Information for life NHS Information Authority

Third Party Connection Process - Introduction

For the purposes of the process, a 'third party' is defined as an organisation not included in the definition of a 'Health Service Entity' as described in the BT and C&W Managed Network Services Agreement (MNSA). The definition of Health Service Entities includes Health Service Bodies, Health Authorities, NHS Trusts etc. An example of a third party might be an external provider of managed applications that is not part of the Health Service.

Caldicott / DPA Issues

The Third Party Connection Process covers ONLY the Infrastructure Security of the environment connecting to N3.

It does not cover the requirements for security of any data that may pass between participating organisations or the approval for any data flows mentioned in the application.

Approval of the application by the NHS Information Authority – Third Party Security Manager should not be taken as approval for any dataflow or business relationships mentioned in the application.

Responsibility for Data Security issues remains with the participating organisations in any business relationship and the Data Owners involved.

NHS and Third Party organisational participants must ensure that Caldicott Guardian approval has been issued for a business process where access to, or transfer of, personal data or Patient Identifiable Data is involved before that process is implemented.

Where Patient Identifiable or Personal Data may be exposed to a Third Party organisation as a result of any access permitted to perform a support function, or as the result of a business dataflow, then the Organisation permitting the access to their environment or the dataflow to take place, their Data Owner(s) and Caldicott Guardian should ensure that there are appropriate technical and organisational measures employed in relation to the access or transfer of data within the participating organisations, including sufficient policies, procedures and contractual agreements, to cover their responsibilities under Caldicott and the Data Protection Act.

Secure Application Hosting

Organisations may wish to have applications/material hosted on NHSnet, with access to the application/material, without needing to take an NHSnet connection. If this service would meet the organisation's business need then please see the Web Based Application Hosting page on the Security site.

For Third Party Organisations located in Scotland

Please email: ISSGTelecomms@isd.csa.scot.nhs.uk

For Organisations in England, Wales and Northern Ireland

The following material is intended to give Third Party organisations wishing to take a connection to NHSnet enough information about the process and deliverables required to be able to develop a Connection Proposal.

  1. Sponsorship Letter
  2. Outline proposal
  3. Produce a Connection Proposal
  4. Completed proposal
  5. Complete the Approval documents as required
  6. Audit
  7. Customer Access

Line costs and service details


Summary of N3 Connection Security Assurance Process Steps

1. Sponsorship Letter

For you to be considered for connection, the NHS Information Authority must receive a sponsorship letter from one of the following: the CEO, Head of Finance, Head of IM&T, Senior Clinician or Caldicott Guardian of an organisation you are proposing to connect to.

Letter to be Addressed to:

Third Party Security Support
NHS Information Authority
First Floor
Aqueous II
Aston Cross
Rocky Lane
Birmingham
B6 5RQ

Letter Template.

2. Outline proposal

Email 3rd Party Connections Managers to register your organisation's intention to pursue an N3 connection and to give a brief summary of what you are proposing to connect to N3.

This will facilitate any future advice or guidance which may be necessary and avoid wasted effort.

3. Produce a Connection Proposal.

Use the proposal template in the download zip file on this website to produce a brief description of the service and system you wish to connect together with the components which will protect the proposed system and N3.

Provide detail (where applicable) in each of the template headings and avoid turning the proposal into a sales document.

4. Email the completed proposal to 3rd Party Connections Managers for review.

You will need to develop and supply a System Security Policy in line with the BS7799 standard.

5. Complete the Approval documents as required

There are a number of documents which require signatures; these, together with the SSP, must be provided to the NHSIA Security Manager.

When the proposal and associated documents have been reviewed and confirmed as accepted, the NHSIA Security Manager will indicate that the connection can be made live.

6. Audit

The audit requirements for N3 are yet to be clarified and any approval would be subject to whatever future audit requirement was standard.

Post connection there may be a requirement for an audit paid for by you and a review of your System Security Policy in line with BS7799.

7. Customer Access

The process gets you a connection from your location to the Third Party Secure Gateway (TSPG) and onward to the IP addresses identified in the sponsorship letter.

Additional customer access thereafter is achieved by the use of a Filter Request form and associated management process/mechanism.

Important

You must ensure that your customer site(s) has (have) enabled their firewall(s) and completed any internal routing to the devices you need to access to complete the end to end connection.

Line costs and service details:

BT N3 Non-NHS Organisations Website (coming soon)

Process Documentation

To download the Process Documents in zip format (116kb) please press the following button.

Further security reference documents are available from: 3rd Party Connections Managers

On-line view of the Document Checklist also supplied in the above Process Documents

Third Party Connections/Approval List
A-Z list of companies/organisations with third party connections to NHSnet, including those who have been recently granted connection approval.

Third Party Connections


Published by:

Bill McKay
Security Manager - Third Party Connections
NHS IA

Published:

1 May 2002

Revised:

10 February 2005