Home

Regional Health and Social Care ISA

Category: RegISA Introduction

The Agreement

Every health and social care organisation in the country is identifying substantial requirements to share and use personal confidential data in order to achieve planned improvements in care delivery and in financial efficiency.

It is also the case that many opportunities to improve care are delayed or lost due to the challenges associated with designing and agreeing information sharing agreements on a project by project basis.

The regional Information Governance Steering Group (IGSG) which is chaired by the Chairman of the Berkshire Local Medical Committee at the time of writing manages the agreement and the membership of the agreement on behalf of the members. The Administrator (Frimley Health NHS Foundation Trust at the time of writing) maintains and publishes the agreement documentation and supporting schedules and registers on behalf of the member organisations and IGSG.

This agreement has been reviewed by Solicitors and by King's Counsel and in their opinions it is both lawful and fit for its purpose. Summaries of their opinions can be found at the Legal Opinion Summaries page.

This agreement builds on the success of the similarly structured prior agreements for the sharing of information for the provision of care and for secondary uses agreements in use since 2013 and replaces the current 2023 version of the agreement. The aims of the agreement are:

  1. To provide a clear framework for the secure sharing of personal confidential data for the delivery of care and for the management of the health and social care system (in particular in respect of data controller organisations' responsibilities in respect of GDPR art.26 (Joint Controllers);
  2. To accelerate the pace with which regional and local sharing requirements can be agreed; and
  3. To reduce the costs of developing and agreeing individual sharing requirements.

Very specifically, this latest iteration of the agreement is designed to better support the development of:

  1. Federated working and networks;
  2. Integrated working and care delivery models;
  3. Real time risk stratification at the point of care for patients with the most complex needs; and
  4. Latest guidance on data controllership resulting from the implementation of GDPR.

Each organisation remains responsible for the control and use of personal confidential data within the organisation as required by the legislation and the Schedule F and Schedule CDE Mapping pages are designed to actively support data controller organisations' responsibilities under GDPR art.30 (Records of Processing).

Structure of the Agreement

The Regional Health and Social Care Information Sharing Agreement is executed as a subscription agreement. This form of agreement allows controlled processing and sharing to begin as soon as two controllers have signed their sharing documentation. Unlike the traditional multi-party agreement models, processing and sharing does not need to wait until all parties have executed the agreement.

Organisations become members of the agreement by signing up to the master agreement that sets out the scope and terms of membership for the agreement as well as the roles of IGSG, Lead Controllers and the Administrator. The Administrator accepts the new member’s signed master agreement on behalf of the members as a whole.

A list of the various classes of organisation is presented in the Classes of Organisation page.

Implementation

Implementation of the agreement is as follows:

  1. Every member of the framework needs to sign the master agreement;
  2. The agreement is currently and will in future be presented through an electronic signature process as a single document;
  3. Data controller organisations that contribute data to the shared pool as a data flow or information asset are presented with one or more additional documents describing each specific processing and sharing arrangement the controller is expected to contribute to;
  4. Where the master agreement and one or more individual processing and sharing arrangement(s) are executed contemporaneously all documents are presented through an electronic signature process as a single document … with signatures required for each item requiring approval; and
  5. Where subsequent individual processing and sharing arrangements are executed non-simultaneously the documents are presented individually through an electronic signature process for approval.

 

Some supporting documents are presented below.

Current Master Agreement for the period 1st April 2022 to 30th April 2028

Note, both versions of the agreement documents are active during the transition. No material changes other than the effective dates have been made between the documents.

Below you will also find details of the Regional ISA membership.

 

See also:

Records of Processing - All processing and sharing arrangements

Records of Processing - All processing and sharing arrangements

Category: Processing and Sharing Specifications

Records of Processing

The links below refer to pages that present a variety of views on the processing and sharing specifications in place for the Regional Health and Social Care Information Sharing Agreement.

 

The schedules are:

  1. Schedule C to the Regional ISA - Schedule C - Joint processing and sharing arrangements presents a list of the Schedule K documents that define the joint processing and sharing arrangements in place (or planned to be in place) under the Regional ISA. 
  2. Schedule D to the Regional ISA - Although the details are included as part of Schedule C, for ease of access, Schedule D - Other (including Secondary) Uses processing and sharing has been prepared to present the arrangements where there is a non-direct care element to the processing.
  3. Schedule P to the Regional ISA - Schedule P - Data Protection Impact Assessments presents a list of the DPIAs underpinning and supporting the arrangements described in the main Schedule K documents.

 

There are also 4 Records of Processing schedules that show the mapping of Schedules C and D against the core Schedule E - Membership Register.  These are:

  1. Mapping of ACTIVE Schedule K arrangements by Organisation (including Information Asset details) ... Active Schedules C, D and E and Information Assets by Organisation.
  2. Mapping of ALL Schedule K arrangements by Organisation (active and planned) ... Mapping of Schedules C, D and E by Organisation.
  3. Mapping of ALL Schedule K arrangements by Organisation (including Information Asset details) ... Mapping of Schedules C, D and E and Information Assets by Organisation.
  4. Mapping by Schedule K joint processing and sharing agreement specification of ALL Organisations taking part in the arrangement (active and planned) ... Mapping of Schedules C, D and E by Agreement.

 

 

Schedule P - Data Protection Impact Assessments have moved

Category: Data Protection Impact Assessments

 

Schedule P - Data Protection Impact Assessments

 

The DPIA page has moved https://www.regisa.uk/documents/schedp.html

 

End of Schedule P

Master Agreement

Category: Master Agreement Documents

We have compiled an example Master Agreement and its associated annexes and schedules into the document attached below.

The Master Agreement comprises the core membership agreement document that defines the

  1. Scope of the agreement
  2. Agreement principles and policies
  3. Terms and conditions 
  4. Operational commitments made between members
  5. Administration arrangements 

The core agreement terms need to be signed and accepted by members.

The Master Agreement also includes three annexes

  1. Information Governance Steering Group terms of reference
  2. Joint control arrangements – Lead Controller terms of reference
  3. Notification and reporting arrangements applying to all members of the agreement

The Master Agreement also includes:

Schedule A – Risk Sharing and Indemnity Arrangements (where a signature is also required)

Schedule B – Qualifying Standard (where a signed statement confirming the prospective members compliance with the Qualifying Standard is required)

This agreement has been reviewed by Solicitors and by King's Counsel and in their opinions it is both lawful and fit for its purpose. Summaries of their opinions can be found at the Legal Opinion Summaries page.

A list of the various classes of organisation is presented in the Classes of Organisation page.

Some supporting documents are presented below.

Current Master Agreement for the period 1st April 2022 to 30th April 2028

Note, both versions of the agreement documents are active during the transition. No material changes other than the effective dates have been made between the documents.

Below you will also find details of the Regional ISA membership.

 See also:

Records of Processing - All processing and sharing arrangements

 

Legal Opinion Summaries

Category: Uncategorised

While its member organisations extend beyond the following local health and social care economies, the Regional Health and Social Care Information Sharing Agreement primarily serves:

  1. Buckinghamshire Oxfordshire and Berkshire West ICS;
  2. Frimley ICS; and
  3. Surrey Heartlands ICS (where the Surrey Heartlands ISA is a derivative of the Regional ISA at the time of writing).

Together these ICSs serve over 3.5m residents across 19 local authorities and around 450 health and social care providers (including approximately 350 practices) - all of which are participants in the various local shared care records.

The local shared care records

There are three main types of shared care record in place within the three ICSs.  These are:

  1. Arrangements based on specialised clinical systems such as:
    - Diagnostic imaging
    - Pathology;
  2. Electronic Patient Record (EPR) systems such as:
    - General Practice systems that that been configured for use by multiple partners
    - Trust’s internal systems that have also been configured for use by multiple partners; and
  3. The traditional shared care record systems themselves that pool data from multiple sources into a single broadly accessible repository for both direct care and analytics purposes.

To confirm their lawfulness, the data sharing and processing arrangements represented by the shared care records have been subjected to extensive scrutiny by local subject matter experts.  The arrangements (with a particular emphasis on Graphnet-based solutions) have also been subjected to scrutiny by solicitors and by Kings Counsel and in general both have confirmed that the arrangements are suitably lawful and robust.

Connected Care and TVS

Connected Care began as the name for the Graphnet supplied shared care record solution that is now in use to support patients and residents across Berkshire, Buckinghamshire, Farnham, North East Hampshire and Surrey Heath. As the pivotal processing arrangements are the same for both Connected Care and the Thames Valley and Surrey Care Record (TVS), the statements that follow also apply to the TVS processing.

Connected Care now comprises the shared care record as well as an analytics solution that is known locally as Connected Care System Insights. While System Insights offered considerable value before the COVID pandemic hit us, it has been an incredibly important tool in helping us to address the pandemic pressures as well as our subsequent work on system recovery. Furthermore, as we move beyond dealing with the pandemic, System Insights is pivotal to our ability to bring insightful, evidence based and innovative solutions to our work establishing an Integrated Care System.

The opinion summaries

In 2019, Solicitors and King’s Counsel carried out a review of our local arrangements (including our legal bases for the processing) and observed that arrangements are fit for purpose and that communications and engagement are robust and wide-ranging. (A copy of this opinion summary can be found here https://regisa.uk/documents/2019QCopinion.pdf).

Solicitors confirm that this opinion continues to apply (https://regisa.uk/documents/2023DACBopinion.pdf) which means that our current legal bases for processing remain consistent and compatible with data protection legislation and common law.

Solicitors also confirm the lawfulness of our approach to the provisioning of and access control for: anonymous data (for planning and system management); pseudonymous data (for managing cohorts); and identifiable data (for direct care) https://regisa.uk/documents/2023DACBdatamartOpinionFinal.pdf.

In late 2022, we again approached Counsel and instructed him to review and advise on the lawfulness of our approaches to four specific topic areas where analytics are performed for direct care as well as other (secondary) uses. These are:

  1. Our approach to pseudonymisation and anonymisation;
  2. Our approach to the processing of data for risk stratification;
  3. Our approach to the processing of Secondary Uses Service (SUS) data; and
  4. Our application of the National Data Opt-out.

Counsel supports our position on these topics and brief summaries of Counsel’s advice in respect of the above can be found at https://regisa.uk/documents/2023KCopinion1.pdf and https://regisa.uk/documents/2023KCopinion2.pdf

Copyright 2018-2025 SPL (publishing as the Regional Health and Social Care Information Sharing Agreement). 

Privacy: 1. Personal identifiable data is not processed by this site; and 2. This site is not configured to use cookies.

See also: the Information Commissioner and the Data Security and Protection Toolkit