Contents

Between

(1) General Optical Council
10 Old Bailey, London EC4M 7NG

(2) The NHS Counter Fraud Authority
4th Floor Skipton House, 80 London Road, London SE1 6LH

(3) NHS Counter Fraud Services (NHS Wales)
First Floor Block B, Mamhilad House, Mamhilad Park Estate, Pontypool, NP4 0YP

being collectively 'the Parties'.

NHS Counter Fraud Authority provides NHS anti-fraud services to the Welsh Assembly Government (under section 83 of the Government of Wales Act 2006). For simplicity, the term 'NHS Counter Fraud Authority' is used throughout this document to represent counter fraud services in England (under NHS Counter Fraud Authority) and Wales (under Counter Fraud Services Wales). The signatory for NHS Counter Fraud Authority represents both NHS Counter Fraud Authority (England) and NHS Counter Fraud Services (Wales).

Purpose of agreement

The overarching aim of this Agreement is to define how information or data may be shared between the Parties and the methods used by the Parties for the secure and confidential transfer of that information or data.

The purpose of this Agreement is to:

  • set out the operational arrangements for the exchange of information or data between the Parties; and
  • set out the principles and commitments the Parties will adopt when they collect, store amend, disclose, retain or dispose of information or data.

The term 'information' or 'data' is used in this Agreement to refer to any and all information or data used for NHS business purposes, including commercial, business, personal and sensitive information or data. The medium in which information or data is processed, may be in the form of hard-copy or electronic data, records or documents.

Description of the General Optical Council

The General Optical Council is the regulator for the optical professions in the UK. Its purpose is to protect the public by promoting high standards of education, performance and conduct amongst opticians.

The General Optical Council has four core regulatory functions deriving from the Opticians Act 1989:

  • Setting standards for optical education and training, performance and conduct.
  • Approving qualifications leading to registration.
  • Maintaining a register of individuals who are qualified and fit to practise, train or carry on business as optometrists and dispensing opticians.
  • Investigating and acting where registrants' fitness to practise, train or carry on business is impaired.

The overarching objective of the General Optical Council is the protection of the public.

The General Optical Council has statutory powers to take action where there are concerns about the fitness to practise of its registrants. This includes those registrants whose fitness to practise is affected by their health.

Description of the NHS Counter Fraud Authority

The NHS Counter Fraud Authority is an independent Special Health Authority established in November 2017. The NHS Counter Fraud Authority has duties and enforcement powers under the NHS Act 2006, the Health and Social Care Act 2012 and the NHS Counter Fraud Authority (Establishment, Constitution and Staff and Other Transfer Provisions) Order 2017. The NHS Counter Fraud Authority leads on work to identify and tackle fraud across the NHS. Its purpose is to safeguard NHS resources so that the NHS is better equipped to care for the nation's health, providing support, guidance and direction to the NHS. This work enables effective prevention, detection and enforcement action to take place against those committing fraud. The NHS Counter Fraud Authority also collects, collates and analyses information that holds intelligence value, which in turn broadens the understanding of fraud risks in the NHS.

NHS England follows NHS Counter Fraud Authority strategy when undertaking its own work to tackle fraud.

Officers working for NHS England must report any suspicions of economic crime to the NHS Counter Fraud Authority as soon as they become aware of them to ensure they are investigated properly and maximise the chances of financial recovery.

The majority of allegations of economic crime will be investigated by Local Counter Fraud Specialists appointed to provide counter fraud services on behalf of NHS England.

The NHS Counter Fraud Authority will work co-operatively with NHS England Local Counter Fraud Specialists to ensure work is conducted to prevent, deter and detect fraud within and against NHS England.

The NHS Counter Fraud Authority will investigate cases of fraud that cannot be dealt with by NHS England, including cases of bribery and corruption.

Intelligence

The Parties acknowledge that intelligence can be received by way of complaints, professional whistleblowing, concerns raised by members of the public, referrals from other public bodies (including overseas regulators or investigatory bodies), or by information received from other sources (e.g. from press monitoring or during the course of routine inspections to registered ophthalmic premises).

If either Party receives intelligence which:

  • indicates a significant risk to the health and wellbeing of the public, particularly in relation to the fitness of a GOC registrant to practise;
  • indicates a significant risk of fraudulent activity against the NHS; and/or
  • requires a coordinated multi-agency response;

the information will be shared in confidence with the contact specified below, within the other Party at the earliest possible opportunity.

The NHS Counter Fraud Authority has a duty, under the National Health Service (Performers Lists) Regulations 2013, to respond to enquiries from persons, bodies or agencies considering applications from individuals or body corporates for inclusion on an ophthalmic performers list, whether the individuals or directors of the body corporates have any record of, or are under investigation for, fraud. To facilitate these checks, it is important that intelligence held by the General Optical Council relating to fraud offences by its registrants is shared with the NHS Counter Fraud Authority on a timely basis. The regulations can be viewed at: http://www.legislation.gov.uk/uksi/2013/335/pdfs/uksi_20130335_en.pdf

The NHS Counter Fraud Authority has a responsibility to protect NHS staff, patients and resources from fraud, bribery and, corruption, by way of effective prevention, detection and enforcement action against those committing fraud. To facilitate this work, it is important that intelligence held by the General Optical Council relating to registrants' fitness to practise is shared with the NHS Counter Fraud Authority in a timely manner.

The General Optical Council is responsible for regulating the ophthalmic profession, which includes taking action when allegations are received which question the fitness to practise of its registrants. This can include allegations relating to fraudulent activity. To facilitate this work, it is important that intelligence held by the NHS Counter Fraud Authority relating to investigations into opticians or ophthalmic care professionals is shared with the General Optical Council in a timely manner.

Investigation

Where the General Optical Council becomes aware of allegations relating to fraud, corruption or bribery against a registrant working in or for the NHS in England or Wales (or indeed, where there are misdirected allegations against other NHS staff) the matter must be reported to the NHS Counter Fraud Authority as soon as possible in order to ensure it is investigated appropriately and to maximise the chances of financial recovery.

Reports to the NHS Counter Fraud Authority can be made via the freephone NHS Fraud and Corruption Reporting hotline on 0800 028 4060 or by completing an online form at www.reportnhsfraud.nhs.uk. The latter method is encouraged as this will enable the General Optical Council, as a healthcare regulatory body, to create an online account for reporting allegations of fraud, or corruption in the NHS. By having an account, the General Optical Council will be able to report matters quickly and more efficiently as and when they arise, and will be able to monitor progress of reports made.

In cases where there are other allegations of dishonesty or criminality, the General Optical Council will disclose relevant information and documentation to the NHS Counter Fraud Authority where such allegations are relevant to the NHS Counter Fraud Authority's core functions. However, whether such disclosure takes place will depend on the circumstances of the case and the seriousness of the allegations.

In cases where the General Optical Council is in doubt as to whether a case should be disclosed to the NHS Counter Fraud Authority, they will make contact with the point of contact specified below in order to discuss the matter. Any discussions at this stage will be anonymised. The General Optical Council will be able to rely on the fact that if the specified NHS Counter Fraud Authority contact indicates that they wish to receive full disclosure, this will be on the basis that it is essential for the NHS Counter Fraud Authority's core purpose or is in the public interest.

Where the NHS Counter Fraud Authority is aware that during or following an investigation, evidence exists that an optician or ophthalmic care professional has been involved in fraud, corruption or bribery, the General Optical Council will be informed of such matters. The General Optical Council will consider whether any further investigation needs to be carried out and/or whether the registrant(s) should become subject to its fitness to practise process.

In cases where the NHS Counter Fraud Authority is in doubt as to whether a case should be disclosed to the General Optical Council, they will make contact with the point of contact specified below in order to discuss the matter. Any discussions at this stage will be anonymised. The NHS Counter Fraud Authority will be able to rely on the fact that if the specified General Optical Council contact indicates that they wish to receive full disclosure, this will be on the basis that that is essential for the General Optical Council's overarching objective to protect the public, or is in the public interest.

Where a case has resulted in a criminal prosecution, the NHS Counter Fraud Authority will share details of the case with the General Optical Council. That information will already be in the public domain and consent to disclose that information will not be required.

In cases where an investigation has concluded that there was no criminal activity, but indicates there may be concerns about the activities of a General Optical Council registrant the information will be passed to the General Optical Council to enable the General Optical Council to decide on the seriousness of the allegations and whether the registrant(s) should become subject to its fitness to practise process. The General Optical Council will share that information with the registrant and their representatives and other third parties involved in the case (where appropriate) and through the provision of that information to the General Optical Council, the NHS Counter Fraud Authority is consenting to the disclosure of that information.

When information is disclosed to the General Optical Council there will be a discussion in advance about the timing of any action that the General Optical Council may consider appropriate, including disclosure of the case to the employer and individual involved. The General Optical Council will consider any request to delay action which may compromise any current NHS Counter Fraud Authority investigation. However, the NHS Counter Fraud Authority recognises that action may need to be taken by the General Optical Council where it is in the public interest to do so.

In cases where the NHS Counter Fraud Authority becomes aware of allegations or evidence that an individual may be posing as a registered (or licensed) or competent registrant, either through a stolen identity, fraudulently acquired registration or through falsified qualifications, the NHS Counter Fraud Authority will immediately contact the General Optical Council via the point of contact specified below. The NHS Counter Fraud Authority will provide all available information that might suggest that an individual is falsely posing as qualified, competent or as a General Optical Council registrant. In these cases, the primary concern for the Parties will be patient safety. The General Optical Council will take whatever action is appropriate in the interests of protecting patients.

There may be occasions when the Parties need to undertake concurrent investigations. When this occurs the Parties will take steps to ensure that they do not undermine the progress and/or success of each other's investigation. This may include allowing criminal investigations to take place as a priority. There may, however, be occasions when the General Optical Council will need to act swiftly to take steps to protect public safety and would do so with due regard for other known ongoing investigations.

Where either Party intends to undertake an investigation the contact in the other Party specified below should be alerted, in confidence, at the earliest possible opportunity.

Outcomes arising from any relevant investigations actioned by either Party will be shared with the contact specified below at the earliest possible opportunity.

Where joint or parallel investigations are required, preliminary discussions should resolve any potential areas of conflict or overlap, arising from each Party's respective powers.

Enforcement

Where the NHS Counter Fraud Authority has taken or intends to take enforcement action or the General Optical Council intends to take action, the outcome of which is relevant to the other Party, details will be shared at the earliest possible opportunity with the contact specified below.

Communication

Areas of communication between the Parties include, but are not limited to:

  • sharing of expertise and experience
    Regular meetings between Managers within the Fitness to Practise and Registration departments of the General Optical Council and counterparts within the NHS Counter Fraud Authority to facilitate the development of effective investigative methodologies. These meetings may involve discussion about particular cases (anonymised if appropriate) and the Parties may be able to share information about approaches to investigations which have been successful in particular circumstances or about useful contacts within other organisations.
  • discussions about strategy/policy
    Regular meetings between the Parties will provide an opportunity to discuss strategic/policy developments which may impact on each other's work. Whilst it is not possible to predict all future developments which may be of mutual interest, it is clear that when either Party is reviewing disclosure policies, for example, discussion will be valuable.
  • discussions about individual registrants
    Whilst the Parties have very distinct roles, it is clear that there is an overlap where there are allegations that a registrant working in or for the NHS has acted dishonestly or fraudulently and one or each of the Parties are investigating the individuals in question. Where this kind of issue arises, it is essential that knowledge and information is shared at an early stage between the Parties in order to allow each to carry out their core functions.
  • sharing experiences of investigations or trends
    From the many cases that the Parties handle, common themes frequently arise. Working collaboratively and sharing this information will enable trends and weaknesses to be quickly identified. Opportunities to deal with the cause of the problems can be discussed and wherever possible fed into policy discussions to work towards changes in practice to prevent further opportunities for fraud, corruption, theft and other dishonesty.
  • sharing views and information about how improved performance might be encouraged
    By sharing this information, appropriate strategies for disseminating information on best practice can be identified and implemented.
  • publicising joint working commitments
    Making known, at every available opportunity through all viable mediums, the Parties' commitment to working together and sharing information about potential media interest, or when the media have actively shown an interest, on an issue of relevance to both organisations. Thereby, supporting an anti-fraud culture within the ophthalmic industry and the wider health service, including where possible promotion of the NHS Fraud and Corruption Reporting Line.

The working relationship between the Parties will be characterised by regular ongoing contact and the open exchange of information and intelligence, through both formal and informal meetings at all levels, including senior levels

Disclosures from either party to the other will be regularly monitored to ensure that arrangements are working effectively.

Types of information

The General Data Protection Regulation (GDPR) 2016 essentially defines the following classes of information relevant to this agreement, 'Personal Data', 'Special Categories of Personal Data and Data Relating to Criminal Convictions and Offences'.

The Caldicott Information Governance Review 2013, commissioned by the Department of Health & Social Care introduced the term 'personal confidential data' across the healthcare system to widen the interpretation of 'personal data' and 'ensitive data' for patient identifiable information.

Personal Data

Personal data are defined as '…any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.

The obtaining, handling, use and disclosure of personal data is principally governed by the GDPR 2016, the Data Protection Act (DPA) 2018, Article 8 of the Human Rights Act 1998, and the common law duty of confidentiality.

The law imposes obligations and restrictions on the way personal data is processed and the individual who is the subject of the data (the 'data subject') has the right to know who holds their data and how such data are or will be processed, including how such data are to be shared.

Special Categories of Personal Data (Sensitive Data)

Certain types of data are referred to as 'sensitive personal data'. These are data which relate to the data subject's:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs, or other beliefs of a similar nature
  • Trade union membership
  • Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health
  • Sexual life

Additional and more stringent obligations and restrictions apply whenever sensitive personal data is processed.

Data Relating to Criminal Convictions and Offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6 (1) of the GDPR, is carried out under Part 3 of the Data Protection Act (DPA) 2018

Whilst the GDPR 2016 has defined these classes of information, some information within these classifications will have different levels of responsibility and risk associated with them.

Patient Indentifiable Information

In 2013 the Department of Health published the Caldicott Information Governance Review, which was an independent review of how information about patients is shared across the health and care system. The review introduced the term 'personal confidential data' to describe 'personal' and 'sensitive' information about identified or identifiable individuals, which should be kept private or secret The purpose of the review was to ensure that patient identifiable information is only shared for justified purposes and that only the minimum necessary information is transferred in each case.The Caldicott Information Governance Review can be found at:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf

In keeping with the recommendations, the NHS Counter Fraud Authority have nominated a senior person (refer Appendix 1) to act as a guardian responsible for safeguarding the confidentiality of patient information.

Data control

Under the GDPR 2016, any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data is called a 'data controller'. All data controllers are required to comply with the GDPR 2016 whenever they process personal data. At all times, when providing data to partners, the partner responsible for delivering a service, will be considered the 'data controller'. The recipient partner becomes the joint data controller for the shared information.

If a partner wishes to disclose shared information to a third party, the partner should seek written consent from the partner that provided the information, If a partner makes a further disclosure to a third party they must ensure that the sharing of data is not processed in a manner incompatible with the purpose/s it was obtained for.

Sharing framework

The Parties agree and acknowledge that they each collect and store information. Where the Parties decide to share information with each other, it will share that information according to the Information Sharing Protocol described below and with due regard to the counter fraud requirements in the NHS Standard Contract, which can be found at https://www.england.nhs.uk/wp-content/uploads/2016/11/2-service-conditions-fl.pdf

The Parties agree to share information with each other in order to assist with anti-fraud work (for example to identify fraudulent or suspicious invoices for NHS payment, to establish fraud trends in the procurement process, to identify individuals or companies suspected of fraud and to prevent fraudulent or similarly inappropriate payments from being made).

When the giving Party discloses information to the receiving Party, that information shall be disclosed for the purposes of the prevention, detection, investigation and prosecution of fraud or any other unlawful activity affecting the NHS, as set out in The NHS Counter Fraud Authority (Establishment, Constitution and Staff and Other Transfer Provisions) Order 2017 which can be found at http://www.legislation.gov.uk/uksi/2017/958/part/3/made

Where the giving Party shares information with the receiving Party, it may share the information in any manner it considers appropriate, although the receiving Party may from time to time make recommendations to the giving Party as to the most practicable means by which information may be shared.

If the Parties wish to share information electronically, it will be in a mutually compatible IT format and shared in a secure method.

In relation to the sharing of information, each of the Parties shall take all measures necessary to ensure their respective compliance with all relevant legislation, including, but not limited to, regulations or restrictions regarding disclosure of information to third parties. Each Party will be responsible for processing information in accordance with all applicable data privacy and related regulations (GDPR 2016). In particular, information held by either Party will not be kept for longer than provided for under the GDPR obligations, and will be destroyed in an appropriate manner conforming to the GDPR obligations when no longer required, in compliance with the NHS Counter Fraud Authority Retention and Destruction Policy can be viewed by visiting NHSCFAs privacy page

The information provided by the giving Party shall be accessed by authorised personnel within the receiving Party. Both protectively marked material and non-protectively marked material (see below), whether in hard-copy or electronic format, held by either Party, will be stored securely.

Information sharing protocol

Information disclosed by either Party will comply with the Government Security Classification System (GSC), referenced here: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf

Each piece of information will be assigned a level of protection for its handling, processing, storage and movement. All material with a protective marking will be, where possible, marked at the top and bottom and page numbered, and will have a distribution list.

The levels of classification assigned by each Party to information shared shall be 'Official' ('Official Sensitive') or 'Secret' depending on the content.

Official

Most information will fall under the 'Official' classification but may need to be further marked to indicate that extra care should be taken when handling the information. If that is the case the marking 'Official-Sensitive' should be used. This will be applicable if compromise or loss of the information could have damaging consequences for an individual.

Secret

Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threats should be marked as 'Secret', for example where compromise could seriously damage the investigation of very serious organised crime. The threat profile for 'Secret' anticipates the need to defend against a higher level of capability than would be typical for the 'Official' level. This includes sophisticated, well-resourced and determined threats, such as highly capable serious organised crime groups.

The Parties agree that, in relation to information contained in material which is marked as 'Official' or 'Secret'', that it will not:

  • disclose, release, communicate, or otherwise make available, the information to any other individual, organisation or third party not directly connected with the work involved without prior agreement and approval of the giving Party, except in the form of non-disclosive statistical data, anonymised data or conclusions;
  • use the information for any commercial, industrial or other purpose; or
  • copy, adapt, duplicate or otherwise reproduce the information save as provided in this Agreement.

If there is a need for either Party to disclose or supply information to law enforcement agencies, government departments and agencies, or any specified external body for the purposes of anti-fraud activities, full records will be kept of when and what information is disclosed or supplied to external bodies.

Lawful use of information

In writing this Agreement due attention has been paid to the views of the Parties where possible, and all guidance has been written to ensure that the processing of shared information is accurate, necessary, secure, legal and ethical, taking into account relevant legislation where applicable, including:

  • NHS Act 2006
  • Freedom of Information Act 2000
  • General Data Protection Regulation 2016
  • Data Protection Act 2018
  • Human Rights Act 1998
  • NHS Counter Fraud Authority (Establishment, Constitution and Staff and other Transfer Provisions) 2017
  • Equality Act 2010
  • Access to Health Records Act 1990
  • Computer Misuse Act 1990
  • Confidentiality:NHS Code of Practice
  • Opticians Act 1989

The Secretary of State for Health has responsibility to make arrangements for healthcare provision nationally and to comply with legislation. The Secretary of State for Health, acting through the NHS Counter Fraud Authority, has a responsibility to ensure healthcare provision is protected from fraud and other unlawful activities. It is therefore appropriate that information relating to the administration of NHS business may be used for these purposes provided that the requirements of law and policy are satisfied.

Information shared between the Parties will only be used for the purpose(s) specified in this Agreement and its use will comply with the NHS Counter Fraud Authority information security policy and operating procedures.

Part 10 of the NHS Act 2006 makes provision for the protection of the NHS from fraud and other unlawful activities. The NHS Act 2006 confers powers upon the NHS Counter Fraud Authority as the statutory body responsible for tackling crime across the NHS, to require the production of information or data from an NHS contractor (defined as any person or organisation providing services of any description under arrangements made with an NHS body) in connection with the exercise of the Secretary of State for Health's counter fraud functions.

Operational work undertaken by NHS Counter Fraud Authority is carried out under Article 6, para (e), Article 9(2) paras (f) and/or (g) and Article 10 of the GDPR 2016 and Part 3 of the DPA 2018, for the prevention and detection of crime; under Part 10 of the NHS Act 2006, for the protection of the NHS from fraud and other unlawful activities; and in accordance with such directions as the Secretary of State for Health may give. 60 The disclosure of information or data by the General Optical Council to the NHS Counter Fraud Authority will be actioned within a legal framework, as permitted under Part 10 of the NHS Act 2006 and Article 6 , para (e), Article 9(2) paras (f) and/or (g) and Article 10 of the GDPR 2016 and Part 3 of the DPA 2018, and in accordance with the powers contained in part 4 of NHS Counter Fraud Authority (Establishment, Constitution, and Staff and other Transfer Provisions) 2017 These can be found at:

Information or data supplied by the General Optical Council to the NHS Counter Fraud Authority may be used by the NHS Counter Fraud Authority for criminal prosecution purposes if the information or data demonstrates evidence of fraud or other unlawful activities against the NHS and/or the information forms a material part of an investigation.

Both the General Optical Council and the NHS Counter Fraud Authority as public sector health bodies are subject to the Freedom of Information Act 2000. Therefore, the disclosure of information by the parties is subject to Freedom of Information provisions. The principles of the Freedom of Information Act 2000 apply and nothing provided in this Agreement is confidential to either Party to this Agreement. Where disclosure of information is likely to affect the interests of the partner organisation appropriate steps should be taken by the recipient of the request to consult with the other party and inform the other party of their duty to comply with the request as recommended in the Freedom of Information Act Section 45 Code of Practice. Public sector information which is subject to the provisions of the Freedom of Information Act 2000 cannot be accessed under Freedom of Information processes by going directly to a third party data processor.

Under the Freedom of Information Act 2000, individuals can make a request to the NHS Counter Fraud Authority for information to be disclosed. This is called a Freedom of Information Request. Requests must be put in writing to the NHS Counter Fraud Authority following the official Freedom of Information Request process. Requests will be considered by the Information Governance Lead at the NHS Counter Fraud Authority and a decision will be made as to the legality and appropriateness of information disclosure.

The Parties are subject to the GDPR 2016. Under the GDPR 2016, data subjects can ask to see the information that is held on computer and in some paper records about them. This is called a Subject Access Request. If data subjects wish to know what information is held about them, requests must be addressed to the Party processing the information following their official Subject Access Request process.

Complaints from data subjects about personal or sensitive information held by either Party must be made in writing to the person or organisation holding the information, detailing the reasons for the complaint. Complaints must be addressed to the relevant person or organisation following their official complaints process.

Security of information

Both the General Optical Council and the NHS Counter Fraud Authority, as functional administrators of NHS business, are registered with the Information Commissioner's Office on the Data Protection Register. Registration entry can be found at http://www.ico.org.uk/esdwebpages/search

The General Optical Council | Registration number: Z5718812
The NHS Counter Fraud Authority | tRegistration number: ZA290744

Regardless of the type of information being accessed, processed and stored, security is considered of paramount importance. All information held by the Parties is held on secure servers, with access restricted to internal use by appropriately authorised members of staff. As data controllers for the information they collect, the Parties are expected to treat all information in accordance with the GDPR 2016, and ensure that security is in place sufficient to protect the information from unauthorised access. This includes physical security, such as adhering to organisational clear desk policies and adequate protection for premises when unattended, to IT related security such as passwords, secure IDs and secure servers.

It is understood that each Party may have differing security needs, however it is important that all reasonable steps are made to ensure information is kept private and confidential at all times. Each Party is expected to comply with their own Information Security Policy and operating procedures and to make staff aware of their obligations in this respect. As administrators of NHS business, the Parties are also expected to comply with the standard requirements in the NHS Code of Practice for Information Security Management and the NHS Information Governance Guidance on Legal and Professional Obligations, which can be found at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200506/Information_Security_Management_-_NHS_Code_of_Practice.pdf and https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200702/NHS_Information_Governance_Guidance_on_Legal_and_Professional_Obligations.pdf

Each Party's responsible officer for information governance will ensure that their staff know, understand and guarantee to maintain the confidentiality and security of the information and will ensure that anyone involved with the processing of the information is aware of the penalties of wrongful disclosure.

Due to the sensitive nature of operational work carried out by the NHS Counter Fraud Authority, much of the information held by the NHS Counter Fraud Authority is of a sensitive nature and is classified by central government as 'Official' or 'Official-Sensitive'. The NHS Counter Fraud Authority therefore uses the secure Public Service Network (PSN) in its operations and in so doing complies with the standard requirements in the code of conduct for Government Connect.

The Parties must take appropriate technical and organisational measures against unauthorised or unlawful accessing and/or processing of information and against accidental loss or destruction of, or damage to, information. This will include:

  • Appropriate technological security measures, having regard to the state of technology available and the cost of implementing such technology, and the nature of the information being protected
  • Secure physical storage and management of non-electronic information
  • Password protected computer systems
  • Ensuring information is only held for as long as is necessary, in line with data protection obligations
  • Appropriate security on external routes into the organisation, for example internet firewalls and secure dial-in facilities
  • Each Party is responsible for its own compliance with security in respect of the GDPR 2016 and DPA 2018, irrespective of the specific terms of this Agreement.

    The physical and technical security of the information will be maintained at all times. No disclosable information will be sent by fax or email (unless via PSN or NHS.net networks) and, if posted, will be encrypted to approved standards to protect the information and dispatched by Royal Mail Special Delivery service or by courier.

    The preferred method of information transfer for general enquiries, general communications and small data attachments (for example, Microsoft or PDF files not exceeding 15 MB) and large volume information sharing (such as downloads of complete data sets where size exceeds 15MB)will be by email (via PSN ).The NHS Counter Fraud Authority uses Egress Switch to send data securely using the 'official' ('official sensitive') marking under the Government Classification Scheme.

    For each Party, access to the information will be restricted to those staff with a warranted business case. Access to information will be via restricted-access password protection and be capable of audit. The means of access to the information (such as passwords) will be kept secure.

    Laptops used to access information must be encrypted and secured to an HM Government approved or recognised level, commensurate with the level of the protective marking of the information involved as will any network they are connected to.

    The Parties may be required to provide copies of any audits conducted during the period of the Agreement, including any audit arrangements or implementation plans.

    Retention and deletion

    Information shall be stored in accordance with the Parties' records retention and disposal schedule.

    In the absence of a records and disposal schedule, or a statutory retention period, the information shall not be retained for longer than is necessary to fulfil the specified purpose or purposes.

    Breach and dispute procedures

    The Parties agree to report immediately instances of breaches to any of the terms of this Agreement and to raise an appropriate security incident, in line with the Information Commissioners Guidance on Data Security Breaches.

    Any disputes arising between the giving and receiving Parties will be resolved initially between the principles of this Agreement. Otherwise, outstanding issues will be referred to an Executive Group established on behalf of each Party.

    The Parties will monitor and review information shared and the impact of the agreement on a regular basis. In future, this may include the production of periodic monitoring reports that cover the frequency, or number, of interactions, the nature of the shared information and joint working and the impact that the cooperation of the two organisations has had.

    Audit arrangements

    The Parties will maintain an information sharing log in respect of the agreement. The log will contain:

    • A record of the NHS Counter Fraud Authority information disclosed
    • A record of information disclosed to the NHS Counter Fraud Authority
    • The decision of justification to disclose or not to disclose
    • An access list recording the authorising officer
    • Notes of meetings with partners
    • A record of any review of the agreement.

    Point of contact

    The Parties agree to, when possible, share information using a single point of contact (SPOC) (Appendix A). The single point of contact will be responsible for sending and receiving shared information, and will act as facilitator for enquiries (however, this person may not necessarily be the end user or processor of the information).

    The Parties acknowledge that points of contact within either Party may differ over time due to the nature of investigative activities and the appropriateness of Party involvement. The Parties may nominate an appropriate alternative point of contact for day-to-day communication and/or joint-working in the event of a NHS Counter Fraud Authority investigation taking place which involves a specialised area of business, specialist knowledge or a particular expertise. The nominated person(s) will therefore act as single point of contact for investigation purposes. A single point of contact who understands fraud investigations and what is required to a criminal standard is essential to enable investigators to exchange crucial information in a timely manner, to prevent contradictory information being exchanged, and to ensure delays are minimised.

    Term of agreement

    This Agreement shall commence on the date of its signature by the Parties and remain in effect for a term of one year. Upon its anniversary the agreement with be reviewed and re-negotiated by the Parties. The Agreement may be reviewed more urgently at any time at the request of either party.

    Either Party may terminate or re-negotiate this Agreement at any time upon giving the other Party one month's notice in writing of its intention to do so.

    This Agreement is not legally binding and is not intended to create legal relationships between the Parties.