Integrated care systems (ICSs), integrated care boards (ICBs) and integrated care partnerships (ICPs) - a quick guide
A new structure was established in The Health and Care Act 2022 to enable a move toward closer working between organisations within the health and care system. This guidance advises information governance professionals on sharing information between organisations within different collaborative systems, as well as determining controllership arrangements.
Where this guidance refers to the law, this includes both UK GDPR and common law requirements. However, the guidance does not cover in detail the UK GDPR and common law requirements which must be met for any data use.
Integrated Care Boards (ICBs)
Description: ICBs have replaced Clinical Commissioning Groups (CCGs) and have taken on many of the responsibilities that CCGs used to have. ICBs also carry out several functions that were previously carried out nationally by NHS England. They facilitate integration between local NHS organisations in their area.
There is an ICB within each Integrated Care System (ICS), which has responsibility for commissioning most NHS services on behalf of the ICS.
Legal Entity: Yes. This means that ICBs are defined as a public authority with duties identified in law (the Health and Care Act 2022).
Data controller: In some circumstances, an ICB can be a controller as it is a legal entity. For example, where it collects relevant personal data from community providers, local authorities and others to provide continuing healthcare (CHC) services, or if it collects personal data from provider organisations in order to optimise the use of medicines.
An ICB has the legal powers to procure or commission services on behalf of organisations within the ICS. For example, an IT supplier for care planning software. In this scenario, the controllers would be the care provider organisations that the ICB has procured the IT services for. Instructions from the controllers (care providers in the example above) must be captured in a legally binding agreement, such as a data processing agreement (DPA), so that the processor (the IT supplier in the example above) is legally able to carry out its contracted services. Alternatively, the ICB may just be one party in the decision-making process for procurement of a service for the ICS. In this case, a joint controller arrangement may be appropriate. Decisions about procurement arrangements should be made on a case-by-case basis.
Integrated Care Systems (ICSs)
Description: An ICS is a partnership of organisations in the same geographical area that come together to plan and deliver health and care services to improve the lives of people who live and work in their area.
Legal entity: No
Data controller: No. An ICS is not a legal entity and so cannot be a controller.
Are individual organisations controllers? Yes. The organisations that make up the ICS are the controllers. In some circumstances, they will be joint controllers (where two or more organisations jointly decide on why and how to use and share data).
Relevant personal data can be shared with each organisation (controller) that makes up the ICS, such as hospital trusts, GP practices or local authorities where the law allows it. For example, relevant information can be shared between health and care professionals providing care to an individual. An example of this information sharing might be where several hospital trusts have decided to set up an imaging network to pool resources. This allows hospitals with capacity to offer appointment slots for scans to patients at other hospitals.
Integrated Care Partnerships (ICPs)
Description: ICPs are committees that aim to bring the NHS ICB, local authorities and providers of health and care together. The role of an ICP is to develop and set an integrated care strategy for joined up care for the ICS area.
Through the integrated care strategy, ICPs explore safe and appropriate data sharing with system partners and consider how health and care data is appropriately linked. ICBs, local authorities and NHS England must ensure that any commissioning they undertake is supported by the strategy.
Legal entity: No
Data controller: No. An ICP is not a legal entity and so cannot be a controller.
Are individual organisations controllers? Yes. Where the law allows it, relevant personal data can be shared between each organisation (controller) that makes up the ICP, such as the ICB and local authorities.
Place based partnerships
Description: Place-based partnerships are made up of NHS organisations, local councils, community and voluntary organisations such as charities, and other community partners with a role in supporting the health and wellbeing of the local population.
Place-based partnerships are typically smaller in geography than an ICS. An example is all the GPs, pharmacies, social care providers, voluntary organisations such as Age Concern and a local authority within an individual borough or city working in partnership to make the best use of collective resources.
Legal entity: No
Data controller: No.
Are individual organisations controllers? Yes. The organisations that make up the partnership are likely to be the controllers. In some circumstances they will be joint controllers (where two or more organisations jointly decide on why and how to use and share data).
Where the law allows it, relevant personal data can be shared with each organisation (controller) that makes up the place-based partnership. An example would be where social prescribing is in place so that local agencies such as charities, social care and health services can refer people to support provided in the community.
Description: Provider collaboratives are where two or more health and care organisations formally agree to work together at scale. They may mutually aid each other in order to be more efficient. There can be any number of provider collaboratives within each ICS, and provider collaboratives may consist of organisations from different ICS footprints in some cases. For example, organisations within a community health and care collaborative may collaborate on treatment plans in order to provide better outcomes for people using their services.
Legal entity: Provider collaboratives are not legal entities, so cannot be a single controller
Data controller: No. A provider collaborative cannot be a single controller.
Are individual organisations controllers? The provider organisations that make up the collaborative are likely to be the controllers. In some circumstances they will be joint controllers (where two or more organisations jointly decide on why and how to use and share data). It is possible to share relevant personal data between the individual organisations where the law allows it.
What IG documents should be in place?
Where there is collaboration between data controllers, or work that is happening in collaborative systems (i.e. between organisations within an ICS, ICP, Place based partnership or Provider collaborative) it is important to adequately manage and support the sharing of information.
UK GDPR/Common Law Duty of Confidentiality must be met when sharing information with any organisation. The following documents may be needed when sharing information:
Data Sharing Agreement (DSA) - Controllers should document the sharing of personal data with other controllers in a DSA as good practice.
Data Processing Agreement (DPA) - Where an organisation (processor) acts upon instruction from another organisation (controller), the controller must document this instruction and both the processor and controller must sign a legally binding agreement, which may be a contract, DPA or similar.
Data Protection Impact Assessment (DPIA) - Where the personal data being shared or used is high risk, for example due to the sensitive nature of health and care data, the controller must complete a data protection impact assessment (DPIA), such as the standardised DPIA template.
Transparency materials - It is important that people are made aware of how their information is shared. This can be through a privacy notice, as well as, for example, on organisations’ websites and in waiting rooms. Organisations should use a combination of methods to communicate with people to ensure a wider reach.