Local Shared Care Record Processing Across Thames Valley and Surrey

Purpose and content of the page

The purpose of this page is to set out details of the personal data we need to process and to give you insights into when and how personal data is used locally. We also summarise who has access to personal data. The page also includes contact information to allow readers to request more information about how we use the data.

This page sets out details of key data processing arrangements in place across the Thames Valley and Surrey areas with particular emphasis on processes that include the sharing of personal data between organisations to support and facilitate care.

Cross reference links within the page are presented as underlined italics and links to external resources are presented as underlined URLs (e.g. www.ico.org.uk).

The page covers:

  1. Scope of the processing;
  2. Identities of the controllers for the shared care records;
  3. Purpose of the shared care record processing;
  4. The data that is processed;
  5. Types of processing;
  6. Legal basis for the processing;
  7. Controls in place;
  8. Your rights;
  9. Contacts and links; and
  10. Frequently asked questions (FAQs).

This page addresses the personal data processing associated with the shared care records as set out below. Other forms of personal data processing (both by electronic means and using paper-based information) are carried out across Thames Valley and Surrey and are documented within the privacy notices of the organisations concerned.

The audience for this page includes:

  1. Patients and residents requiring a general understanding of processing arrangements for the Thames Valley and Surrey shared care records;
  2. Healthcare professionals requiring a general understanding of processing arrangements for the Thames Valley and Surrey shared care records;
  3. Social care professionals requiring a general understanding of processing arrangements for the Thames Valley and Surrey shared care records;
  4. Digital, change management and system transformation professionals involved in the various digital and system transformation projects and programmes involving the Thames Valley and Surrey shared care records who require a general understanding of processing arrangements for the Thames Valley and Surrey shared care records; and
  5. Information governance professionals requiring a general understanding of processing arrangements for the Thames Valley and Surrey shared care records.

This document is regularly updated to reflect the latest status of the shared care record processing. The current version is v1.2 and the publish date is 9th January 2024.

Scope of the processing

This page looks at the general scope of and the reasons for processing personal data as well as the types of personal data that are used to plan, provide and support your care as well as in the management of the local health and social care system.

In general

Personal data is processed to:

  1. Understand your health and social care needs and provide you with the care and support you need;
  2. Ensure that the quality of your care is safe and meets the necessary standards;
  3. Make certain that the care provided to you across the range of local organisations is as joined-up as we can make it;
  4. Communicate with you and to refer you to specific services; and
  5. Manage the planning and delivery of your care.

Data is also used to arrange, plan and manage health and social care services locally. Unlike in the above cases, data used to arrange, plan and manage health and social care services locally does not normally need to be identifiable. (We address the different Types of processing below.)

Shared care record specifics

To help ensure that the relevant organisations understand your health and social care needs and provide you with the care and support you need, to help ensure that your care is safe and to help make certain that the care provided to you across the range of local organisations is as integrated as we can make it, it is necessary for us to share personal data. We do this through a range of methods (for example: referrals, discharge summaries and shared care record systems).

While the points made here have a broad applicability to health and social care data processing this page primarily focuses on processing with the shared care record systems.

There are three main types of shared care record in place within the three ICSs (Integrated Care Systems) that comprise the Thames Valley and Surrey Shared Care Record partnership. These are:

  1. Arrangements based on specialised clinical systems such as:
    1. Diagnostic imaging
    2. Pathology;
  2. Electronic Patient Record (EPR) systems such as:
    1. General Practice systems that have been configured for use by multiple organisations
    2. NHS Trusts’ internal systems that have also been configured for use by multiple organisations; and
  3. The cross-organisational shared care record systems themselves that consolidate and provide access to data from multiple sources into a single broadly accessible repository for a range of purposes (we address the range of purposes in the section Purpose of the shared care record processing below and the identities of the shared care record systems can be found in What are the Thames Valley and Surrey shared care records known as?).

In addition to the shared care records, organisations also share and process information on a transactional basis. Examples include a referral form from a GP to a Trust requesting treatment for a patient and a discharge letter from a hospital consultant to the patient’s GP setting out the results of the treatment.

Or as another example, a practice sends a list of patients to a provider which in turn sends an invitation to book a screening appointment by SMS to a patient and then processes the patients’ responses.

Identities of the controllers for the shared care records

The Thames Valley and Surrey Integrated Care Systems include:

  1. Buckinghamshire Oxfordshire and Berkshire West ICS;
  2. Frimley ICS; and
  3. Surrey Heartlands ICS.

Together these ICSs serve over 3.5m residents across 19 local authorities who are supported by around 450 health and social care providers (including approximately 350 practices and a range of NHS Trusts and independent sector health and social care providers) … all of which are participants in the various local shared care records. See more information about How the NHS functions.

The UK General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) recognise these organisations as the joint data controllers for the shared care records.

A complete list of the joint data controllers for the shared care records can be provided on request. Please contact The lead data controller.

Joint data controllers

All of the organisations across the ICSs that comprise Thames Valley and Surrey and that contribute to and make use of the shared care records have agreed to work together as data controllers and agree to be responsible jointly for:

  1. The lawfulness of the personal data processing;
  2. Ensuring that the processing is consistent with the purposes for which the data was collected in the first place and that only the necessary data is processed;
  3. The accuracy of the data; and
  4. Ensuring that the data is protected, kept securely and only kept and processed for the minimum time needed.

The GDPR and the UK Information Commissioner require joint controllers to work together transparently, with the transparency supported by a binding agreement. In the case of the Thames Valley and Surrey shared care records this is achieved through the Regional Health and Social Care Information Sharing Agreement (Regional ISA).

To ensure that the jointly controlled shared care records are effectively managed a lead controller is appointed for each shared care record. (For more details please see Lead controllers below.)

The joint controllership arrangements set out above apply to joint data processing and sharing where data is held in a common system (these common systems are also sometimes referred to as “repositories” or “information assets”). For example:

  1. Details of medications prescribed by a GP are held in the shared care record so that the medications are available to support Emergency Department clinicians, Outpatient consultants and Paramedics in the provision of timely and safe care; and
  2. Details of blood test results are held in the shared care record so that the blood test results are available to support Emergency Department clinicians, GPs, Outpatient consultants, Paramedics and specialist nurses in the provision of timely and safe care.

These joint controllership arrangements also apply where there are live connections or interfaces between separate systems that support the passing of information between the systems to allow the user of one system to view data in a second system. (In this case, a copy of the viewed personal data is not held in the user’s system.) For example:

  1. Details of any medications prescribed by a GP today are immediately available to support Emergency Department clinicians and Paramedics in the provision of timely and safe care.

Separate data controllers

Data is often passed between separate data controllers where there is no ongoing or continuing ability on the part of the sending data controller to manage the shared data. These arrangements are not covered in any detail by this page.

Examples of this form of sharing include:

  1. A GP makes a referral to the local hospital for some specialist care, treatment or diagnosis:
    1. A referral form containing personal data such as name, address, contact details, reason for the referral and recent relevant GP clinical records would be sent electronically to (shared with) the local hospital; and
  2. The local hospital provides the necessary specialist care or treatment or carries out the requested diagnostic procedure:
    1. After the care, treatment or diagnostic procedure is carried out the hospital would discharge the patient and electronically send (share) a summary of the care or treatment provided or a report on the results of the diagnostic procedure to the GP.

In both cases there is no ongoing or continuing ability on the part of either the GP’s practice or the local hospital to manage the shared data and as a consequence the GP’s practice and the local hospital are not regarded as joint data controllers for the processing.

Lead controllers

For the jointly controlled shared care records the role of the lead controller includes:

  1. Being accountable to the joint data controllers in respect of the jointly controlled data;
  2. Ensuring that the jointly controlled data is kept and processed as follows:
    1. The jointly controlled data is protected by appropriate organisational and technical measures
    2. All new processes, services and systems are developed and implemented in a secure manner
    3. Appropriate access control functionality and documented and managed access rights are in place for all users of the jointly controlled data
    4. Unauthorised access to the premises, equipment, records and other assets is prevented;
  3. Responding to subject access and freedom of information requests regarding information that is part of jointly controlled data flows and information assets;
  4. Notifications of breaches and data security and protection issues that are part of jointly controlled data flows and information assets. This includes notifying:
    1. The data subject(s) concerned
    2. The joint data controllers
    3. The Information Commissioner;
  5. Ensuring the availability and publishing of privacy and processing notices regarding information that is part of jointly controlled data flows and information assets;
  6. Coordinating timely responses to actions that relate to information that is part of jointly controlled data flows and information assets and where response timetables are set by statute or regulation the Lead Controller is responsible for ensuring that the individual controller organisations are notified early enough to allow all controllers to prepare responses in a timely manner;
  7. Reporting to impacted joint data controllers for:
    1. Subject access and freedom of information requests regarding information that is part of jointly controlled data flows and information assets
    2. Breaches and data security and protection issues that are part of jointly controlled data flows and information assets
    3. The status of and progress with actions initiated by data subjects, the regulator for data security and protection and other data controllers where the actions relate to information that is part of jointly controlled data flows and information assets;
  8. Supporting the joint data controllers concerned in determining the cause of and appropriate corrective actions for:
    1. Notifications of breaches and data security and protection issues that are part of jointly controlled data flows and information assets
    2. Actions initiated by data subjects, the regulator for data security and protection and other data controllers where the actions relate to information that is part of jointly controlled data flows and information assets; and
  9. Allocation of a Data Protection Officer to oversee the data security and protection arrangements for the jointly controlled data flows and information assets.

Purpose of the shared care record processing

The overriding objective of the shared record processing is to ensure that the right care is provided safely and in as timely a manner as possible. The more specific purposes for the processing with the shared care records include:

  1. Directly supporting the provision of safe and timely care;
  2. Managing the health and care of groups of individuals;
  3. Managing the health and care of the population as a whole;
  4. Managing the health and care system (the ICS) as a whole;
  5. Commissioning local health and care services;
  6. Research; and
  7. National returns.

Directly supporting the provision of safe and timely care

The purposes of the processing to directly support the provision of safe and timely care include:

  1. Care provided face to face and remotely;
  2. Triage and assessment prior to or as part of the provision of care;
  3. As part of preparation for a face to face or remote care activity;
  4. As part of following up a face to face or remote care activity;
  5. Identifying who needs care (also referred to as “Case Finding”);
  6. Managing a caseload;
  7. Providing alerts and notifications regarding care events and episodes (for example, informing a practice that a patient registered with the practice has been admitted to the local hospital); and
  8. Discharges from hospitals and other services and the planning and management of the discharges to ensure that the discharges are appropriate, timely and safe.

The National Data Opt-Out is NOT applied to this processing.

Managing the health and care of groups of individuals

The purposes of the processing to manage the health and care of groups of individuals include:

  1. Identifying the groups of individuals requiring care (often referred to as “Case Finding” or “Cohort Finding”). For example, identifying the local residents eligible for diabetic eye screening;
  2. Screening, which would involve inviting individuals to attend a screening clinic and performing the required screening tests;
  3. The management of vaccination and immunisation programmes;
  4. Reviews of medication usage and outcomes to ensure appropriate, effective and safe prescribing and use of medication;
  5. Planning and managing prevention and wellness programmes and interventions; and
  6. Comparing, reviewing, evaluating and assessing variations in care and referral practice, the outcomes from care delivery and making improvements and interventions where required.

These purposes relate to the direct provision of care to individuals.

The National Data Opt-Out is NOT applied to this processing.

Managing the health and care of the population as a whole

The purposes of the processing to manage the health and care of the population as a whole using the shared care records include:

  1. The evaluation of services;
  2. Planning and modelling demand and capacity;
  3. Public communications programmes; and
  4. The planning, assessment and reporting of both local and national programmes.

These purposes do not relate to the direct provision of care to individuals and are often referred to as secondary purposes or uses.

The National Data Opt-Out is applied to processing to manage the health and care of the population as a whole.

Managing the health and care system (the ICS) as a whole

The purposes of the processing to manage the health and care system as a whole using the shared care records include:

  1. The management of pathways and services;
  2. Managing the demand and capacity of the system as a whole; and
  3. Managing the flow of activity across the system as a whole.

These purposes do not relate to the direct provision of care to individuals and are often referred to as secondary purposes or uses.

The National Data Opt-Out is applied to processing to manage the care system as a whole.

Commissioning local health and care services

The purposes of the processing to commission the local health and care services using the shared care records include:

  1. Commissioning services (this is a process to identify appropriate health and care service providers and to contract with them for the provision of specific services); and
  2. Performance management of the commissioned services.

These purposes do not relate to the direct provision of care to individuals and are often referred to as secondary purposes or uses.

The National Data Opt-Out is applied to commissioning processing.

Research

No research programmes are currently supported by the shared care records and the shared care record data is NOT shared with the Thames Valley and Surrey SDE (Secure Data Environment).

The purposes of the processing for research using the shared care records include:

  1. Analysis of health and care data providing fully anonymous output to support design and assessment of research programmes and hypotheses:
    1. This purpose does not relate to the direct provision of care to individuals and is often referred to as a secondary purpose or use;
  2. The identification of candidates for approved research programmes such as controlled studies and clinical trials that include direct involvement of the research subject in the programme:
    1. While research generally does not relate to the direct provision of care to individuals and is typically referred to as a secondary purpose or use (which would not typically involve identifiable data) there is an inherent need to identify individuals for this purpose; and
  3. Analysis of health and care data relating to authorised research programmes to support the assessment of the research programmes and hypotheses:
    1. While research generally does not relate to the direct provision of care to individuals and is typically referred to as a secondary purpose or use (which would not typically involve identifiable data) there is an inherent need to identify individuals for this purpose.

The National Data Opt-Out is applied to research processing.

National returns

The purposes of the processing for national returns using the shared care records include:

  1. Preparing and submitting returns containing identifiable patient level data in response to a direction of the Secretary of State for Health;
  2. Preparing and submitting returns containing anonymised patient level data in response to a national direction issued by NHS England; and
  3. Preparing and submitting returns containing aggregated data in response to a national direction.

The National Data Opt-Out is NOT applied to national returns processing.

The data that is processed

To properly support the various purposes above, a broad range of health and social care data is required.

The sources of the data processed in the Thames Valley and Surrey shared care records include:

  1. General practice data;
  2. Local authority data; and
  3. NHS Trust data.

The Thames Valley and Surrey shared care records also process data from independent health and social care providers who have been commissioned by the NHS and by local authorities to provide services to patients and residents.

The types of data processed in the Thames Valley and Surrey shared care records include details:

  1. Of an individual’s:
    1. Current and past conditions, medications and treatments
    2. Biometric information, such as:
      1. Blood pressure
      2. Blood type
      3. Ethnicity
      4. Gender
      5. Height
      6. Weight
    3. Diagnostics tests, results and reports
    4. General practice activity and appointments
    5. Hospital, community services and mental health activity and appointments
    6. Out of hours and 111 activity
    7. Referrals
    8. Social care support;
  2. Of any care plans relating to the management of an individual’s health and social care needs;
  3. Of the professionals involved in providing and managing an individual’s health and social care needs; and
  4. Of the patient’s and resident’s personal, demographic and contact information.

Types of processing

There are three types of data processing using the shared care records:

  1. Identifiable:
    1. Processing which includes fully identifiable data being disclosed to health and care professionals and organisations
    2. The purposes for which fully identifiable data can be disclosed to health and care professionals and organisations include:
      1. Directly supporting the provision of safe and timely care;
  2. Pseudonymous:
    1. Processing that can be carried out at least in part with just anonymous output made available. However, these purposes typically also include a requirement to identify one or more individuals in order for health and care professionals and organisations to provide care
    2. The purposes for which pseudonymous data can be disclosed to health and care professionals and organisations include:
      1. Managing the health and care of groups of individuals;
    3. For pseudonymous data output, all items that could be used to re-identify an individual are excluded from the output. The following would be excluded for example:
      1. Names
      2. Addresses
      3. Numbers
      4. References
      5. Other identifiers
    4. And for pseudonymous data output, to further reduce the risk of an individual being unnecessarily re-identified, ranges are in some cases substituted for actual values. For example:
      1. Ages are replaced with age ranges
      2. Full postcodes are replaced with partial postcodes; and
  3. Anonymous:
    1. Processing that only allows fully anonymous data to be disclosed to health and care professionals and organisations
    2. The purposes for which only fully anonymous data can be disclosed to health and care professionals and organisations include:
      1. Managing the health and care of the population as a whole
      2. Managing the health and care system (the ICS) as a whole
      3. Commissioning local health and care services
    3. Fully anonymous data is anonymised in line with the Information Commissioner’s requirements for anonymisation which include the removal of all items that could be used to reidentify an individual, such as:
      1. Names
      2. Addresses
      3. Numbers
      4. References
      5. Other identifiers
    4. And for anonymous processing the output is typically summarised or aggregated to further reduce the risk of an individual being reidentified, including measures such as the replacement of:
      1. Ages with age ranges
      2. Full postcodes with partial postcodes.

For the types of data made available to research please see the Research section above.

Legal basis for the processing

Health and Care legislation

Unless an individual has objected to processing or joint processing and sharing and the sharing organisation has accepted the individual’s objection(s) the legal basis for sharing and viewing the shared records includes provisions of Section 251B of the Health and Social Care Act 2012 (as amended by the Health and Social Care (Safety and Quality) Act 2015):

  1. The sharing organisation must ensure that the information is disclosed to:
    • persons working for the sharing organisation
    • any other relevant health or adult social care commissioner or provider with whom the sharing organisation communicates about the individual; and
  2. So far as the sharing organisation considers that the disclosure is:
    • likely to facilitate the provision to the individual of health services or adult social care in England
    • in the individual’s best interests.

The legal basis for processing the shared records includes the provisions of Section 254 of the Health and Social Care Act 2012.

GDPR

Unless an individual has objected to processing or joint processing and sharing and the sharing organisation has accepted the individual’s objection the legal basis for processing the records for the Purpose of the shared care record processing set out above is also provided by the UK General Data Protection Regulation (“GDPR”):

  1. Article 6(1)e
    “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;
  2. Article 9(2)g
    “processing is necessary for reasons of substantial public interest”;
  3. Article 9(2)h
    “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of Union or Member state laws”; and
  4. Article 9(2)i
    “processing is necessary for reasons of public interest in the area of public health”.

The GDPR legal bases are further supported by the purposes set out in the Data Protection Act 2018, Schedule 1, Part 2, paragraph 6 “Statutory etc and government purposes” and sub-paragraph 2(a) “the exercise of a function conferred on a person by an enactment or rule of law”.

The “official authority” and the “member state laws” establish the legal bases that organisations rely upon for the need to share and jointly process data to deliver care.

Common Law

Where access to confidential data is legitimate, the common law duties of confidentiality are satisfied because consent to disclose or view an individual’s identifiable record is implied where the individual concerned agrees to be referred to a service or where the individual concerned refers themselves or presents to a service. In general individuals are made aware of data sharing either via privacy and “fair processing” notices, specific discussion with health and social care staff or in most cases by both methods.

Where confidential data has been anonymised in line with the Information Commissioner’s Office code of conduct for anonymisation the above legal basis is no longer a pre-requisite for processing the data.

For the processing of data using the shared care records for secondary purposes (please see Purpose of the shared care record processing above), whether or not an individual has registered a National Data Opt-out is always considered and is applicable for any use of identifiable data unless the case for use is either direct care or supported by a waiver of such agreed by the National Confidentiality Advisory Group and the Secretary of State. Where the shared care record is used for processing purposes other than direct care data is only disclosed or viewed in anonymised or pseudonymised form meaning that the common law duties of confidentiality are not engaged.

Where the shared care record data is only made available in pseudonymised or anonymised form the common law duty of confidentiality is fully satisfied.

Consent to process identifiable data

Because processing using the Thames Valley and Surrey shared care records is based on official authority and joint data controllers’ legal duties in respect of an individual’s health and social care, GDPR does not recognise consent as a valid basis to process the individual’s data for an individual’s direct health and social care.

GDPR does however provide individuals with the right to object to the processing of some or all of their personal identifiable data.

Please see Your rights below.

Data that is not explicitly health or social care data

While the Thames Valley and Surrey shared care records are primarily aimed at health and social care they do in some cases also process other forms of data as a consequence of the data’s relevance to the individual’s health and social care.

Examples of information that does not immediately appear to have a healthcare or social care relevance include:

  1. Education – A child or young person’s health can have direct impact on the child or young person’s ability to engage with and access their education:
    1. The child or young person’s health needs may mean that the child or young person needs:
      1. time away from education to attend appointments
      2. adjustments to be made within their education setting
      3. school staff to support with medication and be appropriately trained to support health needs;
    2. Equally, how a child or young person interacts in their education setting with their peers, their teachers and their learning support staff can be directly relevant to the care plans and assessments health and social care staff may need to undertake;
    3. A young person spends much of their life in the educational system, their health needs don’t stop or diminish whilst they are in educational settings and can change or present differently while the child or young person is in the education system; and
    4. Understanding how health impacts education and vice versa is crucial to ensuring a young person can:
      1. access the education the young person has a right
      2. achieve their potential.
    5. Employment – Work and health are closely linked:
      1. Challenges with employment, whether the challenge is finding work, staying in work, or returning after a career break or sickness can impact on an individual’s wellbeing; and
      2. The NHS and Local Authorities provide services specifically designed to support individuals with these challenges. Services range from:
        1. help writing CVs and covering letters
        2. to interview practice and support
        3. to helping find reasonable adjustments to support health and wellbeing needs and how to approach the adjustments with an employer.
      3. Housing – Housing and health are often linked:
        1. Poor mental health can make it harder for individuals to cope with housing problems;
        2. Being homeless or having problems where an individual lives can make mental health worse; and
        3. Finding suitable housing can be challenging where an individual has physical health needs and adjustments to support the individual may need to be made by a landlord.
      4. The justice system:
        1. Liaison and Diversion services for example support people who have mental health, learning disability, substance misuse or other vulnerabilities when they first come into contact with the justice system as suspects, defendants or offenders:
          1. These services are provided by the NHS
          2. Where individuals come into contact with this service information will be stored in the individual’s health record
          3. This information will include, where relevant, the reason the individual became known to the justice system as the care and treatment offered considers not only the individual’s health needs but also wider information about the individual’s circumstances and how these circumstances may affect the individual’s care and treatment needs; and
        2. Sometimes an individual’s justice system history is relevant to the health and social care record to support the care that is being provided to the individual:
          1. For example, an individual who is suffering particular symptoms or a diagnosis that stems from the individual’s past or current lived experience (which includes justice system information)
          2. And where an individual’s needs for their health and wellbeing can be directly linked to the individual’s lived experiences in all kinds of areas.
        3. Risk and safety – There are also times when an individual’s history needs to be recorded in health and social care records for risk and safety reasons. This information must be known and considered to keep individuals and staff safe and ensure appropriate working arrangements can be put in place if required.

Data in an individual’s health and social care record that is about another individual

While an individual’s Thames Valley and Surrey shared care records are primarily aimed at holding and processing health and social care data about the individual, they do in some cases also hold and process data about others that is relevant to the individual’s health and social care.

Examples include:

  1. Carers – An individual’s health and social care records may hold information about the people providing the individual’s care:
    1. A carer may be a person who is paid to provide care to an individual, this is the carer’s job and the basis of the carer’s relationship with the individual:
      1. These carers are generally described as “Care Workers” and information about the carers would usually be limited to who the carer is and their observations of the patient through the carer’s paid role as appropriate
      2. Records may also include information on the therapeutic relationship between the care worker and the individual; and
    2. A carer can also be anyone who provides care on an unpaid basis for an individual who is a friend, a partner or a family member. Details of the person providing care for the individual, the carer’s relationship with the individual and any specific support, risks or other considerations may be recorded in the individual’s health and social care records.
  2. The cared for:
    1. It is sometimes the case that information about the person being cared for is recorded in the carer’s own personal health and social care records:
      1. This is because caring for another person can bring health and wellbeing considerations for the carer themselves
      2. In this respect there may be particular risks, safeguarding concerns or support considerations about the cared for person and carer that need to be included in both the cared for and the carer’s records.
    2. Family:
      1. A person’s family history can be important for clinicians to consider when providing care and treatment. When information is shared with health and social care about a family member’s health and social care history that is relevant to the individual themselves the information about the individual’s family member may be entered into the individual’s record;
      2. Where an individual has a family member or members who are particularly supportive or integrated with the care of the individual, information about that family member may be recorded in the individual’s medical records; and
      3. Where a family member or members may have a negative impact on an individual’s health and wellbeing this is important for health and social care professionals to be aware of:
        1. there may be safeguarding information it is important for professionals to consider
        2. or health and social care professionals may become aware of safeguarding concerns and need to document the concerns in the individual’s records.
      4. Friends – Where a friend or friends may have a negative impact on an individual’s health and wellbeing it is important for health and social care professionals to be aware of this potential because:
        1. There may be safeguarding information that it is important for the professionals to consider; and
        2. The professionals may become aware of safeguarding concerns and need to document the concerns in the individual’s records.

Legal opinions taken

To confirm their lawfulness, the data sharing and processing arrangements represented by the shared care records have been subjected to extensive scrutiny by local subject matter experts. The arrangements (with a particular emphasis on the shared care record solutions) have also been subjected to scrutiny by solicitors and by King’s Counsel:

  1. In 2019 solicitors and King’s Counsel both confirmed that the arrangements are suitably lawful and robust;
  2. In 2023 solicitors re-confirmed for the joint controllers that the arrangements continue to be suitably lawful and robust;
  3. In 2023 solicitors confirmed for the joint controllers that the shared care record approach to managing the processing of identifiable, pseudonymous and anonymous data in discrete data repositories and in combined data repositories within the shared care record analytics solutions is lawful given the administrative and technical controls that are in place; and
  4. In 2023 King’s Counsel reviewed and confirmed the lawfulness of our approaches to:
    1. Pseudonymisation and anonymisation to prevent breaches of common law where processing cannot rely on implied consent because the processing concerned is not for direct care purposes;
    2. The processing of data for risk stratification *;
    3. The processing of secondary uses data to support direct care; and
    4. The application of the National Data Opt-out.

(* Risk stratification is an assessment process that supports many of the processing purposes listed in Purpose of the shared care record processing above. It involves reviewing multiple aspects of an individual’s condition or conditions to assess and suggest the overall severity and impact on the individual and the likelihood of complications developing. Risk stratification for the shared care records is carried out within the shared care record analytics solutions and utilises the tried and tested Johns Hopkins Adjusted Clinical Group (ACG) methodology.)

Controls in place

While there are a broad range of controls in use, the primary controls in place for the Thames Valley and Surrey shared care records are set out below.

Qualifying Standard

For organisations to be able to access the Thames Valley and Surrey shared care records the organisations concerned are required to meet a Qualifying Standard. The Qualifying Standard requires each controller requiring access to the Thames Valley and Surrey shared care records to meet or exceed requirements covering:

  1. Audit of access;
  2. Confidentiality;
  3. Contracts;
  4. Internal governance arrangements;
  5. Privacy notices;
  6. Quality of data;
  7. Security; and
  8. Staff training.

Contracts

In line with the requirements of legislation the Thames Valley and Surrey shared care records joint data controllers incorporate data protection and confidentiality requirements within contracts with the data processor organisations that supply the Thames Valley and Surrey shared care records and run the technical processing on behalf of the joint controllers.

Furthermore, contracts with staff who have access to identifiable Thames Valley and Surrey shared care records data also include mandatory data protection and confidentiality requirements.

Role-Based Access Controls

A key control built into the Thames Valley and Surrey shared care records is known as Role-Based Access Control. This allows access to personal identifiable data to be restricted to those users with a legitimate reason to access the identifiable data.

For example, with respect to your identifiable data:

  1. A receptionist would need access to demographic details such as your name and address but a receptionist would not need access to data such as the notes from your most recent appointment with your GP;
  2. A pharmacist or physiotherapist would need access to demographic details and your current active healthcare conditions; and
  3. The hospital consultant and your GP would need access to the full range of your health and social care data to properly and safely plan, provide and manage your care.

Roles with no access to your identifiable data would be those responsible for processes such as:

  1. Managing the health and care of the population as a whole;
  2. Managing the health and care system (the ICS) as a whole; and
  3. Commissioning local health and care services.

Audits

Audits of usage of the Thames Valley and Surrey shared care records are also an important control.

Audits are carried out by the individual data controller organisations as well as the lead data controller for the Thames Valley and Surrey shared care records.

The purpose of the audits is to ensure that the controls applied to the Thames Valley and Surrey shared care records are operating effectively and to identify and address usage that is inconsistent with the policies and controls for the Thames Valley and Surrey shared care records.

Your rights

Your data protection rights are defined in GDPR.

While the purpose of this page is primarily to inform local residents, members of the public and patients about processing through the Thames Valley and Surrey shared care records and individuals’ rights in respect of the processing, it should also be noted that the scope of the rights and protections set out here extends to the health and social care professionals identified within the system. (For example, the notes from an individual’s GP appointment may also include the identity of the GP concerned.)

UK General Data Protection Regulation

GDPR gives you the right (with a small number of exemptions) to know what data about you is held and processed in the Thames Valley and Surrey shared care records. This includes:

  1. Data provided by you;
  2. Data created by a joint data controller; and
  3. Data provided by another data controller organisation.

Once this data about you has been provided to you the data can be given by you to other health and care provider organisations.

GDPR also gives you the right to know the purposes for which data about you is processed.

You also have the right under GDPR to:

  1. Request corrections to your records;
  2. Request restrictions to be applied to the processing of your data; and
  3. Object to the processing of your data for specific purposes.

These are not absolute rights and all corrections, restrictions and objections are subject to the agreement of the organisation that created the record in the first instance.

Contacts and links below provide the details regarding who to contact.

Contacts and links

How the NHS functions

The NHS is organised into Integrated Care Systems (ICS) led by Integrated Care Boards (ICB) with a primary responsibility to arrange (also referred to as commissioning) the provision of health care for patients registered within the area covered by the Integrated Care System. Local Authorities within the area work together with their health partners to help ensure that local health and social care are as aligned as possible. More information regarding the functioning of the NHS in England can be found at https://www.kingsfund.org.uk/audio-video/how-does-nhs-in-england-work.

The National Data Opt-out

The National Data Opt-out is a service that allows individuals who receive publicly funded health and social care in England to opt-out from their confidential information being used for some purposes. This ability was recommended by the National Data Guardian and was implemented in May 2018 in parallel with the General Data Protection Regulation (GDPR).

It is important to note that this opt-out does not apply to all forms of processing. The section Purpose of the shared care record processing above identifies where we take account of the National Data Opt-out in relation to the Thames Valley and Surrey shared care records.

More information about this national service can be found at https://digital.nhs.uk/services/national-data-opt-out and at https://digital.nhs.uk/services/national-data-opt-out/understanding-the-national-data-opt-out .

The anonymisation code of practice

To help ensure that personal confidential information is properly de-identified the Information Commissioner’s Office has agreed and published a code of practice for anonymisation.

For the Thames Valley and Surrey shared care records, this code of practice is applied to both the anonymised and pseudonymised processing.

The Information Commissioner’s code of practice for anonymisation can be found here https://ico.org.uk/media/1061/anonymisation-code.pdf .

The records management code of practice

The NHS Records Management Code of Practice is applied by the data controller organisations contributing to the Thames Valley and Surrey shared care records and by the Thames Valley and Surrey shared care records programme itself.

Details of the NHS Records Management Code of Practice can be found here https://transform.england.nhs.uk/information-governance/guidance/records-management-code/ .

Details of Thames Valley and Surrey shared care records policy for record keeping and retention can be found here https://www.thamesvalleysurreycarerecords.net/about/prog-docs/privacy-notice-supporting-information/56-tvs-lhcr-faqs-data-retention/file .

The lead data controller

Frimley Health NHS Foundation Trust is the lead data controller for the Thames Valley and Surrey shared care records programme. The Data Protection Officer for Frimley Health NHS Foundation Trust can be contacted by email using fhft.information.governance@nhs.net and by post using THE DATA PROTECTION OFFICER, INFORMATION GOVERNANCE DEPARTMENT, FRIMLEY HEALTH NHS FOUNDATION TRUST, HEATHERWOOD HOSPITAL, GREENWOOD OFFICES, LONDON ROAD, ASCOT, SL5 8AA.

Should you require information relating specifically to one of the health and social care organisations you deal with directly, please contact the organisation concerned. You will find the contact details and process for individual organisations on their websites.

The Information Commissioner

The Information Commissioner’s Office (ICO) internet address is https://ico.org.uk/ and the ICO can be contacted here https://ico.org.uk/global/contact-us/contact-us-public/ and here: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone: 0303 123 1113.

Frequently asked questions (FAQs)

General

What is health and care data?

The types of health and social care data are outlined in The data that is processed.

Why is health and care information shared?

The reasons for sharing health and social care information between health and social care organisations are explained in Purpose of the shared care record processing.

What information is shared using the Thames Valley and Surrey shared care records?

The types of health and social care data processed using the Thames Valley and Surrey shared care records are outlined in The data that is processed.

What are the Thames Valley and Surrey shared care records known as?

To improve the quality of information available to support the management and delivery of care to residents within Thames Valley and Surrey and to help ensure the continuing value of this key capability, the partners for the Thames Valley and Surrey shared care record programme are consolidating multiple individual shared care records into a single shared care record. There are two parts to the Thames Valley and Surrey shared care record. These are:

  1. The Thames Valley and Surrey care record which supports:
    1. Directly supporting the provision of safe and timely care
    2. Managing the health and care of groups of individuals; and
  2. The Thames Valley and Surrey and the Connected Care System Insights analytics platform which together support:
    1. Managing the health and care of the population as a whole
    2. Managing the health and care system (the ICS) as a whole
    3. Commissioning local health and care services
    4. Research.

The shared care records previously or currently in use within the Thames Valley and Surrey Integrated Care Systems that are transitioning to the Thames Valley and Surrey shared care record are:

  1. Buckinghamshire Oxfordshire and Berkshire West ICS:
    1. Connected Care (Berkshire West)
    2. My Care Record (Buckinghamshire)
    3. Oxfordshire Care Record (Oxfordshire);
  2. Frimley ICS:
    1. Connected Care (East Berkshire, North East Hampshire and Farnham and Surrey Heath); and
  3. Surrey Heartlands ICS:
    1. Surrey Care Record (Surrey Heartlands).

The Thames Valley and Surrey shared care records do NOT include the Thames Valley and Surrey SDE (Secure Data Environment) and data is NOT shared from the Thames Valley and Surrey shared care records into the Thames Valley and Surrey SDE that is managed by Oxford University Hospital. (SDEs can also sometimes be referred to as Sub-national Secure Data Environments (SNSDEs).)

How long is my data kept?

The policy for retention of data within the Thames Valley and Surrey shared care records system is for data to be kept for the same duration as it is kept in the source data controllers’ systems. Source data controllers keep data in accordance with The records management code of practice.

How can I be sure my information is being kept safe?

There are multiple Controls in place to protect your information.

One of these controls is the Qualifying Standard which sets out the criteria that all of the Thames Valley and Surrey shared care records joint data controllers need to meet.

The Qualifying Standard also needs to be met or exceeded by the Thames Valley and Surrey shared care records system suppliers and processors before Contracts are signed with the organisations.

Who can see my information?

The Thames Valley and Surrey shared care records joint data controllers (Identities of the controllers for the shared care records), where the controllers concerned have a legitimate relationship with you, can see your identifiable data.

Access to your identifiable data by individual health and social care professionals also requires a legitimate relationship and is controlled by Role-Based Access Controls.

What is anonymised information?

Please see Types of processing.

What is pseudonymised information?

Please see Types of processing.

What are the main uses of data in the Thames Valley and Surrey shared care records?

Please see Purpose of the shared care record processing.

What is the legal basis for processing data within the Thames Valley and Surrey shared care records?

Please see Legal basis for the processing.

Who are the data controllers?

Please see Identities of the controllers for the shared care records.

I live in the Thames Valley and Surrey region but am registered at a GP practice outside of this area. Am I still included?

Not currently. Your data would not currently be accessible by means of the Thames Valley and Surrey shared care records because information availability is determined by the participation of individuals’ registered practices.

There is an intention to create links between the Thames Valley and Surrey shared care records system and equivalent neighbouring systems at some point in the future. However, at the time of responding to this FAQ a timescale has not been set.

What rights do I have?

Please see Your rights.

How can I access my information?

Please see Your rights.

To access your information relating to a specific Thames Valley and Surrey shared care records data controller please contact the organisation concerned.

To access your information relating to the Thames Valley and Surrey shared care records themselves please contact The lead data controller.

What is a Subject Access Request and how do I make one?

Subject Access Requests are a right provided by article 15 of the General Data Protection Regulation. Subject Access Requests (with some limitations) allow individuals access to their own records.

Please see Your rights.

Can I object to my information being processed in the Thames Valley and Surrey shared care records?

Yes, but with some restrictions. Please see Your rights.

Individual direct care

Doesn’t everyone involved in my health and care already have access to my information?

No, data is held by each organisation in its own database.

No, some roles should not have access to an individual’s identifiable and sensitive data because there is no natural legitimate relationship between the role and the individual.

While some roles may have access to an individual’s data, the access may be restricted to certain types of information.

Please see Role-Based Access Controls.

Can I object to my information being processed for direct care?

Yes, but with some restrictions. Please see Your rights.

Population health

What is Population Health?

Please see Managing the health and care of the population as a whole and Purpose of the shared care record processing.

What is Risk Stratification?

Risk stratification is an assessment process that supports many of the processing purposes listed in Purpose of the shared care record processing above. It involves reviewing multiple aspects of an individual’s condition or conditions to assess and suggest the overall severity and impact on the individual and the likelihood of complications developing.

Risk stratification for the shared care records is carried out within the shared care record analytics solutions and utilises the tried and tested Johns Hopkins Adjusted Clinical Group (ACG) methodology.

What is Segmentation?

Segmentation is an assessment process that supports many of the processing purposes listed above in Purpose of the shared care record processing and is based on risk stratification. It involves reviewing multiple aspects of an individual’s condition or conditions to assess and suggest the overall severity and impact on the individual and the likelihood of complications developing.

Segmentation supports care professionals in planning for and delivering the most appropriate care for an individual.

Segmentation for the shared care records is carried out within the shared care record analytics solutions.

Can I object to my information being processed for population health?

For an individual to object to data being processed for population health purposes there are two options that are available:

  1. Make use of the National Data Opt-out (please see The National Data Opt-out); or
  2. Object to all processing through the Thames Valley and Surrey shared care records.

For further information please see Purpose of the shared care record processing, Types of processing and Your rights.

Planning and research

Will my personal details be shared for planning and research?

For planning see Managing the health and care system (the ICS) as a whole and Commissioning local health and care services.

For research please see Research.

Please also see Types of processing and The National Data Opt-out.

Can I be identified when my data is used for planning or research?

Generally the answer is very dependent on the type of research. In some cases the research can be based on anonymised data. In others, because the individual is directly involved as a participant in the research the individual is identified.

Please see Research.

Why is my information used in health and care for planning and research?

For planning see Managing the health and care system (the ICS) as a whole and Commissioning local health and care services.

For research please see Research.

Please also see Types of processing and The National Data Opt-out.

How is my information used in planning and research?

For planning see Managing the health and care system (the ICS) as a whole and Commissioning local health and care services.

For research please see Research.

Please also see Types of processing and The National Data Opt-out.

Can I object to my information being processed for planning and research?

For an individual to object to data being processed for planning and research purposes there are two options that are available:

  1. Make use of the National Data Opt-out (please see The National Data Opt-out); or
  2. Object to all processing through the Thames Valley and Surrey shared care records.

For further information please see Purpose of the shared care record processing, Types of processing and Your rights.

Copyright 2018-2024 SPL (publishing as the Regional Health and Social Care Information Sharing Agreement). 

Privacy: 1. Personal identifiable data is not processed by this site; and 2. This site is not configured to use cookies.
