The Department of Health has issued guidance for organisations working in shared records environments saying they are data controllers “in common.”

It recommends that each shared record community create an information governance steering group to establish “effective (information governance) arrangements for the shared record.”

This group should be chaired by a Caldicott Guardian and make sure that each organisation complies with minimum IG standards, as weak or ineffective IG controls in one organisation “present a risk to the whole shared record community.”

The Information Governance Toolkit website says that in some areas, for example those using TPP systems, a shared record environment has been created where data is held but where there is no single data controller.

In these areas, each NHS organisation contributes some or all of its records to the shared environment, but does not relinquish any control over its contributions.

“By recording patient information to the shared environment information an organisation is, in effect, disclosing information to other organisations operating within the shared environment,” the guidance says.

“Provided they are involved in a patient’s care, these other organisations may view and copy this data and use it for their own purposes.

“There is no single data controller responsible for the shared environment – participating organisations are therefore data controllers in common for the information within the shared environment.”

The guidance says organisations need to ensure that all data protection requirements are being satisfied.

It proposes that local health communities establish an information governance steering group and create framework agreements describing the governance arrangements for the shared record environment.

These groups should include representatives from each of the organisations party to the shared record, and should be chaired by a Caldicott Guardian.

The ITK checklist includes questions about whether patients are fully informed about the shared record environment and understand the circumstances in which staff working in another organisation might access their medical record.

It adds that organisations need to have written contracts with their system suppliers to say that they may not extend access to the shared record to new organisations without prior approval.