Information standards for health and adult social care in England
Updated 22 November 2024
Applies to England
Introduction
Information standards in relation to the health and adult social care sector are standards relating to the processing of information, prepared and published under section 250 of the Health and Social Care Act (HSCA) 2012 as amended by the Health and Care Act (HCA) 2022, and as proposed to be amended by the Data Protection and Digital Information (DPDI) Bill, which is currently before Parliament.
Currently, the Secretary of State or NHS England may prepare and publish information standards, which the Secretary of State, NHS England and publicly funded health and adult social care organisations in England must have regard to.
NHS England maintains a list of all information standards, which is published on the NHS England standards directory.
The NHS number (ISB0149) is an example of an information standard. This standard is about how the NHS number is used to identify people receiving health and social care services, and in locating and communicating their health and care records and other information pertaining to the planning and provision of their care. It also sets standards for how information systems accept, store, process, display and transmit the NHS number, and standards to ensure correct use of the NHS number by organisations.
Changes made by the HCA 2022, once commenced, will make information standards binding - that is, they must be complied with unless this requirement is waived. However, the Secretary of State will continue only to be obliged to have regard to standards published by NHS England which apply to the Secretary of State, and will extend them so that they may also apply to Care Quality Commission (CQC)-regulated private health and adult social care providers.
Those changes also require regulations to make provision about the procedure to be followed in connection with the preparation and publication of information standards.
The Secretary of State is required, before laying a draft of the regulations before Parliament, to consult such persons as the Secretary of State considers appropriate. The Department of Health and Social Care (DHSC) is the responsible department for the development and delivery of the regulations.
This consultation sets out DHSC’s proposals for the procedure to be set out in regulations in connection with the preparation and publication of information standards, and invites views on those proposals.
The HSCA 2012 as amended by the HCA 2022 and amendments proposed by the DPDI Bill
Section 250 of the HSCA 2012 enables either the Secretary of State or NHS England to set information standards for health services or adult social care in England.
It defines an information standard as a document containing standards in relation to the processing of information. These may include:
- technical standards
- data standards
- information governance standards
Section 250 sets out those who must have regard to information standards as being:
- the Secretary of State
- NHS England
- public bodies exercising functions in connection with the provision of health services or of adult social care in England
- persons (other than a public body) who provide health services or adult social care in England pursuant to arrangements made with public bodies exercising functions in connection with the provision of such services or care
HCA 2022 amendments to section 250 of the HSCA 2012
The HCA 2022 amends section 250 in the following ways:
- it changes the definition of ‘an information standard’ to a standard in relation to the processing of information (as opposed to a document containing such standards), and sets out that an information standard must specify to whom it applies
- it describes the persons who an information standard may apply to as being:
- the Secretary of State
- NHS England
- any public body which exercises functions in connection with the provision of healthcare or adult social care in England
- any person other than a public body who is required to be registered (with CQC) under chapter 2 of part 1 of the Health and Social Care Act 2008 in respect of the carrying on of a regulated activity (thus additionally capturing CQC-regulated private providers)
- in place of the duty to have regard to information standards, it requires persons to whom information standards apply to comply with the standard - that is, it makes it mandatory to comply. However, the Secretary of State will continue only to be obliged to have regard to standards published by NHS England which apply to the Secretary of State
Other changes made in part 2 of the HCA 2022 (‘Health and adult social care: information’) include:
- power for the Secretary of State to require persons to submit documents, records or other information necessary to monitor whether they are compliant with information standards applicable to them
- provision for enforcement in respect of private providers of health or adult social care services, which are not subject to judicial review in the same way as public bodies - this allows for regulations to be made to enable imposition of financial penalties on private persons (private providers of health or adult social care services) who, without reasonable excuse, fail to comply with information standards or to provide information when required or who provide false or misleading information
The data provisions in the HCA 2022 are intended to work collectively, to enable improved sharing and more effective use of data across the health and adult social care system, through a standardised approach to the collection, storage and processing of data.
Proposed amendments in the DPDI Bill to section 250 of the HSCA 2012
Changes proposed in the DPDI Bill, which is currently going through the Parliamentary process, would extend the potential application of mandatory information standards to providers of IT products and services used in connection with the provision of health and adult social care in England.
Lack of interoperability between IT systems supplied by different IT providers causes problems for health and adult social care organisations. This can include friction and error as care providers:
- recollect data
- switch between different computer systems
- rely on physical records
- lack critical information
These changes are intended to:
- improve clinical outcomes for patients
- improve clinical decision making
- enable more effective procurement and commissioning of IT products and services by health and care providers
Our intention is to use these new powers to impose standards that would allow a common approach to information processing activities, such as:
- how care providers describe which roles should have which level of access to certain types of information
- the minimum information content that systems should be able to record for provision of care
- the format and structure of that information, and technical interfaces through which that information should be made available
- standards in connection with cyber security
Through a more standardised approach, technical barriers that prevent or limit data being available where it is needed to provide care can be overcome. Information standards would create binding rules for standardised processing of data (where it is otherwise lawful to process such data).
The process for preparing and publishing information standards
Section 251 of the HSCA 2012, as substituted by the HCA 2022:
- requires the Secretary of State, by regulations, to make provision about the procedure to be followed in connection with the preparation and publication of information standards under section 250
- enables the Secretary of State or NHS England to adopt an information standard prepared or published by another person
The regulations may require an information standard published under section 250 to be reviewed periodically in accordance with the regulations. Before laying the draft regulations before Parliament, the Secretary of State must consult such persons as the Secretary of State considers appropriate.
We are considering setting the following as important aspects of the procedures in connection with the preparation and publication of information standards:
- the obtaining by the Secretary of State or NHS England, as the case may be, (‘the decision maker’) of advice - for example, from persons with relevant expertise (such as an advisory board which includes representatives from the health or adult social care sector and can provide technical expertise)
- potential duties on the decision maker to consider certain factors before preparing an information standard - for example, capacity of the health or adult social care system or the need for alignment with pre-existing open or international standards where appropriate
- the need for published information standards to include certain information which could potentially include:
- the name of the information standard
- the date on which it was published
- the fact that it must be complied with
- the consequences of failure to comply
- the fact that the Secretary of State may require a person to provide the Secretary of State with documents, records or other information for the purposes of monitoring the person’s compliance with information standards
- information on any guidance about implementation of the standard (note)
- a list of changes to the information standard - for example, revisions over time
- the person who prepared the information standard and their contact details
- any other information standards to which the information standard relates
- information on the intervals at which the information standard is to be reviewed
- such other information as the decision maker considers appropriate
- a potential duty on the decision maker to review information standards at appropriate intervals
We are also considering whether there should be procedures relating to revision or revocation of information standards. If so, they could include some or all of the above procedure, or other procedures.
Our proposals are based on a procedure which is considered to be appropriate, workable and proportionate.
Note: we envisage that information standards will be supplemented by support and guidance, to facilitate their implementation. This will include technical guidance, virtual webinars or training sessions and/or explanatory material as appropriate.
Policy background
Data is an essential part of how health and care services are planned and delivered. However, we are not making the full use of health and care data and could be doing much more.
Instead of data flowing seamlessly between digital systems in different health and social care organisations, too often staff face ‘information jams’. Their time is wasted logging into disparate systems or searching for information in outdated formats.
In Data saves lives, the government’s data strategy for health and social care, we committed to introduce a power for the Secretary of State for Health and Social Care to mandate standards for processing of information, for both private and public health and adult social care bodies, as an important part of helping information flow through the system in a usable way.
This will help ensure that when information is accessed or provided it is in a standard form, both readable by, and consistently meaningful to, the user or recipient.
Standards and interoperability provide benefits to the system and citizens such as:
- improving patient safety by reducing errors from re-entering information across systems and care settings, and by ensuring clinicians and carers have the data they need on patients in transfers, discharges and referrals
- enabling better care by making relevant data available when clinicians need it, providing context and saving time for staff, patients and the public who draw on care and support
- avoiding vendor lock-in (vendor lock-in is characterised by extreme difficulty in moving from one provider to another, resulting in inability to cease using a product or service regardless of quality) and supporting innovation by enabling providers to choose from a diverse set of supplier products and systems, knowing they will not lose access to information and that the technology will meet standards to ensure it works with other parts of the health and care system
- supporting individuals to access their health and care data so they can access information and make informed decisions about their own care
If we get this right, we will not only deliver benefits to the public we serve, but we can also free up the time of health and care staff to focus on what they do best: giving the best possible care to everyone, while respecting the privacy of patient and service users’ data.
Consultation questions
We would welcome your views on the following questions.
Preparing and publishing mandatory information standards
Question
Do you think that, before preparing an information standard, the Secretary of State or NHS England should be required to obtain advice? (For example, from an advisory board or other persons)
- Yes
- No
- Don’t know
Question
Which of the following areas should be represented on such a board or included as other persons from whom advice is sought? (Select all that apply)
- Publicly funded health and care providers
- Privately funded health and care providers
- Health and care providers that are funded in part publicly and in part privately
- IT suppliers
- Patient and public representatives
- Representatives of NHS England
- Other (please specify)
Question
In addition to seeking advice, which of the following do you think the Secretary of State or NHS England should consider before preparing an information standard? (Select all that apply)
- Capacity of the health or adult social care system to implement a new standard
- The need for alignment with open or international standards
- Impact on the provision of health or adult social care services
- Cost of implementation
- Impact on existing contracts
- Other (please specify)
Question
In your opinion, which of the following should be included in an information standard when published? (Select all that apply)
- Name of the information standard
- Date on which it was published
- The fact that it must be complied with
- The consequences of failure to comply
- The fact that the Secretary of State may require a person to provide the Secretary of State with documents, records or other information for the purposes of monitoring the person’s compliance with information standards
- Information on any guidance about implementation of the standard
- A list of changes to the information standard - for example, revisions over time
- The person who prepared the information standard and their contact details
- Any related information standards
- Information on the interval at which the information standard is to be reviewed
- Such other information as the decision maker considers appropriate
- Other (please specify)
The regulations may require an information standard to be reviewed periodically. It is proposed that there could be a requirement for information standards to be reviewed at such intervals as the Secretary of State considers appropriate.
Question
What do you think would be an appropriate minimum interval for reviewing an information standard?
- No fixed interval - case by case decision
- Reviewed every 18 months
- Reviewed every 3 years
- Reviewed every 5 years
- Other (please specify)
Question
Should the regulations specify that minimum interval?
- Yes
- No
- Don’t know
Question
If you think that any other procedures should be followed in connection with the preparation and publication of information standards, please list them.
Revising information standards
Once issued, it may be necessary to revise an information standard.
Revisions could follow the same procedures as for preparing and publishing a new standard, a ‘light touch’ version of that procedure or different procedures. Alternatively, no procedure could be required.
Question
In your opinion, which procedure should revisions to an information standard follow?
- Revisions should go through the full procedure
- Revisions should go through a ‘light touch’ procedure
- Only some revisions should go through the full procedure - for example, those that the decision maker considers significant and that are not made in discharge of a legal obligation
- Only some revisions should go through a ‘light touch’ procedure - for example, those that the decision maker considers significant and that are not made in discharge of a legal obligation
- Revisions should not go through any procedure
- Revisions should go through other procedures (please specify)
Question
In your opinion, which steps should a ‘light touch’ procedure for revisions to an information standard include? (Select all that apply)
- Obtain advice, such as from an advisory board or other persons
- Consider capacity of the health or adult social care system to implement changes
- Consider alignment with open or international standards
- Consider impact on the provision of health or adult social care services
- Consider cost of implementation
- Consider impact on existing contracts
- Don’t know
- Other (please specify)
Revoking information standards
Once issued, it may be necessary to revoke (withdraw) an information standard.
Revoking (withdrawing) could follow the same procedure for preparing and publishing a new information standard, a ‘light touch’ version of that procedure or different procedures. Alternatively, no procedure could be required.
Question 10
In your opinion, which procedure should revoking (withdrawing) an information standard follow?
- Revocations should go through the full procedure, except those made in discharge of a legal obligation
- Revocations should go through a ‘light touch’ procedure, except those made in discharge of a legal obligation
- There is no need for revocations of information standards to go through any procedure
- Revocations, except those made in discharge of a legal obligation, should go through other procedures (please specify)
Question
In your opinion, which steps should a ‘light touch’ procedure for revocations of an information standard include? (Select all that apply)
- Obtain advice, from an advisory board or other persons
- Consider capacity of the health or adult social care system to implement changes
- Consider alignment with open or international standards
- Consider impact on the provision of health or adult social care services
- Consider cost of implementation
- Consider impact on existing contracts
- Don’t know
- Other (please specify)
Adopting information standards
It may be necessary to adopt an information standard prepared or published by another person. Adopted information standards could follow the same procedure for preparing and publishing a new information standard, a ‘light touch’ version of that procedure, or different procedures. Alternatively, no procedure could be required.
Question
In your opinion, what procedure should adopting information standards follow?
- Adopted information standards should go through the full procedure
- Adopted information standards should go through a ‘light touch’ procedure
- There is no need for adopted information standards to go through any procedure
- Adopted information standards should go through other procedures (please specify)
Question
In your opinion, which steps should a ‘light touch’ procedure for adopted information standards include? (Select all that apply)
- Obtain advice from an advisory board or other persons
- Consider capacity of the health or adult social care system to implement changes
- Consider alignment with open or international standards
- Consider impact on the provision of health or adult social care services
- Consider cost of implementation
- Consider impact on existing contracts
- Don’t know
- Other (please specify)
General
Question
Do you have any other feedback you’d like to share? (Maximum 150 words)
How to respond
This consultation closes at 11:59 pm on 28 March 2024. You can respond via our online survey.
If you have any queries on this consultation or require an alternative format, email information-standards-consultation@dhsc.gov.uk. Do not send any personal information to this email address.
Glossary
The definitions in this glossary reflect changes made to the HSCA 2012 by the HCA 2022 and proposed by the DPDI Bill.
Adult social care
Includes all forms of personal care and other practical assistance provided for individuals who, by reason of age, illness, disability, pregnancy, childbirth, dependence on alcohol or drugs, or any other similar circumstances, are in need of such care or other assistance.
It does not include anything provided by an establishment or agency for which His Majesty’s Chief Inspector of Education, Children’s Services and Skills is the registration authority under section 5 of the Care Standards Act 2000.
Healthcare
Includes:
- all forms of healthcare, whether relating to physical or mental health
- procedures that are similar to forms of medical or surgical care but are not provided in connection with a medical condition
Information standard
A standard in relation to the processing of information. It includes, among other things, a standard relating to information technology (IT) services used, or intended to be used, in connection with the processing of information.
Information technology (IT)
Includes:
- computers
- other devices whose uses include the processing of information by electronic means (‘IT devices’)
- parts, accessories and other equipment made or adapted for use in connection with computers or IT devices
- software and code made or adapted for use in connection with computers or IT devices
- networks and other infrastructure (whether physical or virtual) used in connection with other IT
IT service
Includes any service (whether physical or virtual) which consists of, or is provided in connection with, the development, making available, operation or maintenance of IT.
Open or international standards
Established and universally accepted guidelines, specifications or protocols that govern the creation, exchange, storage, processing and management of data and information across various industries and domains on a global scale. These standards are developed and maintained by international organisations, such as the International Organization for Standardization (ISO), International Telecommunication Union (ITU) and the International Electrotechnical Commission (IEC).
Private provider
Any person, other than a public body, who is required to be registered under chapter 2 of part 1 of the Health and Social Care Act 2008 in respect of carrying on of a regulated activity.
Public body
A body or other person whose functions are of a public nature, or include functions of that nature. But in the latter case, the body or person is a public body to the extent only of those functions.
Privacy notice
Summary of initiative and policy
Information standards in relation to the health and adult social care sector are standards relating to the processing of information, prepared and published under section 250 of the HSCA 2012 as amended by the HCA 2022.
We are consulting, via an online survey, on our proposals for the procedure to be set out in regulations in connection with the preparation and publication of information standards and collating responses to those proposals.
Data controller
DHSC is the data controller.
What personal data we collect
We will collect the following information about individuals:
- email address
- area in which they live
- information about their place of work:
- name of the organisation
- area of work
- where the organisation operates
How we use your data (purposes)
We will collect individuals’ personal information from their responses to the questions in the consultation’s online survey. We will use this information to analyse the feedback received.
Legal basis for processing personal data
Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for processing this information is:
- it is necessary for us to perform a task carried out in the public interest or in the exercise of our official authority
Data processors and other recipients of personal data
Responses to the consultation may be seen by:
- DHSC officials running the consultation process
- DHSC’s third party supplier (SocialOptic), who is responsible for running and hosting the online survey
We will not pass the data on to a third party (but will share analysis with NHS England).
International data transfers and storage locations
Storage of data by DHSC is provided via secure computing infrastructure on servers located in the European Economic Area. DHSC platforms are subject to extensive security protections and encryption measures.
Storage of data by SocialOptic is provided via secure servers located in the UK.
Retention and disposal policy
DHSC will hold the data for up to one year after the consultation closes. Anonymised information will be kept indefinitely.
We will ask SocialOptic to securely delete the information held on their system one year after the consultation closes.
How we keep your data secure
DHSC uses a range of technical, organisational and administrative security measures to protect any information we hold in our records from:
- loss
- misuse
- unauthorised access
- disclosure
- alteration
- destruction
We have written procedures and policies that are regularly audited and reviewed at a senior level.
Your rights as a data subject
By law, you have a number of rights and processing your data does not take away or reduce these rights, under the UK GDPR and the UK Data Protection Act 2018.
You have the right to:
- ask for, and receive, copies of personal information about you
- ask for personal information held about you to be corrected if you think it is inaccurate, and for personal information you think is incomplete to be completed
- ask for processing of personal information held about you to be restricted, in certain circumstances - for example, where you think information is inaccurate
- object to personal information being used in certain circumstances - however, this is not an absolute right, and continued use of the information may be necessary
- ask for personal information to be deleted in certain circumstances - this is not an absolute right, and continued use of the information may be necessary
Some of these rights might not apply in certain circumstances. We will let you know if this is the case.
Contact us or make a complaint
If you are unhappy or wishing to complain about how personal data is used as part of this consultation, contact data_protection@dhsc.gov.uk in the first instance or write to:
Data Protection Officer
39 Victoria Street
London
SW1H 0EU
If you are still not satisfied, you can complain to the Information Commissioner’s Office. You can find out how to contact them at the ICO website. Their postal address is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Automated decision-making or profiling
No decision will be made about individuals solely based on automated decision-making (where a decision is taken about them using an electronic system without human involvement) which has a significant impact on them.
Changes to this policy
We keep this privacy notice under regular review, and we will update it if necessary. All updated versions will be marked by a change note on the consultation page. This privacy notice was last updated on 15 February 2024.