Part of IG framework for integrated health and care: Shared care records
Journey 1 Sharing personal or confidential patient information (CPI) between health and social care bodies within a ShCR for the individual care of patients or service users
For individual care purposes, service providers can receive and share special category personal data or CPI by ensuring that they meet the lawful processing conditions as controllers.
When sharing you need to be very clear about the purpose for which the information is being used. If it does not fit into the definition for individual care set out in Appendix 1, it will not be considered as individual care and therefore the way in which the IG rules apply will change.
This example tasklist will enable ShCRs to consider their data protection requirements prior to undertaking the processing of personal data. It will help to comply with privacy by design and default. It will also help you to evidence your compliance with UK GDPR Article 30 requirements for ROPA.
Example tasklist (not exhaustive)
| Task | Complete |
|---|---|
| Understand what data you require | |
| Identify the lawful basis for your data sharing activities and allocate them | |
| Describe your care system’s structure | |
| Define how your care system will govern data use | |
| Demonstrate how you will protect the data | |
| Ensure appropriate contracts and agreements are in place | |
| Assure your population that processing is fair and transparent |
Last edited: 29 April 2026 12:28 pm