If you are involved in the world of health and social care at the moment, and not just from a data protection standpoint, then you will have realised that change is coming. Basically, if it starts with the word “integrated”, then chances are that it’s happening within our national health service or it’s going to be happening. You will have sat down in many meetings where the acronyms ICBs, ICSs and ICPs are iterated, and you won’t have been the first or the last person in the room who is wondering what those acronyms stand for. Let’s tackle the easy part first and foremost, i.e., what they stand for. They can be described as follows:
- ICPs – The Integrated Care Provider (“ICP”) Contract is one of the available options for systems to enable joined up decision making and integration of services. It will enable commissioners to award a single contract to a provider that is responsible for the integrated provision of general practice, wider NHS and potentially local authority services;
- ICSs – Integrated Care Systems (“ICS”) are partnerships that bring together providers and commissioners of NHS services across a geographical area with local authorities and other local partners to collectively plan health and care services to meet the needs of their population. The central aim of ICSs is to integrate care across different organisations and settings, joining up hospital and community-based services, physical and mental health, and health and social care. All parts of England are now covered by one of 42 ICSs;
- ICBs – The current proposals mean that each ICS would be led by an NHS Integrated Care Board (ICB), an organisation with responsibility for NHS functions and budgets, and an Integrated Care Provider (ICP), a statutory committee bringing together all system partners to produce a health and care strategy. When ICBs are legally established, NHS clinical commissioning groups (“CCGs”) will be abolished.
Time will tell whether these changes will make any difference to improving patient care, but even a lay person such as myself can understand that integrating the provision of health and social care should ideally lead to a net positive benefit to the general population. However, in order for these organisations to truly deliver on their modus operandi, having good data to underpin decision making is not only necessary but crucial. In order to have data available across all of these organisations, they need to have good data sharing arrangements in place, and all good sharing arrangements should be underpinned by adherence to data protection law and sound information governance.
The standard sound bites made by NHS leaders usually revolve around transparency and trust. Whilst these are certainly important, in the context of vast quantities of data being shared, we must recognise that the issue is just as much about upholding people’s privacy as it is about transparency. Data Protection and Data Privacy may very well overlap and complement each other very well but they are fundamentally two different entities. In order to truly convince the millions of people whose personal data we are going to share and/or use, we must be prepared to demonstrate that whilst sometimes we have no choice but to use the personally identifiable data, wherever possible we are also going to continue to implement and to develop privacy enhancing techniques in order to ensure that their confidentiality is maintained.
Too often, I see organisations hold the opinion that data protection laws only expect them to carry out data protection impact assessments (“DPIAs”) and that’s the be-all and end-all of it. However, whilst DPIAs are a useful tool (we certainly love drafting them), it’s the findings and implementation of those findings that are really crucial in ensuring that we are upholding people’s privacy and data protection rights.
Furthermore, given the large number of organisations that will be involved in ICSs, ICBs and ICPs, clarifying concepts around data controllership, processors and sub-processors is fundamental in ensuring the longevity of these collaborations. Understanding who is and is not a legal entity, especially when it comes to the make-up of ICPs and ICSs, is important because it then allows you to work out salient matters, such as who can be a party to a sharing agreement or a data processing agreement and generally where liability falls.
There is a lot to do when it comes to remaining compliant with data protection laws, and there is even more to do when it comes to implementing privacy enhancing solutions – what most people see, and tackle, is just the tip of the iceberg. As we carry on along this path to having ICPs, ICBs and ICSs, we need to ensure that we don’t just address the tip but rather the entirety of it because this will allow organisations to realise their ambitions to deliver excellent care to our population. NHS leaders should be aware that tackling data protection and privacy compliance as a tick box exercise and narrowing it down to just transparency alone is a sure-fire way of losing the public’s trust. Yes, we care about transparency, but we also care about our public bodies not getting lazy when it comes to protecting people’s rights to privacy and data protection.
If you are one of our clients then you will know these are the issues we talk about and tackle alongside you and for you on a day-to-day basis, and if you are any other citizen of the world then know that we will advocate for your data protection and privacy rights in circumstances under our control. Many of us will accept that a social contract exists between us and our health and social care providers, that is, they need our personal data to deliver good health and social care, but their obligation to us must be that they won’t get lazy and will always seek to protect our privacy and uphold our rights.