NHS Policy Position
Overview
In 2021 PKB started a piece of work with NHSX (now NHS England Transformation Directorate) and NHS Digital to reach an agreement regarding the most appropriate model for PKB and NHS Providers to adopt when deploying PKB, this work was completed in 2022 with the output of the following policy position statement.
After many months of working directly with NHSX and NHS Digital colleagues, a consensus was reached. The following policy position identifies the appropriate Information Governance and Data Protection model to be adopted by PKB and used with NHS Providers. The following document summarises that work and the findings of that collaboration.
NHS statement: January 2022
NHSX policy position on data controller arrangements for NHS services.
The following sets out the NHS policy position where a third-party organisation is engaged to provide services to the NHS which involve the processing of patients’ personal data/confidential patient information.
Where an organisation supplies a service to an NHS Provider and this service uses patients’ personal data provided by the NHS, and where there is no information provided directly by a patient, then in data protection terms, that service provider will be a data processor. This means that the service provider will work on behalf of and under the instruction of the NHS Provider which commissioned them.
In circumstances where individual patients have the choice to add their own further information in addition to that provided by the NHS, then the organisation providing the service will be the data controller for the processing of the additional information.
Where that information is shared with an NHS Provider then the service provider and
the NHS organisation will be joint data controllers. Prior to any arrangement being entered into, the organisation providing the service and the NHS Provider must agree on how the patient information will be dealt with when no longer required. This should include scenarios where the patient information is shared with other NHS Providers and who, for good reason, may require the relevant patient information to be kept beyond what was originally agreed with the NHS Provider who contracted the service.
Background to the position
Patients Know Best ("PKB") is a developer and operator of a technology platform for
health information. There are two parts to the service provided by PKB:
The first part of the service is a Patient Record. This allows an NHS Provider to enter patient data into the PKB system. The data is accessible by clinicians and enables the sharing of personal data between NHS Providers.
The second element is a Patient Account. For this, the patient enters their own data and NHS Providers can, with the consent of the patient, access this data.
The issue concerns PKB’s role with the Patient Record.
For the Patient Account PKB will either be the data controller or a joint data controller depending on whether other organisations are using patient data held in the Account.
The issue is that PKB has received legal advice that they are possibly a joint data controller with regard to the Patient Record. This is a concern for the NHS because a third party are a data controller rather than a data processor, in theory, it would potentially allow them to process the patient's data outside of NHS control.
It would also set a precedent with respect to other organisations providing services to the NHS and using patient information to do so. It is worth noting at this point that PKB is limited by what they can do with the data under the GDPR and contractually by what has been agreed with the NHS body.
How PKB works
The NHS Provider holds the patient data initially and is a data controller for the data.
Once the PKB service is engaged PKB and the NHS Provider process the data for:
The provision of health and social treatment and care
Providing a platform for patients to access and add to their PKB health record thus creating a ‘Patient Account’.
Allowing patients to determine which organisations can view their profile
The maintenance by PKB of the PKB platform and data held on it whilst the parties agree on how the data will be used, it is all, legally, for the benefit of the NHS Provider (accepting that patients benefit practically), as the data controller, because it allows them to deliver their NHS services.
For the Patient Record, PKB only decides how to store the data and the security processes around the data. PKB cannot process the data for anything other than the stated purposes. When the relationship between the NHS Provider and PKB comes to an end, PKB provides the patient Record to the NHS Provider and then deletes it.
The legal background under the UKGDPR a 'controller' means "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".
A 'processor' means "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
The ICO has identified that the key question in relation to determining who is the data controller or data processor is - who determines the purposes for which the data is processed and the means of processing?
Controllers exercise overall control over the purposes and means of processing personal data. Processors act on behalf of, and on the instructions of, the relevant controller. In this example, it is the NHS Provider that determines the ‘purposes and means’ of the processing of the relevant personal data for the Patient Record.
PKB, as the service provider, only decides on the storage of the data and the security measures around it.
Conclusion
Hence for the Patient Record, it is the NHS Provider which is the data controller and PKB is a data processor operating under the instructions of that NHSProvider.
NHSX January 2022.