Risk Stratification

In 2013 NHS England gained approval from Secretary of State, through the Confidentiality Advisory Group, for its application for the disclosure of commissioning data sets and GP data for risk stratification purposes to data processors working on behalf of GPs.

The application was made by NHS England on behalf of GPs and CCGs, as the relevant data controllers. It will enable GPs, supported by Clinical Commissioning Groups (CCGs), to target specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate interventions.

NHS England has given an undertaking to the Secretary of State for Health to seek assurance from eligible organisations and to provide a register of approved organisations for the receipt and processing of the patient data for risk stratification. NHS England is seeking assurance from Clinical Commissioning Groups and their appointed risk stratification suppliers that processing of the data is in accordance with the Data Protection Act 1998 and that the conditions set out for processing of personal confidential data are undertaken and maintained.

This approval only applies to the use of GP and Secondary User Services data. It does not cover disclosure of social care data for risk stratification. Where social care data are to be used then the relevant parties need to assure themselves there is a legal basis for the disclosure and linkage for this purpose. This can be achieved either by using a third party and pseudonymised data, or with consent.

A further extension until 31 March 2017 has recently been approved for application CAG 7-04(a)/2013 for risk stratification but with additional conditions attached which require CCGs to update their Fair Processing/Privacy notices (FPNs).

All CCGs will be contacted in due course and provided with guidance on what information needs to be added to their FPNs. Please note: In order to provide assurance that your organisation and risk stratification supplier are in full compliance of the conditions for processing patient data, please read the Risk Stratification Assurance Statement (CAG 7-04(a)/2013 compliance for CCGs) and work with your risk stratification suppliers to complete and return section A and Annex 1 of the document.

Please note that the risk stratification suppliers included in the ‘List of risk stratification approved organisations’ document below are those that are allowed to use the Section 251 CAG 7-04(a)/2013 application. They have a lawful basis for appropriate data use under the application, provided that the conditions of processing are met. The document does not form a list of risk stratification suppliers endorsed by NHS England.

Related documents

Please note:  If you are a CCG which is undertaking risk stratification in agreement with your GP practices and have not submitted a Risk Stratification Assurance Statement and therefore are not included on the NHS England register, you may not be able to receive Secondary Use Services (SUS) data which is supplied from the HSCIC regional offices (DSCRO’s) for this purpose.  The HSCIC and NHS England are working together to verify that any data sharing agreements received by the HSCIC from CCGs which require data for risk stratification purposes are listed on NHS England’s list of approved organisations.

*This a list of the CCGs approved to use the application and this will list (a) the risk stratification supplier approved to use the application they are using and (b) the DSCRO they are working with. You will find the list of suppliers approved to use the application in the latest version of the assurance statement.

Urgent update regarding S251 CAG Approvals – 28 March 2017

Confidentiality Advisory Group (CAG) s251 Approvals for Risk Stratification (CAG 7-04)(a)/2013) and Invoice Validation (CAG 7-07(a-c)/2013)

NHS England attended the Confidentiality Advisory Group meeting in late February 2017 with a view to requesting the extension of the current CAG approvals for Risk Stratification and Invoice Validation – both of which include the use of all datasets listed under CAG 2-03(a)/2013 until the end of Sept 2018. CAG indicated that they did not envisage any issues with the request and they will provide their response in due course and that in the meantime, the current approvals do not expire. This would ensure that all processing under the above s251 approvals can continue.

During the course of the discussion with CAG members, it was also felt that to ensure sufficient legal cover continues to be in place to enable the de-identification of data previously processed under CAG 2-03(a)/2013 (ASH) and currently held by CCGs/CSUs in an identifiable format, this approval be also extended but only for a period of 4 months to the end of July 2017. This would support the de-identification of data in line with the ICO Anonymisation Code of Practice.

NHS England will update the website again as soon as NHS England receives a formal response from CAG.

If you have any queries relating to the above, please email them to england.riskstratassurance@nhs.net.