Information sharing between private health care services and NHS England guidance for IG professionals
Guidance about NHS England requesting information from private health and care organisations and services to meet its legal obligations.
Legal powers for information requests
NHS England has legal powers to collect, analyse and link information from health and social care organisations, including private healthcare providers, where specific directions are given by the Secretary of State.
These powers are established under section 259 of the Health and Social Care Act 2012, which also sets aside the duty of confidence to patients (see the Common law duty of confidentiality section for more information).
Scope of information collections
As part of the development of a direction, NHS England is required to consult with key stakeholders on the scope of the information they are requesting. This includes representative groups advocating on behalf of private healthcare providers where they are relevant to the collection.
NHS England consults with stakeholders on:
- the information needed for the collection
- the necessity of the information being requested
- the proportionality of the information being requested
Data provision notice
When NHS England is exercising its legal powers under section 259, it will create a data provision notice (DPN) which it will make available to your organisation.
The DPN will contain information about:
- what information is being requested
- why it is being requested
- whether your organisation is legally required to supply the information
- the legal basis for the collection
- the time frame for the collection
- representative groups who have been consulted for the collection
Reviewing the information provided in the DPN will help you comply with your professional responsibilities and legal obligations when responding to the request.
If you require information which goes beyond what the DPN contains, NHS England can provide additional information where practical to assist you with your queries.
If the information request relates to services commissioned by the NHS in England you have a legal obligation to supply the information which has been requested, following the instructions provided by NHS England on how it should be supplied.
If the information request only relates to non-NHS-commissioned services, it is only a request and you can therefore choose to disclose or not disclose the information. When making that decision, you should involve your Caldicott Guardian, IG team or data protection officer as appropriate, and you can also allow people you have cared for to opt out locally of their information being shared. If you decide to share the information, you still have a legal basis for the sharing, even though it is not mandatory (see the UK GDPR legal basis and Common law duty of confidentiality sections).
Although sharing in response to NHS England information requests is not always required by law, it is always encouraged to help NHS England better understand, manage and improve healthcare services across England.
UK General Data Protection Regulation (GDPR) legal basis
Your legal bases under the UK GDPR for sharing the patient or service user information will depend on the service which the information has been collected for.
For NHS commissioned services
If the information has been collected for a service commissioned by the NHS in England, sharing is a legal obligation. The UK GDPR legal bases most likely to apply are:
- Article 6(1)(c) legal obligation – to comply with a DPN issued under section 259(1)(a) of the Health and Social Care Act 2012
- Article 9(2)(h) managing health and social care services – to manage health care systems or services
For privately funded services
If the information has not been collected for any service commissioned by the NHS in England, sharing is not a legal obligation, but you can rely on other UK GDPR lawful bases to share. Each case should be assessed individually to determine the most appropriate UK GDPR legal bases. Those most likely to apply are:
- Article 6(1)(f) legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party, in this case NHS England’s compliance with a Direction under s.254 of the Health and Social Care Act 2012
- Article 9(2)(h) managing health and social care services – to manage health care systems or services
Common law duty of confidentiality
Where the information is legally required, the common law duty of confidentiality is met because providing the information is a legal obligation under section 259(1)(a) of the Health and Social Care Act 2012.
Where the information is only requested under section 259(1)(b) of the Health and Social Care Act 2012, section 259(10) of the same legislation provides a permissive legal gateway for the information to be shared, provided it is not subject to other legal restrictions. This means that if NHS England makes a request under section 259, you can generally share information with NHS England without breaching duties of confidence owed to people you have cared for.
Opt-outs
NHS-commissioned services
If your services have been commissioned by the NHS, then you are legally required to share the information with NHS England. This means that:
- you cannot offer a local opt-out
- you would not need to apply the national data opt-out when you send data to NHS England, because the national data opt-out does not apply to legally required data disclosures
Privately-funded services
If NHS England requests information for privately-funded services, sharing is not a legal obligation. For privately-funded services:
- it is best practice to have a local opt-out in place
- the national data opt-out does not need to be applied before submitting data to NHS England, as it does not apply to private patient data held by private providers
A local opt-out allows patients and service users to make a choice about whether they want their information to be shared. NHS England will provide guidance within the publicly available DPN on whether to anonymise, pseudonymise or otherwise redact information before sharing or whether to withhold data entirely if the data is of no use without patient identifiers.
Opt outs table
This table explains the rationale for applying local opt-outs and the national data opt-out to data collections requested by NHS England.
| | Is there a legal obligation to share? | Should I provide a local opt-out? | Should I apply national data opt-out before sending to NHS England? |
|---|---|---|---|
| The service is commissioned by the NHS | Yes | No | No |
| The service is NOT commissioned by the NHS | No | Yes | No |
Security and internal governance
You should carry out a data protection impact assessment (DPIA) and document the data flow to NHS England in your information assets and flows register (IAFR). The information you need should be covered in the DPN and data specification made available by NHS England.
Any decisions made to share or not share information should be recorded in a disclosure log, including details of:
- when the request was made
- nature and quantity of information requested
- details of the requester
- nature and quantity of information given
- names and roles of decision makers
- justifications for any decisions taken
- risk assessments carried out
The documentation outlined above will help you demonstrate that you have assessed the privacy risk associated with the sharing and made adequate security arrangements for the transfer.
Legal restrictions
There are some types of information which your organisation is legally restricted from providing to NHS England for the purpose of establishing information systems. For example:
- protected information as defined in the Gender Recognition Act 2004
- certain information defined within the Human Fertilisation and Embryology Act 1990
NHS England will assess legal restrictions which apply as part of the development of the collection. These legal restrictions will be highlighted in the DPN, and instructions will be provided on how to appropriately anonymise relevant records.
Transparency
Your privacy information should reflect that you share information with NHS England in line with NHS England exercising its legal powers, and the UK GDPR legal basis you rely on for sharing information with them.
It should also outline your approach to sharing information with NHS England to help better manage health and care services where the NHS England collection is not a legal obligation. As part of this, you can invite individuals to contact you to find out more about any specific local opt-outs that apply to NHS England collections.
Some example text is provided below, matching the format and style of NHS England’s universal IG privacy notice template.
In some circumstances we are legally obliged to share information. This includes:
- when required by NHS England to collect and analyse information for the improvement of safety and quality of national health and care services
We may also share information with NHS England where it is not required by law to help improve the quality and safety of national health and care services. The law allows us to do this. If you would not like your information to be shared with NHS England where it is not required by law, please contact us on [insert contact email] to find out about how you can opt out.
Updating your privacy information is sufficient for notifying both past and future patients that their information will be used for NHS England information collections, as informing each patient individually would constitute a disproportionate effort.
Last edited: 7 May 2026 4:48 pm