Help us help the frontline

Advice to protect NHS staff and the public from scams related to the COVID-19 vaccination

Published: 22 January 2021

Image of member of the public being injected with Covid 19 vaccination



Government policy places a strong emphasis on the need to share information across organisational and professional boundaries, in order to ensure the effective co-ordination and integration of services.

The Government has also emphasised the importance of security and confidentiality in relation to personal information, strengthening legislation and guidance in this area, building upon the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

It is important that the NHS Counter Fraud Authority (NHSCFA) protects and safeguards person-identifiable information that it gathers, creates, processes or discloses, so that it complies with the law and any other mandatory requirements applicable to NHS organisations and in doing so provide assurance to the public and its stakeholders.

All employees working in the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. This is not just a requirement of their contractual or professional regulatory responsibilities, but is also a requirement within the common law duty of confidence and data protection legislation.

This policy sets out the requirements placed on all NHSCFA staff when sharing personal information amongst NHS organisations or between other bodies.

The Information Commissioner’s Data Sharing Code of Practice states that: ‘under the right circumstances and for the right reasons, data sharing across and between organisations can play a crucial role in providing a better, more efficient service to customers in a range of sectors - both public and private. But citizens and consumers’ rights under the Data Protection Act must be respected. Organisations that don’t understand what can and cannot be done legally are as likely to disadvantage their clients through excessive caution as they are by carelessness’.

The Caldicott Review “To share or not to share” states that ‘The duty to share information can be as important as the duty to protect patient confidentiality’. Those who work in a health and social care environment should, where appropriate, have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employer, regulator and professional bodies.

Information can relate to patients, staff (including temporary staff), members of the public, or any other identifiable individual, however stored. Information may be held electronically (laptops, tablets, mobile phones, digital cameras), on paper, storage media (CD/DVD, memory sticks), or even by word of mouth.

What constitutes person-identifiable information?

Person-identifiable information is anything that contains the means to identify a person, e.g. name, address, date of birth, NHS number etc. either directly or indirectly. Such information should not be stored on removable or mobile media unless it is appropriately encrypted and approved by Information Security Systems team and/or advice sought from the Information Governance Team.

What constitutes confidential information?

Confidential information within the NHS is often commonly thought of as health information; however, it can also include any information that is private and not publicly known information that an individual would expect not to be shared.


All staff working in or on behalf of the NHSCFA fall within the scope of this policy, including all permanent employees, contractors, interns, temporary staff and those working for NHSCFA on secondment.

Purpose of this policy

The purpose of this policy is to provide a framework for NHSCFA and those working on its behalf to:

  • consider the controls needed for information sharing,
  • ensure expected standards are met; and
  • establish a mechanism for the exchange of information between NHSCFA and the participating organisation in question.

Information Sharing

Information sharing in the context of this policy relates to the disclosure of personal information between NHSCFA and the other participating organisation(s). Information sharing may take the form of:

  • a reciprocal exchange of data
  • organisations pooling information and making it available to one another
  • organisations pooling information and making it available to a third party
  • exceptional, one-off disclosures of data in an unexpected or emergency situation.

Sharing non-personal information with other organisations - Key information may be shared with another organisation to: facilitate the commissioning of services; manage and plan future services; assure and improve the quality of care and treatment; comply with statutory obligations & requests; and/or to audit performance.

Sharing personal information with other organisations - Where necessary and proportionate, personal information may be shared with other organisations to: investigate complaints or pursue/defend potential legal claims; the prevention, detection and investigation of offences; protect vulnerable persons at risk or to assess the probity of service delivery and treatment.

This policy covers two main types of information sharing:

  • ‘systematic’, routine information sharing where the same or similar data sets are shared between the same organisations for an established purpose; and
  • ‘ad hoc’, time restricted, one-off decisions to share information for any range of purposes.

Different approaches apply to these two types of information sharing and this policy reflects this. Some of the good practice recommendations that are relevant to systematic, routine information sharing are not applicable to one-off decisions to share.

‘Systematic’ information sharing - This will generally involve routine sharing of data sets between organisations for an agreed purpose. It could also involve a group of organisations making an arrangement to ‘pool’ their data for specific purposes and will be governed by established rules and procedures.

‘Ad hoc/ one-off’ information sharing - The majority if not most information sharing, takes place in a documented, pre-planned and routine way (as above). However, there may be occasions when business units/staff may be asked or decide to share information in situations which are not covered by any formal agreement. All adhoc or one-off sharing decisions must be carefully considered and documented.

When deciding whether to enter into an arrangement to share personal data (either as a provider, recipient or both), it is important to consider what the sharing is intended to achieve. Having clear objectives will help identify the following:

  • Could the objective be achieved without sharing the data or by anonymising it? If so, it would not be appropriate to use personal data where the objective could be achieved using non-personal information.
  • What information needs to be shared? If the objective cannot be achieved without the sharing of personal data, then only the minimum required to achieve the objective will be shared (see the third Caldicott Principle).
  • Who requires access to the shared personal data? Only those individuals requiring access to the data to do their job should have access.
  • When should it be shared? All sharing of data should be accurately documented within a defined set of agreed parameters.
  • How should it be shared? There should be an agreed process for the secure transmission, receipt, access and retention of the data.
  • How do you check the sharing is achieving its objectives? Evaluate whether sharing is still appropriate and confirm any safeguards that are in place still match the corresponding risks.
  • How are individuals made aware of the information sharing? Consider what information is provided to individuals concerned. Where applicable (subject to any relevant exemptions) this needs to be made clear in privacy notices.
  • Are there any risk(s) to the individual and/or the organisation through sharing the data? Is any individual likely to be damaged by it and where applicable, are they likely to object? Could it undermine the individual’s trust in the organisations that hold records about them?

It is good practice to document all decisions and reasoning related to the information sharing. If there is any doubt about whether it is appropriate to share information advice should be sought from the Information Governance team.

In all instances where there is a requirement to share information staff must ensure that:

  • sharing complies with the law, available guidance and best practice
  • only the minimum information necessary for the purpose will be shared
  • individual rights will be respected, particularly in relation to confidentiality and security of their information
  • confidentiality must be respected unless there is an overriding public interest or a legal justification for disclosure
  • periodic reviews of information sharing agreements must be undertaken to ensure that it meets the required objectives/purpose and is still fulfilling its aims.

Information Sharing Agreements

Information sharing agreements set out a common set of rules to be adopted by the organisations involved to facilitate the sharing of information. As part of best practice, all NHSCFA data sharing agreements will be regularly reviewed particularly where information is to be shared on a large scale, or on a regular basis.

An information sharing agreement should as a minimum, document the following:

  • the purpose or purposes, of the sharing
  • the data to be shared
  • the legal basis for sharing
  • the potential recipients and the circumstances in which they will have access
  • who the data controller(s) is, any data processor(s) and the data to be shared
  • data quality - accuracy, relevance, usability
  • data security
  • the retention of shared data
  • individual rights - procedure for dealing with access requests, queries or complaints;
  • review effectiveness/termination of the sharing agreement and any particular obligations on the parties to the agreement, giving an assurance around the standards expected
  • awareness of sanctions for failure to comply with the agreement or breaches by individual staff.

The Data Security and Protection Toolkit (mandatory for NHS organisations) – makes clear that when confidential personal information that can identify an individual is shared, both the disclosing and receiving organisations should have procedures that meet the requirements of law and guidance and make clear to staff the appropriate working practices. In some circumstances these procedures (and the law and guidance on which they are based) should be set out within an agreed information sharing agreement or protocol.

Where it is decided that a formal Information Sharing Agreement is required between the NHSCFA and a participating organisation, a template agreement can be obtained from the Information Governance Team, following the process outline below.

The process

The business unit will identify the area where an information sharing agreement is required and provide all of the relevant contact details to the Information Governance (IG) Team.

Requests for the disclosure of information received from a regulatory body under their regulatory or statutory powers do not fall within the scope of this policy.

The IG team will provide a template agreement to the business unit, to establish the purpose of the agreement, the data to be shared with the third party/parties and its scope; completing the relevant section(s) of the template and return it to the IG team.

The IG team will circulate the completed draft to NHSCFA internal stakeholders and the Leadership Team for contribution to the agreement, where appropriate.

The IG team will then establish dialogue with the third party contact to agree and finalise the propose agreement.

Dialogue is maintained throughout the process with the third party to agree a final draft, which will be circulated to the Leadership Team for comment.

The final draft will then be sent to the Senior Management Team for authorisation.

Once authorised, the Information Sharing Agreement will be published where appropriate to do so.

Data Protection Impact Assessment (DPIA)

Before entering into any data sharing arrangement a DPIA should be undertaken. This will help to assess the benefits that the information sharing might bring to the participating organisations and/or more widely to individuals or society. It will also help to assess any risks or potential negative effects, such as an erosion of personal privacy or the likelihood of damage, distress or embarrassment being caused to data subjects.

As well as any potential harm to individuals, staff should consider the potential harm to the organisation’s reputation which may arise if information is shared inappropriately, or not shared appropriately.

Any new information assets or data flows that arise out of a new project or procurement where NHSCFA is the data controller or receives personal, confidential, sensitive or business sensitive information will need to be recorded as part of the NHSCFA’s wider Information Asset Register.

Further information on DPIAs can be obtained from the IG team.

Further advice

With information sharing there will always be exceptional and difficult circumstances where advice may be needed. The organisation’s Information Governance Lead and/or Caldicott Guardians should be consulted where there are any concerns about whether a proposed information sharing is appropriate.

You should contact the IG team about any exceptional needs or requests for information sharing or decisions that may require input from the Caldicott Guardians.


This document will be made available to all staff via NHSCFA’s Go2 intranet site.


Compliance with this policy and the process outlined in this document will be monitored via the Finance and Corporate Governance Unit. The Information Governance Lead will be responsible for the annual review and updating of this document.

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!