Virtual wards guidance for IG professionals

You can set up virtual wards in your organisation in a lawful and secure way. This guidance sets out the actions required by:

(i) the lead commissioner and

(ii) all organisations that are part of the virtual ward

The IG team may not be responsible for all actions listed below, but should be involved. A number of templates are available for you to adapt if you wish to. 

• Suppliers checklist
• Template data sharing and processing agreement (DSPA)
• Template privacy notice
• Template data protection impact assessment (DPIA)

As the lead commissioner you must take the following actions, working with suppliers:

Ensure your procurement process includes sufficient weighting for IG considerations. For example, bidders should confirm that they are suitably accredited by demonstrating compliance with the Data Security and Protection Toolkit (DSPT). This will ensure that if a bidder has poor IG in place, they should not be able to win the contract despite performing well in other areas.

You should review section C2 of the supplier’s DTAC submission. 

A DPIA must be completed to assess data protection risks of the service prior to implementation. You should review the DPIA regularly to ensure that it reflects any changes to the service. The DPIA template details the UK GDPR legal bases which can be relied upon and how common law can be satisfied. It also provides a steer on controller arrangements.

The NHS terms and conditions is a suitable option with a linked data processing agreement to define the processing allowed. The data processing agreement may be included as a schedule of the contract, or it may be a standalone document, which is referenced within the contract. A template data sharing and processing agreement can be used.

Check the end user licence agreement (EULA) or terms and conditions that are required to be accepted in order to use the solution. This must be reviewed for IG compliance.

You may have an existing arrangement within your Integrated Care System (ICS) which you can adopt, for example a framework for shared care records. You can add to this framework a secondary schedule to detail the specific data share for virtual wards. Alternatively, a template data sharing and processing agreement has been provided. You should undertake due diligence checks on behalf of the organisations signing the agreement. This should include a check of the DSPT status and obtaining assurances that confidentiality will be maintained particularly if an organisation does not need to complete the DSPT. You must ensure that all organisations participating in virtual wards sign up to the agreement.

A checklist for suppliers has been prepared to help them prepare for the information you may request.

As an organisation taking part in virtual wards, you will need to take the following actions:

All organisations who are part of the virtual ward will all need to sign the data sharing and processing agreement usually prepared by the lead commissioner.

A privacy notice must be available at all organisations participating in the virtual ward before the remote monitoring starts. The template privacy notice can be adapted, or you can update your existing privacy notice.