All organisations included within the Share2Care programme conform to the General Data Protection Regulation (GDPR) and the data protection principles and ensure that personal data is collected fairly, processed lawfully, kept as accurate as possible and kept only for as long as is necessary. Additionally, data is only processed for legitimate purposes, and currently this covers data being utilised for direct care or treatment only; therefore it cannot be utilised for any other reason, such as population health management.
The Cheshire and Merseyside Health and Care Partnership does have a separate population health management platform called CIPHA (Combined Intelligence for Population Health Action), which was launched during the COVID-19 pandemic under the COVID-19 COPI notice. That notice provided a temporary legal basis for processing confidential patient information without consent to support relevant research and planning activities, in order to aid our region’s response to the COVID-19 emergency. However, it is important to note that the Share2Care programme has not progressed at this stage to cover population health management.
The General Data Protection Regulation (GDPR) applies to all individuals and organisations (including hospitals, clinics and general practices) who have day-to-day responsibility for data protection. Under GDPR, the organisations you attend for your health and care are known as ‘data controllers’, as they, alone or jointly with others, determine the purposes and means of the processing of personal data. As data controllers, these organisations are responsible for complying with the UK GDPR: they must be able to demonstrate compliance with the data protection principles and take appropriate technical and organisational measures to ensure that their processing is carried out in line with the UK GDPR.
In addition to the GDPR and other data protection principles, patient confidentiality is supported by compliance with the common law duty of confidentiality and the Caldicott Principles covering the use of patients’ personal information. Additionally, all health and care professionals must undertake and pass mandatory ‘information governance and data security training’ before they start in their roles, and this training is refreshed on a twelve-month rolling basis.
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. So, if you are aware of any inaccuracies in personal information that is held by an organisation you attend for your health and care, please inform a member of staff from the organisation or inform the organisation directly in writing.