The document discusses information governance and the legal framework surrounding the use of personal confidential data in healthcare in the UK. It notes that the legal framework is complex and includes acts like the NHS Act 2006, Health and Social Care Act 2012, and Data Protection Act. It summarizes the Caldicott review on balancing patient privacy with information sharing. It then discusses rules around what organizations like Care Commissioners and NHS Digital can access without explicit patient consent due to their roles in providing or supporting care. Lastly, it outlines current rules for linking and sharing data, noting the need to identify legal bases, complete assessments, and respect NHS Digital's data controller status.

1. Information Governance
Environment
Beverly Carter
Head of Information Governance
Chilworth Manor Hotel
Southampton

2. It’s complicated!
• The legal framework governing the use of personal
confidential data in healthcare is complex
• It includes the NHS Act 2006, the Health and Social
Care Act 2012, the Data Protection Act, and the
Human Rights Act

3. Caldicott review
• Following a request from the Secretary of State for
Health, Dame Fiona Caldicott carried out this
independent review of information sharing within
the NHS to ensure that there is an appropriate
balance between the protection of patient
information and the use and sharing of information
to improve patient care.

4. What can you use?
• Care Commissioners do not provide direct patient
care and therefore they have no legal basis on which
to access personal confidential patient data without
gaining explicit consent from each individual.
• The Health and Social Care Act 2012 allows the HSCIC
(now NHS Digital) to handle personal confidential
data (PCD). Security, processes and tools are used to
minimise the visibility and accessibility of PCD, which
allows staff to perform analysis and keep patient
data confidential.

5. NHS Digital
• Data Services for Commissioners Regional Offices
(DSCROs) provide this service
• DSCROs perform their services with staff from
Commissioning Support Units (CSUs) who are
seconded into the DSCRO and work with data in the
regional processing centres.
• Staff follow strict rules on accessing, analysing and
processing data. The powers granted to the
organisation by the Health and Social Care Act 2012
mean that staff are operating within the approved
legal framework.

6. October 2016 – Big changes to rules
• In October of last year, NHS Digital introduced
additional rules around the linkage of their data
with the local flows being requested.
• Every data flow sourced from NHS Digital needs
to be included on a Data Access Request (DARS)
application made by the requesting organisation.
• A list of the types of data being used and for what
purpose has to be included.
• NHS Digital retain the role of Data Controller for
any data flow that originates from themselves.

7. What are the rules now?
• There are complex rules around linking and sharing data for
anything other than direct patient care. However, it is possible
to find solutions if the following rules are considered:
• All data flows required are identified, reviewed and logged
• A legal basis is identified which allows the data to flow -
usually supported by the completion of a Privacy Impact
Assessment and Data Sharing Agreement and Data
Processing agreements
• Aggregated data may now be used for secondary purposes
without the need for complex paperwork (recent change)
• NHS Digital retain Data Controller status for the onward use
of any data provided by them.