Condatis delivers bespoke Identity and Access Management solutions designed to simplify onboarding, enhance security, and boost overall business efficiency for clients globally.
The company is a leading systems integrator for Microsoft Azure in the UK, and is one of the partners involved in delivering the National Health Service (NHS) Digital Staff Passport for the past three years.
We caught up with founder and CTO, Chris Eckl, to hear about how the service began life in the midst of the pandemic, and how it is evolving to support broader NHS objectives and use cases.
The NHS Digital Staff Passport has an interesting history. How did the project come about?
Staff onboarding can take a long time in the NHS. There are hundreds of Trusts (local healthcare organizations) and senior staff have many credentials. Doctors were turning up with briefcases full of paper every time they needed to move to a new location.
We were planning some hackathons in December 2019 together with our sister company Sitekit and Interopen (a group aiming to accelerate interoperability in the UK healthcare sector) to explore how decentralized identity could help address this.
Then the pandemic hit.
Suddenly, the NHS was facing hotspots of high demand around the country. They needed to move staff around a lot quicker, and to have them working in the new organization from Day One.
We saw that a decentralized approach was the right direction. Give the doctor or nurse their own data and they can share it directly with the new employer, without the need for Human Resources (HR) to manage everything.
What solution did you implement initially and how has it evolved?
Because of our long experience building Identity and Access Management (IAM) systems, we suggested we could stand something up quickly. First, we went through this legal exploration of how to do the staff onboarding in a new way. The base system was built in six weeks and the COVID-19 Digital Staff Passport went live in summer 2020.
Every NHS Trust that opted in got their own instance. At first the aim was to ensure COVID hotspots had enough staff. The ‘sending’ Trust’s HR team put the staff member’s credentials into a Verifiable Credential (VC), then physically visited the ‘receiving’ Trust to authorize the secondment.
Later in the project, it became more about ensuring all immunization facilities are staffed. We also moved from face-to-face governance meetings to Skype, and connected to the Electronic Staff Record (ESR), a common HR system.
We’ve built in a lot more automation since the early days.
Please can you describe the key technology pieces that sit behind the NHS Digital Staff Passport, and Condatis’ role in delivering these
Microsoft Entra is now being used to issue and verify credentials, but the NHS wants to ensure staff are not forced to use any particular wallet. Condatis developed an OpenID Connect (OIDC) bridge we call the Credentials Gateway, that can communicate with many wallet providers and allows the NHS to work with a single integrator partner, as well as enabling users to choose their wallet.
A key piece is the trust layer that underpins communication between wallet and verifier. The issuers’ Decentralized Identifiers (DIDs) were initially anchored on the Sovrin network. This is now moving to did:web, as credential holders don’t need their own identifiers (Editor’s note: this method works by hosting an issuer’s DID document on a company website domain, proving the DID’s owner controls the domain and is affiliated with the company).
There’s also a need for a trust register and a revocation register, so verifiers know they can trust the issuer of a credential, and that it is still valid. Condatis is working on both of those pieces.
What is the current status of the project, and what’s the future direction?
We have a successful system in place that’s been used since summer 2020, and was really helpful in enabling the COVID-19 immunization program to be delivered.
The NHS has used this experience to create a framework for a long-term Digital Staff Passport.
The program is moving into a public Beta phase over the autumn (Editor’s note: a full roll-out is expected by August 2025*). The current system will be decommissioned and replaced with a new solution encompassing the full identity lifecycle of a healthcare professional, from when they graduate and do placements, to getting registered with their professional body, right-to-work checks and continuing professional development, all using Verifiable Credentials. It’s also moving into access credentials for digital services used by NHS staff.
The ecosystem is expanding (for example, enabling more wallet providers to participate) and Condatis and Sitekit have been retained as partners.
What lessons have been learned during this journey?
The current program has provided a lot of insight about how to do things better. For example, we ended up with a lot of data fields in the credentials. Now we’re looking to use more specific credentials and combine them in compound proofs. We’ve also done important work with Microsoft, Evernym (now part of Gen Digital) and Yoti on how different wallets can interoperate.
Another learning has been around the governance process for staff secondments. There are many legal and HR challenges, such as who needs to agree to what in a secondment.
There’s also the question of how to establish trust between issuers and verifiers. Each identity platform only goes so far. We’re aiming to codify the trust framework in the Credentials Gateway and to make it more modular, so it’s replicated on all partner nodes.
How has DIF membership helped?
We’ve been a DIF member for a long time. The work on Presentation Exchange (PE) in particular is important to us, and has helped us address some of the interoperability challenges around exchanging credentials.
*Source: NHS Long Term Workforce Plan https://www.england.nhs.uk/wp-content/uploads/2023/06/nhs-long-term-workforce-plan-v1.2.pdf