|
This Data Sharing Agreement is made on:1st August 2025 |
||
| 1 |
Between: NHS Business Services Authority (“NHSBSA”) NHS Counter Fraud Authority (“NHSCFA”) |
|
| 2 |
Purpose, objectives of the information sharing: In line with the MOU that exists between the NHSBSA and NHSCFA that covers the provision of data, as well as the principles of continued collaboration, NHSCFA requests access to NHSBSA dental datasets for the purpose of preventing and detecting fraud and other criminal offences within the NHS. More specifically, the purpose of this proposed data sharing is to:
The above steps necessitate full transparency in all steps undertaken and the designation of any and all outliers. As such, this data will not be subjected to any form of artificial intelligence (AI) and any machine learning algorithms will be developed using NHSCFA’s own in-house expertise, with all processes and findings subjected to human oversight and review within a defined ethical framework. Delivery of outcomes will also be undertaken in collaboration with NHSBSA themselves, particularly in so far as this supports confirming the appropriateness of methodologies, validation of findings and directing changes that might range from removing system weaknesses, to supporting more specific or wider data shares to respond to identified threat. Although this information concerns NHS patients, NHS staff and wider individuals associated with dental activity, the intention is to undertake a robust process of encryption of all NHSCFA subsets of personal data, prior to NHSCFA access, in order to mitigate risks of confidentiality. This will allow the above steps to take place without the need for NHSCFA to receive or process personal data in the first instance (although this may inform additional exercises where this does occur). It is recognised, however, that as part of the overarching data share that the NHSBSA will need to undertake this processing prior to receipt by NHSCFA and so these are recorded in an accompanying DPIA. The overarching counter fraud purpose is supported in the Directions to NHS Trusts and Special Health Authorities 2017 and the NHS Act 2006 (see below). |
|
| 3 |
Controller/s In line with ICO guidance, the data is assessed as sufficiently masked to be considered “anonymised” from the point of receipt by NHSCFA but, as the full extent of the data share concerns processing of the originating PID and special category data by NHSBSA, who undertake this data masking prior to sharing with the NHSCFA) the following responsibilities are outlined:
|
|
| 4 |
Processor/s N/A |
|
| 5 |
Data items to be processed (add more lines if required) The NHSCFA data request is outlined below and concerns dental and orthodontic activity undertaken in England for the period from 1st April 2018 onwards. All personally identifiable data will undergo masking by NHSBSA (pseudonymisation) prior to receipt by the NHSBSA, to prevent identification whilst allowing the ability to make distinctive counts of activity. The below is intended to give a broad summary and within each of the data items listed, an appropriate level of refinement will be undertaken, both initially and then as part of an ongoing process of engagement with NHSBSA to consider the requirements within each table, on a column-centric level, ensuring the relevance, minimisation and proportionality of all data shared and to limit processing and storage costs. Whilst the summary below is as extensive as possible, it is recognised that the datasets themselves may change with additional tables and columns. Additionally, the continued collaborative activity between NHSCFA and NHSBSA may identify additional and complementary data which might support the exercise’s objective concerning detection of fraud and that. Provided this is proportional, within agreement of the parties, and aligned with the principles of the law, the Caldicott principles and the context of this agreement and supporting DPIA basis for use (i.e. subject to appropriate data masking to prevent PID) this can be included in the data sharing and thus within this agreement. |
|
|
Detail Item |
Justification (including confirmation of signed DPIA where applicable) |
|
|
Dental activity data concerning dental and orthodontic treatment and claims, data provided to a granular patient level, including any wider data calculated and derived by NHSBSA as part of their processing. This data will concern details of the patient and their treatment and, in its native format, will be considered personally identifiable data and special category data (as it concerns health). This will thus be subjected to the data masking outlined above. Information about clinician(s) undertaking treatment will also be necessary for inclusion and will be subject to data masking, except that which is made publicly available – i.e. that which is within the published General Dental Council (GDC) registration data, made public via the Dentists Act 1984 (i.e. name, GDC registration etc.) |
Utilising subsets of the identified dental data, NHSCFA seeks to undertake proactive analysis to confirm the presence, extent and characteristics of a range of recognised fraud risks that have been substantiated through intelligence processes and/or existing proactive analysis undertaken by NHSCFA in the past. NHSCFA additionally intends to undertake a range of machine learning techniques which will identify previously undetected fraud risks concerning irregular dental claims activities through a range of supervised/unsupervised methods and the utilisation and development of fraud classifiers drawn from this data. The above steps and the format / nature of this proposed data share is in alignment with the NHSCFA/NHSBSA MOU which was updated in August 2024 to encapsulate these changes. https://www.legislation.gov.uk/ukpga/2018/12/schedule/8 Due to the provision of data masking an encrypted dataset which effectively anonymises the data, no PID is to be included in the NHSCFA subsets of data – however, to ensure that these considerations are properly recorded a DPIA has been produced for the full extent of this data share. It is noted that, should the NHSBSA share the pseudonymisation key, this will render the data as subsequently falling in scope of the UK data protection legislation. However, the current intention is that the pseudonymisation key will never be shared; if more explicit data was needed (for example if identifiable data was needed for an investigation) NHSCFA would request that data as a separate data share, but not the key itself. The legal basis for both NHSBSA and NHSCFA is confirmed below. |
|
|
Corresponding payment data including any/all claims, payments and charges alongside, including refunds, amendments and withdrawals and messaging data relating to submissions of claims. Data provided to a granular level to a performer/provider level |
||
|
Contractor data for every dental contractor in England, including details of all contracts (contractor name, address, contract value etc) and UDA/UOA values and contract performance metrics. |
||
|
Supplementary data including student flags and supervision system supplier data, messaging data relating to submissions of claims and comment codes, information about amendments and any flags concerning adjustments / amendments and change logs concerning changes to the dataset (e.g. when new fields are added or removed) |
||
| 6 |
Article 6 Condition – Personal Data Although the data contained within the originating dataset contains a number of fields that concern NHS patients. NHSCFA and NHSBSA utilise an encryption process that was developed collaboratively between the NHSBSA and NHSCFA and is applied for the existing dental data sharing. It compiles a 15-digit numeric encrypted key from the patient data above into a single field (“Patient_key”) which remains constant and unique to each patient without allowing identification of the components. Reversibility is only possible through the NHSBSA and identification would thus only be possible through a separate data share that requested and authorised NHSCFA access to the explicit identifiable data (the masking key itself would not be shared, only the identifiable data in its entirety). The purpose of this process is to remove identifiable elements from the data processed by the NHSCFA prior to access. This process has the benefit of being able to link courses of treatment to distinct patients and maintain counts and sequences of events when the actual identification of the patient themselves is unnecessary. However, as the underlying data (and the wider activity undertaken by NHSBSA, prior to receipt by NHSCFA, but as a part of the overall processing for this data share) does concern personally identifiable data and special category (health) data, a DPIA has been produced to outline these considerations fully. Finally, it is recognised that, should the NHSBSA share the pseudonymisation key, this will render the data as subsequently falling in scope of the UK data protection legislation; however, it is not the current intention that this will be shared. If identifiable data is required by NHSCFA, this will be requested a separate data share of the data in its identifiable format, rather than NHSBSA sharing the pseudonymisation key to unlock the data. |
|
|
Basis (One of these must apply whenever you process personal data) |
Tick which one you are using |
|
|
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. |
||
|
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. |
||
|
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). |
||
|
(d) Vital interests: the processing is necessary to protect someone’s life. |
||
|
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. NHSCFA basis in law: ‘4.—(1) The Authority is to exercise the functions of the Secretary of State in respect of counter fraud which are identified in paragraph (2), subject to and in accordance with this article and directions to the Authority given by the Secretary of State. (2) The counter fraud functions the Authority is to exercise are— (a)taking action for the purpose of preventing, detecting or investigating fraud, corruption or other unlawful activities, carried out against or otherwise affecting the health service in England;’ NHSBSA basis in law: Directions to NHS Trusts and Special Health Authorities in respect of Counter Fraud 2017: ‘2.(1) Each NHS body is directed to take such action as is reasonably necessary for the purpose of preventing, detecting or investigating fraud.’ |
X |
|
|
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) |
||
| 7 |
Article 9 condition – Special Categories of Personal Data The processing is deemed necessary for reasons of substantial public interest, on the basis of UK law and is proportionate to the aim pursued in terms of detecting fraud and preventing financial loss to the NHS, and ensuring NHS resources can be utilised for patient care. The processing respects the essence of the right to data protection through pseudonymisation and through this provides suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. |
|
| Conditions for processing special category data | Tick which one you are using | |
|
(a) Explicit consent: (the data subject has given explicit consent) |
||
|
(b) Vital interests: (to protect the vital interests of the data subject, who cannot give consent (life or death situations) |
||
|
(c) Legal claims or judicial acts: (the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity) |
||
|
(d) Reasons of substantial public interest (with a basis in law): (which shall be proportionate to the purpose and, respect the essence of the right to data protection) NHSCFA: ‘Schedule 1(6) of the DPA 2018 - (1)This condition is met if the processing— (a)is necessary for a purpose listed in sub-paragraph (2), and (b)is necessary for reasons of substantial public interest. (2)Those purposes are— (a)the exercise of a function conferred on a person by an enactment or rule of law; (b)the exercise of a function of the Crown, a Minister of the Crown or a government department.’ NHSCFA and NHSBSA: Schedule 1(10) of the Data Protection Act 2018 - |
x |
|
|
(e) Health or social care (with a basis in law): (preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services) |
||
|
(f) Public health (with a basis in law): (protecting against serious internal or cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices) |
||
|
(g) Archiving, research and statistics (with a basis in law): (archiving purposes in the public interest, scientific or historical research purposes or statistical purposes) |
||
Other: |
||
|
Please state (and indicate) below if you are processing data based on Schedule 1, Part 1, Data Protection Act 2018: N/A |
||
| 8 |
Individual rights and preferences |
|
|
Individual right |
Indicate how the right will be managed or why it is not applicable |
|
| The right to be informed |
NHSCFA: Given the data share will utilise encryption to remove all identifiable information it would not be possible to identify those individuals concerns nor undertake this step on an individual basis. However, NHSCFA outlines risks concerning dental contractor fraud within its Strategic Intelligence Assessment Dental contractor fraud | Strategic Intelligence Assessment (cfa.nhs.uk). https://www.nhsbsa.nhs.uk/our- policies/privacy/nhs-dental-services-privacy- notice Additionally, NHSCFA maintain a range of pages online that outlines our use of personal data and the basis for doing so. It provides an in-depth mechanism for informing patients, service users and any stakeholders about the activity NHSCFA provides, the basis under which it acts and the standards NHSCFA holds itself to in terms of managing records. More specifically to this data share the section within the NHSCFA privacy notice links to Who we work with | About | NHSCFA and cites the nature of the NHSBSA activity. This will be updated with the signed ISA once this agreement is finalised (see section 10 below). NHSCFA also have a mechanism for answering queries or concerns which is advertised on these pages. NHSBSA: NHS Dental Services privacy notice | NHSBSA -NHSBSA states that information may shared with NHSCFA for the purposes of preventing, detecting and investigating fraud and errors |
|
|
The right of access |
NHSCFA: NHSCFA maintain a centralised process for managing subject access requests in order for members of the public to receive, on request, the personal data NHSCFA holds. The data within this proposal would be included within the remit for such requests and thus would be considered for any requests, however it would be likely it would not be possible to respond to such requests due to it not being possible, without further information, to overcome the encryption that removes all identifiable information from the data, therefore it would not be possible to identify those individuals concerned and respond. NHSBSA: NHSBSA, as data controllers, will undertake any requests concerning the dental data. If such considerations were linked to NHSCFA processing, such responses would necessarily need to consider the likelihood would be likely to prejudice the proper discharge of any of these functions. This is covered within the NHSBSA dental data privacy notice and NHSBSA’s own mechanism for managing subject access requests. |
|
|
The right to rectification |
NHSCFA: Given the data share will utilise pseudonymisation to remove all identifiable information it would not be possible to identify those individuals concerned nor undertake any rectification. NHSBSA: NHSBSA, as data controllers, will undertake any requests concerning the dental data. If such considerations were linked to NHSCFA processing, such responses would necessarily need to consider the likelihood would be likely to prejudice the proper discharge of any of these functions. This is covered within the NHSBSA dental data privacy notice and NHSBSA’s own mechanism for managing subject access requests. |
|
|
The right to erasure |
NHSCFA: Given the data share will utilise encryption to remove all identifiable information it would not be possible to identify any individual concerned in a request and undertake erasure. Additionally in light of the counter fraud remit it would not be appropriate for data to be removed upon request as this could hide fraudulent behaviour. NHSBSA: NHSBSA, as data controllers, would thus need to undertake a response to any requests. This is covered within the NHSBSA dental data privacy notice. However, were NHSBSA to be subject to a request for deletion by a data subject who wishes their data deleted from that processed by NHSCFA for the purposes outlined, section 3b of Article 17 of the UK GDPR “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” would apply and be sufficient to deny this request. The basis for this refusal concern A) the prevention and detection of fraud within the NHS overwhelmingly supports the public interests and B) the defined function of NHSCFA as an official authority, supported the NHSCFA Establishment Order and the Secretary of State for Health Directions |
|
|
The right to restrict processing |
Were NHSBSA to be subject to a request by a data subject who wishes to restrict processing, this would need to be considered and, if necessary, discussions undertaken with NHSCFA. Where this applies to the rights of the data subject as per the Data Protection Act, it will be necessary for NHSBSA and NHSCFA to collectively determine a rationale to continue/restrict processing NHSCFA: Given the data share will utilise pseudonymisation to remove all identifiable information it would not be possible for NHSCFA to identify or modify any individual request and restrict or prevent processing. NHSBSA: NHSBSA, as data controllers with access to wider information (including that of data subjects), would thus need to undertake a response to any requests and consider the legal requirements and basis to refuse restriction, to erase or to refuse this restriction.in line with the DPA and wider legislation/guidance from the ICO. |
|
| The right to portability |
The UKGDPR Article 20 right to data portability only applies when:
And this is not relevant in the context of this datashare. |
|
| The right to object |
Given that none of this data concerns direct marketing, the absolute right to object does not apply. However, individuals have the right to object to the processing of their personal data at any time, even where a task is carried out in the public interest, in line with official authority and/or legitimate interest. ICO guidance regarding the Right to Object confirms that the applicant must give specific reasons why they are objecting. NHSCFA/NHSBSA would need to determine if they have compelling legitimate grounds which override the interests of the use in detecting/preventing fraud. If an individual cites that processing is causing them substantial damage or distress (e.g. the processing is causing them financial loss), the grounds for their objection will have more weight. This, however, is very unlikely. It would be necessary to document the considerations and outcomes and may also be possible to give assurance through the extent that NHSBSA/NHSCFA already partly comply with this request through use of the masking techniques |
|
|
Rights in relation to automated decision-making profiling |
This data will not be subjected to any form of artificial intelligence (AI). Any machine learning algorithms will be developed using NHSCFA’s own in-house expertise, with all processes and findings subjected to human oversight and review. However given that outlier detection through proactive bulk analysis might determine specific behaviours as being suspicious or believed to be fraudulent, and that such behaviours may directly or indirectly link to the treatment of patients, it is therefore necessary to identify that Article 22(4) of the UK GDPR principles, whilst providing an additional layer of protection for special category personal data (which includes healthcare data) identifies the exception for undertaking the processing described in Article 22(1) if one of the above exceptions applies where the processing is necessary for reasons of substantial public interest. This is consistent, therefore, with the basis for processing under public interest which has been cited elsewhere (i.e. protection of the public purse, prevention of fraud, safeguarding the NHS). |
|
|
Please state below how you will manage any complaints raised regarding the proposed data sharing: NHSCFA have a dedicated complaints management process that is supported by approved policy and procedure. This information is available online via the NHSCFA website and includes the full extent of the process and timeframe for management of complaints Making a Complaint | Corporate and information governance | NHS Counter Fraud Authority (cfa.nhs.uk) NHSBSA will handle complaints in line with the NHSBSA Complaints policy Does the National Data Opt-out apply to proposed purpose/s for data sharing? Y/N No – The national data opt-out does not apply to the disclosure of confidential patient information where there is an overriding public interest in the disclosure, i.e. the public interest in disclosing the data overrides the public interest in maintaining confidentiality as confirmed by the Guidance, or where the information is required by law. When does a national data opt-out not apply? - NHS England Digital |
||
| 9 |
Compliance with duty of confidentiality / right to privacy NHSCFA and NHSBSA already utilise an encryption process that was developed collaboratively between the NHSBSA and NHSCFA and is applied for the existing dental data sharing. It compiles a 15-digit numeric encrypted key from the patient data above into a single field (“Patient_key”) which remains constant and unique to each patient. Reversibility is only possible through the NHSBSA and their direct access to the source data/encryption key. The purpose of this process is to remove identifiable elements from the data processed by the NHSCFA prior to access. This process has the benefit of being able to link courses of treatment to distinct patients when the actual identification of the patient themselves is unnecessary. The NHSCFA assessment of this process is that, although the NHSBSA’s own activity can be considered the practice of pseudonymisation, it can be considered as effectively rendering the data anonymised for the purposes of NHSCFA access and use and thus bypasses risks associated with privacy and confidentiality. The rationale for this assessment is that,
The ICO have issued some guidance concerning anonymisation Anonymisation: managing data protection risk code of practice which state that different types of anonymised data have different vulnerabilities and pose different levels of re-identification risk. They therefore advise that the DPA does not require anonymisation to be completely risk free – organisations must be able to mitigate the risk of identification until it is remote. In particular they state “although it may not be possible to determine with absolute certainty that no individual will ever be identified as a result of the disclosure of anonymised data, this does not mean that personal data has been disclosed.” Accordingly, NHSCFA have applied the “motivated intruder” test and still do not believe that a wider risk is substantiated because the NHSCFA data would still be insufficient to reidentify patients. The guidance also identifies the difference in anonymisation risk that is associated with wide publication and submissions to a limited audience (as is the case for these proposals) and identifies that this further mitigates the risk. It is recognised the full extent of processing of this data share concerns the NHSBSA activities to mask the data, as well as the NHSCFA activities after receipt, so the appropriate considerations for processing the data are included in the DPIA, as well as the legal basis to undertake the process, whilst still recognising the anonymisation of data held by NHSCFA / These considerations are underscored by the DPIA that has been undertaken for the NHSCFA Dental Data Fraud Analysis and the wider one undertaken for the NHSCFA Data Analytics Platform. Finally, the guidance notes that the “in your hands” approach “only applies when disclosing information to an organisation who is not acting with as a joint controller or as a processor. This ISA identifies each party as independent controllers and thus this is not applicable in this context, nonetheless the context of the data controller or processor—including their access to other datasets, technical capabilities, and motivations—plays a critical role in determining whether data is truly anonymised and shall remain a key consideration for data usage and the extension of any additional data shares, overseen by the continued engagement between NHSCFA and NHSBSA to oversee this and all other data shares. Should data be reidentified through a subsequent request, or linkage, then the appropriate personal data legislation will apply. Is there any interference with Human Rights Article 8? No – see above. If yes, document why it is necessary to interfere with Human Rights and proportionate to do so: N/A |
|
| 10 |
Transparency The NHSBSA privacy statement confirms the basis for processing dental data and this specifically cites sharing data with NSHCFA for the purposes of detecting fraud, this information can be found here: NHS Dental Services privacy notice | NHSBSA NHSCFA maintain a range of pages online that outlines their use of personal data and provides an in-depth mechanism for informing patients, service users and any stakeholders about the activity NHSCFA provides, the basis under which it acts and the standards NHSCFA holds itself to in terms of managing records. Information hub | About the NHSCFA | NHS Counter Fraud Authority Within the above, NHSCFA have a privacy statement concerning their processing of data for the purposes of detecting and preventing fraud, which can be found here: https://cfa.nhs.uk/about- nhscfa/information-hub/terms-of-service/privacy Finally, to further support transparency, upon approval NHSCFA will add this Dental Data Sharing Agreement to the NHSCFA website. However, it would be necessary to redact the following information:
Names and contact details of NHSCFA/NHSBSA colleagues responsible for
managing the process or producing/approving these agreements. Information concerning the specifics of NHSCFA’s fraud detection efforts that may assist in evading detection Following agreement and approval of the data share, NHSCFA would need to take a position on the extent of transparency concerning the full granular extent of the data shared, as this might support evasion / detection by fraudsters Redacting this information would be in line with the ICO’s Data Sharing Code of Practice which supports redacting or withholding information if providing the information to the individual would render impossible or seriously impair the achievement of the objectives of the processing and the overarching law: DPA 2018 Schedule 2, Paragraph 2 which allows exemptions from certain UK GDPR rights (including transparency) if applying them would likely prejudice crime prevention or detection. UK GDPR – Article 23 which allows restriction of data subject rights (including transparency) for reasons such as Prevention, investigation, detection or prosecution of criminal offences and other important objectives of general public interest |
|
| 11 |
How will the data sharing be carried out? The purpose of this data share is to replace the incumbent process of producing static datasets with a dynamic form of data pipeline between NHSBSA and NHSCFA (the provision of static datasets may remain in place for a limited time, as an interim measure, whilst longer term arrangements are put in place concerning the extraction approach by NHSCFA). In this instance a pre-authorisation key allows access and extraction of static data sets from the NHSBSA environment (Oracle Secure Storage) by designated NHSCFA users. Regardless of whether static or dynamic, a similar model is used (the only change is frequency): NHSBSA create NHSCFA specific subsets of data will be stored in a separate container (environment) owned by NHSBSA. Using these tools NHSBSA can create a designated “view” of the secure environment. They would then process an NHSCFA extract of their dental data that meet the NHSCFA data requirements (as outlined in part 5 above) and undertake the data masking processes that anonymises the data NHSCFA will receive (see the DPIA). They will then grant access to nominated NHSCFA users who, using their designated permissions and associated security, can log in and access this data. The reason behind the separate container is to enable a purpose-specific pseudonym for the data, simplify security and enable easier clean up once the data is no longer required. The purpose-based environment will be populated by members of the NHSBSA dental team in conjunction with the datasets that have been agreed in this document. Updates to the data will be made available monthly. NHSBSA will thus query dental data within their dental database drawn from the Compass claims management system and the eDen dental database, extracting subsets of the data in line with this ISA and applying the pseudonymisation tool. This dataset will be made available in the secure environment (Microsoft Fabric), at which point it can be accessed and extracted by NHSCFA for use with their analytical tooling, Databricks (more information on these tools is provided within the DPIA accompanying this ISA) . NHSCFA will extract data, from the environment, in line with the purposes set out in this agreement, e.g. for purposes of supporting counter fraud activity. Following extract, and using analytical tools like Python, R and Alteryx, NHSCFA will create an analytical product from the data which will be used to derive outliers that can be indicative of fraud. Findings will be converted into either an intelligence product which will drive fraud prevention activity or used as the basis to form a separate explicit request for data to act as evidential data for the purposes of criminal investigations. Should NHSCFA wish to extract identifiable data following identification of outliers that may be indicative of fraud (for example to support commencement of a criminal investigation), an identifiable extract of the same data will be sought through wholly separate means through an entirely separate, specific and focussed data access request, subject to the specific investigative powers of the NHSCFA. This request and subsequent data share will be managed entirely separately from this agreement and the wider solutions outlined above. It is not the intention that NHSBSA will ever share the pseudo key. All NHSBSA data assets used for these activities will be stored within a secure environment on NHSCFA servers. The Data will not be transferred to any other location and will not be transferred outside the UK. |
|
| 12 |
Accuracy of the data being shared The nature of the planned processing concerns identification of anomalies, through which outliers which could be indicative of fraud can be detected. As such, it would not be appropriate to perform any form of validation or data cleansing for risk of removing indicators of fraud. Nonetheless, NHSCFA maintains strong relations with the NHSBSA Dental Data team, and this provides a basis for domain expertise to support understanding of individual fields and their content, as well as any basis to consider issues of accuracy. |
|
| 13 |
Rectification of data that has been shared The nature of the planned processing concerns identification of anomalies, through which outliers which could be indicative of fraud can be detected. As such, it would not be appropriate to perform any form of validation or data cleansing for risk of removing indicators of fraud to the data itself. |
|
| 14 |
Retention and disposal requirements for the information to be shared - including details of the return of information to the source organisations (if applicable) Information shall be retained in accordance with the NHSCFA’s records retention and disposal schedule and the underlying IG policies that concern NHSCFA data usage. The overriding principle is that data shall not be retained for longer than is necessary to fulfil the specified purpose of the exercise. Although this data share does not concern personally identifiable data, in line with the principles of this policy and the wider requirement to store data only as long as necessary, NHSCFA will - as part of its exploratory analysis – determine the extent that data will no longer be necessary for it to complete the purposes outlined in section 2. Additionally, as this design of this data share concerns dynamic data, it would be expected that updates of data be replaced as part of a rolling process of update. In most cases, this will be provision of new data but there may be circumstances where there is instability to the historical data (for example, if old data is subsequently updated from previous months) that necessitate longer retention. In these circumstances NHSCFA would need to either take a longer snapshot of data in each update (to ensure the new data is captured) or find a way to append the old/new data as a) the fact there are changes could be a fraud indicator in and of itself and b) changes to the data will necessitate adapting the models to accommodate them. In line with the NHSCFA Information Governance Policy, NHSCFA maintains a retention schedule which details a timeframe for storage and deletion of all information assets and this is enacted as necessary for individual data sources. There is no intention to return any data to the source organisation (NHSBSA), however the continued collaborative approach between NHSCFA and NHSBSA will necessitate sharing methodologies and results to determine their veracity and determine appropriate next steps in terms of conjoined activity. This might extend to findings of wider loss that are unrelated to fraud but remain aligned with the remit of NHSBSA in preventing error/loss. |
|
| 15 |
Breach management Given the pseudonymisation process that is detailed above removes any personal data this risk is assessed to be LOW. Nonetheless, the confidentiality and security of all data concerned with this data share will be respected as part of the NHSCFA conformance with its own policies, the following of which would apply:
NHCFA maintains full compliance with all statutory and regulatory requirements for the data it stores and utilises, including certification with ISO-27001 Information Security Code of Practice (ISO/IEC 27001:2022 was awarded in Oct 2024). All constraints on the exchange of information will be fully respected, including the requirements of the General Data Protection Regulation 2016, the Data Protection Act 2018, the Freedom of Information Act 2000 and the Human Rights Act 1998 |
|
| 16 |
Specify any particular obligation on any party to this agreement NHSCFA has been given the express function of the prevention, detection and investigation of fraud, corruption and unlawful activities against or affecting the health service in England. NHS bodies including Special Health Authorities (such as NHSBSA) are directed to cooperate with the NHSCFA and to enable the NHSCFA to efficiently and effectively carry out its functions as specified in paragraph 3(1)) of the NHS Counter Fraud Authority and supplemental directions 2017. This is further substantiated in the in NHS Secretary for State Directions 2017 which provides a mandate to all NHS organisations, special health authorities and arms lengths bodies in terms of data sharing in pursuit of counter fraud detection. |
|
| 17 |
Contacts – Information Governance and Caldicott Guardian |
|
| 18 |
Commencement of agreement This agreement will come into force on 1st August 2025 |
|
| 19 |
Review of agreement In line with the timeframe outlined in section 20 below, this ISA will be reviewed by the Data Acquisition Manager (or an individual nominated in his stead) in liaison with the above parties, and in conjunction with input from the NHSFA/NHSBSA oversight meeting and in accordance with the stipulations of sections 20, 21 and 22. |
|
| 20 |
Review period This ISA will be reviewed annually, with the opportunity for revision and amendment. However, as part of the ongoing collaboration the NHSBSA and NHSCFA will meet regularly to discuss the ongoing data requirements, their utilisation and the – this may prompt earlier review, and this ISA can be refined dynamically to ensure both parties make the most of the insights gained and assure the continuing justification and proportionality of the data shared and appropriateness of this data share. |
|
| 21 |
Variation This ISA could be revisited on the request of either party in terms of updating or amending the data concerned and, should any of the wider stipulation of this ISA change, this document would need redrafting and ratification prior to implementing said changes in the data sharing itself. |
|
| 22 |
Ending the agreement This ISA could be ended by either participant through formal notification to the parties outlined in section 17 |
|
| 23 |
End date This agreement will be considered indefinite unless subject to the stipulations identified in section 20, 21, and 22 which might change or end data sharing arrangements in this capacity |
|
Was this page helpful?
Help us improve cfa.nhs.uk
Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.