- Scope and purpose
- NHS Scotland Counter Fraud Services
- NHS Counter Fraud Authority
- Working together
- Types of information
- Data control
- Sharing framework
- Information sharing protocol
- Retention of information
- Security of information
- Privacy notices
- Breach and dispute procedures
- Audit arrangements
- Point of contact
- Duration and review
- NHS Scotland Counter Fraud Services
3 Bain Square, Livingston, West Lothian, EH54 7DQ; and
- NHS Counter Fraud Authority
Fourth Floor, Skipton House, 80 London Road, London, SE1 6LH; and
- NHS Counter Fraud Services (NHS Wales)
First Floor Block B, Mamhilad House, Mamhilad Park Estate, Pontypool, NP4 0YP
being collectively 'the Parties'.
Scope and purpose
This agreement describes the roles of NHS Scotland Counter Fraud Services and NHS Counter Fraud Authority and outlines the basis of cooperation and collaboration between the Parties. It sets down the principles underpinning the interaction between the Parties and provides guidance on the exchange of information between them.
This agreement is a statement of principle; more detailed operational protocols and guidance will be developed, as and when these are required.
This agreement applies to Scotland, England and Wales and is intended to provide a framework to assist the joint working of the Parties to ensure maximum effectiveness and efficiency when carrying out investigations. The agreement includes practical arrangements designed to ensure the relationship is effective and that together the Parties meet their aims and objectives, particularly when there are overlapping interests and responsibilities.
Although the Parties agree to adhere to the contents of this agreement, it is not intended to be a legally binding document. The agreement does not override each Party’s statutory responsibilities or functions, nor does it infringe the autonomy and accountability of either Party or their governing bodies.
The Parties agree to abide by the Data Sharing Code of Practice produced by the Information Commissioner's Office, and recognise their respective responsibilities as public bodies under the General Data Protection Regulation 2016, the Data Protection Act 2018, the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002.
The aims of this agreement are to:
- prevent and reduce fraud and corruption within the NHS;
- maintain patient safety and confidence in the NHS;
- support the sharing of information, intelligence, expertise and experience;
- define the circumstances in which the two organisations will act independently.
The term 'information' is used in this agreement by NHS Counter Fraud Authority to refer to any and all information or data used for NHS business purposes, including commercial, business, personal and sensitive information or data. The medium in which information or data may be displayed, presented, shared, disclosed or processed, may be in the form of hard-copy or electronic data, records or documents.
To facilitate the sharing of information, both Parties will follow due processes as they are defined in the agreement.
NHS Scotland Counter Fraud Services
The National Health Service (Functions of the Common Services Agency) (Scotland) Amendment Order 2000 gave the Common Services Agency (commonly known as NHS National Services Scotland) the function of preventing, detecting and investigating fraud and other irregularities in relation to primary care services in Scotland.
NHS Scotland Counter Fraud Services was established on 1 July 2000 to provide these functions within NHS Scotland. The functions were extended to all NHS services by the National Health Service (Functions of the Common Services Agency) (Scotland) Amendment (No 2) Order 2003. In 2014, NHS Scotland Counter Fraud Services was permitted to provide counter-fraud services to other public bodies by Part 2 (Section 62) of the Public Bodies (Joint Working) (Scotland) Act 2014.
NHS Scotland Counter Fraud Services exists to contribute to the improvement of health and healthcare in Scotland, by providing the best possible counter-fraud service to NHS Scotland through the provision of a professionally accredited team undertaking proactive fraud and other investigations in a nationally consistent and accountable manner. As part of its remit, NHS Scotland Counter Fraud Services will promote a counter-fraud culture within the Service to change the perception of NHS fraud as a victimless crime, thereby reducing the losses to NHS Scotland.
The role of NHS Scotland Counter Fraud Services is to provide NHS Scotland with a comprehensive counter-fraud service by delivering:
- proactive detection of fraud and other financial crime against NHS Scotland
- full and fair investigations into alleged fraud and other financial crime by patients, staff, contractors or suppliers
- specialist advice to assist in the formulation of counter fraud policy and regulations
- a range of fraud prevention services aimed at reducing losses, increasing fraud resilience and developing an anti-fraud culture.
NHS Counter Fraud Authority
NHS Counter Fraud Authority is an independent Special Health Authority established in November 2017. NHS Counter Fraud Authority leads on work to identify and tackle fraud across the NHS. Its purpose is to safeguard NHS resources so that the NHS is better equipped to care for the nation's health, providing support, guidance and direction to the NHS. This work enables effective prevention, detection and enforcement action to take place against fraud and fraudulent activity. NHS Counter Fraud Authority also collects, collates and analyses information that holds intelligence value, which in turn broadens the understanding of fraud risks in the NHS.
NHS Counter Fraud Authority has duties and enforcement powers under the NHS Act 2006, the Health and Social Care Act 2012, and the NHS Counter Fraud Authority (Establishment, Constitution and Staff and other Transfer Provisions) Order 2017, issued by the Secretary of State for Health. NHS Counter Fraud Authority is responsible for:
- leading on work to protect NHS staff, patients and resources from fraud, bribery and corruption;
- educating and informing those who work for, who are contracted to, or who use the NHS about fraud in the health service and how to tackle it;
- preventing and deterring fraud in the NHS by reducing it and removing opportunities for it to occur or to re-occur; and
- holding to account those who have committed fraud against the NHS by detecting and prosecuting offenders and seeking redress where viable.
NHS England and NHS Improvement follows the NHS Counter Fraud Authority strategy when undertaking its own work to tackle fraud.
Officers working for NHS England and NHS Improvement must report any suspicions of economic fraud to NHS Counter Fraud Authority as soon as they become aware of them to ensure they are investigated properly and maximise the chances of financial recovery.
The majority of allegations of economic fraud will be investigated by Local Counter Fraud Specialists (LCFS) appointed to provide counter fraud services on behalf of NHS England and NHS Improvement.
NHS Counter Fraud Authority will work cooperatively with officers to ensure work is conducted to prevent, deter and detect fraud within and against NHS England and NHS Improvement.
NHS Counter Fraud Authority will investigate cases of fraud that cannot be dealt with by NHS England and NHS Improvement, including cases of bribery and corruption.
Working together
Fraud and corruption against or affecting the NHS in any part of the UK is unacceptable. Such activities divert much needed finance and resources from their intended purpose and threaten to undermine the mutual trust and confidence which should permeate all working relationships across the entire NHS network.
Everyone employed in the NHS, as well as those contracted to provide services to the NHS, those working within NHS premises, those using NHS services and those visiting NHS premises, has a legal and moral duty to counter fraud and corruption, no matter how minor it may appear, and to ensure that NHS finances and resources are used appropriately and efficiently and that any misappropriation of finances or misuse of resources is identified, reported and ultimately stopped.
The Parties are committed to working together in order to tackle fraud, bribery and corruption against or affecting the NHS in the UK and to providing comprehensive counter fraud services to the NHS in Scotland, Wales and England.
As healthcare fraud continues to occur, becoming more sophisticated and complex and on occasion crossing borders, it is important that the NHS in Scotland, Wales and England are able to share intelligence and best practice efficiently and legally and assist each other with proactive action to tackle fraud. Through the development of this Agreement, the Parties can greatly assist each other in the prevention and detection of fraud, bribery and corruption against or affecting the NHS in the UK.
Types of information
The General Data Protection Regulation 2016 defines the following classes of information relevant to this agreement: 'personal data', 'special categories of personal data' and 'personal data relating to criminal convictions and offences'.
The Caldicott Information Governance Review 2013, commissioned by the Department of Health, introduced the term ‘personal confidential data’ across the healthcare system to widen the interpretation of ‘personal data’ and ‘sensitive data’ for patient identifiable information.
Personal data are defined as '…any information relating to an identified or identifiable natural person; an identifiable natural person (data subject) is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
The obtaining, handling, use and disclosure of personal data is principally governed by the General Data Protection Regulation 2016 (GDPR), the Data Protection Act 2018, Article 8 of the European Convention on Human Rights (as given effect in UK law by the Human Rights Act 1998), and the common law duty of confidentiality.
The law imposes obligations and restrictions on the way personal data is processed, and the data subject has the right to know who holds their data and how such data are or will be processed, including how such data are to be shared. In this context 'processing' means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special Category Data
Certain types of data are referred to as 'special categories of personal data’ or ‘sensitive personal data'. These are data which relate to the data subject’s:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data for the purpose of uniquely identifying a person;
- health;
- sex life or sexual orientation.
Additional and more stringent obligations and restrictions apply whenever sensitive personal data is processed.
Data Relating to Criminal Convictions and Offences
There are separate safeguards for personal data relating to criminal convictions and offences set out in Article 10 of the GDPR. To process personal data regarding convictions or offences there must be a lawful basis under GDPR Article 6 and legal/official authority under Article 10.
Personal confidential data
In 2013 the Department of Health published the Caldicott Information Governance Review, which was an independent review of how information about patients is shared across the health and care system. The review introduced the term ‘personal confidential data’ to describe ‘personal’ and ‘sensitive’ information about identified or identifiable patients, which should be kept private or secret. The Caldicott Information Governance Review can be found at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf
Data control
Under the GDPR, controller means any 'natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.' All data controllers are required to comply with the GDPR whenever they process personal data. At all times, when providing data to partners, the partner responsible for delivering a service will be considered the 'data controller'.
Where two or more controllers jointly determine the purposes and means of processing they are joint controllers and they shall in a transparent manner determine their respective responsibilities for compliance with their obligations under the GDPR.
For the purpose of this agreement the Parties are data controllers engaged in processing NHS information for and on behalf of individual health body clients and associated agencies, including but not limited to parental government departments, NHS Trusts and Boards, Ambulance Services, Commissioning Groups and Support Units, Regional and Local Area Teams, other healthcare subdivisions and Arm's-Length Bodies.
Sharing framework
The Parties agree and acknowledge that they collect and store information. Where the Parties decide to share information with each other, they will share that information according to the information sharing agreement described below and with due regard to the counter-fraud requirements in the NHS Standard Contract, which can be found at: https://www.england.nhs.uk/wp-content/uploads/2019/03/3-FL-SCs-1920-sepsis.pdf
The Parties agree to share information in order to assist with counter-fraud work (for example to identify fraudulent or suspicious activity, to establish fraud trends based on specific projects or targeted areas, to identify individuals or companies suspected of fraud and to prevent fraudulent or similarly inappropriate transactions from being made).
When the giving Party discloses information to the receiving Party, that information shall be disclosed for the purposes of the prevention, detection, investigation and prosecution of fraud or any other unlawful activity affecting the NHS, as set out in the NHS Counter Fraud Authority (Establishment, Constitution and Staff and Other Transfer Provisions) Order 2017 (which can be found at: http://www.legislation.gov.uk/uksi/2017/958/contents/made) and the National Health Service (Functions of the Common Services Agency) (Scotland) Amendment Order 2000.
Where the giving Party shares information with the receiving Party, it may share the information in any manner it considers appropriate, although the receiving Party may from time to time make recommendations to the giving Party as to the most practicable means by which information may be shared.
If the Parties wish to share information electronically, it will be in a mutually compatible IT format and shared by a secure method.
In relation to the sharing of information, the Parties shall take all measures necessary to ensure their respective compliance with all relevant legislation, including, but not limited to, regulations or restrictions regarding disclosure of information to third parties. The Parties will be responsible for processing information in accordance with all applicable data privacy and related regulations (Article 5 of the GDPR).
Information sharing protocol
Information disclosed by the Parties will comply with the Government Security Classifications (GSC). In this regard, each piece of information will be assigned a level of protection for its processing. All material with a protective marking will be, where possible, marked at the top and bottom and page numbered, and will have a distribution list. Further information regarding the Government Security Classifications is available in the HM Government guidance, which can be found at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf
The levels of classification assigned by the Parties to information shared will fall under the “Official” classification, but may need to be further marked to indicate that extra care should be taken when handling the information. If that is the case the marking “Official-Sensitive” should be used. This will be applicable if compromise or loss of the information could have damaging consequences for an individual.
The Parties agree that, in relation to information contained in material which is marked as 'Official' or 'Official-Sensitive', they will not:
- disclose, release, communicate, or otherwise make available, the information to any other individual, organisation or third party not directly connected with the work involved without prior agreement and approval of the giving Party, except in the form of non-disclosive statistical data, anonymised data or conclusions;
- use the information for any commercial, industrial or other purpose; or
- copy, adapt, duplicate or otherwise reproduce the information save as provided in this Agreement.
If there is a need for the Parties to disclose or supply information to other law enforcement agencies, government departments and agencies, or any specified external body for the purposes of counter fraud activities, full records will be kept of when and what information is disclosed or supplied to external bodies.
Lawful use of information
In writing this Agreement due attention has been paid to the views of the Parties where possible, and all guidance has been written to ensure that the disclosure, access, storage and processing of shared information is accurate, necessary, secure, legal and ethical, taking into account relevant legislation and approved guidance where applicable, including:
- NHS Act 2006
- Freedom of Information Act 2000
- General Data Protection Regulation 2016
- Data Protection Act 2018
- Human Rights Act 1998
- NHS Counter Fraud Authority (Establishment, Constitution and Staff and other Transfer Provisions) Order 2017
- Equality Act 2010
- Access to Health Records Act 1990
- Computer Misuse Act 1990
- Confidentiality: NHS Code of Practice
- Opticians Act 1989
Responsibility for arranging healthcare provision nationally and for complying with legislation is the responsibility of the Cabinet Secretary for Health and Sport (Scotland), the Minister for Health and Social Services (Wales) and the Secretary of State for Health (England). These accountable officers also have a responsibility to ensure healthcare provision is protected from fraud and other unlawful activities. It is therefore appropriate that information relating to the administration of NHS business may be used for counter-fraud purposes provided that the requirements of law and policy are satisfied.
Information shared between the Parties will only be used for the purpose(s) specified in this Agreement and its use by NHS Counter Fraud Authority will comply with the NHS Counter Fraud Authority information security policy and operating procedures.
Part 10 of the NHS Act 2006 makes provision for the protection of the NHS from fraud and other unlawful activities. The NHS Act 2006 confers powers upon NHS Counter Fraud Authority, as the statutory body responsible for tackling crime across the NHS, to require the production of information or data from an NHS contractor (defined as any person or organisation providing services of any description under arrangements made with an NHS body) in connection with the exercise of the Secretary of State for Health’s counter fraud functions.
Operational work undertaken by NHS Counter Fraud Authority is carried out under Article 6(1)(e), Article 9(2)(f) and/or (g) and Article 10 of the GDPR and Part 3 and Schedule 2 Part 1 of the Data Protection Act 2018, for the prevention and detection of crime; under Part 10 of the NHS Act 2006, for the protection of the NHS from fraud and other unlawful activities; and in accordance with the powers contained in Part 4 of the NHS Counter Fraud Authority (Establishment, Constitution and Staff and other Transfer Provisions) Order 2017 and such directions as the Secretary of State for Health may give.
The sharing of information between NHS Scotland Counter Fraud Services and NHS Counter Fraud Authority will be actioned within a legal framework, as permitted under Part 10 of the NHS Act 2006, GDPR, Data Protection Act 2018 and with regard to the counter-fraud requirements in the NHS Standard Contract:
- NHS Act 2006, Part 10
- General Data Protection Regulation 2016
- Data Protection Act 2018, Part 3
- Secretary of State for Health's counter fraud functions
Information or data shared between NHS Scotland Counter Fraud Services, and NHS Counter Fraud Authority may be used by the Parties for criminal prosecution purposes if the information or data demonstrates evidence of fraud or other unlawful activities against the NHS and/or the information forms a material part of an investigation.
The Parties are subject to the Freedom of Information Act 2000 and Freedom of Information (Scotland) Act 2002. Therefore, the disclosure of information by the Parties is subject to the provisions contained therein. The principles contained in these pieces of legislation apply throughout the agreement.
Under these legislative instruments, individuals can make a request to the Parties for information to be disclosed. This is called a Freedom of Information Request. Requests must be put in writing to the recipient Party following their official Freedom of Information Request process. Requests will be considered by the Party’s Information Governance representative and a decision will be made as to the legality and appropriateness of information disclosure.
The Parties are subject to the GDPR and the Data Protection Act 2018. Under the General Data Protection Regulation 2016 and the Data Protection Act 2018, data subjects can ask to see the information that is held on computer and in some paper records about them. This is called a Subject Access Request. If data subjects wish to know what information is held about them, requests must be submitted to the recipient Party following their official Subject Access Request process. Requests will be considered by the Party’s Information Governance representative and a decision will be made as to the legality and appropriateness of information disclosure.
Complaints from data subjects about personal or sensitive information held by the Parties must be made in writing to the person or organisation holding the information, detailing the reasons for the complaint. Complaints must be put in writing to the relevant person or organisation following their official complaints process.
Security of information
NHS Scotland Counter Fraud Services, NHS Counter Fraud Authority and NHS Counter Fraud Services (NHS Wales) are registered with the Information Commissioner’s Office on the Data Protection Register. Registration entry can be found at: http://www.ico.org.uk/esdwebpages/search
- NHS Scotland Counter Fraud Services Registration number: Z5801192
- NHS Counter Fraud Authority Registration number: ZA290744
- NHS Counter Fraud Services (NHS Wales Shared Services Partnership) Registration number: Z5021900
Regardless of the type of information being accessed, processed and stored, security is considered of paramount importance. All information held by the Parties is held on secure servers, with access restricted to internal use by appropriately authorised members of staff. As data controllers for the information they collect, the Parties are expected to treat all information in accordance with the General Data Protection Regulation 2016 and the Data Protection Act 2018, and ensure that security is in place sufficient to protect the information from unauthorised access. This ranges from physical security, such as adhering to organisational clear desk policies and adequate protection for premises when unattended, to IT-related security such as passwords, secure IDs and secure servers.
It is understood that the Parties may have differing security needs; however, it is important that all reasonable steps are taken to ensure information is kept private and confidential at all times. Each Party is expected to comply with their own Information Security Policy and operating procedures and to make staff aware of their obligations in this respect. As administrators of NHS business, the Parties are also expected to comply with the standard requirements in the NHS Code of Practice for Information Security Management and the NHS Information Governance Guidance on Legal and Professional Obligations, which can be found at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200506/Information_Security_Management_-_NHS_Code_of_Practice.pdf and
Each Party’s responsible officer will ensure that their staff know, understand and guarantee to maintain the confidentiality and security of the information and will ensure that anyone involved with the processing of the information is aware of the penalties of wrongful disclosure.
Due to the sensitive nature of operational work carried out by the Parties, much of the information held by the Parties is of a sensitive nature and is classified by central government as 'Official' or 'Official-Sensitive'. NHS Counter Fraud Authority therefore uses the Public Services Network (PSN) in its operations and in so doing complies with the standard requirements in the code of connection for Government Connect.
The Parties must take appropriate technical and organisational measures against unauthorised or unlawful accessing and/or processing of information and against accidental loss or destruction of, or damage to, information. This will include:
- appropriate technological security measures, having regard to the state of technology available and the cost of implementing such technology, and the nature of the information being protected;
- secure physical storage and management of non-electronic information;
- password protected computer systems;
- ensuring information is only held for as long as is necessary, in line with data protection obligations; and
- appropriate security on external routes into the organisation, for example internet firewalls and secure dial-in facilities.
Each Party is responsible for its own compliance with security in respect of the General Data Protection Regulation 2016 and Data Protection Act 2018, irrespective of the specific terms of this Agreement.
The physical and technical security of the information will be maintained at all times. No disclosable information will be sent by fax or email (unless via PSN or NHS.scot networks) and, if posted, will be encrypted to approved standards to protect the information and dispatched by Royal Mail Special Delivery service or by courier.
Access to the information will be restricted to those staff with a warranted business case. Access to information will be via restricted-access password protection and be capable of audit. The means of access to the information (such as passwords) will be kept secure.
For NHS Counter Fraud Authority, the preferred method of information transfer for general enquiries, general communications and small data attachments (for example Microsoft Office or PDF files not exceeding 15MB) and for large volume information sharing (such as downloads of complete datasets where size exceeds 15MB) will be by email (via PSN). NHS Counter Fraud Authority uses Egress Switch to send data securely under the 'Official' or 'Official-Sensitive' marking of the Government Security Classifications.
For NHS Scotland Counter Fraud Services, the preferred method of data attachments (for example, Microsoft or PDF files not exceeding 10 MB) will be by email (via NHS.scot networks).
For NHS Scotland Counter Fraud Services, the preferred method of information transfer for large volume information sharing (such as downloads of complete datasets where size exceeds 10 MB) will be by secure file transfer, using either FTPS or SFTP via NHS.scot systems, whereby files can be transferred from one host to another over a Transmission Control Protocol (TCP) network, such as the internet. Files will be encrypted and password protected to approved standards to protect the information. Decryption instructions and passwords will be disclosed separately from the data, upon receipt of the information.
Laptops used to access information must be encrypted and secured to an HM Government approved or recognised level, commensurate with the level of the protective marking of the information involved as will any network they are connected to.
The Parties may be required to provide copies of any audits conducted during the period of the Agreement, including any audit arrangements or implementation plans.
Retention of information
Information shall be stored in accordance with the Parties’ records retention and disposal schedule.
In the absence of a records retention and disposal schedule, or a statutory retention period, the information shall not be retained for longer than is necessary to fulfil the specified purpose or purposes.
Privacy notices
Each Party is responsible for providing privacy information to data subjects describing the information that may be used for the purposes outlined in the Agreement and their information rights.
Breach and dispute procedures
The Parties agree to report immediately instances of breaches to any of the terms of this Agreement and to raise an appropriate security incident.
Any disputes arising between the giving and receiving Parties will be resolved initially between the principals of this Agreement. Otherwise, outstanding issues will be referred to an executive group established on behalf of each Party.
Audit arrangements
The Parties will maintain an information sharing log in respect of the agreement. The log will contain:
- A record of NHS Counter Fraud Authority information disclosed;
- A record of NHS Scotland Counter Fraud Services information disclosed;
- The decision, and the justification, to disclose or not to disclose;
- An access list recording the authorising officer;
- Notes of meetings with partners;
- A record of any review of the agreement.
Point of contact
The Parties agree to, when possible, share information and intelligence using a single point of contact (SPOC). The SPOC will be responsible for sending and receiving shared information, and will act as facilitator for enquiries (however, this person may not necessarily be the end user or processor of the information).
The Parties acknowledge that points of contact within the Parties may differ over time due to the nature of investigative activities and the appropriateness of Party involvement. The Parties may nominate an appropriate alternative point of contact for day-to-day communication and/or joint working in the event of a specific investigation taking place which involves a specialised area of business, specialist knowledge or a particular expertise. The nominated person(s) will therefore act as single point of contact for investigation purposes. A SPOC who understands criminal investigation procedures and what is required to meet the criminal evidential standard is essential to enable investigators to exchange crucial information in a timely manner, to prevent contradictory information being exchanged, and to ensure delays are minimised.
Duration and review
This agreement shall commence on the date of its signature by the Parties and will remain in effect for a term of one year unless it is terminated, re-negotiated or superseded by a revised document.
At the end of one year following the commencement of the agreement, the agreement will be formally reviewed by the Parties, and will be reviewed again no less frequently than on each anniversary of its signing. Each annual review will:
- report on actions arising from the operation of this agreement within the preceding 12 months;
- consider whether the agreement is still useful and fit for purpose, and make amendments where necessary;
- refresh operational protocols where necessary;
- identify areas for future development of the working arrangements; and
- ensure the contact information for each organisation is accurate and up to date (Appendix 1).
Following each annual review, the agreement shall automatically renew for a further period of one year, unless terminated or re-negotiated by either Party.
Either Party may terminate or re-negotiate this agreement at any time upon giving the other Party one month’s notice in writing of its intention to do so.
This agreement is not legally binding and is not intended to create legal relationships between the Parties.