
Part of Objective E – Using and sharing information appropriately

Principle E3: Using and sharing information

The organisation uses and shares information appropriately.


E3.a Using and sharing information for direct care

Description

You lawfully and appropriately use and share information for direct care.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Relevant staff members do not understand what direct care is, the activities it covers and when they should use and share information to facilitate it.

NA#2. Information is not always used or shared when it is needed for direct care.

NA#3. Information being used or shared for direct care is either inadequate or excessive.

NA#4. You are unsure whether individuals would reasonably expect their information to be used or shared in all instances where your organisation does so.

NA#5. There are no arrangements in place for routine information sharing for direct care.

NA#6. There is no process to share data for non-routine ad hoc direct care purposes, or it is not always followed.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Relevant staff understand what direct care is, the activities it covers, and when they should use or share information to facilitate it.

A#2. Information is used or shared for direct care when it is needed.

A#3. Information which is used or shared for direct care is relevant and proportionate.

A#4. When information is used or shared for direct care, individuals’ reasonable expectations and right to respect for a private life are considered.

A#5. Your organisation has a process in place to enable appropriate non-routine ad hoc data sharing for direct care purposes.

A#6. There are appropriate arrangements in place for information sharing for direct care.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

Assessing applicability – if an organisation has determined that outcome E3.a is not relevant because they do not use or share information for ‘direct care’, obtain evidence of the process the organisation has undergone to arrive at this determination. If you are satisfied that none of the organisation’s uses of information are for ‘direct care’, they can declare ‘Achieved’ for this outcome and it is not necessary to further audit the steps outlined below.

1. Policies and procedures - obtain and inspect documents provided by the organisation showing how they manage information sharing for direct care and assess whether they cover:

  1. Direct care information sharing the organisation routinely engages in as part of providing its essential services, including the categories of organisations and individuals with whom information is shared. (A#2, A#6)
  2. Health and care staff and support staff knowing that they should ask for advice from the Caldicott Guardian or IG team when dealing with difficult direct care information sharing requests. (A#2, A#6)
  3. How the organisation ensures information sharing is relevant and proportionate. (A#3)
  4. How the organisation ensures individuals’ reasonable expectations and right to respect for a private life are considered in sharing decisions where relevant. (A#4)
  5. A process to enable appropriate non-routine ad hoc data sharing for direct care. (A#5)

2. Staff awareness - obtain evidence of how the organisation:

  1. Identifies relevant staff roles who need to have an understanding of processes for direct care information sharing. (A#1)
  2. Makes relevant staff aware of scenarios where they should share information for direct care. (A#1, A#2)
  3. Makes relevant staff aware of scenarios where they should escalate direct care information sharing decisions to IG team or equivalent. (A#1, A#2)
  4. Makes relevant staff aware of their obligation to only share information which is proportionate and relevant. (A#3)

3. Data sharing arrangements - verify that:

  1. The organisation has agreed internal thresholds for direct care information sharing, which, when met, trigger a review of whether an arrangement such as a data sharing agreement, a sharing framework, a Data Protection Impact Assessment (DPIA), etc. is needed or would be beneficial. (A#6)
  2. The organisation has procedures for ensuring that sharing arrangements for direct care appropriately cover the nature of the information being shared, ensuring sharing is appropriate and proportionate, and clarifying roles and responsibilities in the sharing. (A#3, A#6)

Suggested documentation

Suggested documentation includes: 

  • evidence of policies and procedures for direct care information sharing
  • training needs analysis and materials used for staff awareness
  • documents related to data sharing arrangements for direct care

E3.b Using and sharing information for other purposes

Description

You lawfully and appropriately use and share information for purposes outside of direct care.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Relevant staff members are not aware of the circumstances under which information might be used or shared outside of direct care.

NA#2. Your organisation’s practices for using and sharing information for purposes outside of direct care do not satisfy legal requirements, including the common law duty of confidentiality, UK GDPR or individuals’ right to respect for a private life.

NA#3. Individuals are not appropriately informed when their information is used or shared for purposes outside of direct care.

NA#4. There are no arrangements in place for routine information sharing outside of direct care.

NA#5. You don’t maintain an up-to-date disclosure log detailing requests for individuals’ information for purposes outside of direct care and sharing decisions your organisation has made.

NA#6. There is no record of the lawful basis for disclosures that you have made.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Relevant staff members understand which of your organisation’s activities for using and sharing information fall outside of direct care.

A#2. Your organisation’s practices for using and sharing information for purposes outside of direct care satisfy legal requirements including the common law duty of confidentiality, UK GDPR and individuals’ right to respect for a private life.

A#3. Your organisation clearly communicates to individuals where their information may be used or shared for purposes outside of direct care.

A#4. You maintain a disclosure log which details requests for individuals’ information for purposes outside of direct care and sharing decisions your organisation has made, including the lawful basis for the sharing where appropriate.

A#5. There are appropriate arrangements in place for information sharing outside of direct care.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Policies and procedures - obtain and inspect documents provided by the organisation showing how they manage information sharing for purposes outside of direct care and assess whether they cover:

  1. Scenarios where information sharing for purposes outside of direct care can be handled by non-IG staff roles. (A#2)
  2. Scenarios where information sharing for purposes outside of direct care requires escalation to IG team or equivalent. (A#2)
  3. How considerations around the common law duty of confidentiality, UK GDPR and individuals’ right to respect for a private life are factored into decision-making before information is shared. (A#2)

2. Staff awareness - obtain evidence of how the organisation:

  1. Identifies relevant staff roles who need to have an understanding of processes for non-direct care information sharing. (A#1)
  2. Makes relevant staff aware of scenarios where they should share information for non-direct care purposes, ensuring information is relevant and proportionate. (A#1)
  3. Makes relevant staff aware of scenarios where they should escalate non-direct care information sharing decisions to IG team or equivalent. (A#1)
  4. Makes relevant staff aware of scenarios where they may need to communicate non-direct care information sharing decisions to patients and service users. (A#3)

3. Communicating to individuals - obtain and inspect the organisation’s privacy information or equivalent, assessing whether it appropriately covers situations where information may be used or shared for purposes outside of direct care. (A#3)

4. Disclosure log - obtain and inspect the disclosure log if relevant, and assess whether it lists the requests for individuals’ information for purposes outside of direct care. This document should also include the result of the decision, the accountable owner for the decision, lawful basis for making this decision and the length of time for which the sharing agreement may last. (A#4)

Suggested documentation

Suggested documentation includes: 

  • evidence of policies and procedures for non-direct care information sharing
  • training needs analysis and materials used for staff awareness
  • privacy information or equivalent
  • documents related to data sharing arrangements for other purposes outside of direct care
  • disclosure log

Last edited: 5 March 2025 9:23 am