The Surrey Provision of Care Information Sharing Agreement

Executive Summary

The Surrey Provision of Care Information Sharing Agreement is a framework designed to support information sharing initiatives within Surrey where the primary aim is to support Direct Care. Its objective is to provide a single set of agreed standards and template documents approved by all care providers in Surrey to support the timely development of robust Information Sharing Agreements between organisations.

The Framework consists of the following parts:

The Terms

This section sets out the main terms and conditions of the Surrey Provision of Care Information Sharing Agreement. Organisations wishing to share Personal Confidential Information for the purposes of direct care must agree to abide by these terms if they wish to utilise the Surrey Provision of Care Information Sharing Agreement Framework.

Schedule A – Project Specific Sharing Specification

The Project Specific Sharing Specification is a template document designed to capture all relevant details about each specific project which intends to rely on the Surrey Provision of Care Information Sharing Agreement. Under the Framework this template must be completed for each information sharing initiative to provide assurance that the project will comply fully with the terms of the Surrey Provision of Care Information Sharing Agreement.

Schedule B – Initial Privacy Impact Assessment (PIA)

Under the Framework an Initial PIA must be completed for every project to ensure privacy risks associated with each project have been suitably identified. Schedule B provides a template which complies with the Information Commissioner’s Office (ICO)’s Code of Practice on Conducting Privacy Impact Assessments which can be used where all affected parties agree and/or where no alternative template exists.

Schedule C – Full Scale Privacy Impact Assessment (PIA)

Under the Framework a Full Scale PIA must be completed wherever an Initial PIA identifies significant or numerous privacy risks or a requirement for wider consultation. Schedule C provides a template which complies with the Information Commissioner’s Office (ICO)’s Code of Practice on Conducting Privacy Impact Assessments which can be used where all affected parties agree and/or where no alternative template exists.

Appendices

The Appendices to the Surrey Provision of Care Information Sharing Agreement provide additional detail to assist in the interpretation of the document.

Introduction

Nationally, organisations involved in the commissioning and provision of health and social care services are identifying substantial requirements to share and use Personal Confidential Data (PCD) in order to:

  • Plan and organise appropriate care/services for people
  • Deliver planned improvements in care delivery and financial efficiency
  • Protect vulnerable people from harm

The information needed to support these aims will vary depending on local requirements and the particular initiatives being pursued. It may range from basic identification and contact details to more sensitive information such as the involvement of social services, housing officials or the police with a family in crisis, through to highly confidential information contained within health and social care records.

The increasing need for organisations to appropriately share information is emphasised in:

  1. The addition of a seventh Caldicott Principle in 2013; “The duty to share information can be as important as the duty to protect patient confidentiality”[1]
  2. The introduction of the Health and Social Care (Safety and Quality) Act 2015; which sets out a legal duty requiring health and adult social care bodies to share information with each other for the direct care of individuals.

Locally within Surrey it has been recognised that historically, opportunities to improve care have been delayed or lost due to the challenges associated with an ever increasing demand to design and agree information sharing agreements on a project-by-project basis. In 2015, public service leaders across Surrey signed up to a commitment to share (for the latest version of Surrey Commitment Statement, go to:

This Information Sharing Agreement (ISA) underpins the national drive and the local requirement to share information where it is lawful and appropriate to do so. It provides a framework to support the timely development of robust ISAs between organisations where the primary aim is to support Direct Care.

Purpose of the Agreement

There is no requirement to have ISAs between organisations when the purpose is for Direct Care. There is however a need to show due diligence both legally and in relation to confidentiality and for organisations to maintain visibility and control over the PCD they are sharing and using.

The purpose of this agreement is to:

  1. Provide a clear framework to enable the lawful, secure and appropriate sharing of PCD to improve the delivery of care;
  2. Accelerate the pace with which county-wide and local sharing requirements can be agreed;
  3. Simplify and reduce the costs of developing and agreeing individual sharing requirements; and
  4. Ensure the legal responsibilities across health and social care, stipulated by the Care Act 2014 and the Health and Social Care (Safety and Quality) Act 2015, are integrated into sharing practice.

Scope and Applicability

The list of parties to The Agreement is maintained by Surrey County Council Adult Social Care Information Governance Team (SCC ASC IG Team) on behalf of all Signatories and can be found at:

Sharing agreements negotiated prior to the commencement of The Agreement are excluded from the scope of The Agreement and are not terminated or otherwise varied by the implementation of The Agreement.

The Terms

The Surrey Provision of Care Information Sharing Agreement (The Agreement) sets out standard terms and conditions under which the Sharing Organisation(s) will make PCD available to support the provision of health and social care services by the User Organisation(s).

Responsibilities

Each User Organisation acknowledges and accepts its responsibility to:

  • Maintain confidentiality in respect of the use of PCD;
  • Use PCD solely for the purpose of providing Direct Care to Individuals (unless those Secondary Purposes are explicitly catered for within a Project Specific Sharing Specification which has been subject to a Full Scale Privacy Impact Assessment (PIA) and has received approval by the Designated Officer(s) of the Sharing Organisation(s));
  • Use PCD in accordance with The Agreement.

The Sharing Organisation(s) acknowledges that sharing is in the interest of Individuals and accepts its duty to process the PCD in accordance with relevant legislation and guidance as detailed in The Agreement, its schedules and appendices.

The parties to The Agreement acknowledge that:

  • The Agreement is consistent with the Caldicott Principles and the requirements of the Data Protection Act 1998 (The Act) as amended.
  • The Act provides the legal framework for the sharing of PCD.
  • All PCD shared under The Agreement will adhere to the Data Protection Principles as required by The Act as follows:
    1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
      (a) at least one of the conditions in Schedule 2 is met, and
      (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
      • All information sharing initiatives resulting in the sharing of PCD under The Agreement will be accompanied by Fair Processing or Privacy Notices which comply with the Information Commissioner’s Office Privacy notices code of practice[2]. As a minimum these must be readily available to the Individuals whose PCD will be shared and will ensure those Individuals are informed of:
        • the identity of all organisations/parties involved in the information sharing;
        • the purpose or purposes for which the organisations/parties intend to Process the information; and
        • any extra information necessary in the circumstances to enable PCD to be processed fairly.
      • The sharing of PCD will only occur where this is likely to facilitate the provision of health or social care services to the Individual and is in the Individual’s best interests.
      • Information that concerns, or is connected with, the provision of health services or adult social care by an anonymous access provider will not be shared under The Agreement without the Explicit Consent of Individuals as specified within Schedule 2 (1) and Schedule 3 (1) of The Act.
      • For all other sharing of PCD under The Agreement, wherever possible the Explicit Consent of Individuals as specified within Schedule 2 (1) and Schedule 3 (1) of The Act will be sought prior to PCD being shared under The Agreement.
      • Where Explicit Consent cannot be sought:
        • Schedule 2 (3) of The Act will be relied upon to ensure organisations comply with the Duty to Share within the Health and Social Care (Safety and Quality) Act 2015; and
        • Individuals will be provided with the opportunity to object to the sharing and any objections will be fully considered and respected unless capacity and competence are in question in which case The Mental Capacity Act 2005 Code of Practice will be followed to assess whether a best interests decision should instead be made; and
        • Schedule 3 (8) (1) of The Act will be relied upon by ensuring the Processing is necessary for Medical Purposes and is only undertaken by a Health Professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a Health Professional.
      • The specific details of how PCD will be processed fairly and lawfully will be detailed within the Project Specific Sharing Specification.
    2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
      • Sharing of PCD under The Agreement will only occur for the purpose of the Provision of Care.
      • The specific purposes for which PCD will be processed will be detailed within the Project Specific Sharing Specification.
    3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
      • The minimum necessary PCD required to fulfil the purpose of the Provision of Care will be shared under The Agreement.
      • The specific categories of PCD to be shared will be detailed within the Project Specific Sharing Specification.
    4. Personal data shall be accurate and, where necessary, kept up to date.
      • All parties will take appropriate steps to ensure all PCD shared under The Agreement is accurate and kept up to date.
      • The specific processes which will be implemented to ensure PCD is kept accurate and up to date will be detailed within the Project Specific Sharing Specification.
    5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
      • PCD shared under The Agreement will only be retained for the minimum period of time necessary to fulfil the purpose of the Provision of Care.
      • The retention period for PCD shared will be detailed within the Project Specific Sharing Specification.
    6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
      • All sharing of PCD under The Agreement will occur in accordance with the Rights of Individuals. As a minimum each information sharing initiative must uphold the Rights of Individuals whose PCD is shared to:
        • access a copy of the information;
        • object to Processing that is likely to cause or is causing damage or distress at any time;
        • prevent Processing for direct marketing;
        • object to decisions being taken by automated means;
        • in certain circumstances have inaccurate personal data rectified, blocked, erased or destroyed; and
        • claim compensation for damages caused by a breach of The Act.
      • The specific details of how PCD will be processed in accordance with the Rights of Individuals will be detailed within the Project Specific Sharing Specification.
    7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
      • Sharing of PCD under The Agreement will only occur where appropriate technical and organisational measures are in place that take account of the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction.
      • An assessment of the risks will be completed for each sharing initiative in the form of a PIA which as a minimum will consider:
        • Management and organisational measures;
        • Staff vetting and training;
        • Physical security;
        • Technical security;
        • Business continuity and disaster recovery;
        • Incident management.
      • The specific details of how PCD will be kept suitably secure will be detailed within the Project Specific Sharing Specification.
    8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
      • PCD shared under The Agreement will not be transferred outside of the EEA unless the proposed transfer of personal data outside the EEA has been assessed in line with the Information Commissioner’s Office Assessing Adequacy International data transfers[3] and a finding of adequacy has been made and approved by the Designated Officer via a Full Scale PIA.

Each information sharing initiative will be accompanied by a Project Specific Sharing Specification which will detail:

  • How the initiative will comply with the requirements of The Agreement and the Data Protection Principles (as detailed above);
  • The Sharing Organisation(s) making the PCD available for sharing;
  • The User Organisation(s);
  • The categories of data made available as part of the sharing initiative;
  • The dates between which the sharing initiative is in effect.

Each sharing initiative is accompanied by an assessment of the risks posed by the sharing (and where applicable any technical solution(s) that support the sharing) through the completion of a PIA.

Only those sharing requirements approved by the Designated Officer(s) of the Sharing Organisation(s) are included within the scope of The Agreement.

The parties to The Agreement commit to:

  • Implement and adhere to The Agreement;
  • Ensure that the necessary protocols and procedures are established within the User Organisation(s) and the Sharing Organisation(s) to mitigate the risks of all sharing requirements in which the organisations are involved;
  • Ensure compliance with the agreement by establishing systems, raising awareness, informing Individuals, issuing guidance, providing training to staff and monitoring the use of shared PCD;
  • Ensure that the Designated Officer is widely known within the organisation;
  • Ensure that no restrictions are placed on the sharing of PCD other than those specified in The Agreement and in continuing agreements in effect at the commencement of The Agreement.

Caldicott Guardians and Designated Officers

All providers of health and social care services must have a Caldicott Guardian who for the purposes of information sharing is the Designated Officer. Other organisations must nominate a Designated Officer.

All Project Specific Sharing Specifications developed under The Agreement must be approved by the Designated Officer of the Sharing Organisation(s).

Trusted Organisations

A strong Information Governance (IG) management framework is critical for organisations to demonstrate that PCD is being Processed, used and shared lawfully.

Sharing Organisations have responsibility for obtaining assurance that User Organisation(s) have adequate IG controls in place and where appropriate obtain independent assurance of this.

For those authorities providing and/or commissioning health and social care services, this assurance standard is level 2 compliance with the HSCIC IG Toolkit. When sharing PCD for the purpose of the Provision of Care under The Agreement, organisations will be regarded as Trusted Organisations where they:

  1. Are achieving an HSCIC IG Toolkit attainment level 2 or higher; or
  2. Have submitted an agreed action plan which demonstrates the organisation is working towards HSCIC IG Toolkit attainment level 2 or higher.

Trusted Organisations are deemed to meet the necessary level of assurance for the sharing of PCD under The Agreement.

Should a User Organisation cease to comply with Level 2 of the HSCIC IG Toolkit then within 6 months of the date of non-compliance the User Organisation must:

  • Implement the corrective measures necessary to satisfy the HSCIC IG Toolkit requirement(s) to level 2 or above; or
  • Cease to make use of the PCD shared under The Agreement.

Organisations wishing to share or access PCD under The Agreement which do not have a contractual obligation to complete the HSCIC IG Toolkit (e.g. District and Borough Councils, the Police and organisations in the voluntary sector), will be required to:

  1. Complete the HSCIC IG Toolkit to a minimum of level 2 compliance; or
  2. Provide a Statement of Assurance which includes details of other compliance standards being adhered to (e.g. an externally audited PSN and ISO27001 returns). The Project Lead/Sharing Organisation will be required to audit and risk assess the controls in place as part of the PIA and the outcomes of these assessments must be detailed within the Project Specific Sharing Specification and approved by the Sharing Organisation(s) Designated Officer.

By signing The Agreement, each signatory undertakes to implement and adhere to the principles, standards and governance set out in The Agreement and any specific requirements set out within Project Specific Sharing Specifications developed under The Agreement to which they are party. This provides all Signatories to The Agreement with the appropriate assurances that PCD will only be used in full compliance with the law and Rights of Individuals.

The Agreement will be reviewed by the Surrey Information Governance Group (SIGG) on behalf of Signatories quarterly in the first year of implementation and annually thereafter. New Signatories and Project Specific Sharing Specifications will be a standing agenda item at the quarterly SIGG meetings for continued efficiency and compliance.

Sharing for Non-Care Purposes

The Agreement does not apply to the sharing of PCD for Non-Care Purposes.

The sharing of PCD for Non-Care Purposes is subject to additional requirements including (but not limited to):

  • The recording of informed consent given by the individual; or
  • Evidence that the sharing is lawful under section 251 of the NHS Act 2006.

Where PCD is to be used for Secondary Purposes this must be explicitly catered for within a Project Specific Sharing Specification which has been subject to a Full Scale PIA and has received approval by the Designated Officer(s) of the Sharing Organisation(s).