Risk Stratification

Changes to data controller organisations for risk stratification

From 1 July 2022, clinical commissioning groups (CCGs) will be replaced with integrated care boards (ICBs) under the Health and Care Act 2022. CAG have confirmed that an administrative amendment will be supported to allow the processing of patient confidential data in line with the new Act by the ICB and data processors on behalf of GPs. The formal outcome has now been provided by CAG.

As responsible data controllers, ICBs will be required to undertake a review of their processing activities and update their own privacy notices in order to ensure transparency and transfer of data controller responsibilities.

CAG Approval CAG 7-04(a)/2013 extended to the end of September 2024

In 2013 NHS England gained approval from the Secretary of State, through the Confidentiality Advisory Group for its application for the disclosure of Secondary Use Services (SUS), commissioning data sets (approved under CAG 2-03(a)/2013) and GP data for risk stratification purposes to data processors working on behalf of GPs and CCGs.

From 1 July 2022, clinical commissioning groups (CCGs) were replaced with integrated care boards (ICBs) under the Health and Care Act 2022. This resulted in CAG making an administrative amendment to allow the continued processing of patient confidential data in line with the new Act by the ICB and data processors acting on behalf of GPs.

As responsible data controllers, Integrated Care Boards will be required to undertake a review of their processing activities, update their own privacy notices in order to ensure transparency and transfer of data controller responsibilities.

In August 2022 a request for a further 12 month extension was made by NHS England on behalf of GPs and ICBs, as the relevant data controllers. CAG indicated that further assurance was required to enable continued support and subsequently agreed that NHS England will work with ICBs to understand ongoing processing requirements for risk stratification.  The plan is to create a standard CAG application for core risk stratification purposes, which ICBs will be able to take forward, working with their constituent GP practices to demonstrate the required assurance.  Extending the current approval will enable GPs, supported by ICBs, to continue to target specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate interventions.  It will also support Commissioners to understand service use and to target interventions to improve care pathways.

The Confidentiality Advisory Group has confirmed that support for the use of GP’s and ICBs Secondary Use Data can continue risk stratification purposes until the end of September 2023.

The CAG register can be found on the NHS Health Research Authority website.

NHS England has given an undertaking to the Secretary of State for Health to seek assurance from eligible organisations and to provide a register of approved organisations for the receipt and processing of the patient data for risk stratification. NHS England is seeking assurance from ICBs and their appointed risk stratification suppliers that processing of the data is in accordance with the Data Protection Act 2018. Also, the conditions set out within the approval for CAG 2-03(a)/2013) are undertaken and maintained to process personal confidential data.

This approval applies to the use of GP, Mental Health and Secondary User Services data. It does not cover disclosure of social care data for risk stratification. Where social care data is to be used , the relevant parties need to assure themselves there is a legal basis for the disclosure and linkage for this purpose. This can be achieved either by using pseudonymised data only via a third party or with consent.

In order for ICB’s/GP’s to undertake Risk Stratification they must provide assurance to NHS England that they or their risk stratification tool providers meet the CAG approval conditions, as set out in the Risk Stratification Assurance Statement.

A documented Risk Assessment Assurance action plan should be completed to demonstrate evidence of implementation of the requests.

Please note: that the risk stratification suppliers included in the ‘List of risk stratification approved organisations’ document below are those that are allowed to use the Section 251 CAG 7-04(a)/2013 application. Under the application they have a lawful basis for appropriate data use, provided that the conditions of processing are met. The document does not form a list of risk stratification suppliers endorsed by NHS England.

Related documents

  • List of risk stratification approved organisations (updated monthly) – This a list of the ICBs approved to use the application and this will list (a) the risk stratification supplier approved to use the application they are using and (b) the DSCRO they are working with. You will find the list of suppliers approved to use the application in the latest version of the assurance statement.

Please note:  If you are an ICB which is undertaking risk stratification in agreement with your GP practices and you have not submitted a Risk Stratification Assurance Statement and therefore are not included on the NHS England register, you may not be able to receive Secondary Use Services (SUS)/Commissioning data which is supplied from the NHS Digital regional offices (DSCRO) for this purpose.  NHS Digital and NHS England are working together to verify that any data sharing agreements received by NHS Digital from ICBs which require data for risk stratification purposes are listed on NHS England’s list of approved organisations.

If you have any queries relating to the above, please email them to england.riskstratassurance@nhs.net