Part of IG framework for integrated health and care: Shared care records
Journey 2
Sharing personal or confidential patient information (CPI) between health and social care bodies across geographical boundaries for the individual care of patients or service users
Summary
Sharing personal or confidential patient information (CPI) between health and social care bodies across geographical boundaries for the individual care of patients or service users
This journey covers individual care across geographical ShCR boundaries. Where relationships are required or already exist with neighbouring ShCRs such as shared clinics etc, then DSAs should be developed or already in place. For existing DSPAs these will need to be reviewed against the NHS England joint DSPA.
There may also be circumstances for ad hoc information sharing. In such circumstances, professional judgement needs to be exercised. There must also be an awareness of professional guidance or ethical rules that are likely to be relevant to the type of decisions about information sharing across care settings. The ICO data sharing code of practice provides information for such circumstances.
It is important that information is available at the point of care for a patient or service user. ShCRs need to have in place, an effective access control model which:
- allows proportionate access to appropriate and relevant data held within an individual’s health and care record by the health and care professional(s) and only if there is a legitimate relationship between the professional and the individual
- creates robust audit on each access which can be investigated and challenged, if deemed inappropriate
Where a person receives care at a venue outside of their home ShCR, there is a need to discover where data is held so the data can be retrieved. The requesting organisation will be responsible for ensuring the request is valid.
The intent is for the following capabilities to support the discovery of the location of data for journey 2:
- Personal Demographics Service (PDS): provides an API that will return the patient's demographic information and may, in future, return a pointer to their main record
- National Record Locator Service (NRLS): enables authorised users to find specific patient records that are held on different health care systems
- ShCR Application Programming Interfaces (APIs): to enable retrieval of data included in health and care records subject to authentication and authorisation
This example tasklist will enable ShCRs to consider their data protection requirements prior to undertaking the processing of personal data. It will help to comply with privacy by design and default. It will also help you to evidence your compliance with UK GDPR Article 30 requirements for ROPA.
Example tasklist (not exhaustive)
| Task | Complete |
|---|---|
| Understand what data you require | |
| Identify the lawful basis for your data sharing activities and allocate them | |
| Describe your care system’s structure | |
| Define how your care system will govern data use | |
| Demonstrate how you will protect the data | |
| Ensure appropriate contracts and agreements are in place | |
| Assure your population that processing is fair and transparent |
- completed and signed off Information Sharing Agreements between neighbouring ShCRs
- cross-ShCR Information Sharing materials that are available to patients or service users at the Point of Care
- effective Role Based Access Controls (RBAC)
Last edited: 29 April 2026 12:29 pm