Consumers are required to ensure an appropriate level of authentication and authorisation is applied, within their systems, when giving users access to information received via Spine services.

Healthcare Professional Access

Where the consuming system is making a request on behalf of a healthcare professional, the system MUST have authenticated the user using:

• NHS Identity
• National Smartcard Authentication

The user details, including user ID and associated Role Based Access Controls (RBAC) role, MUST be included in the JWT as specified on the JSON Web Token Guidance page.

Consumers MUST apply appropriate RBAC governance to manage access to different types of pointers and retrieved information.