Legislative changes and mandatory Information Standards

A mandatory Information Standard is a standard in relation to the processing of information. They set out requirements that must be followed when health and adult social care information is used, processed and shared.

Information Standards are published under section 250 of the Health and Social Care Act 2012, as amended by the Health and Care Act 2022.

NHS England (on behalf of the Department of Health and Social Care) maintains a list of published Information Standards. Information Standards are approved for publication by the Data Alliance Partnership Board (on behalf of Secretary of State).

The publication of an Information Standards Notice sets out the legal basis for an Information Standard, the nature of the legal duty and to whom it applies. An Information Standards Notice is accompanied by a suite of supporting documents to assist with the successful implementation of an Information Standard.

Providers should be aware that as amendments made by the Health and Care Act 2022 have now started, you could be asked to provide information on your compliance with an Information Standard for the purposes of monitoring and compliance.

Before these amendments, public health and adult social care providers had a statutory duty to 'have regard' to Information Standards but were not obliged to comply if there was a justification.

The law has now changed which means both public and private health and adult social care providers will have a statutory duty to comply with any mandatory Information Standards that apply to them.

The legislative changes will also allow for monitoring and enforcement action to be taken against private health and adult social care providers where they fail to comply.

NHS bodies are required to comply with a mandatory Information Standard as a condition of the provider licence.
These legislative changes are part of a wider suite of reform. Forthcoming changes in the Data Use and Access Act (2025) will create mandatory Information Technology standards for providers of information technology, IT services or processing of information using IT in the provision of health care and adult social care.

This will ensure that both providers and IT suppliers are working towards a consistent set of rules – making seamless and safe information exchange possible across the health and adult social care system.

Providers and IT suppliers have told us that they would welcome greater clarity on priority Information Standards and where they should apply.

Inconsistent adoption of Information Standards continues to limit seamless data sharing between health and adult social care providers.

By strengthening previous legislation, we can enforce compliance with priority Information Standards and ensure that information can be shared more effectively across our health and adult social care system.

An Information Standard Notice will set out the statutory duty that is placed on providers. Providers are then required to meet their statutory duty to comply with a mandatory Information Standard within the specified timeframes.

Providers should be aware that they could be asked to provide information on their compliance with Information Standards for the purposes of monitoring compliance.

NHS bodies are required to comply with an Information Standard Notice as a condition of the provider licence. In the future, private providers may face enforcement action if they fail to evidence compliance with mandatory Information Standards within the specified timeframes.

Enhanced assurance of Information Standards will ensure that consideration has been given to how conformance will be monitored and enforcement action taken - and to ensure that the statutory duty that is being placed on providers is realistic and achievable.