Annex A - Transfer Regulations and Statutory Guidance
Information that underpins the transfer of statutory powers from NHS Digital to NHS England.
Transfer Regulations and Statutory Guidance
Regulations made by the Secretary of State under the Health and Care Act 2022 will transfer NHS Digital’s statutory functions to NHS England and abolish NHS Digital. This means that from the merger date NHS England will be responsible for discharging these functions. Under a separate Transfer Scheme, all of NHS Digital’s assets, liabilities, contracts and staff will transfer to NHS England.
The Transfer Regulations contain specific provisions which impose additional requirements on NHS England in relation to how they will be required to discharge the new, transferred data functions:
- A requirement to have regard to Statutory Guidance which the Secretary of State issues about the exercise by NHS England of the transferred data functions, and
- A requirement to publish information in its annual report about how effectively it has discharged the transferred data functions
Statutory Guidance
The Statutory Guidance will provide guidance to NHS England on measures the organisation should take to protect confidential information when exercising the transferred data functions, so as to ensure NHS England acts as a safe and effective guardian of people's data collected from NHS and adult social care services. This includes:
- Ensuring that its governance supports the provision of a safe haven for data, reflecting the accountability of NHS England’s Board for the exercise of the transferred data functions
- Ensuring responsibilities and accountabilities for functions that are managing and using data, for example for analysis and planning, are organisationally separate from the functions providing assurance and advice, such as Information Governance and Caldicott Guardian functions
- Having processes and procedures in place for obtaining independent advice. This includes establishing a specific data advisory group to include independent advisers who can, individually and collectively, provide expert advice and assurance on both internal and external access to data for planning, commissioning and research purposes
- Putting in place arrangements for engaging with key stakeholders in relation to the exercise of its transferred data functions
- Internal processes to facilitate regular review and discussion with devolved governments in relation to information systems established for devolved governments, their bodies or agencies
- Ensuring various technical measures and controls continue to be in place to protect data and arrangements continue to be in place to ensure data processing arrangements comply with UK GDPR
- Operating with the same degree of transparency as NHS Digital did in relation to the collection, analysis, publication and use of data and ensuring the same degree of objectivity and transparency over the publication of data, including data on the performance of NHS services, in line with its transferred data functions and the Code of Practice for Statistics
- Providing information in its annual report (for the first full year it exercises those functions and in subsequent years) about the steps taken by NHS England to follow the Statutory Guidance and to protect confidential information generally
Directions to establish Information Systems
All existing directions to NHS Digital will become functions of NHS England to discharge as if they were directions made by the Secretary of State to NHS England. This includes directions previously made by NHS England. NHS England will have no power to direct itself to set up data collections using the transferred data functions. All future directions to NHS England to collect data using these functions will only be made by the Secretary of State.
Where directed by the Secretary of State, NHS England will be able to require information from health and adult social care bodies (and those providing services for them), and request data from any other organisation where this is necessary for it to comply with a direction. NHS England will continue to minimise the burden of their requests for data on providers.
Publication of Information
NHS England will be required to publish data it has collected and analysed under the transferred data functions unless it is exempt from doing so, including where it is prevented from doing so by law (for example if the data made patients or users identifiable). Completely anonymous statistical data will continue to be published online for open access, including official statistics and management information and a range of statistical publications, in line with the Code of Practice for Statistics.
Data Sharing
NHS England will only be able to share data where it has a legal power to do so and will not be able to provide access to or share confidential patient data unless the recipient has a legal basis under the common law duty of confidentiality to receive and process it. This means that NHS England may only share identifiable patient data:
- For the direct care of the patient (with consent implied) OR
- Where a patient has expressly consented OR
- Where there is a statutory gateway or legal requirement OR
- Where there is an overriding public interest justification
NHS England will have processes for organisations to make requests for access to data for planning and research purposes. These will be subject to rigorous information governance requirements, to ensure the requesting organisation is accessing and using the data for appropriate purposes, sharing complies with UK GDPR and that data is protected and kept secure.
Where a request involves access to confidential information, the requester may need to have express patient consent or support from the Confidential Advisory Group (an independent body which provides expert advice on the use of confidential patient information) for approval under Regulation 5 of the Health Service (Control of Patient Information) Regulations (for example when it is impractical to obtain consent and another legal basis to meet the common law duty of confidence isn't in place). The principle of patient choice to opt-out will be applied in line with national policy where confidential data is requested.
A Data Sharing Agreement (DSA) will be required where an external organisation is accessing record-level data which NHS England has collected under the transferred data functions, setting out the requirements for security, use, and destruction.
This means that data will be collected appropriately, stored safely and securely, and only accessed and shared for appropriate, beneficial purposes, respecting the privacy of individuals.
Compliance with Data Protection Legislation
NHS England will continue to ensure all its procedures and activities are fully compliant with the existing UK laws relating to the protection of people’s data, including the UK General Data Protection Regulation, the Data Protection Act 2018, and the Common Law Duty of Confidentiality. This also includes complying with the Caldicott Principles when collecting, using and sharing confidential patient data. More information on Data Protection Legislation can be found on the Information Commissioner’s website.
Last edited: 31 January 2023 12:59 pm