What programmes need before they onboard with Cohorting as a Service (CaaS)

The CaaS onboarding process is designed to help eligible healthcare programmes use the service.

To be eligible for CaaS, the programme must: 

• be part of NHS England
• support direct care

Requestor

A requestor is the individual or team responsible for initiating a cohort request. They will be the primary point of contact for all interactions and communications. 

A requestor will need to complete a new business requirement form. This form is used to capture business and technical requirements. The onboarding team can provide support with this. 

Commissioner

A commissioner refers to the relevant healthcare programme that is overseeing the campaign that requires a cohort. 

CaaS would need to know: 

• the name of the healthcare programme
• information about the programme lead or main contact
• any other details about the commissioner's involvement in the cohorting request

 Identifying the requestor and the commissioner helps ensure effective communication and coordination throughout the cohorting process.

CaaS uses a cost model where the requesting programme pays for building and running the cohort.

Costs vary based on the complexity of the request. Any bespoke features may incur additional charges.

After an initial feasibility assessment, CaaS will provide an estimated cost.

It's important to make sure the necessary funds are secured before beginning the cohort build phase, as this is a requirement of the service.

Data Protection Impact Assessment (DPIA) 

A DPIA is a document and governance process that helps a programme identify, analyse, and mitigate the data protection risks of specific projects, plans or activities.

It helps assess and show compliance with a programmes’ data protection obligations. This is a legal requirement when sharing the health and care data of citizens.

The DPIA process involves: 

• thoroughly documenting the nature, scope, context, and purpose of the data being processed
• evaluating the likelihood and severity of potential privacy risks, and implementing appropriate control
• incorporating the findings and recommendations early in the project lifecycle

The requesting program must inform CaaS of their assigned IG lead and clinical safety officer. Both roles are essential, as they will be responsible for the governance and compliance aspects of the cohorting request.

Before submitting a cohorting request, requesting programmes must make sure they have a valid legal basis under UK General Data Protection Regulation (GDPR) rules.  

The primary lawful basis that can be relied upon is Article 6(1)(e) - the "public task" lawful basis. 

This allows for the processing of personal data, including cohorting of citizens, when it is necessary for:

• performing a task carried out in the public interest
• exercising official authority vested in the controller
• qualifying as a public health task for infection control 

For cohorting requests made through CaaS, programmes can reference Article 6(1)(e) by showing that: 

• cohorting citizens with the same infection is a core public health function
• it is necessary for statutory NHS duties around infection prevention and control
• these public tasks have a basis in NHS policies, guidance, and regulations

Complete the online enquiry form to schedule an early engagement call.

The information provided on the form will help the team understand your requirements and provide support throughout the onboarding process.