Home
Regional Health and Social Care ISA
- Category: RegISA Introduction
The Agreement
Every health and social care organisation in the country is identifying substantial requirements to share and use personal confidential data in order to achieve planned improvements in care delivery and in financial efficiency.
It is also the case that many opportunities to improve care are delayed or lost due to the challenges associated with designing and agreeing information sharing agreements on a project by project basis.
The regional Information Governance Steering Group (IGSG) which is chaired by the Chairman of the Berkshire Local Medical Committee at the time of writing manages the agreement and the membership of the agreement on behalf of the members. The Administrator (Frimley Health NHS Foundation Trust at the time of writing) maintains and publishes the agreement documentation and supporting schedules and registers on behalf of the member organisations and IGSG.
This agreement has been reviewed by Queens Counsel and in his opinion it is both lawful and fit for its purpose. A summary of the QCs opinion is attached below.
This agreement builds on the success of the similarly structured prior agreements for the sharing of information for the provision of care and for secondary uses agreements in use since 2013 and replaces the current 2023 version of the agreement. The aims of the agreement are:
- To provide a clear framework for the secure sharing of personal confidential data for the delivery of care and for the management of the health and social care system (in particular in respect of data controller organisations' responsibilities in respect of GDPR art.26 (Joint Controllers);
- To accelerate the pace with which regional and local sharing requirements can be agreed; and
- To reduce the costs of developing and agreeing individual sharing requirements.
Very specifically, this latest iteration of the agreement is designed to better support the development of:
- Federated working and networks;
- Integrated working and care delivery models;
- Real time risk stratification at the point of care for patients with the most complex needs; and
- Latest guidance on data controllership resulting from the implementation of GDPR.
Each organisation remains responsible for the control and use of personal confidential data within the organisation as required by the legislation and the Schedule F and Schedule CDE Mapping pages are designed to actively support data controller organisations' responsibilities under GDPR art.30 (Records of Processing).
Structure of the Agreement
The Regional Health and Social Care Information Sharing Agreement is executed as a subscription agreement. This form of agreement allows controlled processing and sharing to begin as soon as two controllers have signed their sharing documentation. Unlike the traditional multi-party agreement models, processing and sharing does not need to wait until all parties have executed the agreement.
Organisations become members of the agreement by signing up to the master agreement that sets out the scope and terms of membership for the agreement as well as the roles of IGSG, Lead Controllers and the Administrator. The Administrator accepts the new member’s signed master agreement on behalf of the members as a whole.
Implementation
Implementation of the agreement is as follows:
- Every member of the framework needs to sign the master agreement;
- The agreement is currently and will in future be presented through an electronic signature process as a single document;
- Data controller organisations that contribute data to the shared pool as a data flow or information asset are presented with one or more additional documents describing each specific processing and sharing arrangement the controller is expected to contribute to;
- Where the master agreement and one or more individual processing and sharing arrangement(s) are executed contemporaneously all documents are presented through an electronic signature process as a single document … with signatures required for each item requiring approval; and
- Where subsequent individual processing and sharing arrangements are executed non-simultaneously the documents are presented individually through an electronic signature process for approval.
Some supporting documents are presented below.
Current Master Agreement for the period 1st April 2022 to 30th April 2028
Note, both versions of the agreement documents are active during the transition. No material changes other than the effective dates have been made between the documents.
Below you will also find details of the Regional ISA membership.
See also:
Records of Processing - All processing and sharing arrangements
Records of Processing - Buckinghamshire and Oxfordshire arrangements
- Category: Processing and Sharing Specifications
Records of Processing - Buckinghamshire and Oxfordshire
The links below refer to the Regional Health and Social Care Information Sharing Agreement Schedule K documents, DPIAs, policies and other supporting collateral that apply to the arrangements in place for Buckinghamshire and Oxfordshire.
The documents and schedules are:
- My Care Record and TVS joint processing and sharing specification (Schedule K). http://www.regisa.uk/documents/KB000001MCRcurrent.pdf
- The deployment of Connected Care and Docobo in support of Oxfordshire practices (Schedule K). http://www.regisa.uk/documents/KX000001oxGPcurrent.pdf
- The IGSG policy decision setting out the Regional ISA terms of reference for the Buckinghamshire IGSG within the Regional ISA. http://www.regisa.uk/documents/BucksIGSGsubGroupTermsOfReference.pdf
- The IGSG policy decision setting out the Regional ISA terms of reference for an Oxfordshire IGSG within the Regional ISA. http://www.regisa.uk/documents/OxonIGSGsubGroupTermsOfReference.pdf
- Queen's Counsel's and Solicitor's opinion in respect of the Regional ISA. http://www.regisa.uk/documents/02aQCopinionSummary136472122_1.pdf
Records of Processing - All processing and sharing arrangements
- Category: Processing and Sharing Specifications
Records of Processing
The links below refer to pages that present a variety of views on the processing and sharing specifications in place for the Regional Health and Social Care Information Sharing Agreement.
The schedules are:
- Schedule C to the Regional ISA - Schedule C - Joint processing and sharing arrangements presents a list of the Schedule K documents that define the joint processing and sharing arrangements in place (or planned to be in place) under the Regional ISA.
- Schedule D to the Regional ISA - Although the details are included as part of Schedule C, for ease of access, Schedule D - Other (including Secondary) Uses processing and sharing has been prepared to present the arrangements where there is a non-direct care element to the processing.
- Schedule P to the Regional ISA - Schedule P - Data Protection Impact Assessments presents a list of the DPIAs underpinning and supporting the arrangements described in the main Schedule K documents.
There are also 4 Records of Processing schedules that show the mapping of Schedules C and D against the core Schedule E - Membership Register. These are:
- Mapping of ACTIVE Schedule K arrangements by Organisation (including Information Asset details) ... Active Schedules C, D and E and Information Assets by Organisation.
- Mapping of ALL Schedule K arrangements by Organisation (active and planned) ... Mapping of Schedules C, D and E by Organisation.
- Mapping of ALL Schedule K arrangements by Organisation (including Information Asset details) ... Mapping of Schedules C, D and E and Information Assets by Organisation.
- Mapping by Schedule K joint processing and sharing agreement specification of ALL Organisations taking part in the arrangement (active and planned) ... Mapping of Schedules C, D and E by Agreement.
Schedule P - Data Protection Impact Assessments
- Category: Data Protection Impact Assessments
Page last updated on: Monday, 08 August 2022 (08:28)
Schedule P - Data Protection Impact Assessments
This schedule to the Regional Health and Social Care Information Sharing Agreement sets out the Data Protection Impact Assessments (DPIAs) relating to the joint processing and sharing specifications in place and in development for the Regional Information Sharing Agreement.
Where available, links are provided to PDF versions of the DPIAs. (Please note that for security reasons some DPIAs are not published.)
This schedule was prepared on the date at the top of the page and does not reflect additions and changes to the registers and schedules thereafter.
Data Protection Impact Assessments
| Status | ID | Name | Processing Type | Review Date | Review Comment |
|---|---|---|---|---|---|
| DPIA0001 | Legacy | Connected Care Clinical Platform | Direct care | 30 April 2023 | Current |
| DPIA0002 | Legacy | Connected Care Analytics Platform | Both Direct Care and Other | 30 April 2023 | Current |
| DPIA0003 | Legacy | GP Extended Hours | Direct care | 30 April 2023 | Current |
| DPIA0004 | Legacy | Thames Hospice with Berkshire practices via EMIS | Direct care | 30 April 2023 | Current |
| DPIA0005 | Legacy | SCAS Activity Data | Other | n/a | |
| DPIA0006 | Legacy | Connected Care Personal Health Record (PHR) | Both Direct Care and Other | 30 April 2023 | Current |
| DPIA0007 | Legacy | PCN Analytics | Both Direct Care and Other | 30 April 2023 | Current |
| DPIA0008 | Legacy | Unscheduled Care Notifications | Direct care | 30 April 2023 | Current |
| DPIA0011 | Legacy | Integrated Care and Multidisciplinary Care | Direct care | 30 April 2023 | Current |
| DPIA0012 | Legacy | Integrated Decisions Recording in Connected Care | Direct care | 30 April 2023 | Current |
| DPIA0013 | Legacy | Child Health (CHIS) extract via Connected Care | Direct care | 31 March 2022 | Expired - Review required |
| DPIA0014 | Legacy | Connected Care Childrens Social Care | Direct care | 30 April 2023 | Current |
| DPIA0018 | Legacy | SCAS GP Encounter Data | Other | 30 April 2023 | Current |
| DPIA0019 | Legacy | SCAS 111 Direct Booking with GP Connect | Direct care | 30 April 2023 | Current |
| DPIA0021 | Legacy | Frimley ICS Community Services EMIS | Direct care | 30 April 2023 | Current |
| DPIA0022 | Legacy | Connected Care and BSPS Diagnostic Requests and Results | Direct care | 30 April 2023 | Current |
| DPIA0025 | Legacy | ORCHA Signposting to Accredited Apps | Direct care | 30 April 2023 | Current |
| DPIA0027 | Legacy | OOH Activity and Encounter Data | Both Direct Care and Other | 30 April 2023 | Current |
| DPIA0028 | Legacy | CMHTP/MHICS for Surrey and Frimley ICS | Direct care | 30 April 2023 | Current |
| DPIA0030 | Legacy | Connected Care and Thames Valley and Surrey LHCR | Direct care | 30 April 2023 | Current |
| DPIA0033 | Legacy | External Organisation Access to BHFT RIO | Direct care | 31 December 2022 | Current |
| DPIA0035 | Legacy | MHICS for Frimley ICS (East Berkshire) | Direct care | 30 April 2023 | Current |
| DPIA0036 | Legacy | BSPS Diagnostic Requests and Results | Direct care | 31 December 2022 | Current |
| DPIA0038 | Legacy | Test and Trace Data and Connected Care | Direct care | 31 December 2022 | Current |
| DPIA0039 | Legacy | Healthy IO Minuteful Kidney Testing | Both Direct Care and Other | 31 May 2022 | Expired - Review required |
| DPIA0040 | Legacy | Living With COVID Recovery | Both Direct Care and Other | 31 October 2022 | Current - Review due soon |
| DPIA0041 | Legacy | SABP and Connected Care | Direct care | 30 April 2023 | Current |
| DPIA0042 | Legacy | PHMDP in the Frimley ICS | Other | 30 April 2022 | Expired - Review required |
| DPIA0043 | Legacy | National Integration Index in Frimley ICS | Other | 30 April 2022 | Expired - Review required |
| DPIA0046 | Legacy | Waiting Lists DNAs Cancellations and Connected Care | Both Direct Care and Other | 30 April 2023 | Current |
| DPIA0047 | Legacy | ARRS for Berkshire West and East Berkshire | Direct care | 31 March 2022 | Expired - Review required |
| DPIA0048 | Legacy | Connected Care FHFT Interface Changes and Testing for EPIC | Both Direct Care and Other | 30 June 2022 | Expired - Review required |
| DPIA0050 | Legacy | Connected Care and Docobo for Remote Care and Monitoring | Direct care | 30 April 2023 | Current |
| DPIA2001 | Current | Connected Care Clinical Portal | Direct care | 30 April 2024 | Current |
| DPIA2002 | Current | Connected Care Analytics Platform | Both Direct Care and Other | 30 April 2024 | Current |
| DPIA2003 | Current | Connected Care and Docobo for Remote Care and Monitoring | Both Direct Care and Other | 30 April 2024 | Current |
| DPIA2004 | Current | Connected Care and Thames Valley and Surrey LHCR | Both Direct Care and Other | 30 April 2024 | Current |
| DPIA2005 | Current | Connected Care and BSPS Diagnostic Requests and Results | Both Direct Care and Other | 30 April 2024 | Current |
| DPIA2006 | Current | Waiting Lists DNAs Cancellations and Connected Care | Both Direct Care and Other | 30 April 2024 | Current |
| DPIA2007 | Current | Connected Care and Test and Trace Data | Direct care | 31 December 2022 | Current |
| DPIA2009 | Current | PCN and Federated and Extended Hours Working | Direct care | 30 April 2024 | Current |
| DPIA2010 | Current | Thames Hospice with East Berkshire practices via EMIS | Direct care | 30 April 2024 | Current |
| DPIA2011 | Current | Frimley ICS Community Services EMIS | Direct care | 30 April 2024 | Current |
| DPIA2012 | Current | External Organisation Access to BHFT RIO | Direct care | 30 April 2024 | Current |
| DPIA2013 | Current | External Organisation Access to FHFT EPIC | Direct care | 30 April 2024 | Current |
| DPIA2014 | Current | BSPS Diagnostic Requests and Results | Direct care | 30 April 2024 | Current |
An explanation of the values in the status field is presented in the Status field glossary.
The master documents are managed by the Administrator and can be viewed online at www.regisa.uk .
See also:
- Records of Processing - Mapping of Schedules C, D and E by Agreement
- Records of Processing - Mapping of Schedules C, D and E by Organisation
- Records of Processing - Mapping of Schedules C, D and E and Information Assets by Organisation
End of Schedule P
Master Agreement
- Category: Master Agreement Documents
We have compiled an example Master Agreement and its associated annexes and schedules into the document attached below.
The Master Agreement comprises the core membership agreement document that defines the
- Scope of the agreement
- Agreement principles and policies
- Terms and conditions
- Operational commitments made between members
- Administration arrangements
The core agreement terms need to be signed and accepted by members.
The Master Agreement also includes three annexes
- Information Governance Steering Group terms of reference
- Joint control arrangements – Lead Controller terms of reference
- Notification and reporting arrangements applying to all members of the agreement
The Master Agreement also includes:
Schedule A – Risk Sharing and Indemnity Arrangements (where a signature is also required)
Schedule B – Qualifying Standard (where a signed statement confirming the prospective members compliance with the Qualifying Standard is required)
Some supporting documents are presented below.
Current Master Agreement for the period 1st April 2022 to 30th April 2028
Note, both versions of the agreement documents are active during the transition. No material changes other than the effective dates have been made between the documents.
Below you will also find details of the Regional ISA membership.
See also:
Records of Processing - All processing and sharing arrangements
FAQs - frequently asked questions
- Category: FAQs
Who do I contact for support with signing the agreement?
Please contact us on fhft.icsinformationgovernance@nhs.net
Who do I contact for support with understanding the agreement?
Please contact us on fhft.icsinformationgovernance@nhs.net
How do I find out who else is a member of the agreement?
The Members Register (Schedule E) provides a list of all signatories to the agreement.
Our Caldicott Guardian has left the organisation and is not in a position to sign the documentation. How can we get it signed?
Near the bottom of the email sent to your former Caldicott Guardian there is a "delegate" link.
Your former Caldicott Guardian can use the "delegate" link to forward the document to an alternative member of staff for approval.
For anti-fraud reasons, it is preferable to use the "delegate" link rather than simply forwarding the email to the second person.
Our Caldicott Guardian is not in a position to sign the documentation. How can we get it signed?
Near the bottom of the email sent to your Caldicott Guardian there is a "delegate" link.
Your Caldicott Guardian can use the "delegate" link to forward the document to an alternative member of staff for approval.
For anti-fraud reasons, it is preferable to use the "delegate" link rather than simply forwarding the email to the second person.
What if individuals names and/or the organisations identity have changed?
For anti-fraud reasons you cannot change agreement documents directly. Please see "Our Caldicott Guardian has left the organisation and is not in a position to sign the documentation. How can we get it signed?"
For anything else, we requested details of any changes before the documents when out for signature. However, if the name of your organisation as a legal entity is incorrect or if the registered address is incorrect then corrections will need to be made.
If the details are not simply the name of the Caldicott Guardian, please decline the documents and send us an email (the details are at the bottom of the original request for signature). Please provide full details for what needs to change.
There are one or more errors in our details in the documents sent through for signature. How do we change them?
For anti-fraud reasons you cannot change agreement documents directly. Please see "Our Caldicott Guardian has left the organisation and is not in a position to sign the documentation. How can we get it signed?"
For anything else, we requested details of any changes before the documents when out for signature. However, if the name of your organisation as a legal entity is incorrect or if the registered address is incorrect then corrections will need to be made.
If the details are not simply the name of the Caldicott Guardian, please decline the documents and send us an email (the details are at the bottom of the original request for signature). Please provide full details for what needs to change.
We've signed our copy of the documents. So why do we keep getting reminders?
It is most likely because the final step of the signing process was missed or because you skipped one of the required signatures.
When signing you will have the option to sign with mouse, touchpad or touch screen. You can also type in your signature or upload a previously scanned signature image.
Don’t forget to select the “click to sign” button in your browser or the “tap to sign” button on your smartphone to finalise the signing process.
Why can't I sign my copy of the agreement?
For anti-fraud reasons, only the Caldicott Guardian's copy of the agreement can be signed.
See also "Our Caldicott Guardian is not in a position to sign the documentation. How can we get it signed?"
How do I know my signature was received?
You will have received an email from Adobe Sign with PDF copies of your signed documents.
Please also see "We've signed our copy of the documents. So why do we keep getting reminders?".
If the problem persists, please also feel free to contact us using fhft.icsinformationgovernance@nhs.net
I can’t see/open the document. What do I need to do?
Please try copying the signature URL to a different browser. To do this, Right-Click and Copy Hyperlink on the signature link in the email and then paste the URL into the different browser.
If the problem persists, please also feel free to contact us using fhft.icsinformationgovernance@nhs.net
Can we sign paper copies of the agreements?
Yes. The Caldicott Guardian's document can be downloaded with all the necessary fields pre-populated and then printed.
The printed document can be signed, scanned and uploaded instead of providing an electronic signature.
When signing you will have the option to sign with mouse, touchpad or touch screen. You can also type in your signature or upload a previously scanned signature image. Don’t forget to select the “click to sign” button in your browser or the “tap to sign".
Why do we need to sign these documents again?
Because the framework has been updated to incorporate and offer better legal certainty the revised agreement terms need to be approved for the better legal certainty to apply.
It would have been more complicated and would have required more input from you to transfer the documents across unchanged.
We have already signed these documents. Why do we need to sign them again?
Because the framework has been updated to incorporate and offer better legal certainty the revised agreement terms need to be approved for the better legal certainty to apply.
It would have been more complicated and would have required more input from you to transfer the documents across unchanged.
What happens if we don't sign the latest documents?
Your current sharing arrangements will apply until their respective end dates.
Your organisation and your data subjects will not be able to benefit from the sharing arrangements that require the additional IG features and capabilities.
Can we withdraw our approval?
Yes. As part of the framework your organisation as data controller can withdraw at any time.
Please see section 30 of the master agreement for more details.
Please also feel free to contact us using fhft.icsinformationgovernance@nhs.net
Can we terminate our membership?
Yes. As part of the framework your organisation as data controller can terminate membership at any time.
Please see section 30 of the master agreement for more details.
Please also feel free to contact us using fhft.icsinformationgovernance@nhs.net
Can I decline or refuse to sign?
Yes. As part of the signature dialogue you can decline instead of signing.
Your current sharing arrangements will apply until their respective end dates.
Your organisation and your data subjects will not be able to benefit from the sharing arrangements that require the additional IG features and capabilities.
Why don't the organisation name and my personal details appear in my copy of the agreement?
The full details only appear in the Caldicott Guardian's copy of the document.
For anti-fraud reasons, only the Caldicott Guardian's copy of the agreement can be signed.
See also "Our Caldicott Guardian is not in a position to sign the documentation. How can we get it signed?"
Why have the direct care and secondary uses sharing been combined into a single agreement?
IG Steering Group took the decision to combine the two frameworks after consulting with a range of different types of members.
Direct care and other (secondary) uses processing and sharing specifications are still defined separately within the frmework.
See Schedule C for direct care processing and sharing arrangements and Schedule D for other (secondary) uses.
Have the sharing documents changed a lot and do we have to check all the fine details of these documents?
The data flow requirements (Schedule K processing and sharing specifications) have changed only as far as is necessary to record the revised framework requirements.
These additional requirements include: Lead Controller details; Indemnity applicability; Data Processor details; representation of user organisations as classes of organisation rather than by naming every organisation.
Have the master agreement documents changed a lot and do we have to check all the fine details of these documents?
The master agreement itself has changed somewhat and there are several new annexes and attached schedules.
The additional Annexes are: The role of the IG Steering Group; the role of Lead Controllers; the requirements for notifications, issues, breaches and reporting.
The additional Schedules are: Risk Sharing and Indemnity; Register of Shared Information Assets. The Provision of Care and Secondary Uses frameworks have been combined into a single agreement.
Who should I consult when deciding what data to process and share?
Consultation is generally covered by each organisation in a manner that is compatible with the organisations relationship with its data subjects.
Follow the links on www.regisa.uk (here and here) to find the advice and policy section covering communications and engagement.
Please also feel free to contact us using fhft.icsinformationgovernance@nhs.net
Page 1 of 2