Good morning. It's obviously the end of the week, so there's a fewer people here as we would expect. So today what I wanted to talk to you about is some of the work we've been doing with the NHS over the last four or five years that predates a lot of the stuff that is now happening in Europe with trust frameworks. So there's three things I wanna talk about. The challenges that we faced introducing digital wallets and the trust frameworks and the technical requirements to underpin that.
Secondly, I want to talk about why interoperability is extremely crucial across ecosystems. And, and thirdly, it's not about the wallets, it's about what people need to do.
So, okay, so it's about enabling doctors to be ready to treat patients. And one of the things that we often talk about is about just about identity, but it's not just about identity, it's about the eligibility and the suitability of doctors to be able to do things.
So as you'd expect, what we've been doing is looking at secure digital wallets with verifiable credentials. And what we are actually talking about is how we get a doctor onto the ward to do something.
So it's not just about the identity proofing, it's not just about the eligibility checks, but it's about how we actually get them to be ready to do things. And that's one of the challenges that we faced is, is actually getting them ready to be able to be on the ward and present things. And what we've been doing, this is part of a project that's called the Digital Staff Passport. And it's a whole ecosystem of credentials that are all of the things that people need to be able to do in order to prove that they are able to work on the ward to prove that they are are a doctor.
And we've been doing lots of hackathons as well. So a lot of the hackathons are actually thinking about how we actually make it work in practice.
So one of the things we found is in the NHS when we did a lot of re user research over the years, is we would expect it to be easy, quick, and safe for doctors to get onto the ward, but in reality, it's very onerous. There's a lot of repetition and duplication of checks. It takes a long time to do it, and ultimately it's very expensive.
And, and, and why is this? Well, when we think about onboarding, and I'm largely talking about onboarding here, what we do first is that obviously organizations, we strive to find the right people for the right jobs. And for an individual to, to be able to get that job is they must prove their identity, their eligibility, and their suitability. And we'll go into that in a bit more. But in the NHS, what we found is that there is a need for freedom of movement.
And, and we're in the uk so no jokes about Brexit, but it's really important that people can move between one organization because they do it a lot. And this is partly with postgraduate doctors. They need to move from one hospital to another one so that they can do different training. And we've also got a lot of people that work among more than one job. And to do this, our organizations conversely have to ensure that onboarding is legal and ideally efficient. So we have credentials that we need to prove are authentic and valid, and that can be reused. So that's kind of what we want to do.
So we have this problem in the NHS. Now, the NHS is the National Health Service in the uk, and people think it's one organization, but what it actually is, is a whole set of hospital trusts. It's hospitals themselves and GP surgeries, of which there are tens of thousands.
And we're also devolved, so the NHS is not one organization, it's actually a lot of independent legal entities. So we have NHS England, NHS, Scotland, NHS, Wells, and NHS, Northern Ireland. But doctors don't just work in the NHS, they also work in the private sector.
So they have to move between the private sector and the public sector, and the same with charities and military. So they're coming from all over the place. And the reason I've put the, I've selected three country areas here on the, on the on, on the slide, which is, so we have this problem across tens of thousands of organizations in the uk in the states. We've done some work with the one of the organizations there that looks at doctors and they have to do the same, in the same set of checks across 50 states.
So we have that movement across where it's all different and each time it has to be done again. And of course in the u we have 27 member states.
So this, this ability to move across organization sectors and borders is really crucial for us to be able to do it. And so the, the challenge that we have here is that multilateral recognition. And it's great to see what's happening in the EU now. And we've been trying to do this for a long, long time in the uk.
So why, why do they, why is it such a problem that people have trying to prove that to, to fulfill all these checks? Well, the problem is that each organization as a legal entity has a regulatory requirement to, to fulfill. So they need to know that when they're doing the checks, the checks are fit for purpose at each point. They also want to know that the checks have actually been performed correctly. And they want to know that, that the outcome is, is what meets the requirements. And because they do all of this and it's, they don't trust other organizations, there is this lack of trusts.
And what happens is each organization repeats the same checks that were done in the last one. So we have this huge repetition, which is expensive, timely, and time con, time consuming.
So what's really important, and this is one of the recommendations we, which is probably obvious, but we need to really understand what the user needs are. So both the user need and the organizational need. And if we think about users, so it's, everything's about control.
We want to put things in the face of the, in the hands of the user and who, so that they can actually control with whom they share the credentials. And when they do it, we want to make sure that's all privacy preserving and includes consent. And then it needs to be done on a lawful basis. So each individual has to also meet requirements as per regulations. And I've put portability here. So one of the challenges that we've seen is the portability across the ecosystem.
So what we really want is the ability to reuse the credentials to prove that authentic, that they're authentic and that they're valid. And from a business perspective, everyone that starts work, again, there's regulatory requirements. They have to make sure that things can be trusted and they haven't been tampered with and they're still valid. So it's really important to think about all the stakeholders when you're doing any of this work to ensure that you meet all of the needs of everything and this, all these needs are under underpinned the rules and they inform the rules.
So because we have a lack of trust, what we need to do is, is define the trust. And we've done that in three ways. In the NHS is we looked at the business rules. So why do we need to do this to meet a regulatory requirement? Why does the organization need to do this? And that's all of the inform, that's, that's what the, the business policy is how to do this so that they meet the requirements of everyone. And these are regulatory requirements and organizational requirements and this, and, and by defining this, we can then also define what the liability is and limit that liability to a point.
But we also need to think about once we've done those checks, how do we transfer it from one organization? So there's first making sure the check is actually what needs to be done by the organization.
And secondly, we need to make sure that we can transfer it in a, in an easy way. And the last thing that is really important to think about is thinking about how we deal with existing things. Now Marcel then taught a bit earlier about interoperability and a hybrid world. So we're gonna be living in a hybrid world for a long time.
And we are seeing this in the NHSA lot is that we want to move to a verifiable credentials and a and an easier way of doing things with, with digital technology. But there will always be people. And it's the same in the i Aida regulations that, that are unwilling or unable to use the technology. And there will be people that aren't ready yet, organizations that haven't done it. So we need to think about how we work live in this hybrid world and we have transitional rules and processes that allow us to do that interaction between the two different systems that we're gonna have going forward.
And that means that for a doctor who presents their wallets with their digital credentials to an organization that doesn't have that capability, how do we deal with that? And conversely, how do we deal with the existing legacy checks? So it's really important to think about how, how we we do that across going forward.
So one of the things in the NHS is we, we, we have 60% of people are not from the uk. And one of the challenges that we face is about identity assurance.
So there are different types of identity proofing models in the uk we use good Practice Guide 45, which is all about identity proofing an individual which informed and is very similar to NIST 863 3 and obviously you have a, YA does two and there are other systems, but we need that mutual recognition. And it's great to see a lot of the work that the EU is doing to do recognition with Japan and other places. But we need to prove we need to, we need to be able to accept identities from everywhere.
And what we find in the, in the UK is that because we are now a third country, we have, we need to be able to consume identities from elsewhere.
And ultimately going forward, we need to also be able to share our identities. So one of the things is that all the individuals are unique and their experiences and credentials are very different. But we have very similar requirements. So when we think about from an eligibility point of view, is that person allowed to work in a country?
So we have something called the right to work, which is about from the UK home office, which is about whether a person is able to to work in the uk We also have criminal record checks 'cause we want to make sure that, that when patients are on the ward, they're being treated safely by doctors. And one of the challenges is that we face is we need to do the criminal records check in the uk but we also need to do it from other countries.
So how, how do we, how do we use that in the moment it's, it's very manual and there's a lot of notarized forms that come out and it's very difficult to actually prove anything.
Then we've got qualifications, qualifications. If I've trained as a doctor in one country, how is that going to be recognized somewhere else? So there's the qualifications and there's also professional licenses. So doctors and nurses and other healthcare professionals have to get a license to practice. And that usually is, is in each organizational boundary.
So we have a, we have a UK one and when I mentioned about the states previously, they have one in each state. So we need to think about how we can do that. So we talk about proving who the individual is thinking about all these things to make sure that they're eligible to work. And then we also need to obviously, are they suitable to work? So have they got the clinical skills to be able to do it? Have they got the experience to be able to, to work as in a, as a particular role? And are they competent?
So they, they might have the experience and they might have the skills, but they might not be competent and are they available? So these are two challenges that we face is this identity assurance across the world and credential equivalents. And we need to think about this very carefully so we can make it work easily.
And the final bit is that we think about is is actually the local provisioning.
So we, we've talked a little bit about selection. How do we know we've got the right person to do the job and these are all of the checks that we need to do in the NHS to get someone onto the ward. So the eligibility text and there's a series of six checks that they have to do in the NHS. So identity, right to work, criminal records, that professional registration, occupational health, is there anything that needs to be done for me to make it easier to work? And looking at your experience in your work history. And then there's a role check.
So one, one of the other things as a doctor is you need to make sure that you've had the correct medical interventions to do whatever job you're doing. So that's all about immunizations and vaccinations.
And of course we had this with Covid.
So how, how can I prove that I've got all of the, the requisites medication. And then in the UK we also have statutory mandatory training and there's 15 different checks and they go across all sorts of things. And a lot of those are very local. So things like looking at fire escapes, I need to understand where the, what, where the muster points are and where the exit routes are. And these are very local to an organization. And then I need to have signed my contract.
And, but finally that last piece to actually get the doctor to be able to work is they need to have been provisioned. So it's about authorization. So we've done identity checks, we've done suitability checks, we've done eligibility checks. And then to actually get them to work, they need to have access to systems, systems that allow them to submit information about patients and, and get information about patients.
They need to have access to buildings and specifically to wards. And they need to have the ability to prescribe and to issue medicines and they need to be paid.
So a lot of the, so we, it takes a long time for all of these processes to get done. They might have a pension. So all of these things needs to get done before we get them on the ward. And we've been doing, I think Chris may have talked about it in the previous panel. There's a lot of things that we're doing to enable that, that final piece in terms of buildings access and systems access.
So what have we done? Well these are all the things that we did to make it work. So we created a trust framework which looked at what's done to today.
And we translated that into a set of rules that much like the a EI does two regulation that talks about what you need to do in order to meet the requirements to be a doctor and participants sign up to that. And then we created a technical trust framework. And there's some links to this, which we created four or five years ago, which are very similar to a lot of the stuff in, in the IDUs that talks about how we share it using verifiable credentials and SG jts and and and all of that. And what we do.
And there's, because of the way it works in the uk, we have a digital identity scheme that we have to do that sits on top of the UK trust framework to give us more specific requirements that we have, which is, so we're still working with different levels of assurance in the uk but we need a high level of assurance to be able to do a lot of these checks.
So we have our requirements in there and then we've got data schemas. Now the data schemas and all of the things that are sort of in blue here are things that are still in flux and will be changing for a long time as we move forward.
So we're still finding new credentials that we need and we, but we need to share these and interoperate with everyone so that we can actually move people across borders and across sectors. And of course, so we've got all the trust framework that defines the rules and then we need to have the registers. And you've heard a lot about sort of trust registers.
So we need to have a, a register of the people that are signed up to the trust framework so we know that they're, they're involved and that also allows them us to limit the liability 'cause it's defined within the trust framework, but we need to have trusted issuers.
And one of the things, so we've also done some work with the general medical council in the uk, which is the effectively the regulator that allows you to, to prove that you are able to work as a doctor, but they're upstream.
So, and, and they don't need to create verifiable credentials. So we, we, we need to think about, whereas in the NHS, they're used more downstream. So how do we, how do we encourage people to become issuers when there is no sort of real desire for them? There's no need for them to do it. There's no commercial bank and we need trusted wallets. We need wallets that meet our requirements. So Marcel mentioned before about GPG 44, which is all about authentication. How do we make sure that the wallet is secure and everything's underpinned by standards.
So we talked a little bit about identity assurance.
We're using the W three C VC data model, looking at open wallet, all the things that they're doing with open wallets. And we're using the, everything's based around the open ID for VC issuance and, and pres presentation. And the bit there that I'm also talking about is we've done quite a lot of work around attributes. So there's a NIST standard that came out, a NIST 8 1 1 2 that talks about how you look at the strength of credentials.
So we've had to do quite a lot of work around that, about how we actually measure how strong a credential is. And it's all about provenance and currency and all of those things. But to make it all work, we also need to have that interoperability. So I mentioned it before is we need to think about how we're going to work with existing processes, how we're going to work with that legacy thing or how are we going to deal with people that that can't or won't use the technology.
How are we gonna do with that? It's really important. You can't just have a, a dead end and a cliff edge.
People need to be able to do those things. We have to be inclusive, we need to do it across borders and across sectors and across organizations. We have to do all these compliance checks. We need to make it easy. And the way to do that is to share all of the data schemas and things we can do. And we need these local rules and we've done a lot of alphas and public beaters and we're, we're in a public vitra at the moment and we've done lots of hackathons. So this is what we've done to make them ready. So what's next?
Well, the next thing we're actually looking at large language models and retrieval, augmented generation to think about how we look at requirements and how we match people with suitability.
So you know, we think we, we, there's a requirement for skills, for experience, for competency at a particular date and at a particular location from the individual's perspective. They have the clinical, they need to have the clinical skills, the experience and the competency. And what we are looking at is how we can use this going forward so we can match people for a future need.
So it's a lot about rostering and, and things that we can do in the future. So three things I've just been talking about, think outside your ecosystem today. 'cause it's really important.
We, we have 60% of our people come from outside of the uk include the transitional plans so that you can actually still work with the existing things. And don't forget the local provisioning 'cause that's actually what gets people onto the wards, the doctors onto the wards to be able to do things. So that's it. Thank you very much.
And we say thank you. That was a very informative presentation, gave us a lot of tools to work with when we imagine our own use cases.
And perhaps as a last summary, what are some really practical ways that organization, organizations can get ready if they're interested in, in pursuing their own projects?
I, I, I think, you know, it's, it's really making sure you talk to the stakeholders to define the needs is really important.
And, and, and thinking about actually what it means to, to actually deliver the end goal. And this was all about how we get doctors onto the wards to be able to treat patients you never forget. That's the bit identity is just a part of the way on the, on the road.
Thank you so much. Alright.
Can I ask you a question?
Yes, please
Speak up Mike. I can use them. The people can hear from online. Yes.
My, my name is Andrew Ferguson and I'm from Australia and we have done a lot of consulting in the health sector. In fact for the state of Queensland for Department of Health, human services, Northern Territory government and, and also Victoria and obviously right across the health and human services area. Very interestingly for us, this idea about checking credentials of doctors and nurses for that matter through the respective bodies we have, similar to the UK exactly the same situation.
But we also have had some very, very bad or very dreadful cases where people were supposedly qualified to practice medicine and surgery, in fact turned out not to have all of those credentials because the, the peak bodies effectively they, they, they don't have like an online registry as such. I think you just mentioned the Royal College of General practitioners, but what about all of the other organizations in your ecosphere and are you talking to let's say Australian Health or, or any other countries? You've obviously got a lot of experience here.
I think you've got a lot to offer to countries like Australia.
Thank you.
Yeah, I mean very interesting. We, so we've worked, I I mentioned we worked, done some work with the general medical council, which is the regulator in the uk It's, it's really important to be able to and and dig identity, actually do the identity proofing of the doctors there and you know, so, so that they prove they are who they claim to be before they can get their permission to practice their license practice. So that's a really, really crucial part so that you know that you can trust them and then there's liability defined and within that they're a regulated sector.
I think we are also talking, so we've started the NHS is is is a brand. It, it's not, you know, it's all these different separate organizations.
So, and we, we didn't realize how complicated it can be. So we've started with doctors, postgraduate doctors 'cause they move a lot. But then we're gonna move to nurses, then we're gonna move to other healthcare professionals and it's, it's crucial to be able to, to check the provenance of, of, of their qualifications and work. So we work closely with regulators to try and help that.
Thank you. Thank you. Another round of applause. Thank you. Thank you very much.
