Auditing

Overview of audit and provenance requirements for data transported over NRL FHIR and SSP interfaces.

Overview

Consumers and Providers are required to keep an audit of requests to and responses from the NRL API interfaces.

Consumers and Providers are required to keep an audit of requests and responses related to the retrieval of records and documents.

In addition, the NRL and SSP are required to keep an audit of the requests and responses that flow through these services.

Consumers

Consumers MUST keep an audit of the requests to and responses from the NRL.

Consumers MUST keep an audit of the requests they make to retrieve a record or document from a Provider system.

Consumers MUST keep an audit of the responses they receive from a request to retrieve a record or document from a Provider system.

These MUST include all details of the HTTP request that is made including all HTTP Header values.

Providers

Providers MUST keep an audit of the requests to and responses from the NRL.

Providers MUST keep an audit of the requests they receive from Consumers to retrieve a record or document from their system.

Providers MUST keep an audit of the responses they send in response to requests they receive from Consumers to retrieve a record or document from their system.

This MUST include all details of the HTTP request that is made including all HTTP Header values.

It is not necessary for a Provider to keep an audit trail of the response payload that is returned to Consumers; however Providers MUST be able to provide details of the record returned if required for medico-legal purposes.

SSP Trace ID

The SSP Trace ID is a unique identifier for a request which is generated by the Consumer and included in the SSP-TraceID HTTP Header for record/document retrieval requests. The SSP Trace ID is for the purpose of auditing and support.

Consumers and Providers MUST audit this value to enable an end-to-end audit trail of a retrieval request and the associated response.
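The following is an added example, not part of the original specification or any NRL/SSP code: a Python sketch of audit records that keep every HTTP header value and carry the SSP Trace ID, plus a check that finds retrieval trails with missing records. The record schema, the function names, the UUID format for the trace ID, and the idea of checking Consumer and Provider records together are assumptions made for illustration.

```python
import uuid
from datetime import datetime, timezone

TRACE_HEADER = "SSP-TraceID"  # header name given on this page
EXPECTED = {(p, d) for p in ("consumer", "provider") for d in ("request", "response")}


def new_trace_id():
    """Consumer side: one unique ID per retrieval request (UUID format is an assumption)."""
    return str(uuid.uuid4())


def trace_id_from(headers):
    """Read the trace ID from request headers; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == TRACE_HEADER.lower():
            return value
    return None


def audit_entry(party, direction, trace_id, headers, **details):
    """Build one audit record (hypothetical schema) that keeps every HTTP header value."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "party": party,          # "consumer" or "provider"
        "direction": direction,  # "request" or "response"
        "trace_id": trace_id,    # for a response, the ID of the request it answers
        "headers": dict(headers),  # all values, Authorization included
        **details,               # e.g. method, url, status
    }


def trace_gaps(entries):
    """Map each trace ID to the (party, direction) records missing from its trail."""
    seen = {}
    for entry in entries:
        seen.setdefault(entry["trace_id"], set()).add((entry["party"], entry["direction"]))
    return {tid: sorted(EXPECTED - got) for tid, got in seen.items() if EXPECTED - got}


if __name__ == "__main__":
    # Constructed sample: a consumer request that never produced further records.
    req = {TRACE_HEADER: new_trace_id(), "Authorization": "Bearer <constructed-jwt>"}
    log = [audit_entry("consumer", "request", trace_id_from(req), req,
                       method="GET", url="https://provider.example.invalid/record")]
    print(trace_gaps(log))
```

Records audited without a trace ID are grouped under the key `None`, so requests that arrived without the header also show up in the result.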

Access Tokens (JWT)

Consumers and Providers MUST generate and supply an access token (JWT) with each request they initiate using the standard HTTP Authorization header. Details of these requirements can be found on the Access Token page.

Any request to the NRL or SSP that does not supply an Authorization header that conforms to these requirements will be rejected.


All content is available under the Open Government Licence v3.0, except where otherwise stated