Risk Stratification

Changes to data controller organisations for risk stratification

From 1 July 2022, clinical commissioning groups (CCGs) will be replaced with integrated care boards (ICBs) under the Health and Care Act 2022. CAG have confirmed that an administrative amendment will be supported to allow the processing of patient confidential data in line with the new Act by the ICB and data processors on behalf of GPs. The formal outcome has now been provided by CAG.

As responsible data controllers, ICBs will be required to undertake a review of their processing activities and update their own privacy notices in order to ensure transparency and transfer of data controller responsibilities.

CAG Approval CAG 7-04(a)/2013 extended to the end of September 2022

In 2013 NHS England gained approval from the Secretary of State, through the Confidentiality Advisory Group for its application for the disclosure of Secondary Use Services (SUS), commissioning data sets (approved under CAG 2-03(a)/2013) and GP data for risk stratification purposes to data processors working on behalf of GPs and CCGs.

The application was made by NHS England on behalf of GPs and CCGs, as the relevant data controllers. It will enable GPs, supported by Clinical Commissioning Groups (CCGs), to target specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate interventions.  It will also support Commissioners to understand service use and to target interventions to improve care pathways.

In August 2020, NHS England applied to the Confidentiality Advisory Group for an extension of the Risk Stratification CAG approval which was due to expire at the end of September 2018. The Confidentiality Advisory Group has confirmed that support for the use of GP’s and CCGs Secondary Use Data can continue risk stratification purposes until the end of September 2022.

The CAG register can be found on the NHS Health Research Authority website.

NHS England has given an undertaking to the Secretary of State for Health to seek assurance from eligible organisations and to provide a register of approved organisations for the receipt and processing of the patient data for risk stratification. NHS England is seeking assurance from Clinical Commissioning Groups and their appointed risk stratification suppliers that processing of the data is in accordance with the Data Protection Act 2018 and that the conditions set out for processing of personal confidential data are undertaken and maintained.

This approval applies to the use of GP and Secondary User Services data (including commissioning data processed under CAG 2-03(a)/2013). It does not cover disclosure of social care data for risk stratification. Where social care data are to be used then the relevant parties need to assure themselves there is a legal basis for the disclosure and linkage for this purpose. This can be achieved either by using a third party and pseudonymised data, or with consent.

In order for CCG’s/GP’s to undertake Risk Stratification they must provide assurance to NHS England that they or their risk stratification tool providers meet the CAG approval conditions, as set out in the Risk Stratification Assurance Statement.

A documented Risk Assessment Assurance action plan should be completed to demonstrate evidence of implementation of the requests.

Please note: that the risk stratification suppliers included in the ‘List of risk stratification approved organisations’ document below are those that are allowed to use the Section 251 CAG 7-04(a)/2013 application. Under the application they have a lawful basis for appropriate data use, provided that the conditions of processing are met. The document does not form a list of risk stratification suppliers endorsed by NHS England.

Related documents

Please note:  If you are a CCG which is undertaking risk stratification in agreement with your GP practices and you have not submitted a Risk Stratification Assurance Statement and therefore are not included on the NHS England register, you may not be able to receive Secondary Use Services (SUS)/Commissioning data which is supplied from the NHS Digital regional offices (DSCRO) for this purpose.  NHS Digital and NHS England are working together to verify that any data sharing agreements received by NHS Digital from CCGs which require data for risk stratification purposes are listed on NHS England’s list of approved organisations.

*This a list of the CCGs approved to use the application and this will list (a) the risk stratification supplier approved to use the application they are using and (b) the DSCRO they are working with. You will find the list of suppliers approved to use the application in the latest version of the assurance statement.

If you have any queries relating to the above, please email them to england.riskstratassurance@nhs.net