Regional Health and Social Care ISA

Category: RegISA Introduction

The Agreement

Every health and social care organisation in the country is identifying substantial requirements to share and use personal confidential data in order to achieve planned improvements in care delivery and in financial efficiency.

It is also the case that many opportunities to improve care are delayed or lost due to the challenges associated with designing and agreeing information sharing agreements on a project by project basis.

The regional Information Governance Steering Group (IGSG) which is chaired by the Chairman of the Berkshire Local Medical Committee at the time of writing manages the agreement and the membership of the agreement on behalf of the members. The Administrator (Frimley Health NHS Foundation Trust at the time of writing) maintains and publishes the agreement documentation and supporting schedules and registers on behalf of the member organisations and IGSG.

This agreement has been reviewed by Solicitors and by King's Counsel and in their opinions it is both lawful and fit for its purpose. Summaries of their opinions can be found at the Legal Opinion Summaries page.

This agreement builds on the success of the similarly structured prior agreements for the sharing of information for the provision of care and for secondary uses agreements in use since 2013 and replaces the current 2023 version of the agreement. The aims of the agreement are:

1. To provide a clear framework for the secure sharing of personal confidential data for the delivery of care and for the management of the health and social care system (in particular in respect of data controller organisations' responsibilities in respect of GDPR art.26 (Joint Controllers);
2. To accelerate the pace with which regional and local sharing requirements can be agreed; and
3. To reduce the costs of developing and agreeing individual sharing requirements.

Very specifically, this latest iteration of the agreement is designed to better support the development of:

1. Federated working and networks;
2. Integrated working and care delivery models;
3. Real time risk stratification at the point of care for patients with the most complex needs; and
4. Latest guidance on data controllership resulting from the implementation of GDPR.

Each organisation remains responsible for the control and use of personal confidential data within the organisation as required by the legislation and the Schedule F and Schedule CDE Mapping pages are designed to actively support data controller organisations' responsibilities under GDPR art.30 (Records of Processing).

Structure of the Agreement

The Regional Health and Social Care Information Sharing Agreement is executed as a subscription agreement. This form of agreement allows controlled processing and sharing to begin as soon as two controllers have signed their sharing documentation. Unlike the traditional multi-party agreement models, processing and sharing does not need to wait until all parties have executed the agreement.

Organisations become members of the agreement by signing up to the master agreement that sets out the scope and terms of membership for the agreement as well as the roles of IGSG, Lead Controllers and the Administrator. The Administrator accepts the new member’s signed master agreement on behalf of the members as a whole.

A list of the various classes of organisation is presented in the Classes of Organisation page.

Implementation

Implementation of the agreement is as follows:

1. Every member of the framework needs to sign the master agreement;
2. The agreement is currently and will in future be presented through an electronic signature process as a single document;
3. Data controller organisations that contribute data to the shared pool as a data flow or information asset are presented with one or more additional documents describing each specific processing and sharing arrangement the controller is expected to contribute to;
4. Where the master agreement and one or more individual processing and sharing arrangement(s) are executed contemporaneously all documents are presented through an electronic signature process as a single document … with signatures required for each item requiring approval; and
5. Where subsequent individual processing and sharing arrangements are executed non-simultaneously the documents are presented individually through an electronic signature process for approval.

Some supporting documents are presented below.

Membership Schedule and Records of Processing - Up to April 2023

Category: Processing and Sharing Specifications

Records of Processing

The links below refer to pages that present snapshots of the processing and sharing specifications in place for the Regional Health and Social Care Information Sharing Agreement as of April 2023 when the then current arrangements expired.

Generally these arrangements have been extend through to April 2028.

The schedules are:

1. Schedule C to the Regional ISA - April 2023 Schedule C - Joint processing and sharing arrangements presents a list of the Schedule K documents that define the joint processing and sharing arrangements in place (or planned to be in place) under the Regional ISA. 
2. Schedule D to the Regional ISA - Although the details are included as part of Schedule C, for ease of access, April 2023 Schedule D - Other (including Secondary) Uses processing and sharing has been prepared to present the arrangements where there is a non-direct care element to the processing.
3. Schedule P to the Regional ISA - April 2023 Schedule P - Data Protection Impact Assessments presents a list of the DPIAs underpinning and supporting the arrangements described in the main Schedule K documents.

There are also 4 Records of Processing schedules that show the mapping of Schedules C and D against the core April 2023 Schedule E - Membership Register.  These are:

1. Mapping of ACTIVE Schedule K arrangements by Organisation (including Information Asset details) ... April 2023 Active Schedules C, D and E and Information Assets by Organisation.
2. Mapping of ALL Schedule K arrangements by Organisation (active and planned) ... April 2023 Mapping of Schedules C, D and E by Organisation.
3. Mapping of ALL Schedule K arrangements by Organisation (including Information Asset details) ... April 2023 Mapping of Schedules C, D and E and Information Assets by Organisation.
4. Mapping by Schedule K joint processing and sharing agreement specification of ALL Organisations taking part in the arrangement (active and planned) ... April 2023 Mapping of Schedules C, D and E by Agreement.

Records of Processing - Buckinghamshire and Oxfordshire arrangements

Category: Processing and Sharing Specifications

Records of Processing - Buckinghamshire and Oxfordshire

The links below refer to the Regional Health and Social Care Information Sharing Agreement Schedule K documents, DPIAs, policies and other supporting collateral that apply to the arrangements in place for Buckinghamshire and Oxfordshire.

 The documents and schedules are:

1. My Care Record and TVS joint processing and sharing specification (Schedule K).  https://www.regisa.uk/documents/KB000001MCRcurrent.pdf 
2. My Care Record and Connected Care System Insights joint processing and sharing specification (Schedule K).  https://www.regisa.uk/documents/KB000002MCRSIcurrent.pdf 
3. The deployment of Connected Care and Docobo in support of Oxfordshire practices (Schedule K). https://www.regisa.uk/documents/KX000001oxGPcurrent.pdf 
4. The IGSG policy decision setting out the Regional ISA terms of reference for the Buckinghamshire IGSG within the Regional ISA.   https://www.regisa.uk/documents/BucksIGSGsubGroupTermsOfReference.pdf   
5. The IGSG policy decision setting out the Regional ISA terms of reference for an Oxfordshire IGSG within the Regional ISA. https://www.regisa.uk/documents/OxonIGSGsubGroupTermsOfReference.pdf  
6. Queen's Counsel's and Solicitor's opinion in respect of the Regional ISA.  https://www.regisa.uk/documents/02aQCopinionSummary136472122_1.pdf

Records of Processing - All processing and sharing arrangements

Category: Processing and Sharing Specifications

Records of Processing

The links below refer to pages that present a variety of views on the processing and sharing specifications in place for the Regional Health and Social Care Information Sharing Agreement.

The schedules are:

1. Schedule C to the Regional ISA - Schedule C - Joint processing and sharing arrangements presents a list of the Schedule K documents that define the joint processing and sharing arrangements in place (or planned to be in place) under the Regional ISA. 
2. Schedule D to the Regional ISA - Although the details are included as part of Schedule C, for ease of access, Schedule D - Other (including Secondary) Uses processing and sharing has been prepared to present the arrangements where there is a non-direct care element to the processing.
3. Schedule P to the Regional ISA - Schedule P - Data Protection Impact Assessments presents a list of the DPIAs underpinning and supporting the arrangements described in the main Schedule K documents.

There are also 4 Records of Processing schedules that show the mapping of Schedules C and D against the core Schedule E - Membership Register.  These are:

1. Mapping of ACTIVE Schedule K arrangements by Organisation (including Information Asset details) ... Active Schedules C, D and E and Information Assets by Organisation.
2. Mapping of ALL Schedule K arrangements by Organisation (active and planned) ... Mapping of Schedules C, D and E by Organisation.
3. Mapping of ALL Schedule K arrangements by Organisation (including Information Asset details) ... Mapping of Schedules C, D and E and Information Assets by Organisation.
4. Mapping by Schedule K joint processing and sharing agreement specification of ALL Organisations taking part in the arrangement (active and planned) ... Mapping of Schedules C, D and E by Agreement.

Schedule P - Data Protection Impact Assessments have moved

Category: Data Protection Impact Assessments

Schedule P - Data Protection Impact Assessments

The DPIA page has moved https://www.regisa.uk/documents/schedp.html

End of Schedule P

Master Agreement

Category: Master Agreement Documents

We have compiled an example Master Agreement and its associated annexes and schedules into the document attached below.

The Master Agreement comprises the core membership agreement document that defines the

1. Scope of the agreement
2. Agreement principles and policies
3. Terms and conditions 
4. Operational commitments made between members
5. Administration arrangements 

The core agreement terms need to be signed and accepted by members.

The Master Agreement also includes three annexes

1. Information Governance Steering Group terms of reference
2. Joint control arrangements – Lead Controller terms of reference
3. Notification and reporting arrangements applying to all members of the agreement

The Master Agreement also includes:

Schedule A – Risk Sharing and Indemnity Arrangements (where a signature is also required)

Schedule B – Qualifying Standard (where a signed statement confirming the prospective members compliance with the Qualifying Standard is required)

This agreement has been reviewed by Solicitors and by King's Counsel and in their opinions it is both lawful and fit for its purpose. Summaries of their opinions can be found at the Legal Opinion Summaries page.

A list of the various classes of organisation is presented in the Classes of Organisation page.

Some supporting documents are presented below.