Prerequisites: • What are the minimum requirements on an adult social care context to connect to spine services? – Organisational structures and relationships – Technical systems and processes – Political • What are the potential show stoppers? • What are the possible remedies?
Demography service as a starting point • Arguments for: – Clearly defined service – Good vehicle for addressing the technical problems of connection and inter-working – Clear information management benefits • Against: – Scaling the user registration approach. – Practitioner/client benefits are indirect (?)
Documentation issues • There is an awful lot of material! • There have been many comments about: – Coverage – Levels of abstraction, specificity and detail – Realism – Organisation and accessibility • Where is further investment needed? • CfH + who?
Consent and information governance • Social care practice and clinical practice. • Who must be involved in the change process? • How standardised is the design? – Process – Instruments (forms, reports, records…) • What is the relationship between technical and organisational developments?
Products, services and markets • What is the role of suppliers in rollout and take-up? • Accredited products and Accredited installations. • What is the transferability of SCPEA developments? • User groups and the LA community?