Sharing information relating to Infected Blood Compensation Authority claims guidance for IG professionals

You should nominate a single point of contact for Infected Blood Compensation Authority (IBCA) to contact in relation to any requests for information relating to compensation claims and send this to [email protected].

The single point of contact should be someone who can respond to IBCA within 7 working days, providing:

• the requested data, where this can be obtained within this timeframe
• failing that, an acknowledgement of the request with an estimated timeline for providing the information

You will need to consider within your organisation who is best placed to be the single point of contact, and this is likely to vary from one organisation to another. For example, for some trusts the subject access request (SAR) team may be best placed to manage the request (although requests from IBCA should not be processed as SAR requests, see the legal basis for sharing section), whereas for others the data protection officer (DPO) may wish to coordinate.

For DPOs that support GP practices, you will need to consider who the single point of contact is for the GP practices you support. This could be a single point of contact for each practice or one individual who coordinates for multiple practices.

Once the single point of contact is confirmed, they will need to work through the processes within your organisation for gathering the requested information.

Victims and Prisoners Act

IBCA has been created through the Victims and Prisoners Act 2024 (VAP), which sets out its duties and obligations.

Section 53 of the VAP provides IBCA with the legal power to require information from NHS organisations when needed to process an infected blood compensation claim.

It also provides NHS providers with a legal power to provide information to IBCA for the purposes of any matter connected with the administration of the compensation scheme, which includes personal data such as medical records or information. The Act imposes a duty upon NHS providers to comply with requests for information from IBCA. Section 53 also allows IBCA to seek a court order in the event a notice to provide information is not complied with.

The requirement to send information to IBCA is not therefore a subject access request on behalf of the patient, or a request under the Access to Health Records Act where the patient is deceased, but a request for information using the statutory powers of the VAP.

Section 53 of the VAP sets aside the common law duty of confidentiality and gives you the legal power to provide the information to IBCA upon request. This includes information relating to deceased individuals where someone is making a claim on their behalf. This means that you do not need the consent of the patient to share information with IBCA. You also do not need a patient’s consent to share information from their records to support the claim of someone who has been indirectly infected, such as a current or former partner.

Under UK GDPR the legal bases which are most likely to apply are:

Correspondence from IBCA should not be treated as a subject access request, or a request under the Access to Health Records Act where the patient is deceased (see the legal basis for sharing section).

Patients will be asked to provide medical information to their claim managers where they hold it. They will not be asked by IBCA to contact you directly to request their information, although this does not prevent an individual, or a legal representative on their behalf, submitting a subject access request.

You should add information about these sharing requirements with IBCA in your privacy notice and signpost to IBCA’s privacy notice so that patients can find out more about this sharing.

NHS England has developed a privacy notice template that you can use to develop your wider privacy notices, and some recommended wording below that you can include:

You can also refer individuals to the patient section of this guidance.

IBCA will have a body of information required for each claim, some of which will be provided by the person claiming compensation.

Where gaps in evidence are identified, IBCA will contact your single point of contact to obtain copies of any evidence required. They will be provided with the necessary details of the person claiming compensation and the information required.

The single point of contact will consider how best to source the information requested (see the common types of information requested paragraph of the guidance for health and care professionals section above for further information).

At this time, IBCA is processing the claims of individuals who have chosen to register with the 4 national Infected Blood Support Schemes (IBSS). You do not require any further evidence that IBCA is acting on behalf of the person claiming compensation given that individuals have decided to apply for these schemes and IBCA would not be processing a claim without their authorisation.

IBCA has processes in place to verify the identity of the individual. This includes checking identity documents from the person claiming compensation. You should not therefore repeat this process with the patient.

All correspondence from IBCA will come from an email address ending in ibca.org.uk. IBCA has been assigned an Organisation Data Service (ODS) code of Y2Y5B – INFECTED BLOOD COMPENSATION AUTHORITY.

Correspondence from IBCA will set out clearly their powers for requiring their information.

If you have any questions about the request itself, for example if your records had slightly different details to the information requested you should contact the claim manager for clarification. You should also speak to your Caldicott Guardian if you have any concerns.

It is important to provide information to IBCA as soon as possible to avoid any delay to a claim for compensation. Where a person claiming compensation is nearing the end of their life, IBCA will confirm this in their request, and such requests should be dealt with as a priority. The single point of contact should respond to IBCA within 7 working days, providing:

• the requested data, where this can be obtained within this timeframe
• failing that, an acknowledgement of the request with details of what information is held and where this is currently located, and the estimated time it will take to retrieve and supply this. For example, if records are held off site, then you will need to factor in the time to retrieve them into your estimated timeline

Whilst recognising that organisations are managing multiple requests for information simultaneously which can create a significant burden, your support in responding to correspondence from IBCA promptly would be valued.

IBCA will ensure that their processes and sharing are compliant by:

Ensuring that correspondence includes details of:

• the information required
• the lawful basis for requiring the information and
• why the information is necessary, proportionate and relevant

Only requiring information on behalf of a person claiming compensation where the information is needed to support a claim, and after its necessity has been discussed with the person claiming compensation.

Ensuring that all claims managers and IBCA staff processing personal data have been adequately trained on their role and responsibilities in relation to data protection.

Ensuring that personal data is only processed for the purpose of administrating the compensation scheme. Further details about the specific purposes of processing can be found in their privacy notice.

Providing access to transparency information on how IBCA processes personal data, through their privacy notice, including details of how data subject access rights requests and complaints are managed.

IBCA has put in place security measures to ensure the security of the information they receive. These include:

• data encryption: to ensure that data is protected both in transit and at rest. Files are currently shared between organisations via the Egress system. IBCA has recently been assigned an Organisation Data Service (ODS) code of Y2Y5B – INFECTED BLOOD COMPENSATION AUTHORITY and is also applying for the DCB1596 NHS Secure Email Standard to improve efficiency and security of information sharing
• firewalls and intrusion detection systems: to ensure the prevention of unauthorised access to systems and data
• access controls: restricting access to data based on need-to-know principles with managed and approved authorised access
• data backups: to ensure that data can be recovered in case of system failures
• pseudonymisation: where appropriate removing or masking personal data identifiers
• antivirus and anti-malware software: protecting against malicious software
• audits: IBCA also has its own quality team that carries out audits for the infected blood compensation claim process, to ensure all legislation and compliance requirements (including data protection) are adhered to

For most cases, IBCA will retain the information they receive for 8 years. There may be exceptions to this for example where there was a late diagnosis. IBCA will delete the copies of information it holds at the end of the retention period.

It is good practice to document this data sharing on your organisation’s information asset and data flow register.

NHS England guidance on the importance of retaining information that might be required in connection with the Infected Blood Compensation Scheme and support schemes.