The 2012 Act [1] allows certain health and social care organisations to make a Request to NHS England to collect and/or analyse information (Request). The Request is made under section 255 of the 2012 Act, the requirements of which are explained below. Before a formal Request can be made, the requesting organisation must consult with us. To support this consultation, the requestor must provide details about their proposed Request.
Acceptance of a Request does not result in an automatic right to the information by the requestor; access to information is managed via an application to our Data Access Request Service and will require the requesting organisation to enter into a Data Sharing Agreement.
If a Request is refused, we will explain why in writing. You will have the opportunity within 3 calendar months to ask for an internal review of this decision by a director who was not involved in the original decision. As part of this review, you will be able to make representations as to why you consider we should comply with your Request.
1. NHS England must have regard to4
- any information standards published, or guidance issued to us by the Secretary of State for Health and Social Care.
- the need to respect and promote the privacy of recipients of health services and of adult social care in England.
- the need to promote the effective and efficient planning, development and provision of health services and of adult social care in England.
- the need to promote the effective, efficient and economic use of resources in the provision of health services and of adult social care in England.
2. We must consider whether compliance with the Request would impose burden on those we collect information from and how we could seek to minimise that burden5
3. In relation to a Non-mandatory Request, we must consider whether compliance with the Request would interfere to an unreasonable extent with our ability to exercise our functions6.
4. In relation to a Non-mandatory Request,, we may take into account whether the requestor handles information in line with the Code of Practice on Confidential Information (or a replacement Code) and guidance we have provided on Confidentiality in Health and Social Care7.
5. We may consider whether the requestor has followed any advice and guidance the Information Commissioner’s Office, or the National Data Guardian have given regarding transparency requirements, to consider whether people are being appropriately informed about the use of their personal data in accordance with UK GDPR and the Caldicott Principles.
6. We may notify the Secretary of State for Health and Social Care about a Non-mandatory Request proposal, as they may choose to direct us about the exercise of our functions8.