- Purpose and aims
- Information Sharing
- Data items
- Legal basis for sharing
- Data Security
- Access and Individuals rights
- Information Governance
The parties to this information sharing agreement are:
(1) General Medical Council
Regent’s Place, 350 Euston Road, London NW1 3JN
(2) NHS Counter Fraud Authority
7th Floor, HM Government Hub, 10 South Colonnade, Canary Wharf, London E14 4PU; and
(3) NHS Counter Fraud Services (NHS Wales)
First Floor Block B, Mamhilad House, Mamhilad Park Estate, Pontypool, NP4 0YP
Purpose and aims
The purpose of this Information Sharing Agreement (ISA) is to set out the framework for information sharing between the NHS Counter Fraud Authority (NHSCFA) and the General Medical Council (GMC). It sets down the principles underpinning the interaction between the parties and provides guidance on the exchange of information between them.
This ISA does not override the statutory responsibilities and functions of NHSCFA and the GMC and is not enforceable in law. However, NHSCFA and the GMC are committed to working in ways that are consistent with the content of this ISA.
The aims of this ISA are to ensure information is legally and appropriately shared in order to assist the parties to fulfil their statutory functions. In particular to:
- ensure the sharing of information is carried out between the parties in an accurate, adequate, timely and lawful manner;
- promote co-operation between the GMC and the NHSCFA in the conduct of their respective statutory duties;
- facilitate the effective and efficient sharing of information to assist the GMC to protect the public and promote public confidence in the medical profession;
- assist the NHSCFA with information gathering to safeguard NHS resources by assisting with the prevention and detection of fraud and other unlawful activities committed by those working in the NHS.
Remit of the NHS Counter Fraud Authority
NHSCFA is an independent Special Health Authority. NHSCFA leads on work to identify and tackle fraud across the NHS. Its purpose is to safeguard NHS resources so that the NHS is better equipped to care for the nation’s health, providing support, guidance and direction to the NHS. This work enables effective prevention, detection and enforcement action to take place against fraud and fraudulent activity. NHSCFA also collects, collates and analyses information that holds intelligence value, which in turn broadens the understanding of fraud risks in the NHS.
NHSCFA has duties and enforcement powers under the NHS Act 2006, the Health and Social Care Act 2012, and the NHS Counter Fraud Authority (Establishment, Constitution and Staff and other Transfer Provisions) Order 2017, issued by the Secretary of State for Health. NHSCFA is responsible for:
- leading on work to protect NHS staff, patients and resources from fraud, bribery and corruption, educating and informing those who work for, who are contracted to, or who use the NHS about fraud in the health service and how to tackle it;
- preventing and deterring fraud in the NHS by reducing it and removing opportunities for it to occur or to re-occur; and
- holding to account those who have committed fraud against the NHS by detecting and prosecuting offenders and seeking redress where viable.
NHS England (NHSE) follows the NHS Counter Fraud Authority strategy when undertaking its own work to tackle fraud.
Officers working for NHSE must report any suspicions of economic crime to the NHS Counter Fraud Authority as soon as they become aware of them to ensure they are investigated properly and maximise the chances of financial recovery.
The majority of allegations of economic crime will be investigated by Local Counter Fraud Specialists appointed to provide counter fraud services on behalf of NHSE.
The NHS Counter Fraud Authority will work co-operatively with NHSE Local Counter Fraud Specialists to ensure work is conducted to prevent, deter and detect fraud within and against NHSE.
The NHS Counter Fraud Authority will investigate cases of fraud that cannot be dealt with by NHSE, including cases of bribery and corruption.
Remit of the General Medical Council
The GMC is an independent organisation that helps to protect patients and improve medical education and practice across the UK. The GMC’s powers and statutory functions are derived from the Medical Act 1983. Its role includes:
- Deciding which doctors are qualified to work in the UK and overseeing UK medical education and training.
- Setting the standards that doctors need to follow, and ensuring that they continue to meet these standards throughout their careers.
- Taking action to prevent a doctor from putting the safety of patients, or the public's confidence in doctors, at risk.
- Managing the UK medical register: to practise medicine in the UK, doctors must be registered with the GMC and hold a licence to practise.
Single point of contact
The named contacts with responsibility for this ISA are named in Appendix 1. The points of contact will liaise as required to ensure this ISA is kept up to date; identify any emerging issues in the working relationship between the two organisations; and resolve any questions that arise as to the interpretation of this ISA. The points of contact can nominate an appropriate alternative point of contact for day-to-day communication and/or joint working but must communicate this to the other organisation.
Where either the GMC or NHSCFA becomes aware of matters that appear to fall within the remit of the other organisation, it will, at the earliest opportunity, convey the concerns and relevant supporting information to the other organisation’s point of contact in accordance with this ISA.
Where the parties encounter concerns which come under the sharing remit of this ISA, in the interests of patient safety and protection of the public, the referring organisation will not wait until its own review or investigation has concluded before conveying the concerns.
Fraud and Corruption
Where NHSCFA receives information indicating, or pursues an investigation into, the involvement of a medical practitioner in fraud or corruption, it will inform the GMC as soon as practicable. The GMC will then be able to consider the matter under its fitness to practise process and decide whether any further investigation needs to be carried out.
Where NHSCFA becomes aware of allegations or evidence that an individual may be posing fraudulently as a medical practitioner, either through a stolen identity, fraudulently acquired registration or through falsified qualifications, NHSCFA will immediately contact the GMC via the single point of contact. In these cases, the primary concern for both parties will be patient safety. The GMC will take whatever action is appropriate in the interests of protecting the public.
Where the GMC receives information or investigates the actions of a medical practitioner which relates to allegations concerning fraud, corruption or theft in the NHS, it will share that information with NHSCFA.
Fitness to practise
Where NHSCFA receives information relating to allegations that call into question the fitness to practise of a medical practitioner, it will share that information with the GMC. Fitness to practise includes the conduct, performance or health of a medical practitioner.
Allegations of criminality
In cases where there are other allegations of criminality, the GMC will disclose relevant information and documentation to NHSCFA where such allegations relate to fraud or corruption.
Where a case has resulted in a criminal prosecution, NHSCFA will share details of the case with the GMC.
In cases where an investigation has concluded that there was no criminal activity, but indicates there may be concerns about the fitness to practise of a GMC registrant, the NHSCFA will pass relevant information to the GMC to enable it to decide on the seriousness of the allegations and whether they should be referred under its fitness to practise process.
Decisions to disclose
In cases where the GMC is in doubt as to whether information should be disclosed to NHSCFA, they will make contact with the point of contact specified in Appendix 1 in order to discuss the matter. Any discussions at this stage will be anonymised.
In cases where NHSCFA is in doubt as to whether a case should be disclosed to the GMC, they will make contact with the point of contact specified in Appendix 1 in order to discuss the matter. Any discussions at this stage will be anonymised.
When information is disclosed by either party, there will be a discussion in advance about the timing of any action, including onward disclosure. Each party will consider any request to delay action which may compromise the other’s action, recognising that each party has a responsibility to make decisions in the public interest.
If either party shares information under the provisions of this ISA it will provide the other with the necessary information and documentation to permit the other party to investigate, and provide ongoing assistance by providing any additional relevant information and documentation that may reasonably be requested by the other organisation.
Where cases have been identified as of mutual interest to NHSCFA and the GMC both parties will endeavour to keep each other informed of findings, actions and updates.
There may be occasions when the parties need to undertake concurrent investigations. When this occurs both parties will take steps to ensure that they do not undermine the progress and/or success of each other’s investigation. This may include allowing criminal investigations to take place as a priority.
Where there is an issue of mutual interest to the parties, the parties will work together to support an anti-fraud culture within the medical profession and the wider health service.
Data items
The parties agree to abide by the Data Sharing Code of Practice produced by the Information Commissioner’s Office, and recognise their respective responsibilities as public bodies under the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and the Freedom of Information Act 2000 (FOIA).
The GDPR defines the following classes of information relevant to this ISA: ‘personal data’, ‘special categories of personal data’ and ‘personal data relating to criminal convictions and offences’.
Personal data is defined as “any information relating to an identified or identifiable natural person; an identifiable natural person (data subject) is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The obtaining, handling, use and disclosure of personal data is principally governed by the GDPR, the DPA, Article 8 of the European Convention on Human Rights (given effect in UK law by the Human Rights Act 1998), and the common law duty of confidentiality.
The law imposes obligations and restrictions on the way personal data is processed, and the data subject has the right to know who holds their data and how such data will be processed, including how such data will be shared.
Special Category Data
Certain types of data are referred to as ‘special categories of personal data’ (previously ‘sensitive personal data’). Under Article 9 of the GDPR these are data which relate to the data subject’s:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where processed to uniquely identify a person);
- health;
- sex life or sexual orientation.
Additional and more stringent obligations and restrictions apply whenever sensitive personal data is processed.
Data Relating to Criminal Convictions and Offences
There are separate safeguards for personal data relating to criminal convictions and offences, set out in Article 10 of the GDPR. To process personal data regarding convictions or offences there must be a lawful basis under Article 6 of the GDPR and, under Article 10, the processing must either be carried out under the control of official authority or be authorised by domestic law providing appropriate safeguards (in the UK, the conditions in Schedule 1 of the DPA).
Part 3 of the Data Protection Act 2018 sets out a separate regime for the processing of personal data by competent authorities for criminal law enforcement purposes.
Legal basis for sharing
The parties are to ensure that the disclosure, access, storage and processing of shared information is accurate, necessary, secure, legal and ethical, taking into account relevant legislation and approved guidance where applicable, including:
- NHS Act 2006;
- General Data Protection Regulation;
- Access to Health Records Act 1990;
- Human Rights Act 1998;
- Freedom of Information Act 2000;
- Data Protection Act 2018;
- Medical Act 1983.
Information shared between the parties will only be used for their respective statutory purposes; data exchanges will be managed by observing the methods and guidelines outlined in this ISA.
When the parties share information they do so in order to perform their respective statutory functions. Each party is solely responsible for determining their legal basis for sharing.
NHSCFA statutory function of identifying and tackling fraud across the NHS
The statutory duties and powers of the NHSCFA are set out in the NHS Counter Fraud Authority (Establishment, Constitution and Staff and Other Transfer Provisions) Order 2017. NHSCFA has further duties under the NHS Act 2006 and the Health and Social Care Act 2012.
Operational work undertaken by NHSCFA is carried out under Article 6(1)(e), Article 9(2)(f) and/or (g) and Article 10 of the GDPR and Part 3 and Schedule 2 Part 1 of the DPA, for the prevention and detection of crime; under Part 10 of the NHS Act 2006, for the protection of the NHS from fraud and other unlawful activities; and in accordance with the powers contained in Part 4 of the NHS Counter Fraud Authority (Establishment, Constitution and Staff and Other Transfer Provisions) Order 2017 and such directions as the Secretary of State for Health may give.
GMC statutory function in relation to fitness to practise
The GMC will share personal data with NHSCFA under this ISA when the conditions set out in Article 6(1)(e) of the GDPR are met. The GMC will share special category data and personal data relating to criminal convictions and offences when one of the additional conditions set out in Part 2 and/or 3 of Schedule 1 of the DPA is met.
The statutory duties and powers of the GMC are set out in the Medical Act 1983.
The GMC and NHSCFA are registered with the Information Commissioner’s Office on the Data Protection Register:
Data Security
As data controllers the parties are expected to treat all information in accordance with the GDPR and the DPA and to ensure that security sufficient to protect the information from unauthorised access is in place. This ranges from physical security, such as adhering to organisational clear desk policies and adequately protecting premises when unattended, through to IT-related security such as passwords, secure IDs and secure servers.
It is understood that the parties may have differing security needs; however, it is important that all reasonable steps are taken to ensure information is kept secure at all times. Each party is expected to comply with its own Information Security Policy and operating procedures and to make staff aware of their obligations in this respect.
Each party’s point of contact will ensure that their staff know, understand and will maintain the confidentiality, where appropriate, and security of the information and will ensure that anyone involved with the processing of the information is aware of the penalties of wrongful disclosure.
Because of the sensitive nature of the operational work carried out by the parties, much of the information they hold is classified under the central government security classification scheme as ‘Official’ or ‘Official-Sensitive’. NHSCFA therefore uses the Public Services Network (PSN) in its operations and in so doing complies with the standard requirements in the code of conduct for Government Connect.
The parties must take appropriate technical and organisational measures against unauthorised or unlawful accessing or processing of information. The parties agree to take steps to prevent accidental loss, destruction or damage of information. This will include:
- appropriate technological security measures, having regard to the state of technology available and the cost of implementing such technology, and the nature of the information being protected;
- secure physical storage and management of non-electronic information;
- password protected computer systems;
- system access control;
- ensuring information is only held for as long as is necessary, in line with data protection obligations; and
- appropriate security on external routes into the organisation, for example internet firewalls and secure dial-in facilities.
Access to the information will be restricted to those staff with a justified business need. Access will be controlled by authenticated, restricted-access accounts and will be capable of audit. The means of access to the information (such as passwords) will be kept secure.
When the parties share information electronically, it will be in a mutually compatible IT format and shared in a secure method.
Where the data to be transferred includes special category data or personal data relating to criminal convictions and offences, one of the following secure methods of transmission will be used:
- encrypted email or file transfer;
- a secure electronic portal;
- encrypted portable media;
- Royal Mail Special Delivery or a contracted courier.
Access and Individuals rights
Freedom of Information requests
The parties are subject to the Freedom of Information Act 2000 (FOIA). Information relating to NHS business processed by the parties is essentially public sector information; it may therefore be subject to Freedom of Information requests, but only through the parties’ own Freedom of Information processes.
The FOIA provides individuals with a statutory right to access information held by public authorities. Members of the public have a right to be told whether information is held by a public body, and a right to have that information communicated to them, although these rights are subject to certain exemptions. This is called a Freedom of Information Request.
Requests must be put in writing. Where both parties to this ISA hold the information requested, the organisation that originally held the data will have the responsibility to respond under the terms of FOIA.
Requests will be considered by the organisation and a decision will be made as to the legality and appropriateness of information disclosure. Any release of information will be in accordance with the law.
Subject Access Requests
The parties are also subject to the GDPR and the DPA, which provide individuals with a statutory right of access (subject to certain exemptions) whereby data subjects can ask to see the information that is held about them (personal data). This is called a Data Subject Access Request or the Right of Access.
Where both parties to this ISA hold the personal data requested, the organisation that originally held the data will have the responsibility to respond under the terms of the DPA and/or GDPR.
Requests will be considered by the organisation and a decision will be made as to the legality and appropriateness of information disclosure. Any release of information will be in accordance with the law.
Complaints regarding data
Complaints from data subjects about personal or sensitive information held by the parties must be made in writing to the person or organisation originally holding the information, detailing the reasons for the complaint. Complaints will then be responded to by the organisation following their official complaints process.
Information Governance
Each party will maintain an information sharing log in respect of the ISA. The log will contain:
- a record of information disclosed to the other party;
- the justification of decisions to disclose or not to disclose;
- a record of any referral made and its outcome;
- an access list recording the authorising officer;
- notes of meetings between the parties;
- a record of any review of the ISA.
The parties may be required to provide copies of any audits conducted during the period of the ISA, including any audit arrangements or implementation plans.
Ensuring data quality
The party disclosing data shall ensure that shared data is accurate. Where either party becomes aware of inaccuracies in shared data, they will inform the other party immediately.
Retention of shared data
Each party shall continue to retain information in accordance with their individual retention and disposal schedules.
In the absence of a records retention and disposal schedule, or a statutory retention period, the information shall not be retained for longer than is necessary to fulfil the agreed purposes in this ISA.
The GMC publishes its retention / records management policy at https://www.gmc-uk.org/-/media/documents/gmc-records-retention-and-disposal-policy-v1_3_pdf-74564751.pdf
The NHSCFA Data Retention and Records Management Policy is published on the website:
Under the GDPR, controller means any ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’ All data controllers are required to comply with the GDPR when they process personal data.
Under the framework of this ISA, the parties are each data controllers in their own right. The GMC is the data controller in respect of the information it holds, and likewise NHSCFA is the data controller in respect of the information it holds. It is not the intention of either organisation that they will act as joint data controllers of any shared data at any time. When sharing information each organisation will retain distinct legal responsibility for the handling of information that it acquires for the purpose of its statutory functions.
Each party is responsible for providing privacy information to data subjects describing the information that may be used for the purposes outlined in this ISA and their information rights.
The parties agree to report promptly breaches of any of the terms of this ISA to the point of contact in Appendix 1 especially breaches of the security of personal data.
Any dispute between the parties will normally be resolved at an operational level. If this is not possible, it may be referred to a Senior Manager who will try to resolve the issues within 14 days of the matter being referred to them.
Unresolved disputes may be referred upwards through those responsible for operating this ISA up to and including the Chief Executive Officer or Managing Director (or equivalent), who will be jointly responsible for ensuring a mutually satisfactory resolution.
This ISA shall commence on the date of its signature by the parties and will remain in effect unless it is terminated, re-negotiated or superseded by a revised document.
At the end of one year following the commencement of this ISA, it will be formally reviewed by the parties, and will be reviewed again every 12 months. Each annual review will, where required:
- report on actions arising from the operation of this ISA within the preceding 12 months;
- consider whether this ISA is still useful and fit for purpose, and make amendments where necessary;
- refresh operational protocols where necessary;
- identify areas for future development of the working arrangements; and
- ensure the contact information for each organisation is accurate and up to date.
Either party may terminate or re-negotiate this ISA at any time upon giving the other party one month’s notice in writing of its intention to do so.
Each party shall consider whether any data received under this ISA should be returned to the originating party or destroyed in the following circumstances:
- on termination of this ISA;
- on expiry of the term (unless extended further to the terms of this ISA);
- once processing of the shared Personal Data is no longer necessary for the purposes it was originally shared for.