Confidentiality Advisory Group (CAG) approval to s251 support for invoice validation data processing (CAG 7-07(a-c)/2013)

The Secretary of State for Health previously approved the NHS England application for an extension (until the end of September 2022) for support under regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (section 251 support) which allowed clinical commissioning groups (CCGs) and commissioning support units (CSUs) to process personal confidential data which are required for invoice validation purposes, subject to a set of conditions.

From 1 July 2022, CCGs were replaced with integrated care boards (ICBs) under the Health and Care Act 2022. At that time, CAG supported an administrative amendment which allowed ICBs to legally process patient confidential data in line with the new Act.

The previous CAG approval for invoice validation which ended in September 2024 was renewed by NHS England, however this approval is for 12 months only.  It is envisaged that the Control of Patient Information Regulations 2002 will be amended to support the validation of invoices, which is critical to support NHS services, prior to September 2025.

Secretary of State for Health and Social Care support decision

The Secretary of State for Health and Social Care, having considered the advice from CAG as set out below, has determined the following:

1. The amendment to extend the duration of support for 1 year until 30 September 2025 is conditionally supported, subject to resolving the security assurances set out in this letter within 1 month, and continued adherence to the existing specific and standard conditions of support.

Amendment request

In this amendment, the applicants requested an extension to the duration of support to continue the legal basis permitting ICBs and CSUs to process confidential patient information under regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 for invoice validation purposes. Support is currently in place until 30 September 2024 and the applicants sought to extend this by a further 12 months until 30 September 2025.

As responsible data controllers, ICBs continue to be responsible for undertaking a review of their processing activities and updating their own privacy notices in order to ensure transparency around their data processing activities related to invoice validation.