Sharing a user's NHS login information with your service

For users to access your service they need to agree to share their NHS login information with you. An ID token or authorisation code, containing the user information, must be passed from NHS login to your service. This can only happen with the user's consent.

If a user does not agree to share their NHS login information, your service should display a clear message telling them they can either continue their journey or cannot use your service.


User journey asking users to share their NHS login information

Diagram showing the flow that a user goes down when they do not agree to share their NHS login information with your service

We ask users to agree to share their NHS login information with your service when:

  • they register a new level of verification
  • they sign into your service using their NHS login for the first time
  • your service has an update to the user information required

Consent flow

When a user agrees to share their NHS login information, they can continue to your website or app and use the service they need.

Their consent allows the ID token with their information to be securely passed from NHS login to your service.

No-consent flow

If a user does not agree to share their NHS login information, they can go back from the confirmation screen to amend their decision. They can then continue to your service.

If the user still does not agree to share their NHS login information, they are redirected to your service without passing an ID token or authorisation code.

Their information is not passed to your service, and you need to display a 'no-consent error screen'.

How the user is able to continue to your website or app depends on how you handle them. For example, you may have a guest process or alternative authentication journey.
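One way a service's redirect handler could implement the consent and no-consent flows above, as an added example that is not NHS login's or this page's own code. The function name, category constants and sample URLs are hypothetical, and it assumes the `state` value your service sent is echoed back on the redirect, as in standard OAuth 2.0.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Hypothetical names for the three service categories this page describes.
NHS_APP = "nhs_app"
ALTERNATIVE_VERIFICATION = "alternative_verification"
OTHER = "other"


def route_callback(callback_url, expected_state, category):
    """Return (action, code) for a redirect back from NHS login."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]

    # Assumption: the state sent with the request is echoed back. Reject anything
    # that does not match the value stored in this user's session.
    if not expected_state or not hmac.compare_digest(
        state.encode(), expected_state.encode()
    ):
        return ("reject", None)

    if code:
        # Consent given. The code must still be exchanged and the ID token
        # validated before the user is treated as signed in.
        return ("exchange_code", code)

    # No authorisation code: nothing was shared, so never create a signed-in
    # session or reuse identity data from an earlier visit on this path.
    if category == ALTERNATIVE_VERIFICATION:
        return ("guest_journey", None)  # no error screen needed
    return ("no_consent_screen", None)


# Constructed sample redirects (the host, code and state values are made up).
CONSENTED = "https://service.example/callback?code=abc123&state=s-42"
DECLINED = "https://service.example/callback?state=s-42"
```
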

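The suggested content on the no-consent error screen differs, depending on the category of service that you belong to:

  • services that use NHS App
  • services that have alternative user verification processes
  • all other services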

Information:

Although the no-consent error screen is the responsibility of your service, the solution does not need a complex implementation and only needs tailored content to adjust user expectations.


Guidance for no-consent error screen content

There are three different types of implementation of the no-consent error screen. The guidance most suitable for you will depend on what type of service you are.

Services that use NHS App

Use this version of the no-consent error screen content guidance if your website or app uses NHS App or Wayfinder in either the browser or the mobile application.

Examples of the mobile app and browser 'no-consent error screen' content for services that use NHS App

  • This version of the no-consent error screen refers to your service as 'The service provider'. This should remain unchanged. Do not use the name of your service as it may not make sense to the user in their journey.
  • To align with other services that use NHS App, only use the content provided and do not change it.
  • To minimise clinical risk, make sure all anchor tags to emergency services are operational and implemented as suggested.
  • You can use your service font, headers, footers and styling on this screen, but it must follow our styling guidelines.

How to display content for the no-consent error screen

Here are two examples of the NHS App no-consent error screen. You can copy the content and code by selecting the HTML tab below each diagram.

You will need to apply your own CSS to the code. You should not add any other content to this screen.

The version of the copy your service will use depends on whether your service uses NHS App in the browser or in the mobile application.

Services that use NHS App in the browser

<h1>You cannot continue without sharing your information</h1>
<p>The service provider needs your NHS login information to verify your identity.</p>
<p>If you need medical help, go to <a href="https://111.nhs.uk/">111.nhs.uk</a> or call <a href="tel:111">111</a> or your GP.</p>
<p>Call <a href="tel:999">999</a> if it's a life-threatening emergency.</p>
<p>Close this tab to go back to NHS App.</p>

Behaviour of the back button in the browser

When a user selects the back button in the browser, the preferred action for your service's no-consent error screen is to reload.

Current guidance instructs the user to close your service's no-consent error screen tab to return to the NHS App in the browser.

Do not add your own back button to this page.

Services that use NHS App in the mobile application

<h1>You cannot continue without sharing your information</h1>
<p>The service provider needs your NHS login information to verify your identity.</p>
<p>If you need medical help, go to <a href="https://111.nhs.uk/">111.nhs.uk</a> or call <a href="tel:111">111</a> or your GP.</p>
<p>Call <a href="tel:999">999</a> if it's a life-threatening emergency.</p>

Behaviour of the back navigation in the NHS App (mobile application only)

A user can return to the previous point in their journey in the NHS App by using the native back link.

Styling guidelines

  • heading font size should be no smaller than 20px.
  • body copy should be no smaller than 16px.
  • hyperlink emergency contact numbers as advised.

Contact information:

For any queries about how NHS App will work with your service, email app.integration@nhs.net.

Services that have alternative user verification processes

Use this version of the no-consent error screen content guidance if your website or app can get user information for verification in an alternative way, such as 111 online.



What is an alternative user verification process?

This is when users can log in as a guest using their own details without the need for passing an ID token.

If this is possible in your service, you do not need to display the no-consent error screen.

Instead, the user will move directly to the guest process.

All other services

Use this version of the no-consent error screen content guidance if the previous options did not describe your service.

Example of the no-consent error screen content for all other services

  • In this version we recommend that you insert the name of your service in the [Service name] placeholder.
  • The "dynamic content" placeholder text indicates variable text where you may insert your own copy.
  • To minimise clinical risk, make sure all anchor tags to emergency services are operational and implemented as suggested.
  • You can use your service font, headers, footers and styling on this screen, but it must follow our styling guidelines.

How to display content for the no-consent error screen

Here is an example of the no-consent error screen. You can copy the content and code by selecting the HTML tab below this diagram.

You will need to apply your own CSS to the code.

<h1>You cannot continue without sharing your information</h1>
<p>[Service name] needs your NHS login information to verify your identity.</p>
<p>Dynamic content.</p>
<p>If you need medical help, go to <a href="https://111.nhs.uk/">111.nhs.uk</a> or call <a href="tel:111">111</a> or your GP.</p>
<p>Call <a href="tel:999">999</a> if it's a life-threatening emergency.</p>

Styling guidelines

  • heading font size should be no smaller than 20px.
  • body copy should be no smaller than 16px.
  • hyperlink emergency contact numbers as advised.
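
Both sets of content guidance ask you to make sure all anchor tags to emergency services are operational, and this version also has placeholders to fill in. The check below is an added example, not part of the NHS login guidance, that a build or test step could run against the rendered screen; the function name and sample markup are hypothetical, and the required links are taken from the sample HTML on this page.

```python
from html.parser import HTMLParser

# Emergency links from the page's sample markup: href -> visible link text.
REQUIRED_LINKS = {"https://111.nhs.uk/": "111.nhs.uk", "tel:111": "111", "tel:999": "999"}
PLACEHOLDERS = ("[Service name]", "Dynamic content.")


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        # links: href -> link text; text: all visible text on the screen
        self.links, self.text, self._href = {}, [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            if self._href is not None:
                self.links.setdefault(self._href, "")

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self.links[self._href] += data


def check_no_consent_screen(html):
    # Returns a list of problems; an empty list means the screen passed.
    page = _Collector()
    page.feed(html)
    page.close()
    problems = []
    for href, label in REQUIRED_LINKS.items():
        if href not in page.links:
            problems.append(f"missing emergency link: {href}")
        elif page.links[href].strip() != label:
            problems.append(f"unexpected text for {href}: {page.links[href]!r}")
    visible = "".join(page.text)
    problems += [f"unreplaced placeholder: {p}" for p in PLACEHOLDERS if p in visible]
    return problems


# Constructed sample: an "all other services" screen with the placeholders filled in.
SAMPLE = (
    "<p>Example Service needs your NHS login information to verify your identity.</p>"
    '<p>If you need medical help, go to <a href="https://111.nhs.uk/">111.nhs.uk</a> '
    'or call <a href="tel:111">111</a> or your GP.</p>'
    '<p>Call <a href="tel:999">999</a> if it\'s a life-threatening emergency.</p>'
)
```
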

Dynamic content suggestions

Only add your own content when you have information that might be of value to the user to either navigate away from the no-consent error screen, or to correct any errors. For example, a contact email or number.

Contact us if you are unsure which version of the no-consent error screen content guidance is right for your service.
