Information Governance Environment - Beverly Carter
Head of Information Governance
Chilworth Manor Hotel
• The legal framework governing the use of personal confidential data in healthcare is complex
• It includes the NHS Act 2006, the Health and Social Care Act 2012, the Data Protection Act, and the Human Rights Act
• Following a request from the Secretary of State for Health, Dame Fiona Caldicott carried out this independent review of information sharing within the NHS to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve patient care.
What can you use?
• Care Commissioners do not provide direct patient care and therefore they have no legal basis on which to access personal confidential patient data without gaining explicit consent from each individual.
• The Health and Social Care Act 2012 allows the HSCIC (now NHS Digital) to handle personal confidential data (PCD). Security, processes and tools are used to minimise the visibility and accessibility of PCD, which allows staff to perform analysis and keep patient
• Data Services for Commissioners Regional Offices (DSCROs) provide this service
• DSCROs perform their services with staff from Commissioning Support Units (CSUs) who are seconded into the DSCRO and work with data in the regional processing centres.
• Staff follow strict rules on accessing, analysing and processing data. The powers granted to the organisation by the Health and Social Care Act 2012 mean that staff are operating within the approved
October 2016 – Big changes to rules
• In October of last year, NHS Digital introduced additional rules around the linkage of their data with the local flows being requested.
• Every data flow sourced from NHS Digital needs to be included on a Data Access Request (DARS) application made by the requesting organisation.
• A list of the types of data being used and for what purpose has to be included.
• NHS Digital retain the role of Data Controller for any data flow that originates from themselves.
What are the rules now?
• There are complex rules around linking and sharing data for anything other than direct patient care. However, it is possible to find solutions if the following rules are considered:
• All data flows required are identified, reviewed and logged
• A legal basis is identified which allows the data to flow - usually supported by the completion of a Privacy Impact Assessment and Data Sharing Agreement and Data
• Aggregated data may now be used for secondary purposes without the need for complex paperwork (recent change)
• NHS Digital retain Data Controller status for the onward use of any data provided by them.