DOCUMENT STATUS: Approved
VERSION: Version 2.1
DOCUMENT OWNER: Reaz Khedarun, Information Governance Manager
DOCUMENT RATIFIED BY: Information Governance Committee
DATE ISSUED: 24th August 2013
DATE TO BE REVIEWED: 24th August 2014
1. INTRODUCTION
1.1 Appropriate information sharing is essential to the efficient provision of safe, effective care, both for the individual patient and for the wider community of patients. The aim of public policy is for citizens to receive the health and social care services that they need. The organisation of services should not impede or debase the service provided. This requires organisations to work effectively and efficiently together to tailor services to the particular circumstances of each individual. North West London Commissioning Support Unit (NWLCSU) and the Parties to the Agreement recognise that sharing appropriate and relevant personal information about an individual between relevant organisations in a secure framework is vital to the provision of co-ordinated and seamless care to that individual.
1.2 In order to address these responsibilities and concerns, organisations have been advised by the Health and Social Care Information Centre, NHS England and the Department of Health to establish inter-organisational protocols. These will be backed by appropriate training and procedures to ensure that personal information transfer processes work smoothly and are effectively managed.
1.3 The aim of this Information Sharing Protocol (ISP) is to remove any potential barriers to, and uncertainty about, personal information sharing between participating organisations at both operational and managerial levels by ensuring legal requirements and ethical standards are satisfied. This ISP in particular is designed to facilitate the sharing of patient identifiable data for the purposes of risk stratification and for the purposes of direct care or otherwise to quality assure the care provided (i.e. clinical audit/Peer Review).
1.4 Consent for the necessary sharing of information to support care delivery can be inferred from the fact that an individual agrees to receive that care; however, only relevant information should be shared. The following tests establish the conditions under which consent can be implied; all of them must be met affirmatively:
1.4.1 Is the activity a type of direct care within the scope specified by the professional’s regulatory body?
1.4.2 Does the professional have a legitimate relationship with the person or persons concerned?
These sit alongside the legal requirements for valid consent.
1.5 This ISP:
1.5.1 forms an over-arching agreement to provide a framework for the secure and confidential sharing of personal information between NWLCSU and GP Practices as Data Recipients in order to enable the Data Recipients to meet the needs of communities and individuals for care, protection and support in accordance with statute and government policy;
1.5.2 describes roles and structures to support the exchange of personal information;
1.5.3 covers the sharing of personal information for any of the purposes listed in the ISP;
1.5.4 applies to the sharing of personal information in whatever medium it is held and however it is transmitted;
1.5.5 is designed to ensure that service users are informed of the reasons why personal information about them may need to be shared and how this sharing will be managed;
1.5.6 sets out commitments to the proper handling of requests by service users for information;
1.5.7 applies to the activities of the staff of the signatory organisations;
1.5.8 describes how complaints from service users relating to personal information sharing between two or more organisations will be investigated, recorded, handled and resolved;
1.5.9 sets out commitments to ensure security of personal information and the retention of audit trails.
2. LEGAL BASIS FOR SHARING INFORMATION UNDER THIS ISP
2.1 Undertaking a Clinical Audit or Peer Review
Both clinical audit and Peer Review are perceived to be direct patient care and therefore do not require explicit consent from a patient for their record to be accessed or for their information to be shared.
The aim of Clinical Audit is to encourage individual GP Practices to self-examine different aspects of their practice, to implement improvements where the need is identified and to re-examine, from time to time, those areas which have been audited to ensure that a high quality of service is being maintained or further improved.
Clinical Audit may be undertaken by individual GP Practices or by a group of GP Practices, who may not necessarily be in the same practice, working together in a Collaborative Clinical Audit.
The focus of any audit must be to:
1) ensure that patient records are accurate;
2) be linked to direct clinical care, i.e. an individual patient or group of patients can be identified as benefitting from the audit; and/or
3) identify where clinical practice can be improved.
Peer Review provides an opportunity for groups of GPs to get together to review aspects of practice. The aim is to share experiences and identify areas in which changes can be made with the objective of improving the quality of service offered to patients.
If the primary focus of any audit is to identify cost savings, changes to practice that do not directly impact on patients etc. then this is regarded as secondary processing and may only be undertaken with 1) the consent of the patient or 2) using anonymised data.
2.2 Undertaking Risk Stratification
For risk stratification, the most appropriate route for disclosure of data from the HSCIC is either by obtaining explicit patient consent or under Section 261(5)(d) where the disclosure is made to the GP for the exercise of their functions conferred under their obligations to provide medical services under Part 4 of the NHS Act 2006. Please note the decision by NWLCSU to share information for the purposes of risk stratification is based on current NHS England Guidance: Information Governance and Risk Stratification: Advice and Options for CCGs and GPs (July 2013).[1]
3. DATA RECIPIENT OBLIGATIONS
3.1 To support the validity of the consent, however, there is a need to ensure that service users are informed about how their information is used.
3.2 As a Data Controller/data custodian, with respect to the data being shared under this ISP, the Data Recipient undertakes to ensure that:
- it processes personal or sensitive personal data only for medical purposes, and only for purposes described in the data sharing agreement with NWLCSU, which it assures are also consistent with the purposes recorded in the Data Recipient’s data protection registration with the Information Commissioner’s Office;
- it processes the minimum data necessary (e.g. using age range rather than age if sufficient);
- it reports any data quality issues;
- it deploys secure processes, procedures, practice and technology for storage and access, commensurate with the personal or sensitive personal data being processed;
- it ensures no individual other than those to be named in the Contract will access the data, and that all computer terminals and other means of access are maintained securely in secure premises;
- it ensures the rights of individuals are met, such as satisfying subject access requests received, ensuring data accuracy and correcting errors, and handling objections and complaints;
- it destroys the Data once it is no longer required for the purpose for which it was collected;
- it ensures all employees with access to the Data provide a written undertaking that they understand and will act in accordance with their responsibilities under the Data Protection Act, will not share passwords, and will protect the confidentiality of the data they access;
- it reports immediately to NWLCSU any security incidents relating to use of the supplied Data under this Agreement, and any instances of breach of any of the terms of this Contract. Serious IG incidents will also need to be reported via the IG Toolkit online reporting tool;
- it complies with any specific legislation in relation to the Data provided under this Agreement, e.g. the Statistics and Registration Services Act 2007;
- it signs this Agreement prior to the release of any Data.
3.3 The Parties recognise that the initial legal responsibility for personal identifiable information resides with the organisation that first created or received it. But if personal information is shared, the responsibility extends to the recipient in the receiving organisation regardless of how transitory that storage of the personal information by the receiving organisation might be.
3.4 All personal information about service users is regarded as being subject to an obligation of confidence and therefore no personal information should be transferred between parties (whether within or outside the NHS) unless there is a valid justification and either:
3.4.1 the service user has consented; or
3.4.2 such disclosure is required or permitted by law.
3.5 Where information is to be shared within the NHS, explicit consent from the service user is not required as long as it is reasonable to assume that the service user understands and is in agreement with the purposes for which their data may be transferred.
3.6 Explicit consent must be sought and obtained from service users before information is transferred or viewed by NHS bodies outside the boundaries of the NHS or its contractors unless there are grounds to dispense with consent as described in 3.5 above.
3.7 Where information is to be shared between non-NHS bodies or between non-NHS bodies and NHS bodies, explicit consent must be sought and obtained unless there are grounds to dispense with consent as described in 3.5 above.
3.8 Where information is to be shared between agencies who are not part of the NHS or contracted to provide services on behalf of an NHS Agency, this ISP will be supplemented by Subject Specific Information Sharing Agreements (“SSISAs”) addressing particular personal information sharing purposes. SSISAs will set out the detailed arrangements relevant to particular personal information sharing purposes.
3.9 All public bodies are bound by current relevant legislation and guidance affecting the sharing and disclosure of personal information. This ISP is in compliance with the Information Governance Assurance Programme and NHS Care Record Guarantee.
3.10 This ISP includes provisions dealing with procedures to manage any breach of the ISP.
3.11 The appendices include forms for disclosure across different organisations and details of the NHS Care Records Guarantee.
3.12 The governance of this ISP is carried out by the NWLCSU.
4. DEFINITIONS
The following terms shall have the meanings set out below.
“Personal information”: any personally identifiable information in any form, including “personal data” as defined in the DPA 1998.
“Personnel”: the Parties’ employees, officers, elected members, directors, voluntary staff, consultants and other contractors and their sub-contractors (whether or not the arrangements with such contractors and sub-contractors are subject to legally binding contracts) and such contractors’ and their sub-contractors’ Personnel.
“Sensitive personal data”: as defined in the Data Protection Act 1998.
“Service users”: the individuals who are recipients of the Parties’ health and care services.
“Information Governance”: means the framework bringing together all the legal rules, guidance and best practice that apply to the handling of NHS information, including those set out in:
- the Data Protection Act 1998
- the common law duty of confidentiality
- the Confidentiality NHS Code of Practice
- the NHS Care Record Guarantee for England
- the Social Care Record Guarantee for England
- the International Information Security Standard: ISO/IEC 27002: 2005
- the Information Security NHS Code of Practice
- the Records Management NHS Code of Practice
- the Freedom of Information Act 2000.
“NHS Information Governance Toolkit”: means a performance tool produced by the Department of Health (DH). It draws together the legal rules and central guidance set out above and presents them in one place as a set of information governance requirements. Organisations processing NHS information are required to carry out self-assessments of their compliance against the IG requirements.
4.1 This ISP is in compliance with the Information Governance Assurance Programme and NHS Care Record Guarantee.
4.2 This ISP includes provisions dealing with procedures to manage any breach of the ISP.
4.3 In this Agreement (except where the context requires otherwise):
4.3.1 a reference to a “Party” is to a Party to this Agreement and includes that Party’s personal representatives, successors or permitted assignees.
4.4 In consideration of the Parties’ rights and obligations set out in this Agreement, the Parties shall perform their respective obligations as set out herein.
5. PERSONNEL PROVISIONS
Data Recipient Warranties re Data Recipient Personnel
5.1 The Data Recipient warrants, represents and undertakes that:
5.1.1 all Data Recipient Personnel shall comply with the current and evolving NHS codes of practice and standards that relate to information governance when Processing information supplied under this Agreement;
5.1.2 all Data Recipient Personnel shall be suitably qualified, skilled, honest, experienced and trained in the work which they are to perform and shall, at all times, Process Information supplied under this Agreement in a workmanlike and professional manner;
5.1.3 it shall ensure that all Data Recipient Personnel have access to appropriate training and development activities to enable them to comply with the procedures laid down in this Protocol, including for example but not limited to the correct processes and procedures for obtaining consents from individuals and the circumstances when consent is not required;
5.1.4 it shall take responsibility for any breach by them of this Protocol or relevant legislation which causes loss or damage to any person, including another Party, and co-operate with any other Party in resolving the problem, including where necessary by the provision of information, notification to other Parties and taking responsibility for remedial actions including compensation or rectification of data.
Obligations in respect of Data Recipient Personnel
5.2 The Data Recipient shall ensure that all Data Recipient Personnel:
5.2.1 are informed of the confidential nature of the Information supplied under this ISP;
5.2.2 have undertaken training regarding NHS information governance requirements relating to handling Personal Data, as amended annually, and shall provide evidence of this training upon request;
5.2.3 are aware both of the Data Recipient’s duties and their personal duties and obligations under the Data Protection Laws and this Agreement; and
5.2.4 the Data Recipient shall take reasonable steps to ensure the reliability of any of the Data Recipient Personnel who have access to Information supplied under this ISP.
Obligations in respect of Disclosures to Data Recipient Personnel
5.3 The Data Recipient shall restrict the disclosure of the Information supplied under this ISP to those of the Data Recipient Personnel who may be required by it to assist it in meeting its obligations under this Agreement, and no other Data Recipient Personnel shall have access to the Information.
5.4 Prior to allowing the Data Recipient Personnel access to any Personal Data, the Data Recipient shall:
5.4.1 undertake all reasonable background checks to verify the identity, honesty, trustworthiness and general suitability of all Data Recipient Personnel who will have or are reasonably likely to have access to the Information supplied under this ISP;
5.4.2 ensure that the employment contracts of the relevant Data Recipient Personnel include appropriate Information Governance related clauses, which shall include details of sanctions to be imposed in the event of a breach of confidentiality or of any Data Protection Laws that causes loss of or damage to information supplied under this ISP.
5.5 The Data Recipient shall, as soon as practically possible and in any event not later than two (2) Working Days, inform the NWLCSU when access rights are no longer required for a specific member of the Data Recipient Personnel.
6. DATA PROTECTION OBLIGATIONS
6.1 For the purposes of this Agreement, the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Sensitive Personal Data” and “Processing” shall have the meaning given to those terms in the Data Protection Act 1998.
6.2 The Data Recipient shall indemnify on demand and keep indemnified NWLCSU against any and all losses which the NWLCSU may suffer or incur (directly or indirectly) in relation to the Data Recipient failing to comply with its obligations under this ISP.
Accountability Expectations
6.3 In assuring that the Processing is compliant with Data Protection Laws, the Data Recipient will:
6.3.1 conduct an appropriate form of privacy impact assessment, where relevant;
6.3.2 put in place measures to ensure that privacy is designed into the processes and controls of new and changing information systems and processes;
6.3.3 put in place measures to ensure that data minimisation principles enshrined in the Data Protection Laws are complied with;
6.3.4 only Process Personal Data for as long as is necessary in connection with the Purposes;
6.3.5 put in place appropriate and effective measures to ensure that the principles enshrined in the Data Protection Laws, including accountability, transparency and security measures, are complied with; and
6.3.6 implement and maintain a process to enable data subjects to make complaints and/or challenge the Processing being carried out by the Data Recipient.
7. PURPOSE
7.1 The Parties recognise that many multi-agency services cannot be effectively delivered without the exchange of personal information and so agree to exchange, in a manner which is compliant with their legal responsibilities, personal information about individual service users, levels of activity relating to the service users and the level and nature of resources deployed in support of the service users. Personal information may be shared under this Protocol for the purposes of:
7.1.1 improving the health of service users;
7.1.2 protecting people and communities;
7.1.3 supporting people in need; and
7.2 Personal information may not be shared under this Protocol for the primary purposes of financial audit and research unless the conditions under clause 7.3 are complied with.
7.3 Personal information which has been anonymised by the disclosing Party may be shared under this Protocol for the purposes of:
7.3.1 managing and planning services;
7.3.2 commissioning and contracting services;
7.3.3 developing inter-organisational strategies;