Joint Controller and Information Sharing Framework Agreement

NHS England and NHS Improvement are cooperating to establish a joint enterprise. This mirrors the focus of the NHS Long Term Plan on how we will deliver integrated care to patients at the local level, how we set the whole of the NHS up to do that and how it will benefit patients and communities.

To make sure that we comply with our data protection obligations, the NHS England and NHS Improvement organisations have entered into a Joint Controller and Information Sharing Framework Agreement.

Read the Joint Controller and Information Sharing Framework Agreement.

Our joint enterprise is made up of three statutory organisations.

NHS England was established on 1 April 2013 by the Health and Social Care Act 2012 and is responsible, among other things, for the commissioning of NHS health services and the oversight of Clinical Commissioning Groups (CCGs).

Monitor and the Trust Development Authority (TDA) came together under the operational name of NHS Improvement in April 2016, combining the functions and responsibilities of the two statutory bodies in a single integrated organisation. NHS Improvement is responsible, among other things, for the oversight of NHS Trusts and NHS Foundation Trusts and the assessment of certain transactions into which such bodies may enter.

Although the three organisations are separate legal entities and remain individually responsible for meeting their statutory obligations, they may co-operate to perform closely related or general functions jointly, or to support each other in the delivery of their individual functions. So, our joint working is delivered by teams of staff who may be employed by any of the organisations that make up NHS England and NHS Improvement.

Where the work of our teams requires processing of personal data, the co-operating organisations may be individually or jointly responsible for the processing – as controllers or joint controllers as defined by the GDPR.

An example of a function that can only be performed by one of the organisations is NHS England’s commissioning of specialised services. NHS England is the sole controller for any processing of personal data in support of this function. However, Specialised Commissioning teams may include employees of the NHS Improvement organisations, acting as agents for NHS England as the controller.

An example of a joint function is the integrated Human Resources and Organisational Development team. Our organisations are joint controllers for the processing of personal data by this team.

The Joint Controller and Information Sharing Framework Agreement sets out our joint data protection responsibilities and the measures that we have put in place to ensure that we comply. The agreement describes scenarios in which we may act either as individual or joint controllers when processing personal data in support of our joint enterprise.

Our data protection commitments as joint controllers are set out below:

  • We will make sure that we are transparent about our joint purposes for processing personal data, and explain how data is used for these purposes.
  • We will make sure that anyone who wants to have access to their personal data, or to exercise other legal rights, has an easily accessible point of contact to make their request.
  • We will make sure that when we introduce new joint working practices, the privacy of the people whose information is held by the Parties will continue to be protected as necessary.
  • We will only introduce new joint working practices after we have conducted an assessment of how we will comply with data protection legislation and this has been approved following a jointly agreed approval process.
  • We will make sure that our data protection policies properly govern the activities of the joint enterprise, and that staff have a confident understanding of their responsibilities.