ANSWERS TO QUESTIONS RECEIVED FROM MEMBERS OF THE INFORMATION GOVERNANCE ALLIANCE (NHS TRUST REPRESENTATIVES)


The Private Healthcare Information Network 11 Cavendish Square London W1G 0AN 020 7307 2862 www.phin.org.uk ANSWERS TO QUESTIONS RECEIVED FROM MEMBERS OF THE INFORMATION GOVERNANCE ALLIANCE (NHS TRUST REPRESENTATIVES) The answers below include the following terms as defined within the Competition and Markets Authority Private Healthcare Market Investigation Order (2014). They are reproduced here for the aid of clarity and interpretation. AEC means adverse effect on competition for the purposes of section 134(2) of the Act; PPU means a private patient unit, which is a facility within a national health service providing inpatient, day-case patient or outpatient privately-funded healthcare services to private patients; such units may be separate units dedicated to private patients or be facilities within a main national health service site which are made available to private patients either on a dedicated or nondedicated basis; private healthcare facility means any facility providing privately-funded healthcare services on an inpatient, day-case and/or outpatient basis, and may include a PPU; private healthcare provider means a person providing privately-funded healthcare; private hospital means a facility which provides privately-funded inpatient hospital services, and may include a PPU; private hospital operator means a person operating a private hospital including where relevant a national health service in relation to a PPU providing privately-funded inpatient healthcare services and for the avoidance of doubt includes all interconnected bodies corporate within the meaning of section 129(2) of the Act. 1. What is the legal status of PHIN? In company law, the Private Healthcare Information Network Limited (PHIN) is a company limited by guarantee without shareholding, meaning that it is a not-for-profit company. 
PHIN is approved by the Competition & Markets Authority (CMA) as the Information Organisation pursuant to the Private Healthcare Market Investigation Order 2014. The Order specifies requirements for the composition of the Information Organisation s Board of Directors and membership to ensure credibility and independence. PHIN meets

these criteria. PHIN has interests created under the Order, including in receiving the information to be supplied and the amount to be paid by private hospital operators, which are enforceable under s167 of the Enterprise Act 2002. 2. How was PHIN selected by the CMA? The CMA invited expressions of interest from organisations interested in becoming the Information Organisation. PHIN was selected from those organisations who submitted an expression of interest. 3. Who are the members of PHIN? PHIN has two categories of member: general members: private hospital operators participating in PHIN s services voting members as defined in company law, playing a role in PHIN s governance. Private hospital operators, as defined by the CMA Order, may become and remain general members of PHIN by signing the Subscription & Information Sharing Agreement (SISA), paying their fees in full and submitting the required data to PHIN. Looking at the UK as a whole, as at June 2017 164 private healthcare operators had been sent an Agreement and 108 have signed it (66%). For England alone these figures are 153 and 100 (65%). PHIN currently has 21 voting members, a list of which is available on PHIN s website or from the Company Secretary. As per Article 24.2 of the Order, voting membership is offered to private healthcare providers and private medical insurers and to some bodies representing consultants. As at June 2017, PHIN believes that there are 189 legal entities operating 500 private healthcare facilities across the whole of the UK that are subject to the Order. Per our Articles of Association, any such qualifying body may apply to the Board to become a voting member. PHIN s Board would welcome applications to voting membership from participating NHS Organisations, but please be aware in advance that this requires commitment to membership at a corporate level. Full information is published on PHIN s website at https://www.phin.org.uk. 4. 
Who has agreed the fees that PHIN charges for the collection and processing of the data? Under the Order the information organisation may seek subscriptions from its members in order to carry out the duties specified in this order, and may with agreement of its members Printed versions of this document are uncontrolled Page 2 of 14

grant licensed access, which is in accordance with the Data Protection Act 1997, to its database. PHIN, as the as the approved information organisation has an explicit and enforceable right created under the Order to raise subscriptions to cover its reasonable costs (see Articles 21.4 and 24.3). PHIN s annual budgets are determined by PHIN s Board, the composition of which was dictated by the Order (Article 23.2) and subsequently approved by the CMA as part of PHIN s five-year plan, published in accordance with Article 24.4(b). PHIN publishes an annual report in accordance with Article 24.4(e). These documents are available on PHIN s website or in hard copy upon request. As a not-for-profit company limited by guarantee without shareholding, PHIN s Board is accountable to its voting members, which include representative private hospital operators in accordance with Article 24.2. 5. What about the direct costs for hospital operators? Private hospital operators will also incur direct costs of complying with the Order, other than subscriptions due to PHIN. These costs were explicitly considered in the CMA s Private Healthcare Market Investigation Final Report in terms of proportionality, including costs of applying clinical coding (Paragraph 11.588), collecting PROMs (11.589) and other staff time (11.590). The CMA noted (11.591) that The incremental costs of providing the information set out above are between 6.0 million and 6.5 million per year, which equates to less than 0.2 per cent of the total annual expenditure on private healthcare services and a cost of around 8.50 to 9.25 per private patient. The CMA concluded (11.593) that the likely costs of collecting and disseminating performance information on both consultants and hospitals were relatively low in comparison with the potential quality and price improvements that could be expected as a direct result of publishing this information. 
On this basis (11.594), we concluded that our remedy was both effective and proportionate as a means to address the AEC arising from insufficient publicly available performance information. The Order applies equally to all private healthcare facilities and private hospital operators, as defined, explicitly including NHS Private Patient Units (PPUs) where (Article 2.1 Interpretations): PPU means a private patient unit, which is a facility within a national health service providing inpatient, day-case patient or outpatient privately-funded healthcare services to private patients; such units may be separate units dedicated to private patients or be facilities within a main national health service site which are made available to private patients either on a dedicated or non-dedicated basis. Compliance costs may, therefore, be considered a necessary and unavoidable operating cost Printed versions of this document are uncontrolled Page 3 of 14

for private hospital operators. 6. Where PHIN requests information that is not specified in the Order, are members obliged to provide this information to PHIN? Yes, if it falls within the scope of the Order (Article 21.1), which states that private healthcare facilities must supply the information organisation (PHIN) with data which is sufficiently detailed and complete to enable the information organisation to publish the types of performance measures (listed at Article 21.1) by procedure at both hospital and consultant levels. Clearly, the specific information items listed at Article 21.2 are necessary but not in themselves sufficient to enable publication on the performance measures specified at Article 21.1. It falls to the information organisation to specify the information required, and private healthcare facilities to supply it. PHIN has published its high-level approach to producing the performance measures in its Strategic Plan 2015-2020, and has published data specifications following consultation with its members, which may be revised and updated from time to time. 7. The information that is shared with PHIN is not for direct care. How is this permissible under the Data Protection Act (DPA)? Under the Data Protection Act, for the sharing to be lawful, at least one condition from Schedule 2 must be met and, for the processing of personal sensitive data, at least one condition from Schedule 3 must also be met. PHIN concludes that all the following conditions are met: the processing is necessary for compliance with any legal obligation to which the data controller is subject, the processing is necessary for the exercise of any functions conferred on any person by or under any enactment the processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. the processing is necessary for exercising statutory or governmental functions. 
the data subject has given his explicit consent to the processing of the personal data. In addition, the Data Protection (Processing of sensitive data) Order 2000 includes several conditions which are also met http://www.legislation.gov.uk/uksi/2000/417/schedule/made 8. The use of the NHS Number and the level of information going to PHIN as a consequence exceeds what we can at times send to our commissioners. The CMA Order places an enforceable duty on private hospital operators (as defined in the Printed versions of this document are uncontrolled Page 4 of 14

Order to include NHS PPUs) to provide PHIN with the NHS Number (or equivalent identifier in Scotland, Wales and Northern Ireland). In practice PHIN has itself, by agreement with NHS Digital, narrowed the application of the requirement to seek the NHS Number only where explicit consent has been given by the patient. A consent model and process for obtaining this consent has been approved by NHS Digital and is to be implemented by private healthcare facilities. We do not believe that a correlation can be drawn between data that is shared for the purposes of the Order and data that is shared for commissioning purposes. The rules about the use of identifiable data for commissioning purposes (within health and social care) are covered under Caldicott 2. 9. What security and confidentiality arrangements does PHIN have in place for handling this information? PHIN has robust policies and procedures in place to protect the confidentiality, integrity and availability of data and to ensure compliance with relevant legislation and guidance (including the Data Protection Act, the Common Law Duty of Confidence, the Human Rights Act (Article 8) and the Caldicott Principles). PHIN s staff are appropriately trained and aware of their responsibilities for information security and confidentiality. Data is transferred securely between private hospital operators and PHIN and between PHIN and NHS Digital (and other equivalent bodies in Scotland, Wales, and Northern Ireland), in line with Principle 7 of the DPA, using robust encryption methods so that the data cannot be intercepted. The NHS Number is encrypted upon receipt. PHIN does not store the unencrypted NHS Number on its systems. PHIN does not have the means to look up NHS Numbers to reidentify patients. PHIN has ISO 27001:2013 Certification and has completed the Information Governance Toolkit. 10. Why can t we send the data directly to NHS Digital? 
Sending data directly to NHS Digital has been discussed but is not currently the chosen option, and to date a robust technical solution has not been found (noting that a solution has to work for all providers, not just NHS providers in England). We are open to the idea that a technical solution may be identified in the future, and the process could be revised. However, PHIN is the Information Organisation pursuant to the Order, and has a legal basis for receiving the data. A process, requiring explicit consent, has been specified by PHIN and approved by NHS Digital. Trusts have been asked to collect consent and NHS Numbers form 1 July 2017, which is already 18 months later than the start point originally intended. Printed versions of this document are uncontrolled Page 5 of 14

As such, we have a process that will work and has been approved, and must start on that basis. 11. Why is the patient s full postcode needed? The full postcode is needed so that the data can be risk adjusted according to where the patient lives, (using the Indices of Multiple Deprivation (IMD) scores for those areas). For some diagnoses and/or procedures, people who live in deprived areas have an increased risk of poorer outcomes. Levels of socio-economic deprivation can be very localised and can vary enormously over relatively small distances. Deprivation scores, such as the IMD, are developed to be available for small areas (in the case of the IMD, down to Lower Super Output Area) in order to identify local variation and discriminate between the characteristics of a population. Postcode sectors can have very large geographical extents which may overlap several of the deprivation score geographical units with widely differing deprivation score values. If deprivation scores are calculated for larger areas, for example the first four digits of a postcode, then their ability to identify local heterogeneity is lost. Also, the IMD score changes every four years. For these reasons, the full postcode is required. 12. Can the full postcode be an identifier in a rural area? The ICO Code of Practice for anonymisation states that data that cannot identify an individual from a group of individuals is not personal data. Therefore, a postcode would rarely, if ever, be a direct identifier. Identification of an individual becomes a consideration when data is made publicly available. PHIN publishes only aggregate data at a level where no individual can be identified from the data, or where the risk of identification is remote, in line with ICO Code of Practice. PHIN does not publish the postcode. 13. It is likely that the numbers of patients we will treat for each procedure will be low. 
Considering ICO guidance, that counts of less than five should be excluded, should these patients be excluded? Small numbers exclusions are applied by PHIN before publishing information, but cannot be applied by providers prior to submission of data to PHIN. The ICO Code of Practice for anonymisation draws a distinction between publication to the world at large and disclosure on a limited basis. Concerns about identification relate to publication of data. The information that PHIN publishes on its public website (phin.org.uk) is aggregated and presented at a level where no individual can be identified, or where the possibility of identification is remote, in line with the ICO Code of Practice. Printed versions of this document are uncontrolled Page 6 of 14

The legal duty falling on private hospital operators under the Order is to supply information as regards every patient episode of all private patients treated at that facility which is sufficiently detailed and complete to enable the information organisation to publish performance measures by procedure at both hospital and consultant level. This translates to record-level data, which follows closely the format and data specification of the admitted patient care records routinely submitted by NHS hospitals via SUS, per the data specification published by PHIN. 14. If patients refuse consent, is the alternative of providing an anonymous record respecting this decision? Yes, anonymous data is not personal data under the Data Protection Act. PHIN's consent model requires patients to be provided with a copy of our Privacy Notice which explicitly states that "If a patient does not consent, the hospital will provide a record of their treatment to PHIN, but will not provide the NHS Number or postcode." PHIN does not and will not hold any other data that would enable it to re-identify an individual patient through association. PHIN only publishes aggregate data from which an individual cannot be identified, in line with the ICO Code of Practice on anonymisation. 15. Presumably this will involve small numbers of records so that even if identifiers are removed the result may not be anonymous. How is anonymity achieved? The data collected by PHIN is for the purposes specified in the Order and is, therefore, for a limited purpose. The ICO Code of Practice for anonymisation draws a distinction between publication to the world at large and disclosure on a limited basis. Concerns about identification relate to publication of data. The information that PHIN publishes on its public website (phin.org.uk) is aggregated and presented at a level where no individual can be identified, or where the possibility of identification is remote, in line with the ICO Code of Practice. 
The information that we make available back to the hospitals that supplied it and their consultants through our secure portal for the purposes of quality assurance is sufficiently detailed that that hospital and/or consultant is likely to be able to recognise their own patients in the data. This is not a disclosure to a third party. This is intentional, and has been reviewed and approved by NHS Digital. It is the responsibility of Private Hospital Operators to ensure that staff given access to PHIN s secure portal have been authorised to view such data. PHIN itself has no need or ability to re-identify patients. 16. I thought that record level data was not shared with PHIN? Printed versions of this document are uncontrolled Page 7 of 14

The legal duty falling on private hospital operators under the Order is to supply information as regards every patient episode of all private patients treated at that facility which is sufficiently detailed and complete to enable the information organisation to publish performance measures by procedure at both hospital and consultant level. This translates to record-level data, which follows closely the format and data specification of the admitted patient care records routinely submitted by NHS hospitals via SUS, per the data specification published by PHIN. 17. What is the consent model for this information use? NHS Digital has approved a form of words for inclusion in patient registration forms, together with some stipulations about how that must be implemented, including that PHIN s Privacy Notice must be made available to the patient. The consent model must be followed by all private hospital operators so that patients are aware that their data is shared with PHIN and other named third parties, and for what purposes. Private hospital operators must include patient consent in their registration and/or admission process. This is so that their data can be used for data linkage. If a patient does not want their personal data shared in this way, their record is sent to PHIN (as required by the Order) but minus their NHS Number and postcode. PHIN only collects the minimum personal data needed for the required purpose. 18. Do I have to use PHIN s Privacy Notice and Consent Model? Yes, this is the process that has been approved by NHS Digital. A copy of PHIN s Privacy Notice should be given to all private patients upon admission. This only covers the data processing activities that concern PHIN. Your organisation may have another Privacy Notice that covers other uses of patient data that you hand to patients as well. One does not preclude the other. 
However, you must use not materially alter PHIN s Model Consent Wording, which should be included in your registration/admission forms that are signed by patients upon admission. This is because the Model Consent Wording and the Privacy Notice were provided by PHIN to NHS Digital as part of our application for data linkage. It was a condition of NHS Digital s and IGARD s approval that there must be no material changes to any of the documentation or processes that were included in our application. PHIN has raised with NHS Digital, IGARD and other stakeholders whether private hospital operators can incorporate the material messages into their own consent documentation. Unfortunately, this suggestion has so far been rejected but we hope to revisit it again in the future. Printed versions of this document are uncontrolled Page 8 of 14

19. The GDPR permits a maximum financial penalty of 2% of global turnover. 1m is therefore potentially not sufficient. How is it appropriate that PHIN is charging members the cost of this indemnity? PHIN is a not-for-profit organisation wholly funded by subscriptions from its members. As such all costs borne by PHIN are charged to its members. During the consultation that produced the SISA, PHIN invited members to propose a value for indemnity cover, noting that it could be any figure that members thought appropriate but that they would collectively bear the corresponding premium. At the time, 1m was agreed. PHIN would be happy to revisit this in the light of the GDPR. As a factor to consider, it seems to us unlikely that any private hospital operator would be substantially fined in respect of errors on PHIN s part given that participation is mandatory. We may seek further advice on this point. Please also note that any insurance arranged by PHIN does not preclude members having their own indemnity cover or making a claim against their own liability insurance instead. 20. Is there any liability for the private care providers as Data Controller once data is released to PHIN? This question is too general for PHIN to provide a definitive answer, as it would depend on the individual circumstance. PHIN will be a data controller with respect to all patient data that private care providers transfer to PHIN. Therefore, PHIN will be responsible for its own compliance with data protection laws and will be liable for any breach of such laws by PHIN. Note that each party has an obligation to comply with the data protection laws under clause 5.1 of the SISA and PHIN is subject to additional data protection obligations in clause 5.4. However, it is important to note that you are responsible for the accuracy and validity of the data, obtaining explicit consent, and not submitting personally identifiable data (i.e. 
with the NHS Number and postcode included) where valid consent has not been obtained. See clause 5.3 of the SISA. Note that the SISA was developed in consultation with providers and is in part intended to help evidence a provider s compliance with its obligations under data protection laws in terms of data sharing. Those providers who have not signed a SISA will not benefit from this. The wider issue of liability will be looked at as part of the upcoming SISA review. 21. Has the Information Commissioner s Office (ICO) reviewed the Information Sharing Agreement? Not that PHIN is aware of. As before, when the SISA is reviewed this will also be with regard to the ICO Code of Practice for Data Sharing, to ensure that this is appropriately complied Printed versions of this document are uncontrolled Page 9 of 14

with. 22. The Subscription and Information Sharing Agreement (SISA) reads more like a contract. Why has it not been drafted more like the conventional NHS Information Sharing Agreement (ISA)? The current document covers arrangements for both subscriptions and information sharing. It was decided at the time to produce a single document to cover both information sharing arrangements and payments. These documents will be reviewed and consulted upon over the next few months. 23. The SISA needs to be reviewed as soon as possible. I can t sign it as it is not fit for purpose. PHIN does not accept that the SISA is not fit for purpose. It was widely consulted upon with members and with extensive legal input, and has been reviewed and signed by over 100 organisations a mixture of both NHS and private. We have committed to reviewing the Agreement through consultation and that work will commence in the coming months. Experience suggests, however, that it will not be possible to fully reconcile the highly divergent comments and issues received from various parties. We are confident that the balance of risk for any potential member would be in favour of signing the Agreement as currently available, rather than submitting data without signing it. Potential members may submit data and pay subscriptions without signing the Agreement to meet minimum obligations under the Order, but in doing so potential members may exclude themselves from various indemnities and services normally offered by PHIN. 24. Effectively, the SISA is an End User License Agreement (EULA) which is resolvable. If a Trust is paying the subscription but cannot sign the SISA then the portal could have the EULA at the point of sign on. A signed SISA or ISA is not the same thing as a EULA. An ISA covers the data that the private hospital operator is required to submit to PHIN, and when and how the data will be shared, in order to ensure timely and secure transfer of the data. 
It also covers how PHIN will make the data output available to members prior to publication (via a secure portal), to ensure accuracy of the data. Before a member can access PHIN's portal (i.e. to check and quality assure their submitted data and view user-friendly aggregate reports), they have to read and accept, by means of an electronic tick box, the portal terms and conditions of use. These cover access and use, confidentiality requirements, Intellectual Property Rights, liability, links to third-party websites, cookies, relevant legislation and jurisdictions. The portal displays record-level data. The SISA sets out the provider's obligations in using the portal. The portal's terms and conditions of use bind the individual and not the private hospital operator. Therefore, PHIN does not make portal access available to any organisation that does not have a signed SISA with PHIN. The SISA is not a pre-requisite to publication, but it must be signed in order for the provider to use the additional services that PHIN provides, such as the Portal, because these are not covered under the Order.

25. My Trust was told that even though it was sending data to PHIN, because the Trust had not signed the SISA, their data would not be published. Is this correct?

That may have been correct at that point in time, but is no longer the case. All data successfully submitted, conforming to the required data specification and deemed to be sufficiently complete and accurate, will be published on PHIN's public website in the form of the prescribed performance measures. PHIN acts on legal advice received to protect its own position, and also seeks to be as fair as possible to all members. Our position on this issue has evolved over time. Our lawyers advise that there is little practical risk to PHIN where the SISA is not signed, whereas there is a higher level of risk to a hospital in submitting data in the absence of a signed SISA.

26. Why has PHIN failed to understand the impact between the Order and employment contracts with NHS consultants, and the fundamental impact on reconfiguring PPUs to make them compliant with the Order?

PHIN interprets this as two separate questions, the first relating to the contractual arrangements between NHS Trusts and their consultants and the second to the financial and legal implications arising from NHS Trusts potentially having to reconfigure their PPU arrangements. In answer to the first question, PHIN is not aware of any way in which its approach to the implementation of the Order, as opposed to the Order itself, would impact on any contractual relationships between PPUs and their consultants.
We are implementing part of an Order that was made law in 2014, following four years of investigation and consultation by the CMA (then the Office of Fair Trading and the Competition Commission). In answer to the second question, as highlighted in Question 5 above, the CMA was clear that there would be a direct cost to private hospital operators to comply with the Order. The scale of this will vary between providers, but it will mean that information such as clinical coding and Patient Reported Outcome Measures (PROMS) will need to be collected. PHIN does understand that this may require some reconfiguration of processes at some PPUs in order to fully comply with the Order.

27. Why has PHIN refused to agree that data provided will be restricted to the CMA mandate and not used for commercial purposes outside of the CMA Order?

We do not recognise this attributed refusal. PHIN has no plans to use the data for commercial purposes and there are legal and contractual restrictions on us doing so. These include restrictions in the Order, in the SISA, under the Data Protection Act 1998 and the forthcoming GDPR, as well as through company law, as PHIN is a not-for-profit organisation bound to pursue the Objects stated in its Articles of Association, and on which basis it is accountable to its voting Members. The Order provides at Article 24.3 that the Information Organisation may, with the agreement of its members, grant licensed access, which is in accordance with the Data Protection Act 1998, to its database. We have sought to provide some guidance on how this might be interpreted at page 16 of our Strategic Plan 2015-2020. There is likely to be a real but finite range of legitimate (non-commercial) purposes for which members might wish to approve licensing of some information derived from the data, though it seems highly unlikely that there would be any circumstances in which members might license the sharing, through PHIN, of any underlying data.

28. BUPA has confirmed that they are going to use PHIN data for quality assurance assessment. Is this not for a commercial purpose?

We have considered the circumstances in which some information beyond that available on the website might be shared with insurers at page 17 of our Strategic Plan 2015-2020. This would never include record-level data that could identify an individual. Insurers have no automatic right of access to information from PHIN. However, they do have a legitimate interest in understanding quality of care on behalf of their policyholders and in understanding PHIN's information in this regard, since they are required by Article 25 of the Order to endorse and direct their policyholders to PHIN's website.
It is an explicit intention of the CMA's remedies, not an unintended consequence, that the publication of better information should result in (our synopsis): patients tending to make better-informed and more rational choices; the market responding by competing on the basis of quality and value; commercial benefit accruing to providers that offer better quality; and better value and better evidence of both to patients and the public. To the extent that the use of data for quality assessment is a commercial purpose, it therefore seems to us to be legitimate and intended. PHIN would not support any use of data which might tend to reduce competition, value or quality for patients, or would in any way contravene our contractual obligations, the Order, company law or data protection law.

29. So if PHIN is not publishing activity numbers and not publishing statistically irrelevant measures, does that not create a barrier to entry to the market for places that provide complex procedures to low numbers of patients, who will think that the procedure is not offered by that hospital?

We collectively face many challenges in ensuring that the information published on PHIN's website is comprehensive, accurate, meaningful, and fair. This is arguably easier for more common, simpler procedures and harder for rarer procedures and specialist providers. Nonetheless, all private hospital operators in the UK are legally obliged to submit data, and PHIN will endeavour to publish in accordance with both the letter and the principles of the Order. We will work with all concerned parties to the best of our abilities, within the scope of our role as the information organisation and the law, to ensure that the published information promotes rather than defeats effective competition. The performance measures published by PHIN are currently based on an aggregation of patient records and presented in statistical form (rates, averages, etc.). Where measures are derived from small patient numbers (e.g. a rare disease or procedure), the measure will still be published but may not be given any measure of statistical significance as a result of the small patient cohort size, i.e. it will state that there is a high degree of uncertainty because the volume is small. Therefore, our intent is that no provider should be disadvantaged as a result of the size or complexity of their caseload. If this appears not to work in practice, we will adjust accordingly. That said, the current website represents only a starting position for what all would recognise as a very diverse market. We also recognise both the potential commercial concerns and concerns in relation to small numbers in publishing activity numbers, and are actively seeking feedback on how we can address these concerns and maintain and improve the value and clarity of the performance measures.
When time, resources and data quality permit, PHIN would like to consider introducing a different approach to searches for patients looking for specific, rare or more complex procedures, or for non-procedural admissions.

30. What is the scope of PHIN's ISO 27001 Certification? Originally PHIN said they did not need to comply with the Information Governance Toolkit.

PHIN's ISO 27001 accreditation is to ISO 27001:2013 and the scope of our accreditation is for "The collection of health data from private healthcare providers and authoritative sources, and the analysis, storage and online publication of the data for the purpose of improving health quality and outcomes." PHIN undergoes an external surveillance audit every six months and has to undergo a full re-accreditation every three years. In addition to ISO 27001 Certification, PHIN chose to make an Information Governance Toolkit (IGT) submission, as it is the standard with which NHS bodies and those organisations that provide services to the NHS must comply. PHIN's Data Sharing Framework Contract with NHS Digital requires PHIN to have either an IG Toolkit score, ISO 27001 Certification, or an equivalent other information assurance in place; PHIN has the first two.

31. Now that the consent process has been clarified, should private care providers catch up with data provision, and can they send patient information without consent?

PHIN does not require providers to send personal data retrospectively. Data submitted as pseudonymised records up to 30 June 2017 can remain pseudonymised. For all discharges from 1 July 2017 onwards, private hospital operators should be seeking consent using the approved process and, therefore, supplying records including personal information where consent has been duly obtained. For the avoidance of doubt, providers should continue to submit records minus the NHS Number and the postcode where consent has not been obtained. Consent is not, strictly speaking, required for the data mandated by the Order (including the NHS Number or equivalent) to be disclosed to PHIN. This is because the Order, on its own, provides the legal basis for disclosure. However, consent is still required for the data to be linked by NHS Digital (and other equivalent bodies in Scotland, Wales, and Northern Ireland). Because PHIN only uses the NHS Number for data linkage, PHIN does not collect the NHS Number or the postcode where consent has been withheld. Records of those episodes where consent has been withheld should be marked appropriately using the Consent Flag (Withheld Identity Reason) and submitted without the NHS Number or postcode. PHIN will monitor the consent levels achieved by providers.
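The submission rules in Question 31 (identifiers only where consent is obtained, the withheld-identity flag otherwise, and the 1 July 2017 cut-over) can be enforced by a provider before a file leaves the Trust. The following is an added illustration, not PHIN's code or submission schema; the field names, the flag value and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

# Added example, not PHIN's own code or schema. Field names are assumed;
# "withheld_identity_reason" stands in for the page's "Consent Flag
# (Withheld Identity Reason)". Discharges from 1 July 2017 onwards fall
# under the approved consent process (Q31).
CONSENT_PROCESS_FROM = date(2017, 7, 1)

@dataclass
class Episode:
    discharge_date: date
    consent_obtained: bool
    nhs_number: Optional[str] = None
    postcode: Optional[str] = None
    withheld_identity_reason: Optional[str] = None

def minimise(ep: Episode, reason: str = "CONSENT_WITHHELD") -> Episode:
    """Shape a record for submission: linkage identifiers travel only with consent."""
    if ep.consent_obtained:
        # Consent duly obtained: NHS Number and postcode may be supplied so
        # NHS Digital (or the devolved equivalents) can link the record.
        return replace(ep, withheld_identity_reason=None)
    # No consent: drop the linkage identifiers. Records discharged before the
    # cut-over may simply remain pseudonymised; later ones carry the flag.
    flag = reason if ep.discharge_date >= CONSENT_PROCESS_FROM else None
    return replace(ep, nhs_number=None, postcode=None,
                   withheld_identity_reason=flag)

def validate(ep: Episode) -> List[str]:
    """Pre-submission check; returns the rule violations found (empty = ok)."""
    problems = []
    if not ep.consent_obtained and (ep.nhs_number or ep.postcode):
        problems.append("NHS Number/postcode present without consent")
    if (not ep.consent_obtained and ep.discharge_date >= CONSENT_PROCESS_FROM
            and not ep.withheld_identity_reason):
        problems.append("consent withheld but withheld-identity flag not set")
    if ep.consent_obtained and ep.withheld_identity_reason:
        problems.append("withheld-identity flag set on a consented record")
    return problems

# Constructed sample records (placeholder identifiers, not real patient data).
SAMPLES = [
    Episode(date(2017, 9, 4), True, "0000000000", "AA1 1AA"),   # consented
    Episode(date(2017, 9, 4), False, "0000000000", "AA1 1AA"),  # withheld, post cut-over
    Episode(date(2017, 3, 2), False, "0000000000", "AA1 1AA"),  # pre cut-over, pseudonymise
]
```

Running `validate` on the raw records and again after `minimise` shows which records would have leaked identifiers without consent and confirms the minimised output is clean.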