Government policy places a strong emphasis on the need to share information across organisational and professional boundaries, in order to ensure the effective co-ordination and integration of services.
The Government has also emphasised the importance of security and confidentiality in relation to personal information, strengthening legislation and guidance in this area, building upon the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
It is important that the NHS Counter Fraud Authority (NHSCFA) protects and safeguards person-identifiable information that it gathers, creates, processes or discloses, so that it complies with the law and any other mandatory requirements applicable to NHS organisations and, in doing so, provides assurance to the public and its stakeholders.
All employees working in the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their work. This is not just a requirement of their contractual or professional regulatory responsibilities, but is also a requirement within the common law duty of confidence and data protection legislation.
This policy sets out the requirements placed on all NHSCFA staff when sharing personal information amongst NHS organisations or between other bodies.
The Information Commissioner’s Data Sharing Code of Practice states that: ‘under the right circumstances and for the right reasons, data sharing across and between organisations can play a crucial role in providing a better, more efficient service to customers in a range of sectors - both public and private. But citizens and consumers’ rights under the Data Protection Act must be respected. Organisations that don’t understand what can and cannot be done legally are as likely to disadvantage their clients through excessive caution as they are by carelessness’.
The Caldicott Review “To share or not to share” states that ‘The duty to share information can be as important as the duty to protect patient confidentiality’. Those who work in a health and social care environment should, where appropriate, have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employer, regulator and professional bodies.
Information can relate to patients, staff (including temporary staff), members of the public, or any other identifiable individual, however stored. Information may be held electronically (laptops, tablets, mobile phones, digital cameras), on paper, storage media (CD/DVD, memory sticks), or even by word of mouth.
Person-identifiable information is anything that contains the means to identify a person, either directly or indirectly, e.g. name, address, date of birth, NHS number etc. Such information should not be stored on removable or mobile media unless it is appropriately encrypted and approved by the Information Security Systems team and/or advice has been sought from the Information Governance Team.
Confidential information within the NHS is commonly thought of as health information; however, it can also include any information that is private and not publicly known, or that an individual would expect not to be shared.
All staff working in or on behalf of the NHSCFA fall within the scope of this policy, including all permanent employees, contractors, interns, temporary staff and those working for NHSCFA on secondment.
The purpose of this policy is to provide a framework for NHSCFA and those working on its behalf to:
Information sharing in the context of this policy relates to the disclosure of personal information between NHSCFA and the other participating organisation(s). Information sharing may take the form of:
Sharing non-personal information with other organisations - Key information may be shared with another organisation to: facilitate the commissioning of services; manage and plan future services; assure and improve the quality of care and treatment; comply with statutory obligations & requests; and/or to audit performance.
Sharing personal information with other organisations - Where necessary and proportionate, personal information may be shared with other organisations to: investigate complaints or pursue/defend potential legal claims; prevent, detect and investigate offences; protect vulnerable persons at risk; or assess the probity of service delivery and treatment.
This policy covers two main types of information sharing:
Different approaches apply to these two types of information sharing and this policy reflects this. Some of the good practice recommendations that are relevant to systematic, routine information sharing are not applicable to one-off decisions to share.
‘Systematic’ information sharing - This will generally involve routine sharing of data sets between organisations for an agreed purpose. It could also involve a group of organisations making an arrangement to ‘pool’ their data for specific purposes and will be governed by established rules and procedures.
‘Ad hoc/one-off’ information sharing - The majority, if not most, of information sharing takes place in a documented, pre-planned and routine way (as above). However, there may be occasions when business units/staff may be asked or decide to share information in situations which are not covered by any formal agreement. All ad hoc or one-off sharing decisions must be carefully considered and documented.
When deciding whether to enter into an arrangement to share personal data (either as a provider, recipient or both), it is important to consider what the sharing is intended to achieve. Having clear objectives will help identify the following:
It is good practice to document all decisions and reasoning related to the information sharing. If there is any doubt about whether it is appropriate to share information, advice should be sought from the Information Governance team.
In all instances where there is a requirement to share information, staff must ensure that:
Information sharing agreements set out a common set of rules to be adopted by the organisations involved to facilitate the sharing of information. As part of best practice, all NHSCFA data sharing agreements will be regularly reviewed, particularly where information is to be shared on a large scale or on a regular basis.
An information sharing agreement should, as a minimum, document the following:
The Data Security and Protection Toolkit (mandatory for NHS organisations) makes clear that when confidential personal information that can identify an individual is shared, both the disclosing and receiving organisations should have procedures that meet the requirements of law and guidance and make clear to staff the appropriate working practices. In some circumstances these procedures (and the law and guidance on which they are based) should be set out within an agreed information sharing agreement or protocol.
Where it is decided that a formal Information Sharing Agreement is required between the NHSCFA and a participating organisation, a template agreement can be obtained from the Information Governance Team, following the process outlined below.
The business unit will identify the area where an information sharing agreement is required and provide all of the relevant contact details to the Information Governance (IG) Team.
Requests for the disclosure of information received from a regulatory body under their regulatory or statutory powers do not fall within the scope of this policy.
The IG team will provide a template agreement to the business unit, to establish the purpose of the agreement, the data to be shared with the third party/parties and its scope, complete the relevant section(s) of the template and return it to the IG team.
The IG team will circulate the completed draft to NHSCFA internal stakeholders and the Leadership Team for contribution to the agreement, where appropriate.
The IG team will then establish dialogue with the third party contact to agree and finalise the proposed agreement.
Dialogue is maintained throughout the process with the third party to agree a final draft, which will be circulated to the Leadership Team for comment.
The final draft will then be sent to the Senior Management Team for authorisation.
Once authorised, the Information Sharing Agreement will be published where appropriate to do so.
Before entering into any data sharing arrangement, a Data Protection Impact Assessment (DPIA) should be undertaken. This will help to assess the benefits that the information sharing might bring to the participating organisations and/or more widely to individuals or society. It will also help to assess any risks or potential negative effects, such as an erosion of personal privacy or the likelihood of damage, distress or embarrassment being caused to data subjects.
As well as any potential harm to individuals, staff should consider the potential harm to the organisation’s reputation which may arise if information is shared inappropriately, or not shared appropriately.
Any new information assets or data flows that arise out of a new project or procurement where NHSCFA is the data controller or receives personal, confidential, sensitive or business sensitive information will need to be recorded as part of the NHSCFA’s wider Information Asset Register.
Further information on DPIAs can be obtained from the IG team.
With information sharing there will always be exceptional and difficult circumstances where advice may be needed. The organisation’s Information Governance Lead and/or Caldicott Guardians should be consulted where there are any concerns about whether a proposed information sharing is appropriate.
You should contact the IG team about any exceptional needs or requests for information sharing or decisions that may require input from the Caldicott Guardians.
This document will be made available to all staff via NHSCFA’s Go2 intranet site.
Compliance with this policy and the process outlined in this document will be monitored via the Finance and Corporate Governance Unit. The Information Governance Lead will be responsible for the annual review and updating of this document.