Statutory guidance

Adult social care provider information provisions: guidance for providers on data enforcement

Updated 21 July 2023

Applies to England

Background

In the government’s health and social care data strategy, Data saves lives: reshaping health and social care with data, we set out our vision to transform adult social care (ASC) data so that people who draw on support have access to information and can make more informed choices about their care, and for their carers to have timely data so that they can provide the best possible care.

The Health and Care Act 2022 (the 2022 Act) received Royal Assent in April 2022. The 2022 Act amended part 9 of the Health and Social Care Act 2012 (the 2012 Act) by inserting a new power (new section 277A) for the Secretary of State for Health and Social Care to require ASC providers to provide information relating to:

  • themselves
  • their activities in connection with the provision of ASC in England
  • persons to whom they have provided such care

This power came into force on 31 July 2022 and applies to all ASC providers regulated by the Care Quality Commission (CQC).

The 2022 Act also inserted a new power into the 2012 Act to make regulations enabling the Secretary of State for Health and Social Care to impose a financial penalty on private ASC providers who, without reasonable excuse, do not comply with an information request or provide false or misleading information (new section 277E).

The Adult Social Care Information (Enforcement) Regulations 2022 were made on 10 November 2022 and came into force on 1 December 2022. The new enforcement regulations apply to all private ASC providers regulated by CQC. Private providers are all providers of ASC, other than a public body, who are required to be registered with CQC. Public body is defined in section 250(7) of the 2012 Act as a body or person whose functions are of a public nature, or whose functions include functions of a public nature (though in this case they would only be a public body in respect of those functions of a public nature).

In this guidance, we set out the approach that the Department of Health and Social Care (DHSC) will follow when using the enforcement powers to address breaches of the statutory duty to provide information as set out in the formal notice of a mandate for all ASC providers. This is intended to help providers to understand the approach we will take in cases where enforcement action is required, and should be read alongside the guidance for providers on data collection.

Under new section 277F of the 2012 Act, the Secretary of State for Health and Social Care has directed the NHS Business Services Authority (NHSBSA) to carry out the enforcement function under section 277E.

Purpose of enforcement

Now that data collection from providers has been put on a statutory footing through the new section 277A of the 2012 Act, the Secretary of State can require information from all regulated providers of ASC services relating to themselves, their activities in connection with the provision of ASC in England or persons to whom they have provided such care.

Our intention is that the aggregated data collected will be shared appropriately with a defined group of organisations who need the data across the ASC sector (for example, local authorities, CQC and integrated care systems) to guide delivery, policy development and research in the area for purposes connected with the health or ASC systems in England. This information will continue to be subject to restrictions under the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).

To ensure that we continue to get vital data from ASC providers, we will use, where appropriate, the new enforcement regulations made under new section 277E of the 2012 Act, which enable the Secretary of State to impose a financial penalty on private ASC providers. This can happen when ASC providers, without reasonable excuse, fail to comply with the requirement to provide information or provide false or misleading information.

We will have a 5-month lead-in period, meaning that we do not expect to issue any notices to providers before the end of April 2023. This is to allow providers time to ensure that they are properly registered on Capacity Tracker, and that they have been able to reach out for support where required.

We have made clear that financial penalties will normally be a last resort, which will be imposed where:

  1. a provider continues to be, or is persistently, in breach of their data obligations
  2. after the delivery partner (NHSBSA) has reached out to offer guidance and support, the provider is still not sharing their data or is sharing false or misleading data and has not taken appropriate steps to comply with the requirement to provide information

If we are to maximise the benefit of collecting data via these new powers, we need to ensure that we are able to enforce them. While we expect compliance to be the norm so that financial penalties are not required, a deterrent is important to ensure that providers are held to account when they are not meeting their statutory duties, and the regulations provide the powers to impose financial penalties if needed.

The level of the fines will be the same as a provider’s CQC registration fee, which is scaled to the provider’s type and size.

The ultimate goal is to have a health and care system that is underpinned by high-quality, readily available data, which is collected and shared appropriately with those in the sector who need it. We have developed this enforcement policy to ensure that we get information consistently from all ASC providers so that data is:

  • transparent and accessible by all who need it
  • used intelligently to support commissioning and delivery of services
  • used to support system assurance and the management of risks at local, regional and national levels

The primary purpose of enforcement is to:

  • ensure that we receive the mandated data from all ASC providers to enable streamlined, consistent collections to support decision making at all levels
  • hold providers to account for failure to provide mandated data without reasonable excuse, or for providing false or misleading information

Guiding principles

Support

We are making the process of information submission as simple as possible for providers and ensuring that there is support at all stages of the process so that providers are able to avoid any enforcement action, or have it suspended if they come back into compliance.

Where adequate attempts or reasonable steps have been taken by providers to provide the required data, no enforcement action will be taken.

Providers will be contacted when they have not updated their Capacity Tracker data and will be offered support and advice by the North of England Care System Support (NECS) about completing the return. NECS will also utilise their regional leads to disseminate key information with providers.

The NECS regional leads run regular provider engagement sessions and have set up regional forums to help support continuous improvement of the system and support our user-centred design approach.

Capacity Tracker also has an integrated resource centre which houses communications, user guides, video tutorials and contact details for local system champions.

The NECS dedicated support centre offers support to care providers and wider stakeholder users of Capacity Tracker. They can be contacted by:

Proportionality

We will ensure that the amount of data required will be proportionate and take account of the burden on providers. Further, we will seek to ensure that providers are normally given 3 months’ notice of any changes to the data required unless the circumstances warrant otherwise.

Providers will not be penalised at the first breach, but rather they will be contacted by our delivery partner, NECS, to understand the issue and to work with them to resolve the issue before it reaches the point for escalation to a formal notice. Even where a formal notice is issued, we will work with providers, wherever possible, to avoid a financial penalty. If the provider comes back into compliance, any notice may be withdrawn and enforcement action cancelled.

Financial penalties have been developed to make sure that any fine is proportionate to the type and size of the provider.

Consistency

We will aim to be consistent in how we exercise our enforcement powers, as far as possible, which is why we have sought to publish comprehensive guidance on our approach to enforcement action.

We will deal with similar cases in a consistent way in line with this guidance - however, decisions will be made based on the individual facts of each case and any specific representations made.

Our enforcement partner, NHSBSA, will train and support their staff to promote consistency in the approach to enforcement and decisions made in conjunction with DHSC.

Transparency

We aim to be transparent about our approach to enforcement. As part of this, we have engaged with the Provider Data Advisory Group (PDAG) on the development of this guidance. This includes representation from:

  • Local Government Association
  • Association of Directors of Adult Social Services
  • CQC
  • Department for Levelling Up, Housing and Communities
  • DHSC
  • NHS Transformation Directorate
  • NHS England
  • assured software suppliers
  • Think Local Act Personal
  • other relevant stakeholders as required

We have published this guidance online and shared it with ASC providers through the Capacity Tracker tool.

This guidance clearly sets out what we expect from providers, and the steps we will take in the event that enforcement action is required, as well as the steps providers can take to request a review of the decision or appeal the decision in the HM Courts and Tribunals Service (HMCTS) First-tier Tribunal.

What we can enforce and who it applies to

Enforcement action can be taken against any private providers of ASC required to be registered with CQC, who without reasonable excuse fail to submit the information required in the formal notice of a mandate for all ASC providers via Capacity Tracker within the reporting window specified in that notice, or who provide information in response to that request that is false or misleading to a material extent.

Private providers are all providers of ASC, other than a public body, who are required to be registered with CQC. Public body is defined in section 250(7) of the 2012 Act as a body or person whose functions are of a public nature, or whose functions include functions of a public nature (though in this case they would only be a public body in respect of those functions of a public nature).

We accept that there will be occasions when more facts emerge later in the process, or disputes of fact are resolved, which therefore means that the enforcement action is no longer required. If that stage is reached, NHSBSA will withdraw any notices issued and cease enforcement action.

Process for enforcement

Any enforcement action taken will take place over a period of months rather than weeks, with financial penalties normally a last resort where providers have not made adequate attempts to comply with requirements to provide information, or have provided false or misleading information, despite multiple offers of support.

There will generally be a 4-stage approach taken from the first breach to a final notice imposing a financial penalty. ‘Stages’ in this instance is used to mean each instance of non-compliance.

  1. The first stage will focus on contacting providers to understand the issue and to offer them support and guidance ahead of the next time they are due to submit their data. Providers can use this communication to flag any extenuating circumstances.
  2. The second stage is similar to the first stage with support and guidance offered to providers ahead of the next time they are due to submit their data. Providers can use this communication to flag any new or continued extenuating circumstances.
  3. The third stage is reached where a provider continues not to provide the data or persistently fails to comply with their data obligations (or where the data is false or misleading to a material extent). A notice of intent will be issued at this stage to remind the provider of their legal obligation to comply and warn that a final notice may be issued. (See the ‘Notice of intent’ section below.) A provider can make formal representations within 14 days to explain why they were unable to comply with the requirement to provide information and a decision will be made as to whether or not to proceed to a final notice. (See the ‘Representations’ section below.) 
  4. The fourth stage is reached when any written representations have been received and considered and a decision has been made (within 28 days) as to whether or not to proceed to a final notice. This decision will take into account whether a provider has made adequate attempts to comply or engage with the support offered, or where they continue to not comply with their data obligations, whether their reasons for not complying constitute a reasonable excuse. Where providers have not made adequate attempts to comply or engage with the support offered, or where they continue to not comply with their data obligations and their reasons for not complying do not present reasonable excuse, a final notice imposing a financial penalty may be issued.

If a provider makes representations, but the review panel does not consider that those representations constitute reasonable excuses to justify the breach, a provider can request a review of the decision within 7 days.

If a request for a review is not received within that time, a final notice imposing the financial penalty will be issued. Providers will be able to appeal to the HMCTS First-tier Tribunal if they disagree with the decision.

Financial penalties will normally be a last step where:

  • a provider continues to be, or is persistently, in breach of their data obligations
  • our delivery partner, NECS, has reached out multiple times to offer guidance and support, but the provider is still not sharing their data, and has not made adequate attempts to comply with the requirements to provide information

A provider will always be given the opportunity to make representations within the period specified in the notice of intent as to why they have not provided the required data and why a financial penalty should not be imposed.

Notice of intent

When a provider breaches their duty to submit the required data within the collection window, NECS will contact them in the first instance, either by phone or email, to understand whether there are any issues, or if the provider needs any additional support.

Where a provider continues to be in breach of their duty, a notice of intent may be issued on the provider.

The notice of intent notifies the provider that they have not been complying with their statutory duty to provide the required information within the time period specified, and that a financial penalty is proposed to be issued if they do not comply at the next reporting window.

The notice of intent will be issued in writing to the provider’s registered address or email address if there is a confirmed email address on file. The notice of intent will set out:

  • the relevant section of the 2012 Act that the provider is not complying with and the regulation under which enforcement action is being taken
  • the reasons for proposing to impose a penalty
  • the amount of the proposed penalty and how this was calculated
  • the circumstances in which the Secretary of State may not impose the penalty and a warning that there may be further action if the provider does not comply at the next collection window
  • information about the right to make written representations
  • information about timescales for complying with the request or for making representations

Representations

Any provider issued with a notice of intent has the right to make written representations to the Secretary of State about the proposed financial penalty.

Examples of when a provider may want to make representations against the notice of intent include:

  • the provider has reasonable excuses for not complying
  • the provider has made adequate attempts to comply and has been prevented from complying due to circumstances out of their control
  • the notice contains an error or is based on inaccurate facts
  • the notice should not have been issued for some other reason

While there is no exhaustive list of reasonable excuses, we would likely consider the following examples to constitute reasonable excuses:

  • an emergency situation at the provider location - such as a new COVID-19 outbreak -that has a significant impact on the day-to-day running of the provider’s business
  • a computer failure at the provider location - such as a cyber attack - that lasts a number of months and prevents the ability of the provider to provide the requested information

How to make a representation

Representations must be made in writing, either by email or post. Digital representations are the preferred method, where possible. We will not accept a verbal representation. This avoids any misunderstanding about the representation and ensures that all details are recorded properly for decision making.

Representations should be in Word, PDF, or Open Document format. Providers may wish to use the representations form. If the form is not used, providers must be clear that they are making written representations against the notice of intent within the period specified.

Representations can be made by:

NHS Business Services Authority
Adult Social Care Enforcement
Unit 5, Greenfinch Way
Newburn Riverside
Newcastle upon Tyne
NE15 8NX

You must make representations within 14 days of receiving the notice of intent.

For support, providers can contact NHSBSA by:

Decision

NHSBSA will write to the provider to let them know of the review panel’s decision on whether to proceed with enforcement action within 28 days following the period for making representations, and to explain the next steps.

In making this decision, the review panel will consider:

  • the representations made
  • the provider’s compliance history
  • previous contact with the provider
  • the amount of information missing
  • the extent that the information is false or misleading
  • any other relevant information

The decision will be to either:

  • not uphold the representations: the review panel (comprised of NHSBSA and DHSC officials) has not agreed with the grounds made in the representations or does not agree that the reasons for non-compliance constitute reasonable excuses
  • uphold the representations: the review panel has agreed with the grounds made in the representations or agree that the reasons for non-compliance constitute reasonable excuses
  • withdraw and reissue the notice of intent if it contains an error which can be rectified, but we still consider that it is appropriate to issue a notice of intent. If a notice of intent is re-issued, the provider, again, has 14 days to make representations

Where the representations are upheld, the notice will be withdrawn with immediate effect and no further action will be taken.

If the representations are not upheld, a final notice will be issued and the decision will be recorded on the provider’s file. That information will be used in decision making if there is a further breach by that provider, which could lead to a further financial penalty being imposed.

If the provider disagrees with the decision made, they can request a review of the decision in the first instance.

The decision letter will set out:

  • the relevant section of the 2012 Act that the provider is not complying with and the regulation under which enforcement action is being taken
  • reference to the notice of intent that was issued
  • reference to the representations that were received
  • the decision made
  • information about how to seek a review of the decision made, and when to make that request by
  • information on next steps if the decision is to proceed to a final notice

Final notice

If, after a notice of intent is issued, a provider continues to be in breach, and has no reasonable excuse for doing so, we may decide to proceed to a final notice imposing a financial penalty.

The final notice notifies the provider that we consider that they have not been complying with their statutory duty to provide the required information within the time period specified, and that as they have no reasonable excuse for breaching, we consider it appropriate to issue a financial penalty.

The final notice will be issued in writing to the provider’s registered address or email address if there is a confirmed email address on file. It will set out:

  • the relevant section of the 2012 Act that the provider is not complying with and the regulation under which enforcement action is being taken
  • reference to the notice of intent that was issued, the representations that were received and the decision made
  • the reasons for imposing the penalty
  • the amount of the penalty and how this was calculated
  • information about how to pay the penalty
  • when the penalty must be paid by
  • information about the right of appeal to the First-tier Tribunal, and the time limit within which they must notify the tribunal of their intention to appeal
  • the consequences of failing to pay the penalty in accordance with the notice

Right to appeal to the First-tier Tribunal

Any provider issued with a final notice has the right to appeal to the First-tier Tribunal (Health, Education and Social Care Chamber) against the final notice.

The provider can bring an appeal against the decision of the Secretary of State to impose the penalty or appeal against the amount of the penalty.

Appeals to the First-tier Tribunal are to be lodged within 28 days of the service of the final notice. See further information on appealing to the Care Standards Tribunal.

Recovering financial penalties

Where a provider does not pay their penalty charge within the time specified in the final notice, NHSBSA will send reminder letters to the provider and will try to contact the provider.

If the fine remains unpaid after 40 days, the case will be passed on to a third party for debt recovery.

As a last resort, action may be taken in the county court to recover any unpaid fines.

Fines

The level of fine for breach of this duty will be equivalent to a provider’s CQC registration fee.

The power to impose a penalty applies in relation to any breach of the duty to provide data. At present, data is required to be provided monthly. Each time this duty is breached, a fine could be imposed. In practice, we would go through a process of contacting providers to understand the problem and to offer support before further action is taken.