NHSX publishes Information Governance Framework for Shared Care Records

NHSX has released an Information Governance Framework for Integrated Health and Care on Shared Care Records (ShCR).

Shared Care Records, the new name for the programme previously known as Local Health and Care Records, aims to help local organisations move to a position where an individual’s record is shared across the health and care system.

Through its latest publication, which was released on 7 August 2021, NHSX aims to set out how that information should be accessed and managed.

The programme cites five exemplar programmes, including OneLondon, Yorkshire and Humber, Thames Valley and Surrey, Greater Manchester and Wessex.

The full report, ‘Information Governance Framework for Integrated Health and Care: Part 1 – Shared Care Records’, will help areas to “demonstrate they are looking after information in accordance with good practice and the law”, as each Shared Care Record area will be required to show their compliance, in line with the framework, to an independent panel.

The Information Governance document has been released to provide an example of a structured approach to deliver a ShCR, based on a model where ‘controllership continues to remain local’. It states: “Local agreements will be in place to set out what data is shared and who can access it in a safe, secure and appropriate manner. This approach recognises the variance in how data is captured and represented in local systems.”

It’s expected that all Integrated Care Systems (ICSs) will develop or join a ShCR, to link up data safely and meet aims around improving care, population health and system management.

After consultation with patients, carers and health and care professionals, the information and content that can be included in the records will be based on professionally agreed standards developed by the Professional Records Standards Body (PRSB). Only those involved in a patient’s care will have access to their record and should only access the information they need to know – with patients able to see who has accessed it and why.

The framework explains how ShCR areas can ensure they are complying with the law, with healthcare professionals expected to make sure they have undertaken appropriate training, accept their responsibility for keeping data secure, only access the information of those they are caring for and that is relevant to their role, and understand what to do if a patient objects to their information being shared or submits a Subject Access Request (SAR).

However, Information Governance (IG) professionals are the main target audience for the framework and its guidance. The publication will help them to understand a number of topics, including good IG practice, legal requirements, data flows and controllership, records of processing activity, data access controls, review and retention, security, individual rights, service user objections, and accountability.

The IG Framework also provides professionals with the tools and templates they need to support implementation of Shared Care Records.

The IG framework is structured around two ShCR ‘journeys’, which are explained as:

  • Journey 1: Sharing personal or confidential patient information (CPI) between health and social care bodies within a ShCR for the individual care of patients or service users.
  • Journey 2: Sharing personal or CPI between health and social care bodies across geographical boundaries for the individual care of patients or service users.

The following requirements are described as “essential for IG compliance and good practice and need to be considered for both journeys”, with NHSX saying that all ShCRs should:

  • Have a consistent approach to IG policies, processes and systems to ensure good practice
  • Identify the flows of data and, at each point in the process, determine who the controllers and/or processors are
  • Identify and understand the legal basis for processing data for every function including ensuring transparency about purpose and process, supporting good practice, and promoting public engagement
  • Manage access controls and records management
  • Consider patient and service user objections to processing
  • Adhere to current published guidance on cyber security for health and care
  • Ensure that any relevant due diligence checks are carried out where processors or sub-processors are involved
  • Document the decision-making process to demonstrate accountability.

As each of the above requirements has an individual set of checkpoints, ShCR areas are expected to “gain satisfactory assurance on each checkpoint before proceeding with data sharing across the ShCR member organisations”. Where a shared local health and care record is already in place, the checkpoints should be used for further assurance, with an independent panel in place to “ensure that they are compliant.”

The assurance checklist is also provided in appendix three, to “provide assurance to ShCRs that they are following the guidance outlined in the IG Framework”. It is recommended that ShCRs should “complete a self-assessment by reading each assurance checkpoint and then ticking if they feel there is satisfactory evidence”, which can then be submitted to the IG Assurance Panel.

Along with other issues for IG professionals to consider, there is also a list of supporting tools and templates available at the end of the document.
