Information sharing is crucial to facilitating integrated care across health and social care organisations, not only in the delivery of care and enabling better outcomes for individual patients, but also by providing analytics which afford commissioners and providers the ability to better evaluate and manage integrated care. In some circumstances there is also a positive duty for health and social care organisations to share information.
While greater clarity on how patient data can be used and shared in accordance with patient expectations has the potential to remove barriers to better information sharing, ensuring the safety and security of that data has never been so challenging. It is a particularly tumultuous time for organisations handling patient data, with the General Data Protection Regulation ("GDPR") and the Data Protection Act 2018 heralding a new legislative regime, plus the development of national policy on the use of consent when dealing with patient data. Organisations handling patient data need to ensure compliance or face the possibility of greatly increased penalties and sanctions for getting it wrong.
Commissioners and providers need to review the practicalities of their data sharing arrangements, including the apportionment of liability and responsibilities. They should also ensure that information governance is embedded within an integrated model at the outset, and consider the impact on the privacy and confidentiality of the patients and other stakeholders. A good starting point is to undertake a Data Protection Impact Assessment ("DPIA"). A DPIA assesses the privacy risks and helps ensure any integrated care model is designed with appropriate information governance systems in place – it is also a requirement under the GDPR where processing activities present a "high risk" to the rights and freedoms of individuals. In carrying out a DPIA, organisations should be mindful of the following key questions:
- What information is required? Do you need to use patient identifiable data or could you use data that cannot be linked back to patients?
- Where will you get that information from?
- Why is the information needed?
- What will need to be done with the information?
- Is the use of identifiable data proportionate to the purpose for which it is required?
- Will you need to get service user consent to avoid breaching confidentiality? How will you do that? Are you relying on implied or explicit consent? How will you deal with people who want to "opt out"?
- How will you tell service users what may be done with their data?
- What information is not required?
- What technological solutions are available?
This should also be supported by a good communication strategy, ensuring that stakeholders are engaged from the outset and given an opportunity to input into the service design.