In 2013 NHS England gained approval from Secretary of State, through the Confidentiality Advisory Group, for its application for the disclosure of commissioning data sets and GP data for risk stratification purposes to data processors working on behalf of GPs.
The application was made by NHS England on behalf of GPs and CCGs, as the relevant data controllers. It will enable GPs, supported by Clinical Commissioning Groups (CCGs), to target specific patient groups and enable clinicians with the duty of care for the patient to offer appropriate interventions.
NHS England has given an undertaking to the Secretary of State for Health to seek assurance from eligible organisations and to provide a register of approved organisations for the receipt and processing of the patient data for risk stratification. NHS England is seeking assurance from Clinical Commissioning Groups and their appointed risk stratification suppliers that processing of the data is in accordance with the Data Protection Act 1998 and that the conditions set out for processing of personal confidential data are undertaken and maintained.
This approval only applies to the use of GP and Secondary User Services data. It does not cover disclosure of social care data for risk stratification. Where social care data are to be used then the relevant parties need to assure themselves there is a legal basis for the disclosure and linkage for this purpose. This can be achieved either by using a third party and pseudonymised data, or with consent.
A further extension until 31 March 2017 has recently been approved for application CAG 7-04(a)/2013 for risk stratification but with additional conditions attached which require CCGs to update their Fair Processing/Privacy notices (FPNs).
All CCGs will be contacted in due course and provided with guidance on what information needs to be added to their FPNs. Please note: In order to provide assurance that your organisation and risk stratification supplier are in full compliance of the conditions for processing patient data, please read the Risk Stratification Assurance Statement (CAG 7-04(a)/2013 compliance for CCGs) and work with your risk stratification suppliers to complete and return section A and Annex 1 of the document.
Please note that the risk stratification suppliers included in the ‘List of risk stratification approved organisations’ document below are those that are allowed to use the Section 251 CAG 7-04(a)/2013 application. They have a lawful basis for appropriate data use under the application, provided that the conditions of processing are met. The document does not form a list of risk stratification suppliers endorsed by NHS England.
- Risk Stratification Assurance Statement letter
- Fair Processing Advice for CCGs and GPs on information governance and risk stratification (NB: Advice on information governance and risk stratification is currently being updated and will be added shortly)
- Next steps for risk stratification in the NHS
- List of risk stratification approved organisations* – (Dated 3 November 2016)
Please note: If you are a CCG which is undertaking risk stratification in agreement with your GP practices and have not submitted a Risk Stratification Assurance Statement and therefore are not included on the NHS England register, you may not be able to receive Secondary Use Services (SUS) data which is supplied from the HSCIC regional offices (DSCRO’s) for this purpose. The HSCIC and NHS England are working together to verify that any data sharing agreements received by the HSCIC from CCGs which require data for risk stratification purposes are listed on NHS England’s list of approved organisations.
*This a list of the CCGs approved to use the application and this will list (a) the risk stratification supplier approved to use the application they are using and (b) the DSCRO they are working with. You will find the list of suppliers approved to use the application in the latest version of the assurance statement.