mysociety / citizenconnect

Citizen Connect project for the NHS: reporting problems, leaving reviews
https://www.nhs.uk/careconnect/choices

Remove OES link and replace with form #1286

Open Lynne2 opened 10 years ago

Lynne2 commented 10 years ago
  1. The OES link on the 'Ask a Question' is to be removed (the OES service will no longer be in service from 25 March 2013).
  2. Please replace this with a webform (content detailed below). This should behave in the same way as the 'Report as unsuitable' webform in that it is accessed by a link and when submitted is sent to the 'ccfeedback@nhs.net' inbox.

I think the template is quite straightforward, but if any problems/questions let me know.

Ask a Question

Please complete all of the following fields when submitting your question. We collect this data so that we can provide the best possible answer related to your question as the answer may be affected by your age, gender or location.

Are you enquiring for yourself or someone else?
If you are using this service on behalf of someone else, the answers should be about them.

Please enter your gender:

Please enter your age:

Please enter your email address
We will send our reply to this address so you need to make sure it is correct

Please enter the first half of your postcode

Is this service confidential?
The information you provide to us through this secure form will be kept confidential, but please be aware of the security of the e-mail address you have provided for our response. For more information about how we collect and store information, please see our privacy policy (link to privacy policy: https://www.nhs.uk/careconnect/choices/about#privacy-policy ).

What do you want to know?

We aim to respond to your enquiry within 24 hours. However, in some instances, for more complex enquiries it may take longer; in this instance you will be notified by email.

By submitting this form, you are agreeing to the Terms and Conditions (link to T&C's https://www.nhs.uk/careconnect/choices/about#terms-and-conditions ) of the service.

  3. On the 'Ask a Question' page, please change the text (below the FAQ's) from:
     Not answered your question? Click on the button below to go to the NHS Direct Online enquiry service.
     To:
     Not answered your question? Click the button below to submit a question online.
  1. In the Privacy Policy section, under Personal Information please change the wording from:
     'Includes your first name, last name, email address, telephone number, DOB (for Ask a question), ethnicity (for Ask a Question) and other personal information you provide.'
     To
     'Includes your first name, last name, email address, telephone number, gender (for Ask a question), postcode (for Ask a Question) and other personal information you provide.'

This needs to be in place ideally by 24 March 2014.

BenJam commented 10 years ago

We raised the patient data flag on this approach (sending an email in plain text containing medical information); as such, we are to propose a number of solutions for the NHS to discuss and decide. IMO they are:

We will have to ask for more feedback concerning the system(s) used by the team accepting and responding to questions before going any further, but if there's another approach we should consider, please do comment.

BenJam commented 10 years ago

If we could remove the link to avoid any issue as the team is closing down today.

stevenday commented 10 years ago

I've removed the link as requested. With regards to the options for alternatives, there are problems with regards to data privacy:

  1. With @Lynne2's suggestion of a feedback form, we have the issue that medical data will be emailed from the site over an insecure system (our servers are not inside the N3 network, so AFAIK shouldn't be used to send patient data) - we have no control over the intermediary networks the emails will be sent through.
  2. All of @BenJam's suggestions avoid this problem of emailing, but they require us to actually store the submitted data on our server, at least until it is retrieved, and probably indefinitely. I presume that storing this kind of data was not covered in the initial assessments of our system's security.

Assuming that we still can't get onto N3, the only option I can think of might be to encrypt the emails when we send them using PGP, although this will require the recipient to give us their PGP key and be able to use it. I'm not sure if this will be considered sufficient security or not; it feels like someone from the NHS IT team needs to think about this situation and tell us what is acceptable/required.
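
A sketch of the PGP option raised in the comment above, added here as an example and not taken from the thread or from the citizenconnect code base: the form answers are wrapped in an RFC 3156 PGP/MIME message, and sending is refused if encryption does not succeed. The function names, the fixed subject line and the use of the `gpg` command-line tool with a pre-imported recipient key are assumptions.

```python
import subprocess
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def gpg_encrypt(plaintext: bytes, recipient_fpr: str) -> bytes:
    """Encrypt to the recipient's public key with the gpg CLI.

    Assumes the key is already imported and marked trusted after an
    out-of-band fingerprint check; in --batch mode gpg exits non-zero
    otherwise, and check=True turns that into an exception.
    """
    done = subprocess.run(
        ["gpg", "--batch", "--armor", "--encrypt", "--recipient", recipient_fpr],
        input=plaintext, stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True,
    )
    return done.stdout


def build_question_email(fields, sender, recipient, recipient_fpr, encrypt=gpg_encrypt):
    """Return an RFC 3156 multipart/encrypted message carrying the form answers."""
    # Every answer goes into the inner part; nothing from the form may leak
    # into headers, because PGP/MIME does not encrypt From, To or Subject.
    body = "\n".join(f"{name}: {value}" for name, value in fields.items())
    inner = MIMEText(body, "plain", "utf-8")
    ciphertext = encrypt(inner.as_bytes(), recipient_fpr)
    # Fail closed: never fall back to sending the plaintext.
    if not ciphertext.lstrip().startswith(ARMOR_HEADER):
        raise ValueError("encryption failed; refusing to send plaintext")

    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = "New 'Ask a Question' submission"  # fixed, no form data
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext, "octet-stream", encoders.encode_7or8bit))
    return outer
```

Even with the body encrypted, the sender and recipient addresses and the time of submission remain visible to every mail relay on the path, and the recipient's private key becomes the thing that has to be protected.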

Lynne2 commented 10 years ago

I have checked with NHS England IG and we cannot go with the initial email suggestion we made.