Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Panel, including the Information Commissioner’s Office (ICO) and National Data Guardian (NDG).

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at england.igpolicyteam@nhs.net.

Virtual wards

Integrated care Sharing with other sectors COVID-19 Enabling remote working Template Confidentiality Comms with patients or service users UK GDPR and data protection
Reducing Chronic Obstructive Pulmonary Disorder (COPD) and asthma readmissions with continuous vital sign monitoring and virtual visits 4

Published: June 2022

Updated: August 2023

Virtual wards support people, who would otherwise be in hospital, to receive the care and treatment they need in their own home or usual place of residence. Virtual wards are suitable for a range of conditions that can be safely and effectively monitored at home including respiratory conditions, heart failure and COVID-19.

NHS England has provided further guidance about virtual wards. This guidance focuses on information governance.

Guidance for patients and service users

Virtual wards allow people to get the care they need at home, safely and conveniently, rather than being in hospital.

If you are cared for in a virtual ward, relevant confidential patient information will be used and shared with those directly involved in caring for you. This may include staff in hospitals, community teams, care homes and GPs. For example, a registered nurse monitoring your health and care measurements which could include blood pressure, pulse, temperature and oxygen levels. This will enable the nurse to make an assessment of your current health and wellbeing and whether any changes to your care are needed. If you are in a virtual ward for COVID-19, your information may be shared to help manage the pandemic.

Virtual wards can use remote monitoring technology such as apps and medical devices to assess your health while you are cared for at home. For example, you may be asked to wear a pulse oximetry device on the end of your finger to check your oxygen levels. Technology providers will need to use confidential patient information such as your oxygen level or blood pressure readings in their systems, to allow your care team to observe your readings.

Any use of confidential patient information is strictly restricted and under the control of the NHS. Technology providers must go through a rigorous approval and assurance process to ensure that health and care data will be managed securely, appropriately and legally, before they are permitted to access it. They also can’t use the information for any purpose other than supporting the virtual ward.

As your data is being shared in order to provide you with care, your consent is implied and you do not need to give it explicitly. If you have concerns about your information being shared as part of a virtual ward, then you should speak to those caring for you.

To find out about how your information will be used and shared, you can look at your health and care organisation's privacy notice. If, for example, you are invited by your GP practice to be part of a virtual ward, you could look at your GP practice’s privacy notice on their website or ask the receptionist to see a copy.

Guidance for healthcare workers

As a health and care team, you may be asked to work as part of a virtual ward. The care team for the virtual ward may be drawn from different organisations. You have a duty to share information to support individual care and so you should feel confident about sharing information. Implied consent can be used when sharing relevant information with those directly involved in providing care as part of the virtual ward. Controls should be built into the process so that staff can only access the information they need for their role.

You will receive information generated by remote monitoring in different ways depending on the system and set up. How you receive the information should be agreed with the virtual ward team. The monitoring information may feed directly into the health and care record or you might only receive notifications, for example, of a sudden change in readings such as oxygen levels. It is important that an accurate record of activity is kept in health and care records. For example, you should record any notable events such as high blood pressure reading and the clinical action taken.

If a new organisation requires access to confidential patient information as part of the virtual ward, you should raise this with the virtual ward operational lead so that they can ensure relevant IG documentation is kept up to date. In an emergency situation, if you need to share information for individual care, you should do so. You should take a note of what was shared, with who and for what reason. This should be communicated to the operational lead and IG lead within your organisation at the earliest opportunity.

Your organisation’s privacy notice will provide detail about how information is being used and shared. If a patient or service user objects to sharing information, you should discuss their concerns with them. If they do not want to share their information, then it may be that a compromise can be reached, for example, withholding a piece of information which they are sensitive about. However, if they do not want any information shared, it may be that a virtual ward is not suitable due to its reliance on sharing and monitoring information. You should seek advice from your IG team, Caldicott Guardian or senior staff.

Guidance for IG professionals

You can set up virtual wards in your organisation in a lawful and secure way. This guidance sets out the actions required by:

(i) the lead commissioner and

(ii) all organisations that are part of the virtual ward

The IG team may not be responsible for all actions listed below, but should be involved. A number of templates are available for you to adapt if you wish to. Please note that these are currently being updated to our new universal IG template format. As soon as they are ready, the new versions will be made available here.

As the lead commissioner you must take the following actions, working with suppliers:

Check the procurement process

Ensure your procurement process includes sufficient weighting for IG considerations. For example, bidders should confirm that they are suitably accredited by demonstrating compliance with the Data Security and Protection Toolkit (DSPT). This will ensure that if a bidder has poor IG in place, they should not be able to win the contract despite performing well in other areas.

Review the suppliers Digital Technology Assessment Criteria (DTAC) submission

You should review section C2 of the supplier’s DTAC submission. The ICT lead should review section C3 and C4 with your input.

Complete a Data Protection Impact Assessment

A DPIA must be completed to assess data protection risks of the service prior to implementation. You should review the DPIA regularly to ensure that it reflects any changes to the service. The DPIA template details the UK GDPR legal bases which can be relied upon and how common law can be satisfied. It also provides a steer on controller arrangements.

Ensure you have a contract with the supplier

The NHS terms and conditions is a suitable option with a linked data processing agreement to define the processing allowed. The data processing agreement may be included as a schedule of the contract, or it may be a standalone document, which is referenced within the contract. A template data processing agreement can be used.

Check the end user licence agreement (EULA) or terms and conditions

Check the end user licence agreement (EULA) or terms and conditions that are required to be accepted in order to use the solution. This must be reviewed for IG compliance.

Prepare a Data Sharing Agreement

You may have an existing arrangement within your Integrated Care System (ICS) which you can adopt, for example a framework for shared care records. You can add to this framework a secondary schedule to detail the specific data share for virtual wards. Alternatively, a template data sharing agreement has been provided. You should undertake due diligence checks on behalf of the organisations signing the agreement. This should include a check of the DSPT status and obtaining assurances that confidentiality will be maintained particularly if an organisation does not need to complete the DSPT. You must ensure that all organisations participating in virtual wards sign up to the agreement.

A checklist for suppliers has been prepared to help them prepare for the information you may request.

As an organisation taking part in virtual wards, you will need to take the following actions:

Sign a Data Sharing Agreement

All organisations who are part of the virtual ward will all need to sign the data sharing agreement usually prepared by the lead commissioner.

Complete and display a privacy notice

A privacy notice must be available at all organisations participating in the virtual ward before the remote monitoring starts. The template privacy notice can be adapted, or you can update your existing privacy notice.

Reducing Chronic Obstructive Pulmonary Disorder (COPD) and asthma readmissions with continuous vital sign monitoring and virtual visits 4