Federated Data Platform: information governance framework

1. Purpose and overview of this document

The purpose of this document (document) is to set out the information governance framework for the Federated Data Platform (FDP) Programme. The framework sets out minimum information governance requirements to be applied in the implementation and operation of FDP, with the aim of ensuring a consistent approach and high standard of information governance and transparency across the FDP user organisation community. This framework includes:

  • working within the contractual documentation associated with the Programme. This document identifies these and sets out how these work together
  • clearly identifying the various parties involved in delivering the Programme, explaining their data protection roles, and setting out their information governance responsibilities
  • laying out the core information governance principles of the Programme
  • identifying the information governance documentation that will be required to be put in place and who is responsible for producing and supporting the production of it
  • setting out the procedure for reporting security breaches and personal data breaches relating to data processed in the Federated Data Platform
  • setting out how freedom of information requests will be handled
  • setting out the governance arrangements relating to how the parties will work together and the various governance groups to be established to facilitate this
  • identifying the supporting IG documentation for the Programme and where it can be accessed
  • explaining how the framework will be reviewed, changed, and published to provide transparency over the framework

2. Definitions

The following terms used in this document have the following meaning:

  • Aggregated data: counts of data presented as statistics so that data cannot directly or indirectly identify an individual
  • Anonymisation: anonymisation involves the application of one or more anonymisation techniques to personal data. When done effectively, the anonymised information cannot be used by the user or recipient to identify an individual either directly or indirectly, taking into account all the means reasonably likely to be used by them. This is otherwise known as a state of being rendered anonymous in the hands of the user or recipient
  • Anonymised data: personal data that has undergone Anonymisation.
  • Anonymous data: anonymised data, aggregated data and operational data
  • Approved use cases: means one of the five initial broad purposes for which products in the Federated Data Platform can be used as outlined in Part 1 of Schedule 2 (approved use cases and products), or any subsequent broad purpose agreed to be a use case through the Data Governance Group
  • Categorisation of data: means one of the following categories of data:
    • directly identifiable personal data
    • pseudonymised data
    • anonymised data
    • aggregated data
    • operational data

In the case of directly identifiable personal data or pseudonymised data this could be Personal Data or Special Category Personal Data.

  • Commissioned health service organisations: means organisations who provide health services in England pursuant to arrangements made with an NHS Body exercising functions in connection with the provision of such services
  • Common law duty of confidentiality: the common law duty which arises when one person discloses information to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence
  • Confidential patient data: information about a patient which has been provided in circumstances where it is reasonable to expect that the information will be held in confidence, including confidential patient information.
  • Confidential patient information: has the meaning given in section 251(10) and (11) of the NHS Act 2006. See Appendix 6 of the National Data Opt Out Operational Policy Guidance for more information
  • Contract documentation: the Platform Contract, the NHS-PET Contract, the Memorandum of Understanding (MoU) and the Data Processing Agreements (DPAs)
  • Controller: Has the meaning given in UK General Data Protection Regulation (GDPR) being the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data (subject to Section 6 of the Data Protection Act 2018)
  • Data Governance Group: means a national group established by NHS England to provide oversight to the approach to data processing and sharing across all Instances of the Federated Data Platform and NHS privacy enhancing technology (NHS-PET) which will include membership from across FDP user organisations
  • Data loss incident: means any event that results, or may result, in unauthorised access to personal data held by the FDP contractor under the contractual documentation, and/or actual or potential loss and/or destruction of personal data in breach of the contractual documentation, including any personal data breach
  • Data processing agreement: The form of data processing agreement to be entered into between each of the FDP contractors and an integrated care board (ICB), an NHS trust or another NHS body in the form as required by the Platform Contract, the NHS-PET Contract and the MoUs
  • Data processing schedule: the schedule containing Processing instructions in the form set out in the data processing agreement
  • Data protection legislation: The Data Protection Act 2018, UK GDPR as defined in and read in accordance with that Act, and all applicable data protection and privacy legislation, guidance, and codes of practice in force from time to time
  • Data Security and Protection Toolkit (DSPT): the Data Security and Protection Toolkit is an online self-assessment tool that FDP user organisations are required to complete annually to demonstrate they are meeting required data protection and security standards
  • Direct care: a clinical, social, or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.
  • Directly identifiable personal data: personal data that can directly identify an individual.
  • DPA(s): Data Processing Agreements between each of the FDP user organisations and each of the FDP contractors in the form required under the Platform Contract, the NHS-PET Contract, and the MoU
  • DPIA(s): Data Protection Impact Assessments in a form that meets the requirements of UK GDPR
  • Federated Data Platform: the NHS Federated Data Platform
  • FDP: the NHS Federated Data Platform
  • FDP Contract: the NHS-PET Contract and the Platform Contract
  • FDP contractor(s): the NHS-PET Contractor and/or the platform contractor
  • FDP Data Principles: means the principles set out in Part 2 of Schedule 3 (FDP Data Principles)
  • FDP Incident Management Protocol: means an incident management protocol to be agreed between the FDP contractors, NHS England and FDP user organisations and approved by the Data Governance Group
  • FDP Information Governance (IG) Audit and Assurance Framework: means a document setting out the types of assurance reviews and audits that should be carried out by FDP user organisations, including frequency, reporting and follow up actions, to assure compliance with the MoU and this IG Framework document
  • FDP Programme: the NHS England Programme responsible for the procurement and implementation of the FDP across the NHS
  • FDP Specialist External Information Governance (IG) Advisory Group: the advisory group established by NHS England to provide specialist IG advice to the FDP Programme which includes membership from external organisations including the Office of the National Data Guardian and the Information Commissioner’s Office
  • FDP user organisations: NHS England, integrated care boards (ICBs), NHS trusts and other NHS bodies (including a commissioned health service organisation) who wish to have an Instance of the Federated Data Platform and who have entered into an MoU with NHS England. In the case of a commissioned health service organisation, the MoU is also to be entered into by the relevant NHS Body who has commissioned it
  • General FDP Privacy Notice: a privacy notice providing information on the personal data processed in the Federated Data Platform and by NHS-PET generally, including the approved use cases for which products will process personal data
  • ICB: integrated care board
  • ICS: integrated care system
  • IG documentation: The information governance documentation referred to in Section 7 (information governance documentation)
  • IG Framework document, or document: means this information governance framework document
  • Incident: an actual or suspected security breach or data loss incident
  • Instance: a separate instance or instances of the Federated Data Platform deployed into the technology infrastructure of an individual FDP user organisation
  • Joint controller: has the meaning given in UK GDPR, being where two or more controllers jointly determine the purposes and means of processing personal data
  • Joint controller arrangement: Has the meaning given in UK GDPR being an arrangement between two or more joint controllers who shall in a transparent manner determine their respective responsibilities for compliance with the obligations under UK GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 of UK GDPR and reflecting the respective roles and relationships of the joint controllers with the data subjects. The essence of the arrangement shall be made available to the data subject
  • Local FDP user organisation: An FDP user organisation other than NHS England
  • Machine data: AWS monitoring data and logs of engineering activity e.g. environment stand up
  • MoU: the Memorandum of Understanding signed between NHS England and an NHS Trust, ICB or other NHS Body as may be amended from time to time in accordance with its terms
  • National Data Opt Out: The Department of Health and Social Care’s policy on the National Data Opt Out which applies to the use and disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England. See the National data opt out overview and Operational policy guidance for more information
  • Near miss: means circumstances in which a personal data breach could have occurred
  • NHS body: Has the meaning given in the NHS Act 2006
  • NHS FDP System IG Group: The user group established by NHS England for local information governance (IG) leads to discuss and agree IG documentation for the initial and the subsequent deployment of other local Products
  • NHS-PET Contract: the Contract between NHS England and the NHS-PET Contractor relating to the NHS-PET Solution dated 28 November 2023 as may be amended from time to time in accordance with its terms
  • NHS-PET contractor: IQVIA Ltd
  • NHS-PET solution: The privacy enhancing technology solution which records data flows into the Federated Data Platform and where required treats data flows to de-identify them
  • Ontology: is a layer that sits on top of the digital assets (datasets and models). The ontology creates a complete picture by mapping datasets and models used in products to object types, properties, link types, and action types. The ontology creates a real-life representation of data, linking activity to places and to people.
  • Operational data: items of operational data that do not relate to individuals, e.g. stocks of medical supplies.
  • Parties: NHS England, the platform contractor, the NHS-PET contractor, and FDP user organisations
  • Personal data: Has the meaning given in UK GDPR being any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the purposes of this IG Framework document this also includes information relating to deceased patients or service users. Personal data can be directly identifiable personal data or pseudonymised data.
  • Personal data breach: Has the meaning given in UK GDPR being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise Processed
  • Platform contract: The agreement between NHS England and the platform contractor in relation to the Federated Data Platform dated 21 November 2023 as may be amended from time to time in accordance with its terms
  • Platform contractor: Palantir Technologies UK Ltd
  • Product: a product providing specific functionality enabling a solution to a business problem of an FDP user organisation operating on the Federated Data Platform. A list of approved products is set out in Part 2 of Schedule 2
  • Product Privacy Notice: A privacy notice providing information on the personal data processed in the Federated Data Platform and by NHS-PET in relation to each product, including the purposes for which the product processes personal data
  • Process or processing: has the meaning given in UK GDPR being any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction
  • Processor: Has the meaning given in UK GDPR being a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller
  • Programme: The Programme to implement the Data Platform and NHS-PET across NHS England, NHS Trusts and ICBs
  • Pseudonymisation: Has the meaning given in UK GDPR being the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person
  • Pseudonymised Data: Personal Data that has undergone Pseudonymisation
  • Purpose Based Access Controls or PBAC: Means user access to data is based on the purpose for which an individual needs to use data rather than their role alone, as described more fully in Part 2 of Schedule 3
  • Role Based Access Controls or RBAC: Means user access is restricted to systems or data based on their role within an organisation. The individual’s role will determine what they can access as well as the permissions and privileges they will be granted, as described more fully in Part 2 of Schedule 3
  • Security Breach: Is a breach of security, and includes in the case of the Platform Contractor, a Breach of Security as defined in Schedule 2.4 (Security Management) of the Platform Contract
  • Special Category Personal Data: Means the special categories of Personal Data defined in Article 9(1) of UK GDPR being Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • Transition Phase: Is the first phase of rolling out the Data Platform which involves NHS England and Local FDP user organisations who currently use Products, moving their existing Products onto the new version of the software that is in the Data Platform. There is no change to the data that is being processed, the purposes for which it is processed or the FDP user organisations who are processing the data during the Transition Phase. The Transition Phase will start in March 2024 and is expected to run until May 2024.
  • User organisation System: FDP user organisation IT systems from which source information is obtained that is Processed within the Data Platform and NHS-PET
  • User organisation system contractor: Third party contractors providing user organisation systems to FDP user organisations as their processor
  • UK GDPR: UK GDPR as defined in and read in accordance with the Data Protection Act 2018

3. FDP contractual structure

The Contractual Documents consist of the following documents:

3.1 Platform contract

This is the Agreement entered into between the Platform Contractor and NHS England for the design, implementation, and operation of national and local Instances of the Data Platform. It requires:

  • NHS England to enter into an MoU in the form set out in the Platform Contract with each of the FDP user organisations who choose to deploy a local Instance of the Data Platform
  • the Platform Contractor to enter into a DPA with each FDP user organisation who chooses to deploy a local Instance of the Data Platform
  • The Platform Contractor to comply with this IG Framework Document

3.2 NHS privacy enhancing technology (NHS-PET) contract

This is the Agreement entered into between the NHS-PET Contractor and NHS England for the implementation and operation of the NHS-PET Solution. It requires:

  • the NHS-PET Contractor to enter into a DPA with each FDP user organisation who chooses to deploy a local Instance of the Data Platform
  • The NHS-PET Contractor to comply with this IG Framework Document

3.3 Memorandum of Understanding (MoU)

This is the Agreement entered into between NHS England and an ICB, a Trust or another NHS Body in the form required by the Contract Documentation which sets out the arrangements as between those parties in relation to funding, technical and information governance arrangements for the use of the Data Platform, Products and NHS-PET by the ICB or NHS Trust. It flows down a number of required contractual provisions to the ICB or Trust from the Platform Contract and the NHS-PET Contract. It requires:

  • NHS England to procure the use of the Data Platform for the FDP user organisation on the terms set out in the MoU, including compliance by the FDP user organisations with the authorised user terms
  • NHS England and FDP user organisations to comply with Data Protection Legislation in connection with the MoU, observe the FDP Data Principles and comply with various provisions in relation to data Processing set out in clause 7
  • The FDP user organisation to enter into a DPA with the FDP Contractors in the form required by the MoU

3.4 Data Processing Agreements (DPA)

This refers to the form of data processing agreement (“Data Processing Agreement”) to be entered into between each of the FDP Contractors and an ICB, an NHS Trust or another NHS Body as required by the Platform Contract, the NHS-PET Contract and the MoUs. It sets out the terms upon which the FDP Contractor is appointed as a Processor and upon which it will Process Personal Data on behalf of the ICB, NHS Trust or other NHS Body who is the Controller of that Personal Data.

A diagram showing this contractual structure is set out in Part 1 of Schedule 1 (Contractual Documentation).

4. Parties

This IG Framework Document applies to the following Parties:

  • NHS England
  • The platform contractor
  • The NHS-PET contractor
  • The local FDP user organisations

5. Data protection roles and information governance responsibilities

5.1 Data protection roles – contractual documentation

The parties have the following data protection roles under the contractual documentation:

  • NHS England: is the sole Controller of the Personal Data Processed by the Platform Contractor and the NHS-PET Contractor in the national Instance of the Federated Data Platform. See the diagram at Part 4 of Schedule 1 (Diagrams) in relation to national and local Instances
  • Local FDP user organisation: is the sole Controller of the Personal Data Processed by the Platform Contractor and the NHS-PET Contractor in a local Instance of the Data Platform, subject to what is said below regarding joint controllership. See the diagram at Part 4 of Schedule 1 (Diagrams) in relation to national and local Instances
  • NHS England and each Local FDP user organisation are joint controllers in relation to the following aspects of the Local FDP user organisation’s local Instances of the Federated Data Platform and NHS-PET (as the case may be): NHS England broadly provides the parameters for the use of FDP and the NHS-PET solution for the design, governance, and service management. The Local FDP user organisation decides whether to use FDP, what Products to use, what data to commit to FDP and how to use it within the parameters set by NHS England. Respective responsibilities are set out in Schedule 7 (Joint Controller Table)
  • FDP Contractor: is the Processor of the Personal Data for NHS England or a Local FDP user organisation processed in the national and local Instances of the Federated Data Platform
  • NHS-PET contractor: is the processor of the personal data for NHS England or a Local FDP user organisation processed using NHS-PET prior to it entering or leaving a national or local instance of the Federated Data Platform.

5.2 Controller responsibilities

It will be the responsibility of each Controller to ensure in relation to its Processing of Personal Data in the Federated Data Platform and NHS-PET that:

  • it complies with Data Protection Legislation and the Common Law Duty of Confidentiality
  • it is a Controller of the Personal Data it is Processing within its own Instance of the Federated Data Platform and the NHS-PET
  • where it is a Joint Controller other than with NHS England, it has the approval of the other Joint Controller(s) to Process jointly controlled Personal Data
  • where NHS England and the Local FDP user organisation are Joint Controllers, that they each comply with their responsibilities as a Joint Controller as set out in Schedule 7 (Joint Controller Table)
  • subject to case-by-case exceptions approved by the Data Governance Group, it can demonstrate annual compliance with the Data Security and Protection Toolkit (DSPT) at the ‘standards met’ level
  • it has a lawful basis to Process all Personal Data within the Federated Data Platform and NHS-PET under the Common Law Duty of Confidentiality and Data Protection Legislation. For information on the lawful basis to Process Personal Data, Special Categories of Personal Data and Confidential Patient Data, see Schedule 4 (Lawful Bases)
  • it respects and complies with the National Data Opt Out where it applies to any Processing of Confidential Patient Information in the Federated Data Platform and NHS-PET
  • it produces, obtains internal approval, FDP Contractor approval for and publishes (redacted as necessary) Overarching DPIAs and Product DPIAs for all Personal Data it Processes in the Federated Data Platform and NHS-PET. See below at Section 7.1 to 7.3 (Information Governance Documentation) in relation to DPIAs
  • it produces, obtains internal approvals for, and publishes transparency information and a Privacy Notice for all Personal Data it Processes in the Federated Data Platform and NHS-PET. See below at Section 7.4 (Information Governance Documentation) in relation to this
  • it produces and obtains internal approvals for its underlying data flow DPIAs, data sharing agreements and non-NHS England Joint Controller Arrangements and keeps these up to date to reflect the Processing of Personal Data being carried out on the Federated Data Platform and NHS-PET, including any Personal Data it shares with or receives from NHS England and/or other Local FDP user organisations through the Data Platform and NHS-PET
  • it provides the FDP Contractors with relevant Processing instructions through a Data Processing Schedule and otherwise operates in accordance with its responsibilities under the terms of the DPAs, or in the case of NHS England, under clause 23 of the Platform Contract and clause 17 of the NHS-PET Contract DPAs. See below at Section 7.5 (Information Governance Documentation) in relation to Processing instructions.
  • it maintains its own information asset registers and record of Processing activities with relevant details of the Data Processed in the Federated Data Platform and NHS-PET
  • it operates in accordance with its responsibilities in the MoU and under this IG Framework Document
  • it reports any Incident in accordance with its responsibilities under Section 9 (Incident Reporting & Management Procedure) below
  • it puts in place and maintains appropriate Role Based Access Controls and Purpose Based Access Controls to control its own users’ access to Personal Data Processed in the Federated Data Platform in accordance with the Role Based and Purpose Based Access Control Principles in Part 2 of Schedule 3 (FDP Design and IG Principles)
  • it will carry out appropriate assurance reviews and audits of its Processing activity in the Federated Data Platform and NHS-PET in line with the FDP IG Audit and Assurance Framework to assure that it is complying with the MoU and this IG Framework Document. A summary of assurance reviews and audits carried out and the key recommendations and actions will be shared with the Data Governance Group
  • it ensures that any Personal Data stored in the Federated Data Platform and NHS-PET is not accessible by its own personnel or contractors from outside the UK. This does not apply to Machine Data which is not Personal Data

5.3 Processor responsibilities

It will be the responsibility of each of the FDP Contractors to ensure in relation to its Processing of Personal Data in the Federated Data Platform and NHS-PET as a Processor that:

  • it Processes Personal Data only in accordance with the relevant Processing instructions provided in the approved product Data Processing Schedules by:
    • NHS England in relation to the national Instance and
    • Local FDP user organisations in relation to the local Instances of the Federated Data Platform and NHS-PET
  • it operates in accordance with its responsibilities under the terms of the DPAs, or in the case of NHS England, under clause 23 of the Platform Contract and clause 17 of the NHS-PET Contract and this IG Framework Document
  • it operates in accordance with its responsibilities under the FDP Contract and the NHS-PET Contract in relation to data security and cyber security, including implementing NHS England and Local FDP user organisation Role Based and Purpose Based Access Controls
  • it reports any Incident in accordance with its responsibilities under Section 9 (Incident Reporting & Management Procedure) below
  • it provides monthly reports to the Data Governance Group of the planned and actual deployment of all new Instances and new Products within the national and local Instances of the Federated Data Platform and NHS-PET
  • it co-operates and collaborates with NHS England and Local FDP user organisations to support them in their implementation of this IG Framework Document. Such co-operation and collaboration will include supporting the development of the FDP Audit and Assurance Framework and carrying out its own assurance reviews and audits of its compliance with the FDP Contracts and this IG Framework Document
  • its solutions shall provide effective and robust cyber security controls (in technology, process, and governance) to ensure the integrity, confidentiality and availability of the Federated Data Platform and NHS-PET and of the data that will be Processed in them. These cyber security controls must meet the security requirements stipulated within the relevant FDP Contract
  • it ensures that any Personal Data stored in the Federated Data Platform and NHS-PET, is stored in the UK and is not accessible by its own personnel or contractors from outside the UK. This does not apply to Machine Data which is not Personal Data
  • it can demonstrate annual compliance with the Data Security and Protection Toolkit (DSPT) at the ‘standards met’ level.

6. FDP information governance principles

The following principles apply to the operation of the Federated Data Platform and NHS-PET and all Parties agree to comply with these principles in relation to the design, development and deployment of the Data Platform and NHS-PET:

6.1 FDP data principles

See the principles attached to Part 1 of Schedule 3 (FDP Principles).

6.2 Role based access controls and purpose based access control principles

See the principles attached to Part 2 of Schedule 3 (FDP Principles).

7. Information governance documentation

The following Information Governance Documentation (IG Documentation) will consistently be put in place in relation to all Instances of the Federated Data Platform and NHS-PET:

7.1 Overarching DPIAs

NHS England will produce an overarching DPIA for each of the Federated Data Platform and NHS-PET with assistance and co-operation in line with the Contractual Documentation from the FDP Contractors in order to discharge its responsibilities as a Controller for the Personal Data that it will Process on the Federated Data Platform as part of the national Instance. It will co-operate with the Local FDP user organisations for the deployment in the production of the initial DPIAs and with all Local FDP user organisations in relation to any updates to these DPIAs through the NHS FDP System IG Group.

NHS England will make these overarching DPIAs available to Local FDP user organisations who will be responsible for producing or adopting and approving these DPIAs for their own use in relation to their local Instances. NHS England provides the DPIAs for information only, and it is the responsibility of each FDP user organisation to ensure that the overarching DPIAs meet their own requirements and enable them to comply with data protection legislation.

7.2 National ontology DPIA

NHS England will produce a DPIA for the transition into FDP of the national data ontology that underpins the use of data within all of the Products in the national Instance of the Federated Data Platform (ontology DPIA).

The FDP Contractors will co-operate with NHS England in relation to the creation and maintenance of the national Ontology DPIA.

7.3 Product DPIAs

7.3.1 National product DPIAs

NHS England will produce DPIAs for Products in the national Instance of the Federated Data Platform with assistance and co-operation in line with the Contractual Documentation from the FDP Contractors in order to discharge its responsibilities as a Controller for the Personal Data that it will Process in Products on the Data Platform as part of the national Instance.

7.3.2 Local product DPIA templates

NHS England will produce DPIA Templates for Products to be deployed in the local Instances of the Federated Data Platform, including for Products in existing use and which will migrate from the existing local instances of Foundry to the Data Platform. The FDP Contractors will assist and co-operate with NHS England and Local FDP user organisations in line with the Contractual Documentation on the production of DPIA Templates for Products to be deployed in local Instances in order to support the Local FDP user organisations in the discharge of their responsibilities as a Controller for the Personal Data that they will Process in the Products on local Instances of the Federated Data Platform.

Local FDP user organisations will co-operate with each other, NHS England, and the FDP Contractors in the production of the DPIA Templates for the Products to be deployed in the local Instance of the Data Platform and in relation to any updates to these Templates, through the NHS FDP System IG Group.

NHS England will make the DPIA Templates for the Products to be deployed in the local Instances of the Federated Data Platform available to Local FDP user organisations who will be responsible for producing or adopting and approving these Templates for their own use as DPIAs in relation to the Products they use in their local Instances. NHS England provides the DPIA Templates for local Products for information only, and it is the responsibility of each Local FDP user organisation to adapt these Templates to create their own FDP Product DPIAs so as to meet their own requirements and enable them to comply with Data Protection Legislation.

7.3.3 Dataset and dataflow DPIAs

NHS England and local FDP user organisations will each be responsible for updating or producing their own DPIAs for the source systems, data, and dataflows which they each use to flow data into the national or local Instances of the Federated Data Platform, for example DPIAs relating to their electronic patient record system and staff rostering system. These existing DPIAs for source systems, data and dataflows are not part of this IG Framework Document.

A diagram explaining the approach to the production of DPIAs is set out in Part 2 of Schedule 1 (diagrams).

7.4 Privacy notices

NHS England will produce:

  • general transparency information about the Federated Data Platform and NHS-PET, including a general FDP and NHS-PET Privacy Notice (General FDP Privacy Notice), which must be approved by the Data Governance Group and which it will publish on its website.
  • Template transparency information for each Product in the national and local Instance that Processes Personal Data, which must be approved by the Data Governance Group and which it will publish on its website.

NHS England will co-operate with the Local FDP user organisations in the production of transparency information and the General FDP Privacy Notice and with all Local FDP user organisations in relation to any updates to these through the NHS FDP System IG Group. It will also seek internal and external stakeholder review and feedback on the development of the transparency information and the General FDP Privacy Notice.

Local FDP user organisations may use the template Product transparency information for each Product in the local Instances of the Federated Data Platform which they deploy.

It is the responsibility of Local FDP user organisations to ensure that the general transparency information, template Product transparency information and General FDP Privacy Notice published by NHS England meets their own requirements and enables them to comply with Data Protection Legislation or to produce such additional material as they feel is required to enable them to do so.

7.5 Data processing schedules

NHS England will produce a template Data Processing Schedule for each Product in the national Instance of Federated Data Platform and complete this in accordance with the terms of the Platform Contracts before any Personal Data is Processed by the national Product on the Data Platform.

Local FDP User Organisations will produce a template Data Processing Schedule for each Product in the local Instance of the Federated Data Platform and complete this in accordance with the terms of the MoU and the DPAs before any Personal Data is Processed by the local Product on the Federated Data Platform.

Local FDP User Organisations, NHS England and the FDP Contractors will co-operate and assist each other in the production of template Data Processing Schedules, through the NHS FDP System IG Group. There will be one template Data Processing Schedule for each Product only. All Data Processing Schedule templates must be approved by the Data Governance Group.

It is the responsibility of FDP User Organisations to ensure that the approved template Data Processing Schedules meet their own requirements and to complete the templates so as to enable them to comply with their responsibilities under the MoU, this IG Framework Document, DPAs and Data Protection Legislation.

7.6 Documentation relevant for the deployment of each Product

The FDP Local User Organisation FDP and NHS-PET Deployment Pack will be developed by NHS England and Local User Organisations as part of the Transition Phase of the Programme and will contain more detail on how the required IG Documentation is to be developed as part of the implementation of a local instance of the Federated Data Platform and NHS-PET.

8. Freedom of information (FOI) protocols

The FDP Contractors and NHS England will follow the process set out in Part 1 (FDP Contractor and NHS England FOI Handling Process) of Schedule 5 (FOI Protocols) in relation to the handling of requests made under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004.

The FDP Contractors, NHS England and Local FDP User Organisations will collaborate to put in place an FOI Protocol for handling FOI requests received by Local FDP User Organisations which will be approved by the Data Governance Group and become Part 2 of Schedule 5 of this Document.

9. Incident reporting and management procedure

In the event of an actual or suspected Security Breach or Data Loss Incident (Incident) in any Instance of the Federated Data Platform or NHS-PET, any Party who becomes aware of the Incident will immediately notify NHS England of the Incident by calling NHS England’s National Service Desk on 0113 518 0000 providing as much information as it can at the time of notification.

In the case of the Platform Contractor such notification will be made in accordance with its obligations under:

  • clause 20 (Authority Data and Security Requirements), clause 23 (Protection of Personal Data) and Schedule 2.4 (Security Management) of the Agreement; and
  • clause 6 of the FDP Data Processing Agreement.

In the case of the NHS-PET Contractor such notification will be made in accordance with its obligations under:

  • clause 17 (Protection of Personal Data) and Schedule 3 (Cyber Security and Information Governance) of the Contract; and
  • clause 6 of the NHS-PET Data Processing Agreement.

The FDP Contractor will notify NHS England of all Incidents.

The FDP Contractor and FDP User Organisations will co-operate with NHS England’s service bridge, cyber, security, data protection and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the Incident in accordance with the FDP Incident Management Protocol. For the avoidance of doubt, the relevant Controller will report any Personal Data Breach to the Information Commissioner’s Office in line with its responsibilities under the UK General Data Protection Regulation (UK GDPR), section 5.2 above and Schedule 7 (Joint Controller Table).

NHS England and the FDP Contractors will co-operate with the Local FDP User Organisation’s cyber, security, data protection and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the FDP Incident Management Protocol.

A Near Miss will be reported by each party in accordance with the process set out in the relevant Part of Schedule 5 (ways of working).

Brief details of all Personal Data Breaches, including their root cause, will be reported by NHS England, the FDP Contractor, or the Local FDP User Organisation (depending on who the Controller and Processor is in relation to the Personal Data Breach) to the Data Governance Group. Each party will co-operate with the other impacted parties in the production of the reports.

10. Governance arrangements

The following governance groups will be put in place:

10.1 FDP IG nominated leads

Each Local FDP user organisation will nominate a named IG Lead and a deputy who will be responsible for attending the NHS FDP System IG Group and who will work with NHS England and other local FDP user organisations on the completion of the IG documentation for their instances of the Federated Data Platform and NHS-PET.

Each Local FDP user organisation will ensure that the contact details for their data protection officer, caldicott guardian, SIRO and chief information security officer provided to NHS England under the MoU are kept up to date.

10.2 NHS FDP System IG Group

NHS England will establish an NHS FDP System IG Group.

The NHS FDP System IG Group will be established to provide a forum for FDP User Organisations to collaborate and co-operate with each other in the application of good information governance, the development and completion of the IG Documentation and the implementation of this IG Framework Document. The Group’s role will include:

  • developing ways of working on information governance matters with the FDP Contractors, NHS England and across Local FDP user organisations
  • developing a draft FDP IG Audit and Assurance Framework for consideration and approval by the Data Governance Group

The NHS FDP System IG Group will meet monthly, will be chaired by NHS England and will be made up of representatives of NHS England, at least one IG or cyber lead from each of the local FDP user organisations, and representatives of the FDP contractors who will attend for relevant parts of the meeting.

NHS England will produce terms of reference for the NHS FDP System IG Group, which will be approved by the NHS FDP System IG Group, arrange meetings, and provide secretariat services for the group. The terms of reference will be published on the NHS England website.

10.3 FDP Data Governance Group

A national FDP Data Governance Group (Data Governance Group) will be established by NHS England to provide FDP Programme oversight of the information governance arrangements for the FDP, including the approach to data Processing and sharing across all Instances of the Federated Data Platform and NHS-PET. The Group’s role will include:

  • facilitating consistency over IG Documentation through approving template documentation as required by section 7 (Information Governance Documentation) above.
  • providing advice to NHS England and Local FDP User Organisations on the approach to consistent data Processing and sharing within the Federated Data Platform and NHS-PET as requested.
  • on a case-by-case basis, approving a Local FDP User Organisation for existing and new local Instances of the Federated Data Platform where an NHS Body that applies to become a Local FDP User Organisation, or a User Organisation System Contractor, cannot demonstrate ‘Standards Met’ against the Data Security and Protection Toolkit (DSPT) as required by Section 5.2 (Controller Responsibilities) above. Approval may be subject to such conditions as the Data Governance Group requires.
  • approving the FDP IG Audit and Assurance Framework, receiving, and considering IG audit and assurance reports and advising on any actions in relation to the same.
  • approving the FDP Incident Management Protocol.
  • approving the FOI Protocol.
  • providing oversight of information governance issues relating to:
    • the establishment of new Instances of the Federated Data Platform and NHS-PET;
    • the use of Products within the Federated Data Platform and NHS-PET;
    • receiving and considering reports on any Incidents; and
    • considering and recommending any changes to this IG Framework Document.

All products of the Federated Data Platform will require approval from the Data Governance Group prior to going live. The Data Governance Group will work in collaboration with the Cyber Security Group and the Clinical Safety Group to approve all new products, which will require approval from all three Groups before going live.

The Data Governance Group will be chaired by NHS England and meet monthly. It will be made up of NHS England representatives, at least one representative of the Local FDP user organisations for each region, who should be a senior IG specialist, and representatives of the FDP Contractors who will attend for relevant parts of the meeting. NHS England will also invite a member of the NHS England Advisory Group for Data to attend meetings in an advisory capacity and may invite other external stakeholders to attend as required, including representatives of the National Data Guardian and the Information Commissioner’s Office.

NHS England will produce Terms of Reference for the Data Governance Group, schedule meetings and provide secretariat services for the Group. The Group will approve the Terms of Reference and any subsequent changes made to them. Details of members, the Terms of Reference and Approvals and Actions from meetings (subject to confidentiality restrictions) will be published on the NHS England website.

10.4 FDP Specialist External IG Group

An FDP Specialist External IG Group will be established by NHS England to provide external IG stakeholder advice on the approach to data Processing and sharing across all Instances of the Federated Data Platform and NHS-PET. The Group’s role will include providing external stakeholder advice to NHS England on the approach to consistent data Processing and sharing within the Federated Data Platform and NHS-PET as requested.

The FDP Specialist External IG Group will meet at least monthly during the deployment and at least quarterly thereafter. It will be independently chaired and made up of external stakeholders with expertise in information governance, patient engagement and communication, and will include at least one representative of the National Data Guardian, the Information Commissioner’s Office, and the Department for Health and Social Care.

NHS England will produce terms of reference for the FDP Specialist External IG Group, schedule monthly meetings and provide secretariat services for the Group. The group will approve the terms of reference and any subsequent changes made to them. Details of members, the terms of reference, and actions from meetings (subject to confidentiality restrictions) will be published on the NHS England website.

10.5 Supporting documentation and guidance

NHS England will establish and maintain a document site where it will publish all approved template IG documentation, supporting IG documentation, reference material and guidance to support Local FDP user organisations to deploy local Instances of the Federated Data Platform and NHS-PET.

A list of initial IG documentation to be made available is set out in Schedule 6 (IG documentation).

11. Changes to this document, review and publication

This document will be reviewed at least annually, and any updates must be approved by the Data Governance Group and the FDP contractors, with approval not to be unreasonably withheld or delayed.

Once approved by the Data Governance Group this document will be published on the NHS England website.

12. Version control

A record of each version of this information governance framework document and its approval date will be maintained at Schedule 8 (version control log).

Schedule 1 – diagrams

Part 1 – diagram of the contractual documentation

This diagram shows the contractual structure for the federated data platform (FDP) and the privacy enhancing technology NHS-PET. It also shows the relationship of responsibilities between the two processors, Palantir (FDP) and IQVIA (NHS-PET), and the three controllers, NHS England, integrated care boards and acute trusts.

Part 2 – diagram of the approach to DPIAs

This diagram shows the levels of DPIAs as an umbrella structure, with the overarching FDP DPIAs at the top level, national and local Product DPIAs in the middle, and local DPIAs at trust/ICB level at the bottom. The left side of the diagram shows the party responsible for each level: NHS England for the top and middle levels and trusts/ICBs for the bottom level.

Part 3 – approved use cases and products within the Federated Data Platform

This diagram shows the 5 use cases and 1 future use case, and the number of products that fall within each use case. The diagram also has a colour code for products which identifies the supplier; data platform supplier, supplier 1, supplier 2 and supplier 3 e.g. SME.

Part 4 – FDP national and local instances

This diagram shows the instances of the NHS Federated Data Platform, those being: national, local 1 and local 2. It also identifies who these instances are used by (NHSE, FDP user organisation 1 and FDP user organisation 2) and how many products fall within each instance.

Schedule 2 – approved use cases and products

Part 1 – approved use cases

The following Use Cases have been approved by the Programme:

  • Elective recovery – to address the backlog of people waiting for appointments or treatments.
  • Care coordination – to enable the effective coordination of care between local health and care organisations and services, reducing the number of long stays in hospital.
  • Vaccination and immunisation – to continue to support the vaccination and immunisation of vulnerable people while ensuring fair and equal access and uptake across different communities.
  • Population health management – to help integrated care systems proactively plan services that meet the needs of their population.
  • Supply chain management – to help the NHS put resources where they are needed most and buy smarter so that we get the best value for money.

Any change to these Approved Use Cases, or new use cases will require further engagement with public, patient and stakeholder assurance and advisory groups, including the Specialist IG Advisory Group and approval from the Data Governance Group.

A diagram showing how approved use cases and products work together is set out in Part 3 of Schedule 1.

Part 2 – approved products

Approved products will be published on NHS Futures.

Schedule 3 – FDP principles

Part 1 – FDP data principles

1. No personal data will be processed within the Federated Data Platform unless:

  • the purpose of the processing falls within one of the approved use cases; and
  • the product has been approved by the Data Governance Group.

2. All data flowing into and out of the Data Platform must be registered using the NHS-PET Solution. Registration will include details of the individual data items in a data flow, the Categorisation of Data, the source of the data items, the purpose for which the data is to be Processed under an Approved Use Case and the Approved Product to which it relates.

3. The Parties will observe and comply with the requirements of Data Protection Legislation, the Common Law Duty of Confidentiality, and the requirements of any relevant guidance (including, in relation to Confidential Patient Data, the Caldicott Principles) in their Processing of Personal Data within the Data Platform and NHS-PET.

4. The Parties will observe and comply with the National Data Opt Out Operational Policy Guidance[1] in relation to the application of the National Data Opt Out in relation to all Confidential Patient Information Processed within the Data Platform and NHS-PET.

5. The Parties will ensure that any data sharing between them which relates to Personal Data Processed in the Data Platform or NHS-PET complies with the Parties’ legal, statutory, and common law duties, including under the Data Protection Legislation and the Common Law Duty of Confidentiality, and the requirements of any relevant guidance, including in relation to Confidential Patient Data, the Caldicott Principles.

6. No Personal Data will be shared between NHS England and the Local FDP User Organisations through the Data Platform without first agreeing the legal basis for that sharing and, unless the Personal Data is shared by the Local FDP User Organisation with NHS England under section 259 of the Health and Social Care Act 2012, entering into a written data sharing agreement before the Personal Data is shared, the details of which those Parties will publish.

7. The Parties will maintain appropriate policies and procedures to meet NHS requirements for Data Protection, Data Security and Confidentiality.

8. Subject to any exceptions agreed by the Data Governance Group, the Parties will maintain ‘Standards Met’ in respect of all requirements under the NHS Data Security and Protection Toolkit.

9. The Parties will each ensure effective procedures are in place:

  • to ensure transparency for data subjects, including publishing privacy notices in relation to their use of Personal Data within or connected to the use of the Data Platform and NHS-PET;
  • to address complaints and the exercise of individual rights relating to their use of Personal Data within or connected to the use of the Data Platform and NHS-PET;
  • to notify each other promptly and co-operate in relation to investigations by the Information Commissioner’s Office or threatened or actual legal proceedings in relation to their Processing of Personal Data within or connected to the use of the Data Platform and NHS-PET.

10. All Data Processed in the Data Platform and NHS-PET will be defined within the relevant Product DPIA as Personal Data, Special Category Personal Data, and/or Confidential Patient Data using the following categorisation (as per their definition in Section 2 above) for each type of data ingested, Processed, and accessed or shared (which shall include for these purposes all Data Processed about a deceased individual):

  • directly identifiable personal data
  • pseudonymised data (which is personal data)
  • anonymised data (which is anonymous data)
  • aggregated data (which is anonymous data) or
  • operational data (which is anonymous data) 

Part 2 – role based and purpose based access control principles

1. Introduction

This section sets out the principles for role-based access control (RBAC) and purpose-based access control (PBAC) which will be utilised within FDP.

This section explains technical aspects of RBAC and PBAC as well as the roles and responsibilities of the organisations involved with FDP.

RBAC and PBAC can be described as follows:

  • RBAC is a mechanism that enables an individual to access restricted systems or data based on their role within an organisation. The individual’s role determines what they can access and the permissions and privileges they are granted.
  • PBAC is an additional layer of access control that can be used to support RBAC. For PBAC, access to data is based on the purpose for which an individual needs to use data rather than their role alone.

2. How RBAC and PBAC operates

RBAC works in line with each FDP User Organisation’s existing RBAC policies set by its Registration Authority. For more information see What is a Registration Authority (RA)? – NHS Digital.

Within FDP, PBAC will operate as follows:

  • An operational decision maker within an FDP User Organisation identifies a purpose for using data within that Organisation’s Instance. For the use of FDP, the purpose must be aligned to one of the five approved use cases (see the IG Framework Document for details of the approved use cases).
  • If the purpose is approved by the FDP User Organisation, a secure access-controlled space within the Instance is created.
  • Data within the Instance, which the FDP User Organisation has approved as being necessary and proportionate to achieve the purpose, is added to the secure purpose space.
  • If an individual within the FDP User Organisation is tasked with working on the purpose, they can apply for access to the secure purpose space, and the data within it. In the application, the individual will need to explain the level of permissions which they require and the reason why they require access to the purpose space.
  • The individual does not apply for access to specific data – their application is based on the purpose and the FDP User Organisation will already have determined which data is necessary and proportionate to achieve that purpose.
  • The request and approval process is documented within FDP at every step to provide a clear audit trail.

3. Roles and responsibilities

The roles and responsibilities for:

  • NHS England (FDP and NHS-PET): For the FDP and NHS-PET, NHS England will be responsible for overseeing the technical design, governance, and service management of RBAC and PBAC mechanisms which are implemented by the suppliers of FDP and NHS-PET and available to be used by the FDP User Organisations.
  • NHS England (the national Instance): For its FDP Instance, referred to as the national Instance, NHS England will be responsible for establishing, operating, and approving:
    • The necessary processes and procedures required to implement the RBAC mechanism applied to its Instance of FDP, including identification of roles which require access to FDP and maintaining a robust ‘joiners, movers, leavers’ (JML) process.
    • The purposes for accessing data within its Instance.
    • The data which is necessary and proportionate to achieve the purpose which will be added to the secure purpose space within the Instance.
    • The processes and procedures for submitting, reviewing, and approving applications for access to any secure purpose space within its Instance.
    • A clear process for managing the removal of access when an individual no longer requires access for the purpose.
    • Designating Administrators who will have privileged access to the national FDP Instance to manage its national Instance users.
  • FDP User Organisations: For their local Instances, FDP User Organisations will be responsible for establishing, operating, and approving:
    • The necessary processes and procedures required to implement the RBAC mechanism applied to its Instance of FDP, including identification of roles which require access to FDP and maintaining a robust ‘joiners, movers, leavers’ (JML) process.
    • The purposes for accessing data within its Instance.
    • The data which is necessary and proportionate to achieve the purpose which will be added to the secure purpose space within the Instance.
    • The processes and procedures for submitting, reviewing, and approving applications for access to any secure purpose space within its Instance.
    • A clear process for managing the removal of access when an individual no longer requires access for the purpose.
    • Designating Administrators who will have privileged access to its local FDP Instance to manage local instance users.
  • FDP and NHS-PET suppliers: As instructed by NHS England, the suppliers of FDP and NHS-PET are responsible for:
    • Designing, implementing, and managing the RBAC and PBAC model and mechanism which is available to be used by all FDP User Organisations.
    • As instructed by the FDP User Organisation, updating the RBAC and PBAC model and mechanisms for that User’s individual Instance to ensure that the IG Framework Document and principles have been adhered to.
    • Informing NHS England of any additions, changes, or updates to the RBAC and PBAC model prior to implementation.
  • Use of Smartcards: Users accessing the platform will be required to pass a strong 2-Factor Authentication (2FA) challenge to verify their identity. This check can either be performed by the identity provider chosen by the Trust (such as smartcard verification through the CIS2 service) or by the platform natively (via a phone authenticator challenge). The Trust may configure multiple identity providers for different users, although it must be ensured that all users do pass a strong 2FA challenge. Authentication through the CIS2 service will require further configuration and acceptance of the CIS2 End User Agreement.  
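The following is an added example, not FDP or NHS-PET code, of how the purpose-space model in section 2 above can be enforced in code on top of RBAC: a purpose is only accepted under an approved use case, the organisation (not the applicant) fixes which datasets sit in the purpose space, an individual applies for the purpose rather than for data, the role from the Registration Authority caps the permission level that can be granted, every step is written to an audit trail, and access is removed for leavers and at the end of the task. The role names (`analyst`, `data_engineer`), the two permission levels, the event names and the sample users and datasets are all assumptions constructed for the example; the 2FA outcome is passed in as a flag rather than modelled.

```python
"""Toy purpose-based access control (PBAC) layered on RBAC for one FDP instance.
Added example, not FDP or NHS-PET code. Role names, the two permission levels and
the event names are assumptions; the rules follow Schedule 3 Part 2: approved use
case, organisation-fixed purpose space, apply for the purpose, log every step."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

APPROVED_USE_CASES = {"elective_recovery", "care_coordination", "vaccination_immunisation",
                      "population_health_management", "supply_chain_management"}
ROLE_MAX_PERMISSION = {"analyst": "read", "data_engineer": "edit"}  # assumed RA roles
PERMISSION_RANK = {"read": 1, "edit": 2}


@dataclass
class PurposeSpace:
    purpose: str
    use_case: str
    datasets: set = field(default_factory=set)   # fixed by the organisation, not the user
    grants: dict = field(default_factory=dict)   # user -> permission held


class Instance:
    """One FDP instance (national or local) operated by one user organisation."""

    def __init__(self):
        self.roles: dict = {}    # user -> role assigned by the Registration Authority
        self.spaces: dict = {}   # purpose -> PurposeSpace
        self.audit: list = []    # append-only trail of every decision

    def _log(self, event: str, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details})

    def assign_role(self, user: str, role: str):
        if role not in ROLE_MAX_PERMISSION:
            raise ValueError(f"unknown role {role!r}")
        self.roles[user] = role
        self._log("role_assigned", user=user, role=role)

    def remove_user(self, user: str):
        """Leaver step of the JML process: drop the role and every purpose grant."""
        self.roles.pop(user, None)
        for space in self.spaces.values():
            if space.grants.pop(user, None) is not None:
                self._log("grant_removed", user=user, purpose=space.purpose, reason="leaver")
        self._log("user_removed", user=user)

    def approve_purpose(self, purpose: str, use_case: str, datasets: set, approver: str):
        """The organisation approves a purpose and the data proportionate to it."""
        if use_case not in APPROVED_USE_CASES:
            raise PermissionError(f"{use_case!r} is not an approved use case")
        self.spaces[purpose] = PurposeSpace(purpose, use_case, set(datasets))
        self._log("purpose_approved", purpose=purpose, use_case=use_case,
                  datasets=sorted(datasets), approver=approver)

    def apply_for_access(self, user: str, purpose: str, permission: str, reason: str) -> dict:
        """The individual applies for a purpose space, never for a named dataset."""
        if user not in self.roles:
            raise PermissionError(f"{user!r} has no role from the Registration Authority")
        if purpose not in self.spaces:
            raise PermissionError(f"no approved purpose {purpose!r}")
        ceiling = PERMISSION_RANK[ROLE_MAX_PERMISSION[self.roles[user]]]
        if PERMISSION_RANK[permission] > ceiling:  # RBAC caps what PBAC may grant
            raise PermissionError(f"role {self.roles[user]!r} cannot hold {permission!r}")
        application = {"user": user, "purpose": purpose, "permission": permission, "reason": reason}
        self._log("access_requested", **application)
        return application

    def approve_access(self, application: dict, approver: str):
        if approver == application["user"]:
            raise PermissionError("an applicant cannot approve their own request")
        self.spaces[application["purpose"]].grants[application["user"]] = application["permission"]
        self._log("access_approved", approver=approver, **application)

    def revoke_access(self, user: str, purpose: str, reason: str):
        """Mover or end of task: remove the grant once the purpose no longer needs the user."""
        if self.spaces[purpose].grants.pop(user, None) is not None:
            self._log("grant_removed", user=user, purpose=purpose, reason=reason)

    def can_access(self, user: str, dataset: str, permission: str, strong_2fa: bool) -> bool:
        """Decision point: strong 2FA passed, role still current, and the dataset sits in a
        purpose space where the user holds a grant at or above the level requested."""
        if not strong_2fa or user not in self.roles:
            return False
        return any(dataset in s.datasets and user in s.grants
                   and PERMISSION_RANK[s.grants[user]] >= PERMISSION_RANK[permission]
                   for s in self.spaces.values())


def demo() -> Instance:
    """Constructed walk-through of the steps in Schedule 3 Part 2, section 2."""
    inst = Instance()
    inst.assign_role("alice", "analyst")
    inst.assign_role("bob", "data_engineer")
    inst.approve_purpose("waiting_list_validation", "elective_recovery",
                         {"pas_waiting_list", "theatre_schedule"}, approver="ig_lead")
    app = inst.apply_for_access("alice", "waiting_list_validation", "read",
                                "validating referral-to-treatment waiting list entries")
    inst.approve_access(app, approver="ops_manager")
    return inst
```

Two design points are worth noting. The decision in `can_access` never consults a per-dataset permission: a user either holds a grant on a purpose space that contains the dataset or they do not, which is what keeps the organisation, rather than the applicant, in control of what data is proportionate to the purpose. And the RBAC ceiling is checked at application time, so an approver cannot inadvertently grant a level the Registration Authority role does not permit; in a real deployment the same check should be repeated at approval time, since roles can change between the two steps.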

Schedule 4 – lawful bases

1.1 Statutory authority

NHS England has various statutory functions that enable it to procure and provide FDP for itself and for other FDP User Organisations. These include:

Section 270 of the Health and Social Care Act 2012 (2012 Act), to establish and provide FDP as a service to NHS Trusts and ICBs pursuant to NHS England’s power to supply services to any person and provide new services. The supply of FDP involves, and is connected with, the collection, analysis, publication, or other dissemination of information.

Section 13D of the National Health Service Act 2006 (NHS Act), as part of its duty as to effectiveness, efficiency etc.

Section 13K of the NHS Act, as part of its duty to promote innovation.

Section 1H(2) of the NHS Act as part of its duty under Section 1(1) to promote a comprehensive health service.

The duty to have regard to the need to respect and promote the privacy of recipients of health services and of adult social care in England under section 253(1)(ca) of the 2012 Act.

Section 2(2) to do anything which is calculated to facilitate, or is conducive or incidental to, the discharge of any of its functions. Under Section 13Y of the NHS Act this expressly includes the power to enter into agreements.

In relation to the procurement and provision of FDP for itself and for other FDP User Organisations, NHS England relies on the following legal basis in relation to its Processing of Personal Data and Special Category Personal Data:

Article 6 – required when Processing Personal Data

  • Article 6 (1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of the statutory functions referred to above (Public Task);

Article 9 – required when Processing Special Category Personal Data

  • Article 9(2)(g): processing is necessary for reasons of substantial public interest (Public Interest). Under section 10(3) of the Data Protection Act 2018 (DPA), this requires a condition in Part 2 of Schedule 1 of the DPA. NHS England relies on paragraph 6 (Statutory Purpose), as the processing—
    • is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge NHS England’s statutory functions set out above, and
    • is necessary for reasons of substantial public interest. This is to enable the safe, secure, efficient processing of patient data to deliver more effective and efficient healthcare services.

Where NHS England or a Local FDP User Organisations is Processing Personal Data or Special Category Personal Data, they will each separately as Controllers identify:

  • a relevant condition for Processing under Articles 6 and 9 of UK GDPR and Schedule 1 of the DPA, and
  • a legal basis under the Common Law Duty of Confidentiality.

This will be determined at a Product level for the Personal Data and Special Category Personal Data being Processed through FDP and reflected in the relevant national or local Product DPIA and Product Privacy Notice.

Under Article 6, it is expected that the legal basis for Processing Personal Data in FDP would include:

  • Article 6(1)(c) Legal Obligation, for example where NHS England collects and analyses data under a Direction.
  • Article 6(1)(e) Public Task, for example where a Local FDP User Organisations Processes Personal Data for the purposes of providing an individual with care and treatment. Also, where NHS England shares data with NHS Trusts or ICBs through the Platform relying on its powers to disseminate data under Section 261 of the 2012 Act.

Under Article 9, it is expected that the legal basis for Processing Special Category Personal Data in FDP would include:

  • Article 9(2)(g) Public Interest,
  • Article 9(2)(h) for medical diagnosis, the provision of health care, or the treatment or management of health care services and system (Health Care),
  • Article 9(2)(i) for public health purposes (Public Health)

Under Schedule 1 of the DPA it is expected the additional conditions of Processing relating to Special Category Personal Data would include:

  • paragraph 2 (Health Care),
  • paragraph 3 (Public Health),
  • paragraph 4 (Statistical Purposes), and
  • paragraph 6 (Statutory Purpose).

1.4 Common Law Duty of Confidentiality

Under the Common Law Duty of Confidentiality where Confidential Patient Data is Processed within FDP, it is expected that one of the following legal bases would be relied on:

  • implied consent where the Processing of Confidential Patient Data in any particular circumstances is carried out for the purpose of the Direct Care of a patient.
  • legal obligation, including:
    • under section 254 of the 2012 Act in relation to data that NHS England has been directed to collect and/or analyse pursuant to a direction issued by the Secretary of State for Health and Social Care (Direction) that may be Processed in the national Instances for purposes covered by a Direction.
    • under section 259 of the 2012 Act in relation to data that NHS England has required to be supplied to it by a Local FDP User Organisation in response to a data provision notice, so that it can comply with its duty to collect and analyse data under a Direction. This may apply to data shared from a local to a national Instance.
  • statutory authority which expressly sets aside the Common Law Duty of Confidentiality including:
    • Regulation 3 of the National Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations)
    • Regulation 5 of the COPI Regulations in relation to medical purposes approved by the Secretary of State with support from the Confidentiality Advisory Group, also known as an approval under Section 251 of the NHS Act 2006.

It is not expected that any Processing of Confidential Patient Data within the FDP would rely on a public interest justification.

Schedule 5 – Freedom of information (FOI) protocols

Part 1 – FDP contractor and NHS England FOI handling process

FOI process for FOIs received via NHS England’s central contact centre

The diagram shows a step-by-step journey of how to log and respond to FOIs received by the NHS England central contact centre from the first step of receiving to the last step of confirming the FOI is complete.

FOI process for FOIs received via suppliers

The diagram shows a step-by-step journey of how to log and respond to FOIs received by the suppliers from the first step of receiving to the last step of confirming the FOI is complete.

FOI process for FOIs received via the Federated Data Platform team

The diagram shows a step-by-step journey of how to log and respond to FOIs received by the FDP programme from the first step of receiving to the last step of confirming the FOI is complete.

Part 2 – FDP contractor, NHS England, and local FDP user organisation FOI protocol

To be developed; once approved by the Data Governance Group, it will form Part 2 of this Schedule.

Schedule 6 – IG documentation

All IG documentation will be shared with local FDP user organisations by the NHS England FDP IG Team. Core documentation is listed below and a list with approved version information will be provided by the NHS England FDP IG Team.

  1. IG Framework Document
  2. Form of MoU
  3. Form of Data Processing Agreement – Platform Contractor
  4. Form of Data Processing Agreement – NHS-PET Contractor
  5. Template Data Processing Schedule Annex
  6. Overarching DPIA for Data Platform
  7. Overarching DPIA for NHS-PET
  8. Template local FDP Product DPIAs
  9. Template national FDP Product DPIAs
  10. General FDP Privacy Notice
  11. Template Local Product Privacy Notices
  12. Template National Product Privacy Notices

Schedule 7 – joint controller table

1. Introduction

The purpose of this Table is to set out the Joint Controller Arrangement between NHS England and each Local FDP User Organisation (each a Party in this Schedule) regarding the Personal Data Processed in the Data Platform and NHS-PET in order to clarify roles and responsibilities for the purposes of Article 26 of the UK GDPR. 

Article 26 of the UK GDPR governs the relationship between joint controllers. Article 26(1) of the UK GDPR provides that “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.”

Under Article 26(2) of the UK GDPR, “The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.”

2. Transparent manner

The Table below can be referred to in relevant Data Protection Impact Assessments (DPIAs). It will also stand as a stand-alone document which can be issued to anyone who requests it. It transparently sets out each Party’s respective obligations and responsibilities as joint Controllers in relation to the Data Platform and NHS-PET.

3. Respective responsibilities for compliance, in particular with regard to exercise of data subject rights and duties to provide information in Articles 13 and 14

The Table below sets out each Controller’s responsibilities for:

  • compliance with the obligations under UK GDPR which apply to Controllers,
  • compliance with duties to provide the information referred to in Article 13 and Article 14, and
  • compliance with the obligations under UK GDPR as regards the exercise of data subjects’ rights. 

This Table constitutes the arrangement referred to in Article 26.

4. The arrangement may designate a contact point for data subjects

NHS England is designated as a contact point for data subjects:

  • in the Table below for FDP Programme-wide queries and queries concerning the national Instance; and
  • in the General FDP Privacy Notice and in the transparency information, for queries concerning each Product in the national Instance.  

NHS England’s Data Protection Officer is also named in the General FDP Privacy Notice and the transparency information for each Product in the national Instance of FDP as a contact point. 

Local FDP User Organisations are designated as a contact point for data subjects:

  • in the Table below for queries concerning their use of the local Instances;
  • in the General FDP Privacy Notice for each Product in their local Instance; and
  • in the transparency information they provide for each Product in the local Instance which they deploy.

The Local FDP User Organisation’s Data Protection Officer should also be named in such transparency information of the Local FDP User Organisation.

5. The arrangement must reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects

In accordance with Article 26 of the UK GDPR, this Table sets out the roles and responsibilities of the following Parties:

  • NHS England
  • Local FDP user organisations

(together referred to as the FDP User Organisations), in relation to the Processing of Personal Data in the Data Platform and, when Processing of Personal Data commences, in the NHS-PET.  

The FDP is a series of individual platforms referred to as Instances. Each of NHS England and the Local FDP User Organisations has its own Instance, and each controls the Personal Data held and Processed within its own Instance.

NHS England is the Controller for the Personal Data which flows into, and is processed within, any approved Products it chooses to use within the national Instance.  

NHS England is a joint Controller with each Local FDP User Organisation in relation to the local Instances for design, governance, and service management of the Data Platform.  This is because NHS England broadly determines the parameters for the use of the Data Platform.  

Local FDP User Organisations are Controllers for the Personal Data they flow into and Process in their local Instances.  Each Local FDP User Organisation decides whether to use the Data Platform, what data to commit to the Data Platform and how to use it within those parameters.

Where the NHS–PET Contractor Processes Personal Data prior to it entering or leaving the national Instance then NHS England is the Controller of such Personal Data Processing.

Where the NHS-PET Contractor Processes Personal Data prior to it entering or leaving the local Instance then the Local FDP User Organisation is the Controller of such Personal Data Processing.

NHS England is a joint Controller with each Local FDP User Organisation in relation to the Local FDP User Organisation’s engagement of the NHS-PET Contractor to Process Personal Data prior to it entering or leaving a local Instance, specifically in relation to the design, governance, and service management of the NHS-PET Solution.

6. The essence of the arrangement shall be made available to the data subject

The essence of this arrangement is described in the General FDP Privacy Notice referred to above. This document is publicly available and can also be provided to data subjects on request to NHS England.

Key to roles and responsibilities in the table below.

To assist, where a party:

  • has compliance responsibilities this has been identified with a ‘tick’
  • does not have compliance responsibilities, this has been identified with a ‘cross’


Schedule 8 – version control log

Version | Date approved by Data Governance Group | Summary of changes
V1.0 | | First version