Regional Health and Social Care ISA

Category: RegISA Introduction

The Agreement

Every health and social care organisation in the country is identifying substantial requirements to share and use personal confidential data in order to achieve planned improvements in care delivery and in financial efficiency.

It is also the case that many opportunities to improve care are delayed or lost due to the challenges associated with designing and agreeing information sharing agreements on a project by project basis.

The regional Information Governance Steering Group (IGSG) which is chaired by the Chairman of the Berkshire Local Medical Committee at the time of writing manages the agreement and the membership of the agreement on behalf of the members. The Administrator (Frimley Health NHS Foundation Trust at the time of writing) maintains and publishes the agreement documentation and supporting schedules and registers on behalf of the member organisations and IGSG.

This agreement has been reviewed by Queens Counsel and in his opinion it is both lawful and fit for its purpose. A summary of the QCs opinion is attached below.

This agreement builds on the success of the similarly structured prior agreements for the sharing of information for the provision of care and for secondary uses agreements in use since 2013 and replaces the current 2023 version of the agreement. The aims of the agreement are:

1. To provide a clear framework for the secure sharing of personal confidential data for the delivery of care and for the management of the health and social care system (in particular in respect of data controller organisations' responsibilities in respect of GDPR art.26 (Joint Controllers);
2. To accelerate the pace with which regional and local sharing requirements can be agreed; and
3. To reduce the costs of developing and agreeing individual sharing requirements.

Very specifically, this latest iteration of the agreement is designed to better support the development of:

1. Federated working and networks;
2. Integrated working and care delivery models;
3. Real time risk stratification at the point of care for patients with the most complex needs; and
4. Latest guidance on data controllership resulting from the implementation of GDPR.

Each organisation remains responsible for the control and use of personal confidential data within the organisation as required by the legislation and the Schedule F and Schedule CDE Mapping pages are designed to actively support data controller organisations' responsibilities under GDPR art.30 (Records of Processing).

Structure of the Agreement

The Regional Health and Social Care Information Sharing Agreement is executed as a subscription agreement. This form of agreement allows controlled processing and sharing to begin as soon as two controllers have signed their sharing documentation. Unlike the traditional multi-party agreement models, processing and sharing does not need to wait until all parties have executed the agreement.

Organisations become members of the agreement by signing up to the master agreement that sets out the scope and terms of membership for the agreement as well as the roles of IGSG, Lead Controllers and the Administrator. The Administrator accepts the new member’s signed master agreement on behalf of the members as a whole.

Implementation

Implementation of the agreement is as follows:

1. Every member of the framework needs to sign the master agreement;
2. The agreement is currently and will in future be presented through an electronic signature process as a single document;
3. Data controller organisations that contribute data to the shared pool as a data flow or information asset are presented with one or more additional documents describing each specific processing and sharing arrangement the controller is expected to contribute to;
4. Where the master agreement and one or more individual processing and sharing arrangement(s) are executed contemporaneously all documents are presented through an electronic signature process as a single document … with signatures required for each item requiring approval; and
5. Where subsequent individual processing and sharing arrangements are executed non-simultaneously the documents are presented individually through an electronic signature process for approval.

 

Some supporting documents are presented below.

Records of Processing - Buckinghamshire and Oxfordshire arrangements

Category: Processing and Sharing Specifications

Records of Processing - Buckinghamshire and Oxfordshire

The links below refer to the Regional Health and Social Care Information Sharing Agreement Schedule K documents, DPIAs, policies and other supporting collateral that apply to the arrangements in place for Buckinghamshire and Oxfordshire.

---

 The documents and schedules are:

1. My Care Record and TVS joint processing and sharing specification (Schedule K).  https://www.regisa.uk/documents/KB000001MCRcurrent.pdf 
2. My Care Record and Connected Care System Insights joint processing and sharing specification (Schedule K).  https://www.regisa.uk/documents/KB000002MCRSIcurrent.pdf 
3. The deployment of Connected Care and Docobo in support of Oxfordshire practices (Schedule K). https://www.regisa.uk/documents/KX000001oxGPcurrent.pdf 
4. The IGSG policy decision setting out the Regional ISA terms of reference for the Buckinghamshire IGSG within the Regional ISA.   https://www.regisa.uk/documents/BucksIGSGsubGroupTermsOfReference.pdf   
5. The IGSG policy decision setting out the Regional ISA terms of reference for an Oxfordshire IGSG within the Regional ISA. https://www.regisa.uk/documents/OxonIGSGsubGroupTermsOfReference.pdf  
6. Queen's Counsel's and Solicitor's opinion in respect of the Regional ISA.  https://www.regisa.uk/documents/02aQCopinionSummary136472122_1.pdf

 

 

Records of Processing - All processing and sharing arrangements

Category: Processing and Sharing Specifications

Records of Processing

The links below refer to pages that present a variety of views on the processing and sharing specifications in place for the Regional Health and Social Care Information Sharing Agreement.

 

The schedules are:

1. Schedule C to the Regional ISA - Schedule C - Joint processing and sharing arrangements presents a list of the Schedule K documents that define the joint processing and sharing arrangements in place (or planned to be in place) under the Regional ISA. 
2. Schedule D to the Regional ISA - Although the details are included as part of Schedule C, for ease of access, Schedule D - Other (including Secondary) Uses processing and sharing has been prepared to present the arrangements where there is a non-direct care element to the processing.
3. Schedule P to the Regional ISA - Schedule P - Data Protection Impact Assessments presents a list of the DPIAs underpinning and supporting the arrangements described in the main Schedule K documents.

 

There are also 4 Records of Processing schedules that show the mapping of Schedules C and D against the core Schedule E - Membership Register.  These are:

1. Mapping of ACTIVE Schedule K arrangements by Organisation (including Information Asset details) ... Active Schedules C, D and E and Information Assets by Organisation.
2. Mapping of ALL Schedule K arrangements by Organisation (active and planned) ... Mapping of Schedules C, D and E by Organisation.
3. Mapping of ALL Schedule K arrangements by Organisation (including Information Asset details) ... Mapping of Schedules C, D and E and Information Assets by Organisation.
4. Mapping by Schedule K joint processing and sharing agreement specification of ALL Organisations taking part in the arrangement (active and planned) ... Mapping of Schedules C, D and E by Agreement.

 

 

Schedule P - Data Protection Impact Assessments have moved

Category: Data Protection Impact Assessments

 

Schedule P - Data Protection Impact Assessments

 

The DPIA page has moved https://www.regisa.uk/documents/schedp.html

 

End of Schedule P

Master Agreement

Category: Master Agreement Documents

We have compiled an example Master Agreement and its associated annexes and schedules into the document attached below.

The Master Agreement comprises the core membership agreement document that defines the

1. Scope of the agreement
2. Agreement principles and policies
3. Terms and conditions 
4. Operational commitments made between members
5. Administration arrangements 

The core agreement terms need to be signed and accepted by members.

The Master Agreement also includes three annexes

1. Information Governance Steering Group terms of reference
2. Joint control arrangements – Lead Controller terms of reference
3. Notification and reporting arrangements applying to all members of the agreement

The Master Agreement also includes:

Schedule A – Risk Sharing and Indemnity Arrangements (where a signature is also required)

Schedule B – Qualifying Standard (where a signed statement confirming the prospective members compliance with the Qualifying Standard is required)

 

Some supporting documents are presented below.

 

FAQs - frequently asked questions

Category: FAQs

Who do I contact for support with signing the agreement?

Please contact us on fhft.icsinformationgovernance@nhs.net

Who do I contact for support with understanding the agreement?

Please contact us on fhft.icsinformationgovernance@nhs.net

How do I find out who else is a member of the agreement?

The Members Register (Schedule E) provides a list of all signatories to the agreement.

Our Caldicott Guardian has left the organisation and is not in a position to sign the documentation. How can we get it signed?

Near the bottom of the email sent to your former Caldicott Guardian there is a "delegate" link.

Your former Caldicott Guardian can use the "delegate" link to forward the document to an alternative member of staff for approval.

For anti-fraud reasons, it is preferable to use the "delegate" link rather than simply forwarding the email to the second person.

Our Caldicott Guardian is not in a position to sign the documentation. How can we get it signed?

Near the bottom of the email sent to your Caldicott Guardian there is a "delegate" link.

Your Caldicott Guardian can use the "delegate" link to forward the document to an alternative member of staff for approval.

For anti-fraud reasons, it is preferable to use the "delegate" link rather than simply forwarding the email to the second person.

What if individuals names and/or the organisations identity have changed?

For anti-fraud reasons you cannot change agreement documents directly. Please see "Our Caldicott Guardian has left the organisation and is not in a position to sign the documentation. How can we get it signed?"

For anything else, we requested details of any changes before the documents when out for signature. However, if the name of your organisation as a legal entity is incorrect or if the registered address is incorrect then corrections will need to be made.

If the details are not simply the name of the Caldicott Guardian, please decline the documents and send us an email (the details are at the bottom of the original request for signature). Please provide full details for what needs to change.

There are one or more errors in our details in the documents sent through for signature. How do we change them?

For anti-fraud reasons you cannot change agreement documents directly. Please see "Our Caldicott Guardian has left the organisation and is not in a position to sign the documentation. How can we get it signed?"

For anything else, we requested details of any changes before the documents when out for signature. However, if the name of your organisation as a legal entity is incorrect or if the registered address is incorrect then corrections will need to be made.

If the details are not simply the name of the Caldicott Guardian, please decline the documents and send us an email (the details are at the bottom of the original request for signature). Please provide full details for what needs to change.

We've signed our copy of the documents. So why do we keep getting reminders?

It is most likely because the final step of the signing process was missed or because you skipped one of the required signatures.

When signing you will have the option to sign with mouse, touchpad or touch screen. You can also type in your signature or upload a previously scanned signature image.

Don’t forget to select the “click to sign” button in your browser or the “tap to sign” button on your smartphone to finalise the signing process.

Why can't I sign my copy of the agreement?

For anti-fraud reasons, only the Caldicott Guardian's copy of the agreement can be signed.

See also "Our Caldicott Guardian is not in a position to sign the documentation. How can we get it signed?"

How do I know my signature was received?

You will have received an email from Adobe Sign with PDF copies of your signed documents.

Please also see "We've signed our copy of the documents. So why do we keep getting reminders?".

If the problem persists, please also feel free to contact us using fhft.icsinformationgovernance@nhs.net

I can’t see/open the document. What do I need to do?

Please try copying the signature URL to a different browser. To do this, Right-Click and Copy Hyperlink on the signature link in the email and then paste the URL into the different browser.

If the problem persists, please also feel free to contact us using fhft.icsinformationgovernance@nhs.net

Can we sign paper copies of the agreements?

Yes. The Caldicott Guardian's document can be downloaded with all the necessary fields pre-populated and then printed.

The printed document can be signed, scanned and uploaded instead of providing an electronic signature.

When signing you will have the option to sign with mouse, touchpad or touch screen. You can also type in your signature or upload a previously scanned signature image. Don’t forget to select the “click to sign” button in your browser or the “tap to sign".

Why do we need to sign these documents again?

Because the framework has been updated to incorporate and offer better legal certainty the revised agreement terms need to be approved for the better legal certainty to apply.

It would have been more complicated and would have required more input from you to transfer the documents across unchanged.

We have already signed these documents. Why do we need to sign them again?

Because the framework has been updated to incorporate and offer better legal certainty the revised agreement terms need to be approved for the better legal certainty to apply.

It would have been more complicated and would have required more input from you to transfer the documents across unchanged.

What happens if we don't sign the latest documents?

Your current sharing arrangements will apply until their respective end dates.

Your organisation and your data subjects will not be able to benefit from the sharing arrangements that require the additional IG features and capabilities.

Can we withdraw our approval?

Yes. As part of the framework your organisation as data controller can withdraw at any time.

Please see section 30 of the master agreement for more details.

Please also feel free to contact us using fhft.icsinformationgovernance@nhs.net

Can we terminate our membership?

Yes. As part of the framework your organisation as data controller can terminate membership at any time.

Please see section 30 of the master agreement for more details.

Please also feel free to contact us using fhft.icsinformationgovernance@nhs.net

Can I decline or refuse to sign?

Yes. As part of the signature dialogue you can decline instead of signing.

Your current sharing arrangements will apply until their respective end dates.

Your organisation and your data subjects will not be able to benefit from the sharing arrangements that require the additional IG features and capabilities.

Why don't the organisation name and my personal details appear in my copy of the agreement?

The full details only appear in the Caldicott Guardian's copy of the document.

For anti-fraud reasons, only the Caldicott Guardian's copy of the agreement can be signed.

See also "Our Caldicott Guardian is not in a position to sign the documentation. How can we get it signed?"

Why have the direct care and secondary uses sharing been combined into a single agreement?

IG Steering Group took the decision to combine the two frameworks after consulting with a range of different types of members.

Direct care and other (secondary) uses processing and sharing specifications are still defined separately within the framework.

See Schedule C for both direct care and other uses processing and sharing arrangements and Schedule D for other (including secondary) uses.

Have the sharing documents changed a lot and do we have to check all the fine details of these documents?

The data flow requirements (Schedule K processing and sharing specifications) have changed only as far as is necessary to record the revised framework requirements.

These additional requirements include: Lead Controller details; Indemnity applicability; Data Processor details; representation of user organisations as classes of organisation rather than by naming every organisation.

Have the master agreement documents changed a lot and do we have to check all the fine details of these documents?

The master agreement itself has changed somewhat and there are several new annexes and attached schedules.

The additional Annexes are: The role of the IG Steering Group; the role of Lead Controllers; the requirements for notifications, issues, breaches and reporting.

The additional Schedules are: Risk Sharing and Indemnity; Register of Shared Information Assets. The Provision of Care and Secondary Uses frameworks have been combined into a single agreement.

Who should I consult when deciding what data to process and share?

Consultation is generally covered by each organisation in a manner that is compatible with the organisations relationship with its data subjects.

Follow the links on www.regisa.uk (here and here) to find the advice and policy section covering communications and engagement.

Please also feel free to contact us using fhft.icsinformationgovernance@nhs.net