
This guidance has been reviewed by the Health and Care Information Governance Working Group, including the Information Commissioner's Office (ICO) and National Data Guardian (NDG).


Information sharing between private healthcare services and NHS England


This guidance is about NHS England requesting information from private health and care organisations and services to meet its legal obligations.

The guidance is aimed at patients, service users, healthcare workers and information governance (IG) professionals at private hospitals, hospices, clinics, care homes and dental practices which are run independently of the NHS in England. They may be run by a commercial company, a charity or another non-profit organisation. This guidance may also be helpful to NHS organisations who have private patient units.



Guidance for patients and service users

NHS England might ask your private health or care organisation to share your personal information with them. This is because NHS England is required by law to collect information about care in NHS and private hospitals, hospices, clinics, care homes and dental practices.

The information helps NHS England to understand things like:

  • the quality of health and care services
  • the safety of health and care services
  • whether people have had any health problems after being treated

By understanding this information, NHS England can improve health and care services for patients and service users.

Information shared with NHS England

If you have received care from a private health or care organisation, they may share information about you with NHS England. This includes:

  • personal details such as your NHS number, name and postcode
  • details of the private healthcare professional who treated you
  • sensitive information about you from your patient record, such as your health information, the treatment you received or your ethnicity

Which information is shared depends on the specific request from NHS England. If it is not needed, NHS England will not request it.

Information never shared with NHS England

Some types of information are never shared with NHS England. These include:

  • information about an application for a Gender Recognition Certificate, or what your gender was before you received one
  • information about certain fertility treatments

Staff providing you with your private healthcare must carefully check the information that NHS England has requested and remove this information before it is sent.

Opting out of information being shared

Depending on the private healthcare services you receive, you may be able to opt out of your information being shared with NHS England.

Information:

If the service is privately funded, for example through medical insurance or a workplace health scheme, or you pay for it yourself, you can say to your private healthcare organisation that you do not want your information to be shared. You can also say that you do not want a particular part of your information to be shared. Data which has already been provided to NHS England cannot be deleted, but your opt-out would apply from the moment you tell your private healthcare organisation.

If you have been treated at a private healthcare organisation but the treatment was paid for by the NHS, it is a legal requirement for your private healthcare organisation to share the information. You do not have a choice about whether your information is shared.

If you are unsure whether your service is privately funded or paid for by the NHS, you can ask your private healthcare organisation.

How you will be informed

Your healthcare organisation will not specifically tell you about each information request NHS England makes. However, you can read your private healthcare organisation’s privacy notice to find out whether information is being shared with NHS England and what choices you can make for opting out.

The privacy notice for the healthcare organisation should be available on their website and you can also request a paper copy. This should include the contact details for the organisation’s data protection officer, who you can ask for more information if you need it.

Your private healthcare organisation’s responsibilities

Your private healthcare organisation must:

  • only share the specific information that is needed for the request
  • send information in a secure way
  • be clear about information they are sharing in their privacy notice

Your private healthcare organisation must handle your information appropriately, securely and lawfully when responding to information requests from NHS England.


Guidance for healthcare workers

Your organisation may receive information requests from NHS England relating to the patients and service users you have cared for. NHS England makes these information requests so they can evaluate and improve the quality and safety of care across different healthcare settings.

NHS England will send its information requests to your data protection officer, IG team or other senior members of your organisation, who will involve your Caldicott Guardian as appropriate. As the information is not being provided for individual care, it is unlikely that you will be involved in dealing with these requests.

See Guidance for IG professionals section (below) for more information.


Guidance for IG professionals

Legal powers for information requests

NHS England has legal powers to collect, analyse and link information from health and social care organisations, including private healthcare providers, where specific directions are given by the Secretary of State.

These powers are established under section 259 of the Health and Social Care Act 2012, which also sets aside the duty of confidence to patients (see Common law duty of confidentiality section for more information).

Scope of information collections

As part of the development of a direction, NHS England is required to consult with key stakeholders on the scope of the information they are requesting. This includes representative groups advocating on behalf of private healthcare providers where they are relevant to the collection.

NHS England consults with stakeholders on:

  • the information needed for the collection
  • the necessity of the information being requested
  • the proportionality of the information being requested

Data provision notice

When NHS England is exercising its legal powers under section 259, it will create a data provision notice (DPN) which it will make available to your organisation.

The DPN will contain information about:

  • what information is being requested
  • why it is being requested
  • whether your organisation is legally required to supply the information
  • the legal basis for the collection
  • the time frame for the collection
  • representative groups who have been consulted for the collection

Reviewing the information provided in the DPN will help you comply with your professional responsibilities and legal obligations when responding to the request.

If you require information which goes beyond what the DPN contains, NHS England can provide additional information where practical to assist you with your queries.

Legal obligation to share

Depending on the service(s) the request relates to, you may have a legal obligation to share the information.

Information:

If the information request relates to services commissioned by the NHS in England you have a legal obligation to supply the information which has been requested, following the instructions provided by NHS England on how it should be supplied.

If the information request only relates to non-NHS-commissioned services, it is only a request and you can therefore choose to disclose or not disclose the information. When making that decision, you should involve your Caldicott Guardian, IG team or data protection officer as appropriate, and you can also allow people you have cared for to locally opt out of their information being shared (see Opt-outs section below for more information). If you decide to share the information, you still have a legal basis for the sharing, even though it is not mandatory (see UK GDPR legal basis and Common law duty of confidentiality sections below).

Although sharing in response to NHS England information requests is not always required by law, it is always encouraged to help NHS England better understand, manage and improve healthcare services across England.

UK General Data Protection Regulation (GDPR) legal basis

Your legal bases under the UK GDPR for sharing the patient or service user information will depend on the service which the information has been collected for.

For NHS commissioned services

If the information has been collected for a service commissioned by the NHS in England, sharing is a legal obligation. The UK GDPR legal bases most likely to apply are:

  • Article 6(1)(c) legal obligation – to comply with a DPN issued under section 259(1)(a) of the Health and Social Care Act 2012
  • Article 9(2)(h) managing health and social care services – to manage health care systems or services

For privately funded services

If the information is not used for any services commissioned by the NHS in England, while sharing is not a legal obligation, you can rely on other GDPR lawful bases to share. Each case should be assessed individually to determine the most appropriate UK GDPR legal bases. Those most likely to apply are:

  • Article 6(1)(f) legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party, in this case NHS England’s compliance with a Direction under s.254 of the Health and Social Care Act 2012
  • Article 9(2)(h) managing health and social care services – to manage health care systems or services

Common law duty of confidentiality

Where the information is legally required, the common law duty of confidentiality is met because providing the information is a legal obligation under section 259(1)(a) of the Health and Social Care Act 2012.

Where the information is only requested under section 259(1)(b) of the Health and Social Care Act 2012, section 259(10) of the same legislation provides a permissive legal gateway for the information to be shared, provided it is not subject to other legal restrictions (see Legal restrictions section below). This means that if NHS England makes a request under section 259, you can generally share information with NHS England without breaching duties of confidence owed to people you have cared for.

Opt-outs

NHS-commissioned services

If your services have been commissioned by the NHS, then you are legally required to share the information with NHS England. This means that:

  • you should not provide a local opt-out, because patients and service users do not have a choice about whether their information is shared
  • you should not apply the national data opt-out before sending the information to NHS England

Privately-funded services

If NHS England requests information for privately-funded services, sharing is not a legal obligation. For privately-funded services:

  • you should provide a local opt-out
  • you should not apply the national data opt-out before sending the information to NHS England

A local opt-out allows patients and service users to make a choice about whether they want their information to be shared. NHS England will provide guidance within the publicly available DPN on whether to anonymise, pseudonymise or otherwise redact information before sharing or whether to withhold data entirely if the data is of no use without patient identifiers.

Opt-outs table

The table below explains the rationale for applying local opt-outs and the national data opt-out to data collections requested by NHS England.

Service                                  | Is there a legal obligation to share? | Should I provide a local opt-out? | Should I apply the national data opt-out before sending to NHS England?
The service is commissioned by the NHS   | Yes                                   | No                                | No
The service is NOT commissioned by the NHS | No                                  | Yes                               | No

Security and internal governance

You should carry out a data protection impact assessment (DPIA) and document the data flow to NHS England in your information assets and flows register (IAFR). The information you need should be covered in the DPN and data specification made available by NHS England.

Any decisions made to share or not share information should be recorded in a disclosure log, including details of:

  • when the request was made
  • nature and quantity of information requested
  • details of the requester
  • nature and quantity of information given
  • names and roles of decision makers
  • justifications for any decisions taken
  • risk assessments carried out

The documentation outlined above will help you demonstrate that you have assessed the privacy risk associated with the sharing and made adequate security arrangements for the transfer.

Legal restrictions

There are some types of information which your organisation is legally restricted from providing to NHS England for the purpose of establishing information systems. For example:

  • information about an application for a Gender Recognition Certificate, or what a person’s gender was before they received one
  • information about certain fertility treatments

NHS England will assess legal restrictions which apply as part of the development of the collection. These legal restrictions will be highlighted in the DPN, and instructions will be provided on how to appropriately anonymise relevant records.

Transparency

Your privacy information should reflect that you share information with NHS England in line with NHS England exercising its legal powers, and the UK GDPR legal basis you rely on for sharing information with them.

It should also outline your approach to sharing information with NHS England to help better manage health and care services where the NHS England collection is not a legal obligation. As part of this, you can invite individuals to contact you to find out more about any specific local opt-outs that apply to NHS England collections.

Some example text is provided below, matching the format and style of NHS England’s universal IG privacy notice template.

Information:

In some circumstances we are legally obliged to share information. This includes:

  • when required by NHS England to collect and analyse information for the improvement of safety and quality of national health and care services

We may also share information with NHS England where it is not required by law to help improve the quality and safety of national health and care services. The law allows us to do this. If you would not like your information to be shared with NHS England where it is not required by law, please contact us on [insert contact email] to find out about how you can opt out.

Updating your privacy information is sufficient for notifying both past and future patients that their information will be used for NHS England information collections, as informing each patient individually would constitute a disproportionate effort.
