Guidance

Adult social care client level data: privacy notice

Published 11 January 2024

Applies to England

Summary of initiative or policy

As outlined in Care data matters: a roadmap for better adult social care data, we are committed to transforming how social care data is collected, shared and used. Improving social care data will enable:

• better joined-up care for people who draw on care and support
• more time and resources for people who provide and commission care and support
• greater understanding of people’s care journeys
• better management and oversight of the health and care system

This privacy notice describes how the Department of Health and Social Care (DHSC) intends to use data from the new adult social care client level data collection. NHS England runs the client level data collection, and this document should be read alongside its transparency notice describing:

• what data is collected
• how it can be used
• which organisations the data can be shared with

Client level data will enable more frequent and detailed reporting about adult social care activity and service delivery. This will support improved benchmarking, care market oversight, service planning and commissioning. For the first time, it will be possible to link pseudonymised health and social care records on a national scale, enabling in-depth analysis of patterns of health and care use, and evaluation of how effective and integrated services are.

Data controller

DHSC is the data controller.

What personal data we collect

The client level data collection is the first national collection of social care records covering requests for support, assessments, and reviews and services provided or commissioned by local authorities as part of their duties under the Care Act 2014.

Instead of aggregated annual returns, local authorities submit social care records every quarter to NHS England, starting from July 2023. Personal data is collected to understand support needs and enable demographic analysis and assessment of inequalities in care provision. More information is available on the Arden & GEM website, including the client level data specification and guidance.

Analysts in DHSC access pseudonymised client level data through a secure repository hosted by NHS England. The data is pseudonymised by NHS England using appropriate techniques to remove and prevent disclosure of identifying personal information such as name, NHS number and date of birth.

How we use your data (purposes)

DHSC will use client level data and linked data sets (such as health data or population estimates) to provide insights to support the Secretary of State for Health and Social Care in delivery of their duties under the National Health Service Act 2006, Health and Social Care Act 2012 and Care Act 2014.

For example, analysis of the data will be used to support ministerial priorities including understanding waiting times for adult social care services and delays to hospital discharge among people waiting for social care.

More detail on planned uses of the data can be found in our transparency statement, which can be found in ‘Annex D: adult social care client level data - DHSC approach to using the data’ to Care data matters: a roadmap for better adult social care data.

Data will also be routinely shared back with local authorities in an accessible manner appropriate to the needs of different users (one of DHSC’s key commitments to the social care sector and a central part of our data strategy). DHSC will provide a dashboard serving local authorities, including client level data and linked health data, to level up local authority analytical capability, and provide insights and benchmarking. This will enable local authorities to:

• gain an operational understanding through monitoring activity
• carry out strategic thinking for understanding and planning services
• improve their strategic commissioning

Legal basis for processing personal data

Under the UK General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

• Article 6(1)(e) – processing is necessary for the performance of a task in the public interest, or in the exercise of official authority vested in the controller
• Article 9(2)(h) – processing is necessary for the purposes of the provision of health or social care treatment or the management of health or social care systems and services
• Article 9(2)(j) – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes

Data processors and other recipients of personal data

Arden & GEM Commissioning Support Unit (CSU), as part of NHS England, are data processors operating the collection, pseudonymising the data and removing individual identifying information.

Local authorities accessing the DHSC client level data dashboard (for the purposes described above, where sub-licensing agreements are in place) are data controllers of their data. Local authorities are legally required to update their privacy notice and other transparency materials, such as service user information leaflets to set out:

• what data is being shared
• for what purposes
• what people’s rights are in relation to their data

International data transfers and storage locations

Information is stored and processed in the UK.

Retention and disposal policy

Data accessed by DHSC will be retained until the expiry of the data sharing agreement, at which point it will be securely destroyed by Arden & GEM CSU.

How we keep your data secure

Access is only granted for uses permitted by the terms of the data sharing agreement, and is securely controlled and managed through a regular review process and appropriate technical security controls.

Your rights as a data subject

By law, data subjects have a number of rights and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679), and the UK Data Protection Act 2018 applies.

These rights are:

1. The right to get copies of information – individuals have the right to ask for a copy of any information about them that is used.
2. The right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected.
3. The right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used.
4. The right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case.
5. The right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case.

Comments or complaints

Anyone unhappy or wishing to complain about how personal data is used as part of this programme should contact data_protection@dhsc.gov.uk in the first instance or write to:

DHSC Data Protection Officer
1st Floor North
39 Victoria Street
London
SW1H 0EU

Anyone who is still not satisfied can complain to the Information Commissioner’s Office (ICO), either through the ICO website or by post at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Automated decision-making or profiling

No decision will be made about individuals solely based on automated decision-making (where a decision is taken about them using an electronic system without human involvement) that has a significant impact on them.

Changes to this policy

This privacy notice is kept under regular review, and new versions will be available on this page. This privacy notice was last updated on 4 January 2024.