Contents
1. Purpose
1.1 The Futures collaboration platform (also referred to as ‘FutureNHS’ or ‘the platform’) is a digital tool designed to help individuals working in health and care connect, collaborate and share knowledge across organisational boundaries. The platform hosts workspaces, self-contained areas with a membership dedicated to a particular health and care project, programme or community.
1.2 This security policy outlines the management and security measures in place to protect the Futures platform’s users and the information it hosts. It explains the procedures for user accounts and access, platform management, and overall system security.
1.3 If you need assistance with any aspect of this policy, please contact support.
2. User accounts
Passwords
2.1 User account passwords must have a minimum of 8 characters. Passwords must contain an upper-case letter, a lower-case letter and a number. Password strength is visible when a user sets their password.
2.2 Users are locked out of their account for 30 minutes after 6 failed login attempts.
Account verification
2.3 Users must verify that they have access to the email address associated with their Futures account every 90 days. A user cannot log in and access Futures unless they have verified their email.
2.4 Users are not permitted to change their email address on their account and retain their workspace membership(s) unless the old and new email address are both issued by an approved health and care organisation, and they have retained access to their account. Otherwise, users must create a new account and re-join or request access to workspace(s) again.
2.5 Multi-factor authentication (MFA) is being rolled out to accounts on the platform in line with the NHS England MFA policy.
Inactive accounts
2.6 A user’s account will be deleted after 365 days of inactivity.
3. Access management
3.1 Workspace managers must follow the rules and procedures set out in the platform policies and terms and conditions, including the access management restrictions within the workspace management policy and acceptable use policy. Our support centre provides step-by-step guidance to support users with all aspects of Futures policy.
3.2 Organisations with access to self-registration (where a user can self-register for a Futures account without an invitation to a workspace) are vetted to ensure they have a robust joiners, movers and leavers (JML) process in place to safely manage their corporate email accounts.
4. System security
4.1 The Futures platform is hosted on the cloud-based software Kahootz. Kahootz is a vetted government supplier and undertakes vulnerability management and monitoring. Kahootz undertakes an annual IT Health Check by a CHECK accredited testing partner to ensure that the service is secure against a determined hacker. Kahootz also have CyberEssentials+ and ISO27001 certification. All Kahootz staff are vetted to BS7858.
4.2 Kahootz’s servers and backup servers are based securely in the UK. All communication between the end user's browser and the Kahootz servers goes over encrypted connections. Kahootz uses encryption on every page of the platform, including log in, upload and download.
4.3 Kahootz uses a variety of security lockdowns, perimeter tests and controls to stop attacks from affecting their servers. They also ensure that all parts of the software are fully security tested in design and deployment. As a government supplier working to high-security levels, Kahootz are regularly checked on this by CREST-approved penetration tests. They have been consistently marked as clean.
5. Platform management
5.1 The Futures team run compliance checks across the platform to ensure that content, accounts, and user activity adhere to our policies and terms and conditions. This includes routine and ad‑hoc monitoring of platform activity, review of reported or flagged content and accounts, checks on workspace configuration and access controls, and investigation of potential policy breaches. Where non‑compliance is identified, the Futures team may take appropriate action in line with our policies, including undertaking or requesting corrective action, restricting access, or removing content or accounts where necessary.
5.2 The platform records an audit log of activity, including invites and registrations to the system.
5.3 The platform is regularly reviewed and updated to block common prohibited email address types from access, such as journalist emails, shared email accounts or users who have been banned from access for violating a policy.
5.4 General users and workspace managers are supported to use the platform securely and effectively through the policies, guides, and training videos in the support centre. All users can also raise queries directly with the support team (operating Mon-Fri, 9am – 5pm except bank holidays) using the blue button on the platform or by filling out our contact form.
5.5 The Futures team receive site administration training.
5.6 Dedicated training on secure permissions is on offer to managers of workspaces with more sensitive content. The Futures team also run community huddles and share communications with users to educate them on compliance and promote best practice.