NEMS Data Sharing Arrangement: Digital Child Health (DCH)

Term	Description
Agreed Purposes	Shall have the meaning as set out in Annex 1 of this arrangement.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing	Shall have the meanings as set out in the Data Protection Legislation in force at the time.
Data Protection Legislation	Means the retained Regulation (EU) 2016/679 (UK GDPR) and the Data Protection Act 2018 (DPA 2018) as applicable to general processing of personal data (UK GDPR regime)and any national implementing laws, regulations and secondary legislation, for so long as the UK GDPR is effective in the UK, and (ii) any other laws and regulations relating to the processing of personal data and privacy which apply to a party and, if applicable, the guidance and codes of practice issued by the relevant data protection or supervisory authority;
Party, Parties	Means the named party signed up to this arrangement and any Permitted Recipient receiving the Shared Personal Data.
Permitted Recipients	Means those organisations either providing child health services themselves, commissioned by NHS England or a Local Authority in England pursuant to the NHS Act 2006 s.7 (or under any other legal obligation to do so) or those providing child health information services (CHIS) for the purpose of such child health services as detailed in Annex 1 of this arrangement, the Party to this arrangement.
Shared Personal Data	Means Personal Data sent from one Party to a Permitted Recipient for the Agreed Purposes set out in Annex 1 of this arrangement.

 

1. With respect to Personal Data provided by one Party to another Party for which each Party acts as Controller but which is not under the joint control of the Parties, each Party shall comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Controller and shall not cause the other Party to breach their Data Protection Legislation obligations.
2. Any material breach of the Data Protection Legislation by one Party shall, if not remedied within 30 days of written notice from the other Party, give grounds to the other Party to terminate their arrangement with immediate effect.
3. Each Party shall Process the Shared Personal Data only for the Agreed Purposes as set out in Annex 1 of this arrangement.
4. Each Party shall give full information to any Data Subject whose Personal Data may be Processed under this arrangement of the nature such Processing. This includes giving notice that, on the termination of this arrangement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees.
5. Where a Party has provided Shared Personal Data to the other Party, the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other Party may reasonably require.
6. The Parties shall be responsible for their own compliance with Articles 13 and 14 UK GDPR in respect of the Processing of Personal Data for the purposes of this arrangement.
7. The Parties shall only provide Personal Data to each other under this arrangement:
   • to the extent necessary to perform their respective obligations
   • in compliance with the Data Protection Legislation; and
   • for the Agreed Purposes
8. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall, with respect to its Processing of Personal Data as Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the GDPR.
9. A Party Processing Personal Data for the Agreed Purposes shall maintain a record of its Processing activities in accordance with Article 30 GDPR and shall make the record available to the other Party upon reasonable request.
10. Where a Party receives a request by any Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data provided to it by the other Party for the Agreed Purposes (“Request Recipient”):
    1. the other Party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or
    2. where the request or correspondence is directed to the other Party and/or relates to that other Party's Processing of the Personal Data, the Request Recipient will:
       • promptly, on receipt of the request or correspondence, inform the other Party that it has received the same and shall forward such request or correspondence to the other Party; and
       • provide any information and/or assistance as reasonably requested by the other Party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation
11. Each Party shall promptly notify the other Party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other Party for the Agreed Purposes and shall:
    1. do all such things as reasonably necessary to assist the other Party in mitigating the effects of the Personal Data Breach.
    2. implement any measures necessary to restore the security of any compromised Personal Data.
    3. work with the other Party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and
    4. not do anything which may damage the reputation of the other Party or that Party's relationship with the relevant Data Subjects, save as required by Law.
12. Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s respective obligations for the Agreed Purposes.

We accept the terms set out in this arrangement and the Annex.

Identity of Controller for each Category of Personal Data

The Parties acknowledge that they are independent Controllers for the purposes of the Data Protection Legislation.

The recipient Controllers are, providers of the section 7A services, Child Health Information Services (CHIS) and other child health organisations with a legal or statutory obligation.

The publishing Controllers are Public Health England via their processor’s, health screening services, Northgate. Publishers are also the other CHIS and child health organisations and those with a statutory and legal obligation for child health.

Agreed purposes

The processing of the Shared Personal Data is necessary for NHS England (NHSE) and the Local Authorities in England to meet their legal obligations to the Secretary of State pursuant to section 7A services NHS Act 2006.

The agreed purposes are those listed in this Annex. These include the direct care functions set out in a), b) c) described as section 7A services.

Controllers for other secondary uses where there is a legal obligation in order to fulfil the section 7A services requirements as set out in d).

The data may also be used for other purposes where there is a legal obligation, or a statutory duty as described in e).

a) “Section 7A services” Services commissioned by NHS England 2019-20

The Public Health Functions Agreement sets out the statutory arrangements under which the Secretary of State delegates to NHS England (NHSE) responsibility for certain elements of the Secretary of State’s public health functions. The commissioning of these services imparts a legal obligation for the processing of this data on the controllers; this includes both the direct care and secondary purposes. This data will be used to support the provisions required in order to achieving positive health outcomes for the population and reducing inequalities in health as set out in Annex A and B of the Public Health Functions Agreement 2019/20 and are listed as:

Immunisation programmes

Neonatal hepatitis B immunisation programme
Pertussis pregnant women immunisation programme
Neonatal BCG immunisation programme
Immunisation against diphtheria, tetanus, poliomyelitis, pertussis, Hib and hepatitis B
Rotavirus immunisation programme
Meningitis B (Men B) immunisation programme
Meningitis ACWY (Men ACWY) immunisation programme
Hib/ Men C immunisation programme
Pneumococcal immunisation programme
DTaP/IPV and dTaP/IPV (pre-school booster) immunisation programme
Measles, mumps and rubella (MMR) immunisation programme
Human papillomavirus (HPV) immunisation programme
Human papillomavirus (HPV) immunisation programme for men who have sex with men
Td/IPV (teenage booster) immunisation programme
Seasonal influenza immunisation programme
Seasonal influenza immunisation programme for children
Shingles immunisation programme

Population screening programmes

NHS Infectious Diseases in Pregnancy Screening Programme
NHS Fetal Anomaly Screening Programme - Screening for Down’s, Edwards’ and Patau’s Syndromes (Trisomy 21, 18 & 13)
NHS Fetal Anomaly Screening Programme - 18+0 to 20+6 weeks fetal anomaly scan
NHS Sickle Cell and Thalassemia Screening Programme
NHS Newborn Blood Spot Screening Programme
NHS Newborn Hearing Screening Programme
NHS Newborn and Infant Physical Examination Screening Programme
NHS Diabetic Eye Screening Programme
NHS Abdominal Aortic Aneurysm Screening Programme
NHS Breast Screening Programme
NHS Cervical Screening Programme
NHS Bowel Cancer Screening Programme (including the Bowel Scope Screening Programme)

b) “Section 7A services”: Health Visiting and School Nursing Services commissioned by Local Authorities in England

The Health and Social Care Act 2012 sets out a local authority’s statutory responsibility for delivering and commissioning public health services for children and young people aged 5-19 years. Responsibility for children's public health commissioning for 0–5-year-olds, specifically Health Visiting and School Nursing services transferred from NHS England to local authorities in 2015.

The services include:

• 10 health reviews

Anti-natal health promoting visit
New baby review
6–8-week assessment
1 year review
2-2.5-year review
4–5-year health needs assessment 
10–11-year health needs assessment
12–13-year health needs assessment
School leavers – post 16 review
Transition to Adult Services review

• delivering against the 6 high impact areas 
• transiting of family public healthcare from maternity to health visiting services 
• contributing to safeguarding and supporting vulnerable children and families 
• contributing to the troubled families programme (or local equivalent)

PHE provide full-service specifications for Health Visiting and School Nursing services.

c) Child Information Service (‘CHIS’)

Where CHIS system and services currently provide a local call and recall function for routine immunisation continue to perform this function until a suitable, quality assured alternative is in place. Quality assurance to include maintained or improved immunisation coverage measured biannually.

Maintain the safe, efficient and effective delivery of the Child Information Services to support the delivery of the Healthy Child Programme, as set out in the CHIS Provider Service Specification, which includes the delivery of the Digital Personal Child Health Record.

Implement the Professional Record Standard Body (PRSB) Child Health Standard which defines the formats for the capture and display of the child health information and is a foundation for information sharing as described in the operating models for the Healthy Child Programme and supporting IT.

d) Performance Indicators and Key Deliverables:

i) For services commissioned by NHS England

Public Health Functions Agreement 2019/20 requires child health providers to produce management information through the biannual assurance process that includes information on health inequalities.

Performance indicators for services provided pursuant to the agreement in relation to:

• Immunisation programme
• National Screening programme

This Public Health Functions Agreement is subject to amendment for 2020/2021 and subsequent years.

ii) For Health Visiting and School Nursing Services commissioned by Local Authorities in England 

The services must provide performance Indicators on the agreed high impact areas.

Accurate and appropriate data must be made available to the Child Health Information Systems (CHIS) to enable local, regional and national data reporting. This will support the delivery, review and performance management of services.

Must provide the delivery metrics and outcomes indicators for the 0-19 Healthy Child Programme in a way that supports local data collection in the standard national format, including a responsibility to submit monthly data to the community services dataset (CSDS) formerly the children and young people’s data set (CYPHS) from 2017 to NHS Digital.

e) Further purposes

The Shared Personal Data received by Permitted Recipients as controllers may be used to fulfil other statutory duties or legal obligations that the controller is subject to. These include but are not limited to:

• Children Act 1989
• Children Act 2004
• Children and Families Act 2014
• National Health Service Act 1977
• National Health Service Act 2006
• Special Education Needs and Disability Regulations 2014

The Local Authorities (Public) Health Functions and Entry to Premises by Local Healthwatch Representatives) and Local Authority (Public Health, Health and Wellbeing Boards and Health Scrutiny) (Amendment) Regulations 2015.

Updated by:

• The Local Authorities (Public Health Functions and Entry to Premises by Local Healthwatch Representatives) Regulations 2013 and;
• The Local Authorities (Public Health Functions and Entry to Premises by Local Healthwatch Representatives) (Amendment) Regulations 2017

Duration of the processing

The duration of the processing will be until the Controllers withdraw from the arrangement.

Nature of the processing

Event messages will be processed via the National Event Management Service. This service is a message exchange between the publishing Controllers and receiving subscribing Controllers.

The National Event Management Service (NEMS) is a messaging service that facilitates the sharing of nationally defined patient/service user events between approved health and care organisations, services, care-settings, professionals, and patients/service users in near-real time. The publishers and receivers of the events are sharing information as independent data Controllers. NEMS provides the means for the data sharing and only collects the limited data necessary to audit and monitor the processing, to evidence the activity and support the publishing and subscribing Controllers.

Type of personal data

NHS Number, health and social care data, demographic data, education data.

Categories of data subject

Children, health workers and care workers, parents.