The ICO exists to empower you through information.

Case studies and examples

Share

Our data sharing code provides real-world examples and case studies of different approaches to data sharing, including where organisations found innovative ways to share data while protecting people’s information.

Here are some case studies additional to those in the code.

Data sharing to improve outcomes for disadvantaged children and families

Social workers frequently need access to information about children and their families when deciding whether there is a safeguarding risk and what support is most appropriate.

Two councils in different areas of the UK partnered with a not-for-profit organisation to find a data sharing solution where social workers would have all the information they need from the start.

After extensive user research and workshops with stakeholders and families, they found that social workers needed access to the contact details of the lead practitioner of a case from other services (police, housing, schools and adult social care), and basic information about when the service was last involved with the family. The research found that sharing such data would:

  • reduce the amount of time social workers spend looking for information;
  • enable more joint working among services (eg children’s social care working more closely with adult social care);
  • ensure social workers have access to all the information they need when assessing safeguarding risk and making support decisions for children and their families; and
  • allow children and families to access better, more timely services.

At the same time, the two councils and the not-for-profit organisation explored the information governance and ethical implications of accessing and using sensitive personal data within social care. They ran ethics workshops with the project team and conducted user research with those most likely to be affected by the data sharing (residents who have had contact with social care and social workers).

The research enabled the two councils to design, build and embed a digital data sharing solution that empowers social workers, enables professional judgement, protects privacy, and ultimately enables children and their families to access the right support and reach their potential.

 

Sharing with partners in the voluntary or private sector

A group of voluntary sector organisations worked with health and social care partners (both private and public sectors) on a project to deliver improved outcomes for older people in the community and in hospital.

The project team recognised that it needed to establish a culture of shared information, along with a phased, proactive approach to seeking individuals’ consent. It also recognised that the involvement of volunteers could have implications for the sharing of data within the project team, as they have a different legal status to the agencies’ employees and might not have received the same level of training as employees in the work of the organisation.

The project was set up as follows:

  • The volunteers signed contracts setting out their roles, responsibilities and standards - including those for information security - equivalent to those of the agencies’ employees. The contracts were intended to formalise and support the volunteers’ responsibilities for gathering and sharing information. Training and ongoing support were provided to the volunteers.
  • GPs asked their elderly patients whether they would like to take part in the project. They were asked specifically whether they agreed to relevant information from their health record being shared with a multi-disciplinary project team consisting of health, social care and voluntary sector practitioners.
  • At the initial home visit, the volunteer explained the information-sharing aspects of the service and asked for written consent.
  • All of the organisations and GP practices involved in the project entered into a single data sharing agreement. This built accountability and trust between the agencies involved.

Note it was important to consider whether the necessary legal power or ability to share personal data was in place. The legal power is separate from the lawful basis for data processing.

 

Landlord and tenant data sharing

A housing association occasionally received requests from organisations such as utility companies, debt collectors and councils for information about current and former tenants. However it was considered not to be appropriate to enter into a data sharing agreement as the sharing was not on a regular basis.

On one occasion, a utility company contacted the housing association and asked for the forwarding address of a former tenant who was in arrears on his gas and electricity account. The housing association disclosed the information because they had advised tenants at the start of their tenancy that they would make such disclosures because of the contractual relationship between tenants and the utility company. All tenants had agreed to this.

On another occasion, a debt collection company acting for a third party contacted the housing association for the forwarding address of a former tenant. The housing association decided that it could not disclose the information because it had no lawful basis for the disclosure. It withheld the tenant’s new address from the debt collection company.

The housing association dealt with requests for information effectively because it had put a system in place which required a senior person or group of people, trained in data protection, to decide whether or not to release personal information on a case-by-case basis.

This involved verifying the identity of the requester, insisting that all requests were in writing and ensuring that the requester provided enough information to make a proper decision. If the housing association decided to share the information, they only provided relevant, necessary information and, in every case, they made a record of the disclosure decision.

 

Sharing medical records of care home residents

Staff in a privately-owned care home did not have access to the recent medical history of residents. Instead, the home used to phone the GP practice or call out a GP every time they needed more information. This could be a risk, as the staff might need to check quickly what medicines residents were taking and at what dosages.

To make the process more efficient, the care home and the local GP practice signed up to a formal data sharing agreement, so the care home staff would have access to their residents’ electronic medical records when necessary.

The GP practice and local Clinical Commissioning Group made potential residents aware that if they were admitted to the care home there was a possibility that their medical record would be accessed. In addition, when patients were admitted to the care home, their explicit consent - or that of their representatives – was sought before their electronic medical record was accessed. Where consent was not provided, the former system of contacting a GP would continue to be used.

Other key features of the data sharing agreement were:

  • access to residents’ records could only take place while they were under the care of the home;
  • access was restricted to the clinical and professional nursing staff at the care home;
  • access was only allowed where this was necessary to provide treatment and for residents’ safety;
  • access was restricted to information relevant to the provision of care to residents;
  • access to the information was by secure means; and
  • the information obtained was held securely and in accordance with good information management practice.

A formal data sharing agreement can put in place effective safeguards for residents and can ensure the various parties involved in data sharing are working to a common set of rules. An agreement can also help to deal with the ethical and confidentiality issues that can arise in health and social care.

Even if there is a data sharing agreement in place, organisations still need to make sure that individuals whose data may be shared are aware of what is taking place. This can be done through the privacy information they provide, using various methods. In the circumstances outlined here, it might be more effective to talk to individuals to explain the situation and to find out whether they agree to their information being shared. Their decision needs to be documented.

 

Ensuring children’s welfare: data sharing by local authorities with Ofsted, the regulator of social care and early years provision in England

Data sharing can help ensure the welfare of children and other vulnerable individuals.

This example concerns the sharing of personal data by staff in local authorities with Ofsted, in its role as the regulator of social care and early years provision in England.

The example focuses in particular on the role of the Local Authority Designated Officer (LADO), who is responsible for managing child protection concerns or allegations made against staff and volunteers who work with children and young people.

Data protection enables fair and proportionate data sharing. That means that LADOs should be confident they can share relevant information with other local authorities and with Ofsted. The information shared by LADOs helps Ofsted to build a complete picture about an individual’s suitability to provide services to children.

Example

Mr D wants to register with Ofsted to provide a holiday play scheme for children in the Westtown Borough Council area. He has previously worked in a setting providing social care to children in the Easttown Borough Council area. His home is in the Northtown Borough Council area.

In order for Ofsted to reach a properly informed judgement on the suitability of anyone to provide services to children, it needs all relevant information about them. It is essential for the LADOs in Easttown and Northtown to share the information about Mr D with Ofsted when requested. This is the case irrespective of where Mr D lives or works.

This data sharing is vital, in order for Ofsted’s registration system to be effective in ensuring the safety of children.

Effective information sharing between the police and Ofsted in England

The Chief Constable in Barsetshire police force promotes a culture where the safety of children is paramount. That includes officers in the force alerting authorities and sharing information appropriately to protect children from harm.

Officers are familiar with the role of Ofsted as the regulator in England of early years settings including childminders and nurseries, and of children’s social care services including children’s homes. Because of this, officers know that the information they share can be used by Ofsted to make children safe.

The force has provided a named contact that Ofsted staff can get in touch with, if they need to talk about concerns at any institution that Ofsted inspects or regulates. The police have been given a regional contact in Ofsted that they can get in touch with about any new information.

Case study

Police receive a call-out to a children’s home because a child has gone missing. This is not the first occasion that this child has gone missing. The child has a history of unexplained absences and is found hanging around in a local park with older young people, some of whom are known to police as gang members.

The police officers have two linked concerns that lead to them sharing information with authorities: the safety of the child who went missing, and the safety of the children’s home.

Actions taken by the police officers:

1. To safeguard the child, they contact the children’s social care team in the local authority and share information with social workers about the child’s involvement with the gang.

2. The police also contact Ofsted to tell them they are concerned that there have been multiple police call-outs to this children’s home because of children going missing. The children are vulnerable and the police consider they are at a high risk of involvement with a local gang.

This information is valuable to Ofsted who can use it to help the young people concerned. The children’s home had notified Ofsted about the child going missing, but they did not include information about the child being at risk of gang involvement.

Ofsted now considers the intelligence from police and, under its regulatory role, decides to visit the children’s home to find out what the manager and staff are doing to keep children safe and to reduce the risk of children being groomed by local gangs.

An inspector from Ofsted visits the home and finds that staff were unaware of the possible gang involvement by children in the home. Staff had not talked to children to find out where they were going or what they were doing, and although they had noticed some changes in the behaviour of the child who went missing, they had not recorded this or notified the child’s social worker. The inspector’s view is that safeguarding arrangements in the home do not appear to comply with the relevant regulations.

Because of the information shared by the police and the findings of the inspector, Ofsted is able to take regulatory action to ensure that safeguarding arrangements at the children’s home are improved. Ofsted schedules further visits to monitor practice at the home and to check that improvements have been made. The inspector continues to liaise with police to monitor the welfare of children in the home.

Sharing medical records between a GP practice and hospital trust

These scenarios apply to England only, but the general principles are relevant in  Northern Ireland, Scotland and Wales where health services are a devolved matter.

A GP practice received a request for the records of one of their patients. They are receiving care in a hospital in another part of the country. This is outside of the local shared care record initiative, which is a system that governs patient records sharing locally. The practice is confused about whether they require the patient’s consent to share the data.

Health and care settings often use the concept of consent. However, it is often misunderstood due to the use of the term in different contexts. In this case, the consent required to view and share confidential medical information is different from the consent that the data protection legislation defines as a lawful basis for processing personal data.

To help the GP practice, the hospital directs them to information available on the NHS IG Portal, a service that provides specific information governance advice to organisations that provide care services. The hospital also reminds the care setting of their responsibilities under the Health and Social Care (Quality and Safety) Act 2015 and Caldicott Principle 7. This allows them to share someone’s personal data where it is likely to enable them to receive health or social care, and this is in their best interests.

After reading the guidance, the practice understands how this separate legal requirement for consent in a health and social care context interacts with consent as a lawful basis under data protection legislation. In this circumstance (they are sharing data for direct care purposes), they can share the data without the explicit consent of the patient. Their consent is implied due to the provision of health and care (ie, it is within the reasonable expectation of the patient for the care home to share information for these purposes). In addition, health and care staff have a legal duty to share information to support direct care.

Through the use of sector-specific guidance, organisations can reach a shared understanding of the data protection requirements for sharing data. This can reduce the friction that occurs between organisations as they consider their separate obligations under data protection law.

Improving data sharing processes and practices at an NHS trust

These scenarios apply to England only, but the general principles are relevant in  Northern Ireland, Scotland and Wales where health services are a devolved matter.

After receiving criticism that their procedures are hindering data sharing, an NHS trust’s information governance department establishes a new process within the organisation. This ensures people consult them in good time as part of any new processing activity that requires personal data.

In order to do this, they:

  • seek senior or executive level support for the proposal eg by the Senior Information Risk Owner (SIRO) or board where applicable;  
  • identify and review the points within the organisation where they establish new data processing activities and build information governance into business case and procurement checklists;
  • ensure timescale allocation for setting up required legal and governance documents such as data sharing agreements;
  • devise new template data protection impact assessments and data sharing agreements for organisations to use to simplify their processes;
  • provide training to the relevant staff and issue further communications across the organisation to highlight the new processes;
  • build professional networks with information governance colleagues in local organisations to learn best practice approaches and improve the information governance culture;
  • establish a review process to help understand occasions where they could not share data and apply the lessons learnt to future data sharing plans; and
  • hold a drop-in ‘meet the team’ session or issue an information sheet about their work and how their early participation will benefit colleagues.

Following this review and process redesign, the information governance team are now informed in good time about any new processing. They can ensure the team takes the appropriate governance steps before new processing takes place.

Improving health services with responsible data sharing

These scenarios apply to England only, but the general principles are relevant in  Northern Ireland, Scotland and Wales where health services are a devolved matter.

A healthcare care provider is looking to improve the services they offer their patients. By sharing appropriate levels of data with other care organisations in the area, the organisation realises they can improve services. However, the organisation traditionally avoids risk when it comes to sharing data. This adversely impacts the quality of care they can provide.

As the organisation looks to improve their data sharing practices, they decide to find ways they can assure themselves that whenever they shares data, they are doing so responsibly. They want to make sure they are adhering to the requirements of data protection law, common law and their responsibilities to their service users.

They refer to the considerations the ICO lays out in the data sharing checklist in the data sharing code of practice. The organisation builds on this by adding the following checks:

  • The status of the organisation (with respect to the legal powers provided by the Health and Social Care Act 2015 etc).
  • The nature of the processing and purpose for which the organisation needs to share data.
  • The status of the organisation they plan to share the data with, which could include reviewing the information in the NHS Data Security and Protection Toolkit (DSPT).
  • Other appropriate due diligence checks such as the NHS Digital Technology Assessment Criteria (DTAC).
  • The amount of data being requested for the purpose or purposes they are using it for.
  • The necessity for the data sharing (does it need to happen, or can the organisation achieve the purpose another way, for example using anonymised data?)
  • Ensuring the organisation has suitably informed the patients or service users of the proposed sharing and of their data subject rights.

After implementing this approach, the organisation feels more confident about sharing data. By keeping a record of their decisions, they are also demonstrating their accountability for their actions.

Sharing health data for research purposes

These scenarios apply to England only, but the general principles are relevant in  Northern Ireland, Scotland and Wales where health services are a devolved matter.

A hospital trust is preparing to trial a medical device that they are developing to support clinical decision-making for patients suffering from heart disease. The device is a data-driven app that applies a risk model based on details from the patient’s medical history. Although members of the trust’s clinical team developed the risk model, a third-party private company are developing the app itself.

The trust wishes to use patient data to support the research phase of the app development, which is part of the approval process for medical devices. This involves sharing patient data with the app’s developers for research purposes. As the app developer will need health information, which is capable of identifying people for this research, the hospital trust needs a legal basis for lifting the common law obligation of confidentiality to disclose and use the information for the purposes of this research programme. Before the trust shares the data, they consider a number of questions as part of their data protection impact assessment (DPIA), which include the following:

  • What is the lawful basis under UK GDPR to process this data?
  • What can they do to minimise the amount of data they need to process to effectively perform this task?
  • Will the trust be able to get explicit consent (common law) from each patient to view their medical information for this purpose? Is this practical? Are there other ways to satisfy the common law?
  • What approvals do they require in order to carry out the research?

Following a review of guidance relating to confidentiality and consent available on the NHS IG Portal, the Trust understands that they can identify a lawful basis under UK GDPR. However, for common law purposes they need to make an application to the Confidentiality Advisory Group (CAG) under section 251 of the NHS Act 2006 for advice on whether the research group can access the data without the patients’ explicit consent. This is because the purpose of the processing is not direct care, and they do not have the implied consent of the patient to access this data (under common law).

Following a successful CAG application and approval, the trust could share the information from their patient records in order to carry out this research. Analysis of the confidential patient information meant that the trust could confirm the effectiveness of their risk model and seek approval for their medical device.