3. Background
• It’s complicated!
• National data sharing rules determined by
NHS Digital
• BI and IG work together to find the most
pragmatic solution at a local level
• We have examples of where we have solved
data linkage / integration challenges
4. Data Sharing – Why we care
• The key points detailed in this briefing refer to patient data that is
not used for direct patient care.
• We all have a duty to keep this safe as it is increasingly easy for this
data to be lost, corrupted or misused. Advances in technology mean
that what may have been acceptable in terms of data sharing 6
years ago is not applicable now.
• Negative publicity about the sharing of SUS data with the private
sector and the NHS ‘losing data’ creates a very sensitive political
environment.
• These slides are designed to give you a very high-level view of the
regulatory framework that is in place to protect data, the associated
paperwork, and the roles and governance in place to ensure that
we and our customers are compliant with it.
5. Data Sharing – Roles and Regulators
• Information Commissioner’s Office (ICO)
– Covers the Data Protection Act. They have the power to fine
organisations (£500k) and individuals (SIROs £5K). They specify
that patient-level data must be ‘Anonymous in Context’. All
breaches are reported to them by the Data Controller.
• NHS Digital (previously HSCIC)
– Under the legislation of the Health and Social Care Act 2012 they
are mandated to hold Patient Identifiable Data (PID) for
secondary use (commissioning). No one else can, except for
invoicing, and then you must have a ‘Controlled Environment for
Finance’ (CEfF) set up.
– NHS Digital have an audit arm they can use to investigate anyone
they share data with. They have no regulatory powers but can
restrict access to SUS/HES Data by exercising their role as Data
Controller.
6. Data Sharing – Roles and Regulators
• Data Controllers
– Data controllers are responsible for what happens to the data and
for ensuring it is handled appropriately. They hold the legal liability.
• Data Processors
– South, Central and West CSU (SCW) is a data processor for the CCGs.
– SCW must act in accordance with the Data Controller’s instructions
but should also comply with the regulatory frameworks.
– SCW is never a Data Controller and cannot make autonomous
decisions about who it shares data with. If it does share data with a
third party, it has to be under instruction from the Data Controllers.
7. Data – It’s all the same right?
There are three main classifications:
• Patient Identifiable Data (PID)
• Anonymous Patient Level Data (PLD)
• Aggregate Reporting
[Arrow label: decreasing level of restriction for sharing data]
8. Data – It’s all the same right?
• Patient Identifiable Data (PID)
– This relates to data that can identify patients.
– This includes records containing:
• NHS number
• Postcode
• Date of birth
– This data can only be used for direct patient care and some
very restricted uses relating to finance or risk stratification,
where there is separate legislation in place to cover the use
of the data.
9. Data – It’s all the same right?
• Patient Level Data (PLD) / Record Level Data (RLD) - Anonymous data
All data flows which include patient level data (regardless of whether
it is PID or not) must have 3 types of document in place:
• SLA / Contract
• Local Data Sharing Agreement (DSA)
• National DSA if it includes Secondary Uses Service (SUS) data.
The legal liability largely sits with the Data Controller and, in the
majority of cases, that is the CCG and NHSD.
10. Data – It’s all the same right?
[Diagram: 3rd Parties, SCW, CCG, NHS Digital]
Key questions
• What data is involved?
• Who is/are Data Controller(s)?
• Who is/are Data Processor(s)?
• Data linkages required?
• Who will receive datasets / under what legal basis?
11. Data – It’s all the same right?
• Patient Level Data (PLD) / Record Level Data (RLD) - Anonymous data
Key document – Data Sharing Agreements (DSAs)
Are documents that specify: the type of data being released, the
purposes for which the data will be used, any specific Terms and
Conditions of use and details relating to the security of the data.
Key document – Data Access Request Service (DARS)
The NHS Digital service responsible for receiving and processing
applications for data.
A Data Access Request Service (DARS) application is an application
submitted by a requesting organisation (e.g. CCG) setting out the
nature of the requested data and the purpose for which it is being
requested.
12. Data – It’s all the same right?
• For example sharing between CCGs:
– In respect of SUS or any other data that flows via a DSCRO, the use of
this data is defined within the Data Sharing Agreement (DSA)
between the CCG and NHS Digital.
– If the CCG i.e. Data Controller wishes to share patient-level data
with other CCGs, then they should have an appropriate local Data
Sharing Agreement in place in addition to amending their DARS
application with NHS Digital to reflect the sharing arrangement.
[Diagram: NHSD, DSCRO, CCGs; DARS Data Sharing Agreement; Local DSA]
The DARS application for data flowing via NHS Digital to the CCG must include everyone the CCG wants to share data with, including SCW and any other third parties.
It should also include any purposes and data linkages for which the data will be used.
13. Data – It’s all the same right?
• Using national datasets e.g. SUS
– As NHS Digital will be ‘joint Data Controllers’ with the CCG,
all data sharing will also require NHS Digital sign-off.
– Any changes requested as part of a DARS application must be
reflected in the final DSA between the CCG and NHS Digital.
– If NHS Digital become aware that a CCG is sharing data in
breach of details in the Data Sharing Agreement, they can
send in the auditors for investigation.
14. Data – It’s all the same right?
• Need to be aware of risks
15. Data – It’s all the same right?
• Aggregate Reporting – More details
• Recent guidance issued by NHS Digital (19th May) gave permission for reporting with aggregate data with other STP Partners without the need for detailed Data Sharing Agreements as long as CCGs (Data Controllers) agree to this.
• No need to amend their DARS/DSA with NHS Digital.
“External aggregated reports only with small number suppression can be shared where contractual arrangements are in place”
“Only external aggregated reports with small number suppression can be shared except where otherwise specified within this agreement”.
16. Data – It’s all the same right?
• Aggregate Reporting
– Reports with aggregated data can be shared with STP Partners.
– As a general rule, aggregate information can be shared based on the following
approach:
• Reports with aggregated data are in line with national guidance on small
number suppression i.e. less than 6.
• No data restrictions have been imposed by the Data Controller.
• The customer has instructed data processor to process the data for the
purpose of sharing.
– The exception will be for some specific national data sets, e.g., Mental Health,
Maternity and children’s health, where the rules for data suppression are
different – suppress figures between 0 and 4 or round all to the nearest 5.
[Diagram labels: email confirmation; service specification; data sharing agreement; a publication and data sharing policy]
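The small number suppression rules on the slide above, applied to a constructed aggregate table; this is an added example, not part of the original slides or SCW's own code. The inclusive reading of the thresholds, the `*` marker and the check for figures that can be rebuilt from a published total are assumptions that go beyond what the slides state.

```python
SUPPRESSED = "*"  # marker for a withheld figure (assumed convention)

def suppress_standard(count):
    # General rule on the slide: small numbers "less than 6" are suppressed.
    # Treating zero as a small number too is a literal reading (assumption).
    return SUPPRESSED if count < 6 else count

def suppress_special(count):
    # Specific national data sets, first option: suppress figures
    # between 0 and 4 (read here as inclusive, an assumption).
    return SUPPRESSED if 0 <= count <= 4 else count

def round_to_5(count):
    # Specific national data sets, second option: round all to the nearest 5.
    return 5 * ((count + 2) // 5)

def apply_rule(table, rule):
    """Return a copy of {row: {column: count}} with the rule on every cell."""
    return {row: {col: rule(n) for col, n in cols.items()}
            for row, cols in table.items()}

def recoverable_cells(published, total_col="Total"):
    """List withheld figures a reader can rebuild by subtraction.

    A row with a published total and exactly one suppressed cell discloses
    that cell: total minus the visible figures. This check is an addition
    to the slide's rules, not something the slides describe.
    """
    found = []
    for row, cols in published.items():
        total = cols.get(total_col)
        hidden = [c for c, v in cols.items()
                  if c != total_col and v == SUPPRESSED]
        if len(hidden) == 1 and isinstance(total, int):
            shown = sum(v for c, v in cols.items()
                        if c != total_col and v != SUPPRESSED)
            found.append((row, hidden[0], total - shown))
    return found

# Constructed sample counts; practice names and columns are hypothetical.
RAW = {
    "Practice A": {"A&E": 42, "Outpatient": 3, "Total": 45},
    "Practice B": {"A&E": 2, "Outpatient": 4, "Total": 6},
    "Practice C": {"A&E": 17, "Outpatient": 12, "Total": 29},
}

if __name__ == "__main__":
    for name, rule in [("standard (<6)", suppress_standard),
                       ("special (0-4)", suppress_special),
                       ("round to 5", round_to_5)]:
        out = apply_rule(RAW, rule)
        print(name)
        for row, cols in out.items():
            print("  ", row, cols)
        print("   recoverable:", recoverable_cells(out))
```

A row flagged by `recoverable_cells` needs a second figure withheld, or its total rounded, before the report leaves the organisation.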
17. BI and the Future
[Diagram. Recoverable labels:]
Evolved CCG; ‘Thin’ Commissioning; Emerging Accountable Care System
Integrated with Performance and Provider Management; Integrated with intelligence, transformation and IT
Core Analysts and Contract Finance; Population Health Analysis
Intelligence Partners (with continuing OD support)
Partners and Specialist BI Services (e.g. IPA + Quality Observatory)
Processes and Strategic Information Governance
DSCRO and Data Management Systems
Resilient and Integrated Technology Platforms
Integrated BI Strategy
New Care System
Customer Delivery Director
Patients, Clinicians, Commissioners, Providers, Local Authority, industry, Carers
Insight, Interpretation, Intelligence
18. Population Analytics
• Linked Data and STPs
Challenge: linking data sources across a number of care settings / with third
parties.
– Here is the logic problem that underpins why it’s hard to link data:
• All SUS data must flow through the DSCRO
• No Primary Care (GP) data can flow through the DSCRO
• No NHS number can flow from the DSCRO (unless it has a legal basis)
• No Social Care data can flow through the DSCRO
– So you cannot use NHS numbers to link data.
= In short, very tricky!
19. Population Analytics
• Linked Data and STPs
– There is no national solution on the horizon.
– Having worked closely with NHS England and NHS Digital, reviewed
existing legislation, and designed an IG and technical framework, a
workable solution was approved in March 2017.
– This is the first and only national ‘trusted environment’ approved
solution of its type.
– The solution has been designed in two parts:
• The first part is the IG framework and Data Access Request (DARS)
amendments which outline the legal basis and activities that the CCG
can undertake using this solution.
• The second part is the technical implementation of the data
linking.
20. Where we have done this
• Symphony project in Somerset
“I've just been at the Vanguard PACS
IG event where NHS Digital used our
diagram as an example of good
practice!”
– Jeremy Martin, Symphony
Programme Director, Yeovil District
Hospital NHS Foundation Trust
NHS Digital compliant solution for pseudonymisation of linked data
21. Where we have done this
• Vanguard support for North East Hampshire & Farnham
Linking of Primary and Secondary Uses Service data to evaluate Urgent Care Centre.
In order to help understand how the service is operating and the impact it may be having, the IG and BI teams worked together to:
• Update DARS
• Local DSAs
• Build the technical solution
22. Summary
• It’s complicated!
• We have shown examples of where we have
solved data linkage / integration challenges
• BI and IG work together to find the most
pragmatic solution at a local level
SIRO - Senior Information Risk Owner
The SIRO’s responsibilities can be summarised as:
Leading and fostering a culture that values, protects and uses information for the success of the organisation and benefit of its customers
Owning the organisation’s overall information risk policy and risk assessment processes and ensuring they are implemented consistently by IAOs
Advising the CEO or relevant accounting officer on the information risk aspects of his/her statement on internal controls
Owning the organisation’s information incident management framework
Patient Identifiable Data (PID)
This includes records with NHS number or data including other key identifiers. This can only be used for direct patient care and some very restricted uses relating to finance or risk stratification, where there is separate legislation in place to cover the use of the data.
For example section 251 of Health and Social Care Act to allow for the provision of risk stratification of patients.
Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.
Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.
Source: Health Research Authority - http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/what-is-section-251/
Areas of interest:
SLA / Contract – lots of debate specifically in support of ACS / ACOs
What data is involved?
Will determine whether there is a legal basis to flow data.
Will determine what data linkage restrictions there are.
Who is Data Controller(s)?
If local datasets – this will be the CCG
If using national datasets i.e. SUS then NHS Digital will be joint data controllers
Who is Data Processor(s)?
Usually SCW, however if data provided to a 3rd party is then subject to further manipulation and linkage they will be deemed as Data Processors, requiring additional IG paperwork – Data Processor Agreements.
Data linkages required?
Specifically is there a requirement to link with NHS Digital datasets?
Will affect the level of IG paperwork required and restrictions with what we can do with the data.
Who will receive datasets / under what legal basis?
The recipient will determine what paperwork is required, for example if a 3rd party then a copy of the contract required.
Data Sharing Agreements (DSAs)
Are documents that specify: the type of data being released, the purposes for which the data will be used, any specific Terms and Conditions of use and details relating to the security of the data.
These apply to data controllers, including any work undertaken by data processors who are contracted to perform services on behalf of an organisation.
Data Access Request Service (DARS)
A DARS application must be completed and submitted by the organisation requesting the data (e.g. CCG), to formalise a DSA.
Specifically in relation to commissioner applications to receive data, the following purposes require a DARS application (resulting in a DSA) -
Risk Stratification requests
Invoice Validation requests
Pseudonymised data requests
Patient Level Data (PLD) or Record Level Data (RLD) – Both Anonymous
The following guidance relates in particular to PLD being used for purposes that are not classed as direct patient care.
SCW is able to process on behalf and share with each respective CCG anonymous PLD or RLD where that data is for internal CCG use only.
In respect to Secondary Uses Service (SUS) or any other data that flows via a DSCRO, the use of this data is defined within the DSA between the CCG and NHS Digital. If the CCG wishes to share patient level data with other CCGs in an STP, then they should have an appropriate local data sharing agreement in place in addition to amending their DARS application with NHS Digital to reflect the sharing arrangement.
This assumes each CCG sharing data has a current DSA in place with NHSD which allows them access to SUS & Schedule 6 Information for the purposes of carrying out Commissioning.
PLD or RLD might meet the ICO definition of Anonymous in Context but NHS Digital will still treat it as a serious data breach if the sharing of this data has not been included in a DARS application, signed off by them and updated in their DSA with the CCG.
Flowing Anonymous PLD via NHS Digital
NHS Digital drafted the original DARS applications; they took some time to come through and did not reflect all the uses and sharing approaches that the CCGs had in place.
The DARS application for data flowing via NHS Digital to the CCG must include everyone the CCG wants to share data with, including SCW and any other party.
It should also include any purposes and data linkages for which the data will be used.
The CCG does not have the ability to mandate where the data goes without NHS Digital also signing it off. Any changes requested as part of a DARS application must be reflected in the final DSA between the CCG and NHS Digital.
If NHS Digital become aware that a CCG is sharing data in breach of details in the DSA, they can send in the auditors for investigation.
The legal liability largely sits with the data controllers and in the majority of cases, that is the CCG and NHS Digital.
DeepMind, the Google-owned artificial intelligence company, has been given “legally inappropriate” access to the personal medical records of 1.6m British patients by the National Health Service, according to the senior data protection adviser to the NHS.
Google’s AI firm originally obtained the NHS patient records to test a smartphone app called Streams that could help monitor people with kidney disease
In a letter to the Royal Free NHS Trust in London, the UK’s National Data Guardian, Dame Fiona Caldicott concluded that sensitive and personally identifiable patient data shared by the hospital with the British AI firm did not have an appropriate legal basis.
NHS Digital Letter
Makes it official that there is no need for contractual agreements when CCGs are sharing data as part of aggregate reports with low number suppression (<6). This means that NHS Digital will not take any action when this type of data is shared.
For some specific national data sets, e.g., Mental Health, Maternity and children’s health, the rules for data suppression are different. For example, we need to suppress figures between 0 and 4 or round all to the nearest 5. More details are included on the second letter below.
In both cases, SCW will require an instruction from each CCG to share aggregate data.
Sharing the output of reports with aggregated data (small number suppression – less than 6) done for CCGs on behalf of CCGs is not as tightly controlled. We are increasingly being asked by customers to share reports and information with STP partners. If CCGs have agreed to this then we should be prepared to share reporting with aggregate data with other STP Partners without detailed data sharing agreements.
As a general rule, aggregate information (with low number suppression) does not pose a risk to patient confidentiality and can be shared, as long as
no restrictions have been imposed by the Data Controller of the data, on behalf of whom we are undertaking analysis or reporting
SCW has instructions from the customer to process the data / we check with the customer that they are happy for the data to be processed
Confirmation from the customer could take different forms
A written instruction from the customer to share outputs – as part of the initial request or afterwards (e.g., email confirmation when asked)
Agreement as part of a service specification or contract to provide reporting to other organisations
A data sharing agreement between organisations working across a health system
A publication and data sharing policy provided by the customer
Linked Data, Population Analytics and STPs
Where third party RLD data sources are required to be combined with the CCG data for sharing purposes e.g., GP Data, then the CCG DSA with NHS Digital would require amendment (as previously mentioned, subject to a DARS application and NHS Digital approval) and further local sharing agreements will need to be implemented or amended by the CCG’s IG Manager.
To address the matter of solving the data integration IG issues, SCW has developed a technical solution. This work has been approved by NHS Digital and IGARD and currently the solution is being implemented. Please note that the position with NHS Digital has been extremely fluid and has prohibited any further detailed briefings. Also, there will be a cost to the CCG per data flow implemented.
Further details may be obtained by contacting the Head of Service Delivery t.counsell@nhs.net (Tom Counsell). SCW CSU is looking to build upon the foundations of the technical architecture within this solution to expand to other areas. The focus is to ensure support for Integrated Population Analysis purposes within the constraints of the NHS Digital DSAs and the legal framework.
Central point of access for urgent primary care appointments, diverting ‘urgent’ patients (those asking for on the day appointments) to the Urgent Care Centre.