Information - DAC Beachcroft

Information's Tags

Tags related to this article


Published 24 febrero 2017

At the heart of collaboration between organisations is the sharing of information. This may be performance-related information shared by commissioners who are collaborating to commission services in an STP footprint, or the sharing of patient data between acute, community services, primary care and social services providers, to ensure a patient-centred service.

In the NHS to date, there are many examples of data being held in silos and not being joined up across organisations. Better data sharing is key and having the IT systems to be able to implement this in STP footprints is crucial (as highlighted in the Wachter Review).

STPs call for an increase in the sharing and analysis of patient data.  Commissioners of care are especially keen to link and analyse data from different sources (GPs, hospitals, social care) to better understand how patients move along care pathways and how good outcomes are achieved. Patient access to their own data is also particularly important, and this is even more pertinent for those with long-term conditions seeking to self-manage.

The legal landscape for information governance is changing, with the implementation of the General Data Protection Regulation in the UK firmly in view. Under the GDPR, the maximum fine by the Information Commissioner for data breaches will increase from £500,000 to 4% of turnover, or €20,000,000.

Furthermore, the obligations upon data controllers are amplified. For example, data controllers must ensure that those processing information on their behalf can implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject – in practice, this will mean carrying out due diligence.

When implementing STPs, providers and commissioners should consider what information sharing will take place. The first steps should include:

  • consideration of the impact on the privacy and confidentiality of the patients and other stakeholders by the proposed collaboration.
  • carrying out a Privacy Impact Assessment to assess the privacy risks and ensure any integrated care model is designed with appropriate information governance systems in place.

We have created a top ten checklist of information sharing issues, which can help inform any information sharing agreement: 

 #  Points to consider
 1 What is the scope of information that is required for the collaboration? Who will the information be shared with, and what due diligence has been undertaken on those organisations?
 2 Do you need to use patient identifiable data, or could you use data that cannot be linked back to patients?
 3 Where will you get that information from?
 4 Why is the information needed? 
 5 What will need to be done with the information? 
 6 Is the use of identifiable data proportionate to the purpose for which it is required?
 7 Will you need to get service user consent to avoid breaching confidentiality? How will you do that? How will you deal with people who want to “opt out”?
 8 How will you tell service users what may be done with their data?
 9 What information is not required?

What technological solutions are available?

Alongside the information governance considerations, a communication strategy should be developed, ensuring that stakeholders are engaged from the outset and given an opportunity to input into the service design.

Often, the proposed collaboration between providers of care also seeks to give patients greater access to their data. This is particularly useful for those managing long-term conditions. Some technological solutions allow for online consultations, amongst other methods, to allow for a greater degree of self-monitoring and enabling self-care.  As ever though, there is a tension between accessibility and concerns about data security.

Using patient data to inform commissioning

The diversification of the NHS and the drive for smarter commissioning has led to an increased demand for the sharing and analysis of patient data by both commissioners and providers.

The current rules on the use of data in the NHS are restrictive and make this kind of analysis difficult.  Caldicott 3 - Review of Data Security, Consent and Opt-Outs - has been published, and this proposes the rules be changed so that patient data can be used for NHS commissioning decisions.  However, the proposal is that patients can “opt out” of this wider use of their data. There are questions over whether this is workable in practice.

Data security

Unlike most other sectors, the providers of NHS care report breaches to the regulator and the individuals affected. Data breaches in the NHS therefore draw a great deal of attention, and can mean hefty fines for NHS organisations, not to mention a breakdown of trust with affected patients. With the stated ambition in the NHS Five Year Forward View for a paperless NHS, this is an increasingly important area.

With an increase in the digitisation of the NHS, and greater information sharing under STPs, there is a commensurate increase in risk for susceptibility to cyber-crime. We have seen recent instances of NHS IT systems being infected by ransomware – a malicious piece of software which locks up systems until a ransom is paid to get them unblocked. Boards of NHS organisations should therefore consider what plans they have in place to combat cyber-crime, as this is of critical importance to data security.

Competition law and data sharing

Finally, organisations that are collaborating in accordance with STP plans need to consider whether they are sharing information in a manner that does not breach competition law rules. As new models of care emerge, and providers consolidate, there is an increasing risk of collaborative working falling foul of competition law obligations.


Anne Crofts

Anne Crofts

London - Walbrook

+44 (0)20 7894 6531

< Back to articles