Shared Care Record

This request has been withdrawn by the person who made it. There may be an explanation in the correspondence below.

Dear NHS Leicester, Leicestershire and Rutland Integrated Care Board,

I would like to make a request under the FOI Act.

For the purposes of the Act, please take the date of your receipt of this request as Friday 30th December 2022.

I am interested in the governance around your shared care record (ShCR), the LLR Care Record.
https://leicesterleicestershireandrutlan...

• Please could you kindly send me your latest DPIA undertaken for direct care purposes (processing) of the Shared Care Record, with respect to the disclosure of, and access to, personal confidential information from contributing data controllers, such as GP surgeries
• Please could you identify the data processor for your ShCR, if not clear from the DPIA

Your website states:
"An additional benefit is that people’s data, when fully anonymised, will provide intelligence that can be used to inform and plan services that better meet the local population’s needs in the future." Such processing - de-identification/anonymisation, data analysis, planning, commissioning - would be secondary uses of that information.

If the Shared Care Record scheme permits processing of data uploaded to the processor for direct care purposes only (such that "implied permission" is the legal basis under the common law of confidentiality for such processing), then please say so.

Otherwise:

• Please could you kindly send me your latest DPIA undertaken for any secondary uses purposes (processing) of the confidential medical information ostensibly uploaded to the Shared Care Record for direct care purposes - e.g. population health management, commissioning, “data analytics”, risk stratification etc
• If secondary uses processing is undertaken by a sub-processor (i.e. your data processor discloses personal confidential information to a sub-processor for this purpose) then please identify the sub-processor, if not clear from your DPIA
• Please indicate the legal basis (that avoids a breach of confidence and misuse of private information) by which personal confidential information is lawfully disclosed from contributing data controllers to the data processor, and/or the data processor to any sub-processor, and processed (i.e. used) for purposes beyond direct medical care, if not clear from your DPIA. For example, HRA/CAG approval under Reg 5 of COPI 2002 (so-called "s251 approval"), such as recently obtained by Nottingham and Nottinghamshire ICB (22/CAG/0101) for secondary uses of information within their shared care record, as obtained by West Yorkshire ICB (22/CAG/0137) for secondary uses of information uploaded from GP surgeries, and as has been applied for by the Greater Manchester Care Record (22/CAG/0169 and 22/CAG/0170).

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request.

I wish to receive the information by email.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO (“It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with”).

Yours faithfully,

Dr Neil Bhatia