Information Governance Framework for Integrated Health and Care: Shared Care Records
Published 7 September 2021
The aim of Shared Care Records (ShCR) is to help local organisations move from today's position, where each health and care organisation holds separate records for the individuals they care for, to one where an individual’s record is shared across the health and care system. This will help health and care professionals to use information safely and securely as the people they care for move between different parts of the NHS and social care. It will also enable patients and service users to access their record irrespective of where they receive care.
ShCR was formerly known as the Local Health and Care Record (LHCR) programme. For the ShCR (LHCR programme), exemplar areas were identified. Other ShCR geographies are being onboarded to ensure full national coverage. The exemplar areas are:
- Yorkshire and Humber
- Thames Valley and Surrey
- Greater Manchester
The Information Governance (IG) Framework is intended for IG professionals. It has been developed to provide a structured approach to ensure ShCRs meet their legal obligations. This includes when they are planning, preparing and delivering data sharing.
It is based on a model where controllership continues to remain local. Local agreements will be in place to set out what data is shared and who can access it in a safe, secure and appropriate manner. This approach recognises the variance in how data is captured and represented in local systems.
ShCRs will initially focus on individual care. This is covered in two journeys:
- Journey 1: Sharing personal or confidential patient information (CPI) between health and social care bodies within a ShCR for the individual care of patients or service users.
- Journey 2: Sharing personal or CPI between health and social care bodies across geographical boundaries for the individual care of patients or service users.
The following requirements are essential for IG compliance and good practice and need to be considered for both journeys.
Each ShCR should:
- have a consistent approach to IG policies, processes and systems to ensure good practice
- identify the flows of data, and at each point in the process to determine who the controllers and/or processors are
- identify and understand the legal basis for processing data for every function including ensuring transparency about purpose and process, supporting good practice, and promoting public engagement
- manage access controls and records management
- consider patient and service user objections to processing
- adhere to current published guidance on cyber security for health and care
- ensure that any relevant due diligence checks are carried out where processors or sub-processors are involved
- document the decision-making process to demonstrate accountability
Each requirement has a set of checkpoints. Every ShCR will need to gain satisfactory assurance on each checkpoint before proceeding with data sharing across the ShCR member organisations. Where a ShCR already has a shared local health and care record in place, they should use the checkpoints to assure themselves. Also have an independent assurance panel to ensure that they are compliant.
ShCRs must meet the requirements set out in this IG Framework. Other areas, that are delivering integrated care, are not presently
Thank you to colleagues from the ShCR (LHCR) IG Steering Group, ShCR (LHCR) IG Leads, critical friends and stakeholders who have helped in the development of this document.