Transparency data

Letter to ICBs from NDG and UKCGC issued 7 November 2022

Published 23 November 2022

Applies to England

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/letter-to-integrated-care-board-siros-from-the-national-data-guardian-and-uk-caldicott-guardian-council/letter-to-icbs-from-ndg-and-ukcgc-issued-7-november-2022

To: Integrated care boards/senior information risk owners

Our ref: 299/1541

07 November 2022

Dear colleague,

I am writing this letter to you in conjunction with Dr Arjun Dhillon, chair of the UK Caldicott Guardian Council, because we have both been made aware that within some local record sharing programmes, organisations could be processing confidential patient information (CPI) without ensuring that the processing does not breach confidentiality.

In this letter, we outline four specific concerns raised with us. We also provide advice for organisations regarding the scope of existing legal gateways for processing patient information in those four specific circumstances.

The Information Governance Framework: Shared Care Records provides detailed guidance on implementing a shared care record in accordance with the law. This letter does not seek to replace this guidance. Instead, it draws out specific aspects of information governance compliance regarding the particular issues that clinicians involved in implementing record sharing programmes have raised with us. As a result, for completeness, this letter should be read alongside the Information Governance Framework: Shared Care Records.

Compliance with the duty of confidentiality

Establishing that data uses do not breach confidentiality is fundamental to the ethical use of data. Consent may be implied where it is necessary to use CPI to provide individual care. However, processing for secondary purposes cannot be based on implied consent, and another legal basis to lift the obligation of confidentiality must be established. Organisations must also do more to make people aware of how their data are being used and to ensure independent oversight of those uses.

Where it is not possible to gain consent, organisations can apply to the Confidentiality Advisory Group (CAG) of the Health Research Authority (HRA) to consider whether the processing they wish to undertake justifies temporarily lifting the common law duty of confidentiality under section 251 of the NHS Act 2006. Failing to seek the legal basis of support under section 251, where required, puts organisations at risk of breaching patient confidentiality.

Data processing activities

We now turn to the four particular information processing activities which have been raised with the NDG and UK Caldicott Guardian Council:

Activity 1: Processing data for elements of risk stratification that do not amount to individual care on the basis that they are for individual care

We are aware that some organisations are relying on the concept of implied consent for individual care to provide the legal basis for risk stratification data processing activities that combine confidential patient information to identify vulnerable or high-risk patients so that they can offer appropriate interventions.

Under CAG 7-04 (a)/2013, NHS England has support for the disclosure of CPI to enable the indirect care element of risk stratification, namely to combine and process GP data from GP systems with specific commissioning data sets as set out in CAG 2-03(a)/2013 and select target populations; and to provide protection to NHS Digital to legitimise the onward transfer to approved risk stratification suppliers.

Therefore, the preliminary processing to combine and process confidential patient information for risk stratification should not be based on implied consent for individual care and should be undertaken in line with ‘section 251 support’.

The only element of risk stratification activity that can rely on implied consent for individual care as a legal basis is the activity of sharing confidential patient information with clinicians who owe a duty of care, so that they can offer appropriate interventions to individuals.

Advice for organisations about how to undertake risk stratification and provide assurance to NHS England that they or their risk stratification tool providers meet the CAG approval conditions, as set out in the Risk Stratification Assurance Statement, can be found here: NHS England » Risk Stratification.

We are also aware that some local record sharing programmes believe that processing CPI for population health analytics or population health management falls under either the legal bases of implied consent for individual care, or the support of CAG 7-04 (a)/2013. Population health analysis or management activities that do not offer interventions to people are not individual care, and the legal basis of implied consent for individual care is therefore not a valid legal basis for this activity.

Population health analytics/management also does not fall within the activities for which section 251 support was given in CAG 7-04 (a)/2013. As outlined above, the support under section 251 was for the preliminary processing to combine and process specific primary care and secondary care data to identify vulnerable or high-risk patient populations who may be suitable for interventions.

In the minutes of its 12 October 2017 meeting, the CAG reiterated the scope of the original risk stratification application CAG 7-04(a)/2013 and clarified that processing CPI for the purposes of population health analytics/management is not within the scope of the original application.

Where ICBs intend to process confidential patient information for the purpose of population health analytics/management programmes, they can make a specific application to the CAG to seek advice and support under section 251 of the NHS Act 2006.

Where an organisation is considering making an application to CAG, they should contact the Confidentiality advice team supporting CAG before writing their application, who will explain the application process.

Activity 2: Lack of compliance with NHS England assurance statement where CAG 7-04 (a)/2013 is relied on as the basis for disclosure of confidential patient information for risk stratification

Where local organisations are relying on section 251 support to undertake risk stratification activities to combine and process CPI to select target populations, all organisations involved in processing that CPI need to comply with the NHS England risk stratification assurance statement.

However, we are aware that some organisations need to provide this assurance and are therefore not meeting the conditions set out in CAG 7-04(a) 2013. A number of particular issues have been raised with the NDG regarding processing for risk stratification, which are preventing organisations from meeting the NHS England risk stratification assurance statement:

*the risk stratification processing taking place is not designed to select and target vulnerable populations, but rather to inform wider population health management programmes that are focussed on the prediction and planning of care – and therefore the particular activity does not fall under the NHS England section 251 support in CAG 7-04(a) 2013. *the data extraction for the risk stratification activity in the local record sharing programmes is more extensive than the limited data extraction covered by CAG 7-04(a) 2013. Where patient information from GPs, NHS trusts, community trusts, mental health providers, and social care occurs before any risk stratification processing is undertaken, it falls outside the scope of the existing Section 251 support under CAG 7-04(a) 2013. CAG 7-04(a) 2013 only applies to the use of GP, Secondary Uses Service (SUS) data and the Mental Health Services Data Set. It explicitly does not cover the disclosure of social care data for risk stratification. *the organisations undertaking the risk stratification processing are not on the register of approved organisations for the receipt and processing of confidential patient information for this purpose.

To address these concerns, CAG and NHS England Transformation Directorate are working with ICBs to help them understand the current requirements and assurance for existing section 251 support. Together, these organisations are developing a coordinated action plan that considers future support for existing and planned risk stratification activities.

CAG has agreed to support the current NHS England led section 251 support for a further 12 months, until 30 September 2023. This is with a caveat that ICBs fully demonstrate compliance with the existing conditions and controls. Within the timeframe, the following key actions must be addressed:

*ICBs provide NHS England with assurance of their compliance with the existing section 251 exemption conditions and controls *ICBs identify and justify data processing occurring for risk stratification purposes *ICBs provide details of how they use confidential patient information for risk stratification *NHS England to develop a ‘core’ section 251 risk stratification application with standardised conditions for ICBs to progress

NHS England Transformation Directorate is helping ICBs to both demonstrate their compliance with the existing section 251 conditions, and to produce action plans.

ICBs are advised to contact the NHS England Transformation Directorate (england.igpolicyteam@nhs.net) who will be able to advise organisations about the future core section 251 risk stratification application process. Following advice from NHSE, ICBs may wish to contact the Confidentiality advice team who support CAG (cag@hra.nhs.uk).

Activity 3: Transfer of confidential patient information from local record sharing programmes into secure data environments

We are aware of cases where CPI that has been disclosed to local record sharing programmes’ data processors for individual care purposes is being transferred to third-party data controllers hosting secure data environments (SDE). The data is then being made available within the SDEs for secondary purposes.

We recognise and accept the potential advantages and benefits of SDEs. However, CPI shared for secondary purposes must be lawful. We want to remind ICBs that the implied consent that allows CPI to be disclosed lawfully within local record sharing programmes to provide individual care does not also provide a lawful basis for programmes to share that information with SDE providers for secondary purposes.

If you are sharing information from your local record sharing programmes for purposes other than individual care, then you are required to consider how you will satisfy or set aside the common law duty of confidentiality.

We recommend that organisations that wish to process confidential patient information within a SDE approach the CAG to discuss whether an application for support under section 251 NHS Act 2006 is required.

Where an organisation is considering making an application to CAG, they should contact the Confidentiality advice team supporting CAG before writing their application, who will explain the application process.

Activity 4: Disclosure of confidential patient information outside the shared care record team/systems to render it anonymous for secondary purposes

If possible, where ICBs plan to use patient information to support the effective functioning of the local health and care system, they should do this with information that has been rendered anonymous.

Data controllers anonymising CPI collected for care purposes is generally considered acceptable within the context of providing care, because there is no disclosure of confidential patient information from the individual care provider. However, transferring CPI to a third party that is not collecting it for individual care, so that they can undertake the process of anonymisation, cannot rely on implied consent for individual care as an appropriate legal basis.

Where you intend to use a third party to render CPI anonymous so that it can be used for secondary purposes, you should consider whether you need to apply for support under section 251 of the NHS Act 2006.

Furthermore, organisations seeking to allow access to data on the basis that it is anonymous and falls outside the duty of confidentiality should ensure that their anonymisation processes are effective in line with ICO guidance (currently in the consultation phase). While there is great benefit to be derived from high-quality research on anonymous data, we must have due regard for public trust, especially where commercial arrangements exist between care providers, third-party processors and researchers.

Reaching a shared view that drives collaboration between partners providing local health and social care is an incredibly valuable aim. It is an aim that we support, and one that we recognise to be dependent on access to CPI. Ensuring that record sharing programmes use CPI in ways that are legal, ethical and earn the trust of patients and the professionals caring for them is crucial in realising the potential of integrated care.

With best wishes

Dr Nicola Byrne

National Data Guardian for Health and Social Care

Dr Arjun Dhillon

Chair of UKCGC

Back to top