Key lines of enquiry
This is a series of "notes to self" summarising possible lines of enquiry about:
"GDPR Says No"
1. Investigate the priority use cases for proactive data sharing and the statutory frameworks which support them:
Health and social care, including:
NHS
Private healthcare providers
Local authority social care
Care technology services
Care providers.
Other local authority services including:
Housing, starting with the HACT UK Housing Data Standards.
Public health; environmental health; community safety; trading standards
Planning; building control; LLPG
Emergency planning
2. Investigate the data sharing regime during Covid. How much of it actually needed legislative changes and how much was simply a suspension of cultural assumptions by the professions concerned?
3. Investigate routes through the regulatory framework and approaches to GDPR training for DPOs and frontline staff by engaging with:
Information Commissioner’s Office
Office of the National Data Guardian/UK Caldicott Guardian Council
LGA/ADASS
DHSC/NHS England
Health and Care Information Governance Panel (if it still exists)
Health and social care Strategic Information Governance Network
SAVVI
How does the Digital Economy Act intersect with GDPR 9 (2)(h)?
4. Fire and Rescue Services have a statutory duty under the Fire and Rescue Services Act 2004 to “make arrangements for obtaining information needed for the purpose [of discharging its statutory functions]”, specifically for the purposes of:
(a) extinguishing fires in its area, and (b) protecting life and property in the event of fires in its area (s.7 (2)(d));
(a) rescuing people in the event of road traffic accidents in its area, and (b) protecting people from serious harm, to the extent that it considers it reasonable to do so, in the event of road traffic accidents in its area (s.8 (2)(d));
fulfilling any additional duties placed on them by secondary legislation (s.9 (2)(d)).
Lines of enquiry:
Investigate how FRSs approach this and whether they can easily access the data they need, both about buildings and about people.
How could other public bodies co-operate with Fire and Rescue’s duty to gather information?
Note the ICO's guidance on sharing information in an emergency, including comments on forward planning
5. Other lines of enquiry
Contact Coroners about PFD report trends/findings
Police? - welfare check visits?
Consent or Public Task?
Following through on the issues discussed under "Consent or Public Task?", my questions are:
From a legal, ethical and practical point of view, is it reasonable to share confidential data with professionals under GDPR Art. 9 (2)(h) without reference to the question of consent?
Does GDPR Art. 89 (1) (statistical purposes) allow for service planning?
If so, what steps should be taken to inform, educate and reassure the public about this?
Investigate the above questions by engaging with:
Information Commissioner’s Office
Office of the National Data Guardian/UK Caldicott Guardian Council
[The above two are my top priority contacts]
Think Local Act Personal (TLAP)
LGA/ADASS
DHSC/NHS England
Health and Care Information Governance Panel (if it still exists)
Health and social care Strategic Information Governance Network
Information people want and need to share
1. Investigate consent-based sharing (over and above information shared under other lawful bases) by engaging with:
Champions of the “About Me” data standard and the Accessible Information Standard
2. Consider perceptions and reality of information ownership. For example:
NDG's survey includes the comment (p18): “…we query the use of the term 'own' data. From a legal perspective, an individual cannot 'own' individual data or their records”
TLAP Data for People states (p10): “Data about individuals’ care and support belongs to them – people need choice and control over how their data is collected, used and shared, even when it is shared anonymously, and options to opt out of data sharing if they choose”
3. How is the "About Me" data standard currently being used? Could we run a proof of concept exercise, e.g.:
Establish a role for hospital volunteers to spend time with patients coming up to discharge to capture "About Me" content. This could be particularly effective for non-English speaking patients, and it could focus at first on people being discharged home who are likely to need some degree of intermediate care. There would be immediate evidence of its usefulness to hospital staff as part of the discharge process.
Take the same approach after admission (once the person is settled in and stable) to see how much difference it makes to the person's stay in hospital.
Work with a local authority focusing on the "vital few" to see how "About Me" content can be shared across services to make for a more person-centred approach.
Work with a local authority to gather "About Me" data for those on the waiting list for assessment - could this help to prioritise the waiting list and/or to offer targeted support to carers during the waiting process?
In any of the above cases, see how the narrative content can be translated into structured data and incorporated into the Accessible Information Standard, Experian Support Hub and similar tools.
UPRNs
Investigate the current extent of use of UPRNs in:
NHS (Personal Demographics Service; Organisation Data Service)
Social care (local authorities and providers)
Social housing (including Stock Condition Surveys)
Utilities (re Priority Services Registers)
Care technology services (via TSA and TechUK)
VIPER; SAVVI; JIGSO
DWP
Clarify with ICO the extent to which data can be shared at household/UPRN level without incurring the wrath of GDPR. (Consider GDPR 6 (1)(e), 9 (2)(c), 9 (2)(h) and s.35 DEA.)
What monitoring/enforcement is taking place in respect of central government mandating the UPRN as the national data standard?
Is there a network of LLPG custodians and would there be value in engaging with them?
Questions for GeoPlace:
What quality standards exist for UPRNs?
What proportion of UPRNs/LLPGs meet the quality standard?
What regulatory and/or incentive-based systems are in place to improve data quality?
How consistently are UPRN classifications managed by LLPGs? What do they tell us?
What tools and/or good practice exists to cleanse legacy address datasets? Who is using these tools? What are the costs/resource commitments involved?
What is known about software systems’/applications’ ability to capture and/or share UPRNs? Are there sectors which are more advanced than others? – Council Tax, benefits, planning/building control? Are there tools or methodologies which could be adopted/adapted by other sectors?
A two-pronged approach?
Is there scope for a two-pronged approach?
A baseline information sharing regime at UPRN level:
Based on GDPR 6 (1)(e), 9(2)(c), 9(2)(h) and Digital Economy Act s.35
Not relying on consent to share, but could perhaps include a voluntary opt-out if this helps to build or retain public confidence
Role-based access control
“Digital Firebox” concept? – information curated in a secure environment and only released when needed/appropriate?
Linked to person-specific data (SCR, ShCR etc) for those with a legitimate and lawful need to know
An enhanced, consent-based regime, where an additional level of detail is provided by the person and cascaded to everyone involved
Could be built on the Accessible Information Standard and the About Me standard
Would need a mechanism for people to update, amend or withdraw their data, perhaps built on the new Digital Verification Service (DVS) model to be introduced under the Data (Use and Access) Bill
Would need to encourage service organisations to commit to respecting and responding appropriately to the information provided
The "Digital Firebox"
What kind of system architecture would be needed to make this work in practice?
Could it be set up at a national level, with a visibly trustworthy and independent body (e.g. the Caldicott Guardians' Council?) as its custodian, and with a standard set of DPIAs/DSAs in place?
Could it offer multiple lawful bases for accessing data, including vital interests (GDPR 9 (2)(c)) and health and social care (GDPR 9 (2)(h))?
Could initially be set up for the emergency services - clearly defined users with clear lawful bases for processing
I'll continue to pursue these as and when opportunities arise, but would be interested to know about (and get involved in, if possible/appropriate) any activity around these areas - anything that might contribute to…
- Improved understanding of how and when information can and/or should be shared, including better training materials about GDPR/information sharing
- A more mature and better informed public debate about information sharing and privacy
- …both leading to improved confidence in sharing information when appropriate
- A step-change in people’s ability to share information about themselves – including (but not limited to) reasonable adjustments for protected characteristics – and to expect all services to take them into account
- Clearer functional requirements for a wide range of systems/applications in respect of data standards, interoperability etc
- More consistent use of the UPRN as a core data standard across as many systems and sectors as possible
- Development and/or promotion of other relevant data standards, including for person-focused data
- In the longer term, identification of potential changes to the law and/or statutory guidance.
Please contact me if you'd like to discuss any of this.