Skip to main content

Making a request to collect and/or analyse information under section 255 of the Health and Social Care Act 2012

Details of our procedures for the making of and the consideration and re-consideration by us of requests to collect and/or analyse information under section 255 of the Health and Social Care Act 2012.

Summary

The 2012 Act [1] allows certain health and social care organisations to make a Request to NHS England to collect and/or analyse information (Request). The Request is made under section 255 of the 2012 Act, the requirements of which are explained below. Before a formal Request can be made, the requesting organisation must consult with us. To support this consultation, the requestor must provide details about their proposed Request.

Acceptance of a Request does not result in an automatic right to the information by the requestor; access to information is managed via an application to our Data Access Request Service and will require the requesting organisation to enter into a Data Sharing Agreement.

If a Request is refused, we will explain why in writing. You will have the opportunity within 3 calendar months to ask for an internal review of this decision by a director who was not involved in the original decision. As part of this review, you will be able to make representations as to why you consider we should comply with your Request.

1. NHS England must have regard to4

  • any information standards published, or guidance issued to us by the Secretary of State for Health and Social Care.
  • the need to respect and promote the privacy of recipients of health services and of adult social care in England.
  • the need to promote the effective and efficient planning, development and provision of health services and of adult social care in England.
  • the need to promote the effective, efficient and economic use of resources in the provision of health services and of adult social care in England.

2. We must consider whether compliance with the Request would impose burden on those we collect information from and how we could seek to minimise that burden5

3. In relation to a Non-mandatory Request, we must consider whether compliance with the Request would interfere to an unreasonable extent with our ability to exercise our functions6.

4. In relation to a Non-mandatory Request,, we may take into account whether the requestor handles information in line with the Code of Practice on Confidential Information (or a replacement Code) and guidance we have provided on Confidentiality in Health and Social Care7.

5. We may consider whether the requestor has followed any advice and guidance the Information Commissioner’s Office, or the National Data Guardian have given regarding transparency requirements, to consider whether people are being appropriately informed about the use of their personal data in accordance with UK GDPR and the Caldicott Principles.

6. We may notify the Secretary of State for Health and Social Care about a Non-mandatory Request proposal, as they may choose to direct us about the exercise of our functions8.

Consultation

Before we can collect information to fulfil a Request, we are required to consult with all of:

  • the requestor
  • representatives of those who are likely to use the information collected
  • representatives of those from whom the information will be collected
  • any other person we believe it is appropriate to consult12

Our powers to collect information needed for a Request

Where providing NHS England with information is legally required

We can instruct certain bodies to provide information to us where it is necessary or expedient for us to do so to satisfy a:

  1. Mandatory Request, or
  2. Non-mandatory Request that is not a Confidential Collection Request, or
  3. Non-mandatory Confidential Collection Request if the requestor can legally require that body to disclose the information to the requestor or to us.13

The following bodies must comply with the instruction:

  • public bodies that have health or adult social care functions in England, or
  • non-public bodies that provide health or adult social care services in England under a contract with a public body that has health or adult social care functions14

Starting the request process

To start the Request process please complete the Section 255 request proposal form

The proposal form has a number of sections for you to complete, with questions requiring in-depth responses. We suggest that before you start to complete the form, you take time to gather the evidence you need to demonstrate the value and legal basis of your proposal. In particular, be prepared to answer questions which explore:

 

  • what information you want and where it could come from
  • what sort of information you want (for example personal, confidential etc)
  • your organisation’s legal powers
  • requirements for analysis and linkage
  • how you will receive and use the data once available
  • consultation with other organisations

Assessing your proposal

The information that you provide on the Request proposal form will be reviewed by the relevant NHS England business area and by our Information Governance specialists and Legal Team.

If the information is already collected we will advise you of this and how to access the information via our Data Access Request Service.

We will review the legal bases you have recorded as part of your Request to ensure that we can legally collect the required information.

We will assess the benefit to health or adult social care services of carrying out the work, including whether the information collected could support similar Requests.

We will assess how complicated the Request would be to fulfil, including which organisations the information is to be collected from, and the work to be carried out.

We will assess whether collecting the information will have a negative impact on other work we are required to carry out, and whether we have sufficient staffing and other resources to meet your Request.

Where appropriate, we will review whether you have complied with the Code of Practice on Confidential Information and any other relevant advice given by us.

Following the review, and if your proposal is valid we will notify our colleagues in the Department of Health and Social Care and in NHS England of your proposal as the 2012 Act gives them the power to instruct us not carry out the work. if they decide not to exercise this power, you will be informed whether we will provide initial support for your proposal.

If this is a new collection of data and it also relates to collections in England, this may need a burden assessment by the Data Alliance Partnership Board, which has a remit to reduce burden on collections.


Where we decide to support your Request proposal

Fees and provision of services agreement

You will need to meet our costs of complying with the Request and therefore will need to pay a fee. We will agree with you what the fee will be before we start any work. We will also agree a Provision of Services Agreement and Work Package for the work.

Consultation requirements

Before we can collect information to fulfil a Request, we are required to consult with:18

  • you - which we will do throughout the Request process
  • representatives of those who are likely to use the information collected - during our assessment of your Request, we will consider with you whether the information to be collected might be of use to other organisations involved with health or adult social care services, and if so, we will consult representatives of those organisations
  • representatives of those from whom the information will be collected - when we collect information for a Request issued to NHS England under section 255 of the 2012 Act, we issue a Data Provision Notice (DPN) to those from whom the information will be collected using our powers under Section 259 of the 2012 Act. As part of the DPN process we notify and consult with representatives of those organisations
  • any other person we believe it is appropriate to consult - this is assessed on a case by case basis as it will depend on the type of information you are requesting us to collect. It might include patient representative groups or professional bodies

Formalising the Request

With our support, you will draft a Request letter that meets the requirements of Section 255 of the 2012 Act. You will also receive our support in order to draft a Specification document to set out in greater detail matters such as:

  • the source of the information to be collected
  • the type of information to be collected and data items
  • the analysis to be carried out
  • where relevant, any linkage to information we already hold
  • any proposed dissemination or sharing of the information collected
  • how and when results of the analysis are to be published

Where we decide not to support your Request proposal

During the assessment of your Request proposal we might be unable to proceed to a formal Request, for example:

  • if the Secretary of State has instructed us not to comply with the Request, 
  • if we consider that compliance with the Request would interfere to an unreasonable extent with our functions, or
  • where we do not consider that you have complied with the Code of Practice on Confidential Information, or any other relevant advice given by us, or
  • where we do not consider that you have complied with UK GDPR or the Caldicott Principles, or
  • where the collection would result in an inappropriate burden on others, in particular those from whom the data would be collected

Reconsidering your Request – Review

Your Request for reconsideration will be reviewed by a Director who was not involved in the original decision (Review). The Director undertaking the Review will write to you to acknowledge your Request for reconsideration, will outline the timescales for carrying out the Review and ask for any additional information required to support the review.

We would expect to complete the Director Review within 20-40 Working Days, depending on the complexity of the original Request, the additional information we need from you, how quickly that is provided, and the reasons for the original refusal of the Request. If we are not able to complete the Review within 40 Working Days, the reviewing Director will write to you to provide an estimate for when they would expect to complete the Review.

The Review will include speaking to you so that you can make representations to us, seeking advice from the Information Governance, Caldicott Guardian and Legal Teams where appropriate, as well as discussing the reasons for refusal with the relevant Executive Director for the business area concerned.

The reviewing Director will write to you with the outcome either:

  • Recommending that we could proceed with your Request, in which case the letter may identify changes that may be required to the Request, or actions you may be required to take, in order that we would be prepared to recommend acceptance of the Request to our Director of Transformation, Medical Director or CEO; or
  • Recommending that our original decision to refuse the Request is upheld, in which case the letter will explain why, including with reference to the matters we are required to take into account under section 255(8) of the 2012 Act, and any steps that you could take in order to make a new Request

If you are unhappy with the outcome of the Review, you can make a complaint in accordance with our complaints procedure.

Footnotes

1. Health and Social Care Act 2012 c.7

2. Section 255(4)(b)

3. Section 255(2)

4. Section 253(1)

5. Section 253(2)(a)

6. Section 255(8)(a)

7. Section 255(8)(b)

8. Section 13ZC of the NHS Act 2006

9. Section 256(1)

10. Section 256(2)(a)

11. Section 256(2)(b) and (c)

12. Section 258(1)

13. Section 259(2(a) and Section 256(2)(a) and (b)

14. Section 259(2)

Last edited: 7 September 2023 3:48 pm