Guidance

Investigating healthcare incidents where suspected criminal activity may have contributed to death or serious life-changing harm (accessible version)

Published 17 December 2024

Applies to England

A memorandum of understanding (MoU) between regulatory, investigatory and prosecutorial bodies.

1. Signatories

1.1 This MoU has been agreed and signed by the following organisations:

  • Care Quality Commission (CQC)
  • Crown Prosecution Service (CPS)
  • Health and Safety Executive (HSE)
  • National Police Chiefs’ Council (NPCC)
  • NHS England
  • General Medical Council (GMC)
  • Nursing and Midwifery Council (NMC)
  • General Dental Council (GDC)
  • Health and Care Professions Council (HCPC)
  • General Pharmaceutical Council (GPhC)
  • General Optical Council (GOC)
  • General Chiropractic Council (GCC)
  • General Osteopathic Council (GOsC)

1.2 The roles and responsibilities of each signatory, as well as links to strategic aims, can be found at annex A.

James Bullion
Interim Chief Executive
CQC

Nick Price
Head of Crime and Counter Terrorism Division
CPS

David Murray
Director, Planning, Finance and Procurement
HSE

Kate Meynell
Chief Constable
NPCC

Nick Jones
Chief Executive and Registrar
GCC

Tom Whiting
Chief Executive and Registrar
GDC

Charlie Massey
Chief Executive and Registrar
GMC

Leonie Milliner
Chief Executive and Registrar
GOC

Matthew Redford
Chief Executive and Registrar
GOsC

Duncan Rudkin
Chief Executive and Registrar
GPhC

Bernie O’Reilly
Chief Executive and Registrar
HCPC

Helen Herniman
Acting Chief Executive and Registrar
NMC

Aidan Fowler
National Director of Patient Safety
NHS England

2. Introduction and background

This document incorporates defined terms identified by inverted commas (‘’).

2.1 This document has been produced to help deliver early, co-ordinated and effective action following incidents where there is ‘reasonable suspicion’ that a patient or service user’s death or ‘serious life-changing harm’ occurred as a result of an incident where there is suspected criminal activity in the course of healthcare delivery. See annex B for a definition of terms used in this document. This document will:

  • assist those responsible for carrying out any safety, regulatory or criminal investigation
  • provide clarity for all involved on their responsibilities and liabilities
  • help to ensure that such investigations are handled correctly

As a result, the document should help to protect the public and facilitate both justice and learning.

2.2 The document has been developed in consultation with the signatories named in section 1, together with the Department of Health and Social Care (DHSC), and is based on an earlier protocol first published in 2006.

2.3 Professor Sir Norman Williams’ review into ‘gross negligence manslaughter (GNM)’ in healthcare settings, published in June 2018, recommended that a new MoU be agreed between relevant bodies to replace the 2006 protocol. It recommended that, as a minimum, the MoU should:

  • establish a common understanding of the respective roles and responsibilities of the organisations involved
  • support effective liaison and communications
  • cover what is expected of ‘expert witnesses’, in particular that they should consider the ‘wider system’ as a whole in which the actions of an individual took place; this includes examining aspects of the organisation’s culture, work patterns and leadership as well as a consideration of job workload, procedures and the working environment

2.4 This document will be disseminated by signatories to promote a greater understanding of legal issues among healthcare professionals and of healthcare issues among non-healthcare signatories. It has been drafted with a view to supporting the development of a ‘just culture’ in healthcare, which recognises the need to consider the wider context and circumstances in which any incident involving a breach of a duty of care occurs. This includes considering the wider systems in place at the time of the incident, to support a fair and consistent evaluation of the actions of individuals.

3. Aims and purpose

3.1 This MoU sets out how healthcare organisations, regulatory bodies, investigatory bodies and prosecutorial bodies in England will work together in cases where there is suspected criminal activity on the part of an individual in relation to the provision of clinical care or care decision-making. It covers any such incidents occurring in the course of healthcare delivery where suspected criminal activity on the part of an individual is believed to have ‘led to or significantly contributed to’ the death or serious life-changing harm (whether of a physical or psychological nature) of a patient or service user.

3.2 An outcome from the use of this MoU is to help support the development of a ‘just culture’ in healthcare which recognises the impact of wider systems on the provision of clinical care or care decision-making, as set out in recommendation 3.5 of the Williams’ review into GNM in healthcare.

3.3 The signatory organisations are independent from each other and have different legal remits and obligations for safety, regulatory and criminal investigations, and patient safety learning responses. Those which have a remit for such investigations and learning responses should, wherever possible (that is, insofar as their legal and investigatory policies allow), co-ordinate activities and share information where it is appropriate, lawful and reasonable to do so. Information should not be shared where doing so conflicts with statutory obligations; the duty to comply with statutory obligations must take precedence.

3.4 This MoU aims to:

  • facilitate efficient and effective co-ordination of appropriate approaches, patient safety learning responses and investigations, while taking steps to avoid prejudicing regulatory or criminal investigations or criminal proceedings
  • ensure relevant information and ‘confidential information’ is quickly, lawfully and efficiently shared between the relevant signatories where necessary to progress learning responses, investigations and proceedings
  • ensure evidence is quickly identified, secured and handled in accordance with best practice
  • allow steps to be taken quickly to manage ongoing risk and as far as possible protect the public and service users

4. When the MoU applies

4.1 The MoU applies when more than one of the signatories needs to investigate, in parallel, any incident where there is a reasonable suspicion that a criminal offence has or may have been committed by an individual ‘providing healthcare services’ in a health or care setting that leads to or significantly contributes to the death or serious life-changing harm of a patient or service user.

The MoU therefore only covers the most serious cases: acts of deliberate harm or circumstances where the acts or omissions of a member of healthcare staff amount to a breach of duty of care which results in death or life-changing harm, and are so reprehensible and fall so far below the standards to be expected (taking into account relevant qualifications, experience and responsibilities) that it amounts to a crime.

4.2 The MoU has been signed by NHS England on behalf of the wider NHS in England. It should therefore be used when incidents as described in paragraph 4.1 occur in the delivery of NHS-funded healthcare and in the delivery of privately funded or local authority-funded healthcare that occurs on NHS premises. While no organisation is appropriately placed to sign this MoU on behalf of private healthcare organisations, DHSC has consulted with the Independent Healthcare Providers Network (IHPN)[footnote 1] on its drafting and it is expected that the principles contained within it should also apply when incidents requiring investigation as described in paragraph 4.1 occur in the delivery of privately funded healthcare outside of NHS premises or as part of NHS service provision.

4.3 The MoU applies to such incidents occurring in England only.

4.4 The processes outlined in this MoU should be put in place as soon as is practical to ensure that:

  • all parties to the response are properly co-ordinated
  • evidence is properly secured
  • investigations and patient safety learning responses take place effectively and efficiently
  • affected patients or service users, families, carers and loved ones are kept well informed and supported, and are also provided with the opportunity to be actively involved throughout the investigative process

4.5 It may not be immediately clear following the incident that a criminal offence may have been committed. The types of incident that may prompt an NHS organisation to involve the police are those that display one or more of the following characteristics:

  • reasonable suspicion that the actions leading to harm were intended to cause harm
  • reasonable suspicion of ‘gross negligence’ and/or ‘recklessness’

Where a local concern, review or investigation identifies reasonable suspicion of a criminal offence, the procedures set out in the MoU should be instigated. The police should consult the CPS where they consider it necessary to do so, when parties need to determine whether the decision, act or omission under investigation amounts to a criminal offence.[footnote 2] Such consultation will assist the investigation and in cases where the CPS advises that the incident does not meet the threshold for a criminal offence, will allow it to be concluded early.

4.6 The MoU covers incidents that concern the individual actions, inactions, decisions or indecisions of those providing healthcare or care services. Deaths requiring investigation that occur in healthcare environments and that are not related to individual clinical care or individual care decision-making are covered by ‘Work-related deaths: a protocol for liaison’ (available to download on HSE’s Work-related Death Protocol (WRDP) page), which sets out a step-by-step approach to the joint investigation of fatalities arising out of - or occurring in connection with - work.

Where both definitions apply, this MoU and the WRDP should be used in conjunction.

4.7 All patient safety incidents involving NHS provided or funded care should be considered as set out in the Patient Safety Incident Response Framework (PSIRF). The vast majority of patient safety incidents in the NHS can and should be dealt with under the PSIRF without any need for this MoU to be invoked. Where the NHS is conducting a learning response under the PSIRF and this MoU has been invoked, then the NHS bodies should follow the advice of the incident co-ordination group (ICG) in how they manage that learning response to ensure any other response - particularly any criminal investigation - is not adversely affected.

4.8 Where signatories to the MoU have independent working arrangements or agreements (for example, under the MoU held between HSE and CQC), this MoU should not affect their operation, but should be used in conjunction with them.

4.9 The NHS in England may apply the principles and processes of this MoU to other incidents of suspected criminality connected to a patient safety incident[footnote 3] on a case-by-case basis at the discretion of the relevant signatories on consideration of, for example, the seriousness and impact of the offending.

5. MoU - incident co-ordination group

5.1 Where one or more parties to the MoU identifies a reasonable suspicion of a criminal offence of the nature outlined in paragraph 4.1, an initial meeting of the ICG,[footnote 4] either in person or virtually, will be held as soon as is practical.[footnote 5] This also includes cases where the complaint has been made directly to the police.

Setting up the ICG

5.2 The party who first establishes the reasonable suspicion outlined in paragraph 4.1 will, by default, convene, chair and minute that meeting. To ensure co-ordination and investigatory direction, and prevent any duplication of any undertakings, the ICG should agree a lead. This will not prevent urgent action being taken in advance of the ICG meeting. The MoU will take effect from the convening of the ICG. Advice on items to be discussed at ICG meetings can be found in annex D. Future meetings may be either in person or virtually and will be chaired by the agreed lead.

5.3 The ICG will be instigated when the party first to have reasonable suspicion contacts the relevant (one or more) other signatory bodies, found in annex C. That party will make its suspicion known and request attendance by a representative from each of the signatory bodies it considers relevant (note the initial assessment of relevance of signatory bodies by the first party can be updated as understanding of the events increases). The lead for each signatory body should provide contact details for its nominated representative and its availability for the first ICG meeting. Routine patient safety event recording via the Learn from patient safety events (LFPSE) service, Medicines and Healthcare products Regulatory Agency (MHRA) Yellow Card or other system does not constitute instigation of the ICG.

5.4 Engagement of the signatory bodies should be informed by a clear understanding of legal responsibilities and accountabilities. The ICG will usually include any NHS providers in which the events took place (unless deemed inappropriate as per paragraph 5.24). As set out in the NHS PSIRF, management of the learning response to any patient safety incident in the NHS should be led as close as possible to the events in question while maintaining appropriate objectivity and independence. From a patient safety perspective, the NHS focus is on learning and improvement and any NHS patient safety investigation must be managed entirely separately from any employment investigation, fitness to practise assessment, claims liability or other purpose, while ensuring there is no prejudice to a potential police, HSE or CQC investigation, especially during the collection of evidence. The work of the NHS provider to manage that learning response should be co-ordinated with the work of any parallel criminal or other investigation, via the ICG. It may be that reasonable suspicion of criminal activity only arises part-way through an NHS-led learning response. Co-ordination of parallel responses should begin via the ICG once that reasonable suspicion is identified.

5.5 The NHS providers involved should inform their integrated care board (ICB) and NHS England regional team that an ICG has been established. Whether it is appropriate for the ICB or NHS England regional team to sit on the ICG as well will depend on the nature of the events. It is more likely to be appropriate where the events are high profile with significant media or political interest, are complex and/or require co-ordination across multiple NHS providers or systems.

5.6 CQC, or the relevant regulator (where the healthcare setting is not regulated by CQC), should be informed so that it can consider whether to carry out a parallel, but separate, monitoring, assessment and/or investigation of the healthcare provider to determine the impact of wider systems at the time of the incident.

5.7 CQC or the relevant regulator should make available the latest inspection reports of the quality of care provided by a particular organisation. The inspection reports along with any previously notified deaths should be considered when CQC or the relevant regulator decides whether to carry out a parallel investigation or inspection to identify the impact of wider systems.

5.8 CQC should be invited to each ICG meeting but will have discretion over its attendance. CQC will most likely attend the ICGs where the possibility of wider systems failures, including those that might give rise to provider level failure to provide safe care, are under consideration. In cases where CQC declines to send a representative, minutes from the first and any subsequent ICG meetings should be sent to the CQC contact detailed at annex C within 14 days of the ICG. In cases where, after the first ICG meeting or during subsequent investigation, a signatory body identifies the possibility of wider systems failures, including those that might give rise to provider level failure to provide safe care, CQC should be notified by that body (using the CQC contact detailed at annex C) within 14 days of identifying that possibility. Where CQC does not oversee the care provider, the relevant regulatory body should be invited to the ICG meeting, but will have discretion over its attendance, taking into account its investigation policies.

5.9 Where a concern is raised about the fitness to practise of a professional in one of the regulated professions, the appropriate signatory regulator should be invited to join the ICG.

5.10 Where relevant (that is, when the incident involves early neonatal deaths, intrapartum stillbirths, severe brain injury in babies born at term following labour or maternal deaths), the Maternity and Newborn Safety Investigations (MNSI) programme should also be informed so it can ensure it is able to discharge its functions.

5.11 In instances of suspicious death, the ICG should ask the coroner if it wishes to send a representative to the meeting in addition to the police. In instances of the unexpected death of a child where an investigation under child protection procedures might be appropriate, the ICG may decide to ask children’s social services if it wishes to send a representative to the meeting. In instances of the unexpected death of a vulnerable adult, the ICG may decide to ask adult social services if it wishes to send a representative to the meeting.

5.12 The ICG should consider whether other investigation bodies such as MHRA should be informed or involved - for example, where there is evidence of use of counterfeit medicines or medical devices. Similarly, it may be considered appropriate to refer the events to the Health Services Safety Investigations Body (HSSIB). Where these other bodies become involved, they should be invited to join the ICG.

5.13 If additional organisations are required to join the ICG, the following stages should be followed:

  • proposing the addition of a new member
  • convening to discuss the expertise and potential role of the new member, and the impact of their joining the group
  • approving the new member by majority vote, before introduction
  • the new member must be sighted on the MoU and agree to its terms by signature

5.14 Each signatory body nominating a representative to the ICG meetings should ensure that its own nominated representative has sufficient seniority to take decisions on behalf of their organisation, understands the wider implications of the incident and has the appropriate skills, training (including on equality and diversity) and expertise to deal with any immediate concerns.

5.15 The ICG should consider, and take steps wherever possible to address, its own diversity, particularly with reference to the protected characteristics under the Equality Act 2010.

5.16 Once the police are alerted to a suspected criminal offence, they will appoint a senior investigating officer (SIO). The SIO will usually be responsible for seeking advice from the CPS and the views of an expert witness.

5.17 While recognising the importance of adhering to the procedures set out in this MoU, it may not always be appropriate for the police to attend meetings and/or share information when there is an ongoing police investigation and the police reasonably consider that such attendance or sharing of information may compromise the wider interests of justice. Such decisions should be reviewed on a regular basis and attendance or sharing of information should take place as soon as practicable.

5.18 The expert witness is accountable to the police. The terms of reference for the expert witness should be drawn up by the police and the CPS, according to CPS legal guidance. The terms of reference should include an explanation of the law relating to GNM (if that is the crime under suspicion) and of the legal requirement to provide an objective and unbiased opinion. Expert witnesses should consider the effects of the wider systems in place during the incident.

5.19 Where the police refer a case to the CPS, the police must inform CQC within 7 working days so that CQC can consider whether to:

  • undertake monitoring, inspection and/or civil enforcement functions regarding any ongoing risk of harm to patients or service users
  • carry out a parallel, but separate, investigation of the healthcare provider to determine if it has breached any relevant regulations, including failure to meet regulations 12, 13, 14 or 22 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (see annex A)

5.20 Where a healthcare setting is not regulated by CQC, the relevant regulator must be informed by the police within 7 working days of a police referral to the CPS so that it can consider, taking into account its investigation policies, whether to carry out a parallel, but separate, investigation of the healthcare provider to determine if it has breached any relevant regulations, and to identify any action that may be required in line with its functions.

5.21 Where there is a police investigation and CQC decides to carry out a parallel investigation, the latest MoU between CQC and the police should be followed (available to download on CQC’s Joint working agreements page). CQC (in conjunction, where relevant, with MNSI) should consider evidence regarding wider systems. This should be promptly shared with the police so that it can be considered by expert witnesses and prosecutorial authorities when making decisions about charges and continuance of proceedings.

5.22 CQC or the relevant regulator, where it has decided to investigate, should consider the findings of its investigation in deciding whether to undertake any follow up action (such as monitoring, or civil or criminal enforcement) if it has not done so already in relation to the provider and/or any wider review of system issues.

5.23 Throughout the investigation, consideration of the wider systems at play during the incident should be made by all parties, including members of the ICG, expert witnesses and those tasked with securing and gathering evidence.

ICG tasks

5.24 The ICG will:

  • confirm that the incident is one for which use of this MoU is appropriate (see paragraph 4.1)
  • identify the appropriate lead for co-ordination of the response and if at any stage primacy for the investigation changes, co-ordinate a handover
  • confirm the appropriate signatories to attend future ICG meetings related to the response
  • consider how organisations can work together to ensure a co-ordinated approach that allows the effective discharge of legal and regulatory duties while ensuring the rights of those potentially subject to a criminal investigation or prosecution to:
    • have a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law
    • be presumed innocent until proved guilty according to law
    • be informed promptly, in a language which they understand and in detail, of the nature and cause of the accusation against them
    • have adequate time and facilities for the preparation of their defence
    • be able to defend themselves in person or through legal assistance of their own choosing or, if they have not sufficient means to pay for legal assistance, to be given it free when the interests of justice so require
    • examine or have examined witnesses against them and to obtain the attendance and examination of witnesses on their behalf under the same conditions as witnesses against them
    • have the free assistance of an interpreter if they cannot understand or speak the language used in court
  • ensure that members of the ICG follow their own existing guidelines in providing support to any individual who is suspected of criminal activity in the incident
  • comply with the guidelines on data sharing in annex E as per each individual case
  • ensure that any evidence is secured and preserved as soon as possible, with receipts obtained when any items are passed to other agencies
  • ensure that further necessary learning responses, including investigations, by the NHS or relevant regulatory authorities can be conducted in such a way as to avoid the danger of prejudicing the police and/or HSE and/or CQC investigations - for example, by obtaining information from members of staff who may subsequently give evidence at court
  • identify ways of working and engagement that are proportionate and effective as investigations progress
  • establish arrangements for co-ordinating safety learning responses by healthcare organisations alongside any regulatory or criminal investigation
  • co-ordinate liaison with the patient or service user or family members, loved ones, carers or advocates throughout the patient safety learning responses and investigations in a managed and reasonable manner, ensuring that they are involved and supported from the outset and throughout, and kept informed of the progress and outcome, potentially through a single point of contact
  • agree a communications strategy for dealing with the media
  • convene at appropriate intervals throughout the regulatory or criminal investigation to share findings, reflect on ways of working and address issues
  • ensure that an official written record of each meeting of the ICG is contemporaneously made (ideally by the lead ICG member), detailing matters discussed, decisions reached, any agreed actions and the names of those responsible for them. A completed action plan setting out what is to be done, by whom and by when should be circulated to all participants shortly after the meeting

5.25 It may sometimes be necessary for the police and/or HSE and/or CQC to interview NHS staff. All efforts should be made following an incident in scope of this MoU to support NHS staff to make statements as requested by the relevant authorities. Where necessary, NHS staff should be given access to legal representation for this purpose following the guidelines in paragraph 5.24.

5.26 If at any point during the regulatory or criminal investigation a health or care provider becomes a potential defendant in criminal proceedings (for example, if there is suspicion of provider-level failure or organisational abuse), representatives from the provider should be removed from the ICG. The remaining members of the ICG should then consider whether this has any impact on their own investigations and form a decision as to whether they will need to exclude the existing input from the provider or should nominate a suitable alternative to represent healthcare, such as an ICB or NHS England regional team.

5.27 The organisations will progress their own patient safety learning responses, investigations and actions in parallel, without - as far as is possible - infringing on the work of other organisations. The ICG should consider any potential impacts the individual processes of any party may have on the work of others.

5.28 Decision-making throughout the process should:

  • operate in line with relevant law and best practice (for example, in the sphere of information sharing)
  • be prompt and efficient
  • consider the issues and concerns of affected patients or service users, their families or carers in shaping the patient safety learning responses and investigations, within the bounds of the remit of the investigations underway, and involve these people wherever appropriate
  • be informed by the best available evidence
  • take the public interest into account
  • be communicated promptly to relevant healthcare professionals, witnesses, patients or service users and families or carers as appropriate

5.29 Outcomes of relevant investigations should be reported to the board of the relevant healthcare provider and shared with relevant regulatory, statutory, advisory and professional bodies.

5.30 The ICG has no role in directing the patient safety learning responses and investigations of the NHS, CQC, police, regulators and/or HSE.

5.31 Should the police and HSE decide they have no further role in the matter, it may be decided that the other bodies should investigate further and, if more evidence comes to light, convene another meeting of the ICG to discuss its findings. The police or HSE can then decide if they need to conduct their own investigation or if some other course of action is appropriate.

5.32 At the conclusion of any investigation, the ICG should meet to consider what went well and what could be improved to help inform future investigations.

5.33 This MoU should be reviewed every 3 years at a minimum (and more frequently if necessary) to assess its efficacy in meeting its objectives and to make amendments and improvements as required. DHSC will be responsible for commencing each 3-yearly review.

Annex A: roles and responsibilities of signatories

Care Quality Commission

CQC is the independent regulator of health and adult social care in England. Its purpose is to make sure healthcare services provide people with safe, effective, compassionate and high-quality care, and to encourage them to improve. CQC does this by registering, monitoring, assessing, inspecting and regulating hospitals, adult social care services, dental and general practices and other care services in England, to make sure they meet fundamental standards of quality and safety.

Where appropriate, CQC will pursue civil and/or criminal enforcement action against registered persons (registered providers and/or registered managers) who provide health and social care services for breaches of health and social care law. CQC can:

  • use requirement notices or warning notices to set out improvements a care provider must make and by when
  • make changes to a care provider’s registration to limit or require what they may do - for example, by imposing positive or negative conditions for a given time, suspending registration or cancelling registration
  • place a provider in special measures, where CQC closely supervises the quality of care while working with other organisations to help them improve within set timescales
  • hold a care provider to account for their failings by:
    • issuing simple cautions
    • issuing fines
    • prosecuting registered persons (registered providers and/or registered managers) for offences set out in the Health and Social Care Act 2008 (HSCA 2008) and associated regulations, including the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (RAR 2014) and the Care Quality Commission (Registration) Regulations 2009 (RR 2009)
  • in particular, investigate and prosecute registered persons under regulation 22(2) of RAR 2014. These provisions empower CQC to prosecute a registered provider and/or a registered manager for failure to comply with regulations 12(1) (safe care and treatment), 13(1) to (4) (safeguarding service users from abuse and improper treatment) or 14 (nutritional and hydration needs) and that failure results in avoidable harm to service users or in service users being exposed to a significant risk of exposure to avoidable harm. All harm is considered ‘avoidable harm’ as defined at regulation 20(5B(b)) of the HSCA 2008 unless the person providing the care cannot reasonably avoid it, whether because it is an inherent part or risk of a regulated activity or for another reason - for instance, because of the natural course of the service user’s illness or because of the service user’s underlying health condition

Where a relevant offence is proved to have been committed by a registered provider that is a body corporate or unincorporated association, CQC also has the power, where it is appropriate to do so, to investigate and prosecute individual real or purported directors, managers or secretaries, officers or members (relevant to English NHS bodies or local authorities), in circumstances where the registered person offence was committed by or with that individual’s consent or connivance or attributable neglect. CQC does not have the power under regulation 22(1) or (2) of RAR 2014 to prosecute individuals for failures in their individual clinical care or care decision-making.

Crown Prosecution Service

The CPS prosecutes criminal cases that have been investigated by the police and other investigating organisations in England and Wales. The CPS is independent and makes decisions independently of the police and government. The CPS:

  • decides which cases should be prosecuted
  • determines the appropriate charges in more serious or complex cases, and advises the police during the early stages of investigations
  • prepares cases and presents them at court
  • provides information, assistance and support to victims and prosecution witnesses

The CPS has signed this MoU on the understanding that it will only be involved in cases where legal advice on a potential criminal offence is needed.

Health and Safety Executive

HSE aims to prevent workplace death, injury or ill health by helping people manage risks at work. It does this by:

  • providing advice, information and guidance
  • raising awareness in workplaces
  • influencing and engaging
  • operating, permissioning and licensing activities in major hazard industries
  • carrying out targeted inspections and investigations
  • taking enforcement action to prevent harm and hold those who break the law to account

In England, CQC is the lead inspection and enforcement body for safety and quality of treatment in care matters involving patients and service users in receipt of a health or adult social care service from a registered provider.

HSE or local authorities are the lead inspection and enforcement bodies for health and safety matters involving patients and service users who are in receipt of a health or care service from providers not registered with CQC. HSE will only be involved in cases where a serious incident occurs that resulted in significant harm or death in an unregistered care facility. 

HSE or local authorities are the lead inspection and enforcement bodies for health and safety matters involving workers, visitors and contractors, irrespective of registration.

The Health and Safety Executive provided a limited amount of support to DHSC in producing this guidance.

Healthcare professional regulators

There are 9 healthcare regulators for different healthcare professional groups in England (although the majority also operate on a UK-wide basis). They are:

  • the General Medical Council (GMC)
  • the Nursing and Midwifery Council (NMC)
  • the General Dental Council (GDC)
  • the Health and Care Professions Council (HCPC)
  • the General Pharmaceutical Council (GPhC)
  • the General Optical Council (GOC)
  • the General Chiropractic Council (GCC)
  • the General Osteopathic Council (GOsC)
  • Social Work England (SWE) (which is not a signatory as the focus of this MoU is healthcare settings not social care)

Their functions include:

  • setting standards of competence and conduct that healthcare professionals must meet in order to be registered and practise. Some regulators also register and set standards for businesses and premises
  • checking the quality of education and training courses to make sure they give students the skills and knowledge to practise safely and competently
  • maintaining a register that everyone can search
  • investigating concerns about healthcare professionals on their register and deciding if they should be allowed to continue to practise (with or without restriction) or should be struck off the register - either because of problems with their conduct or their competence

National Police Chiefs’ Council

NPCC brings police forces in the UK together to help policing co-ordinate operations, reform, improve and provide value for money.

NHS England

NHS England aims to support the NHS and help improve care for patients. It leads the NHS in England and supports NHS foundation trusts and NHS trusts to provide patients with consistently safe, high quality, compassionate care within local health systems that are financially sustainable.

NHS England has signed this MoU on behalf of the wider NHS in England. In practice it is likely that individual NHS provider organisations will sit on individual ICGs, and that representatives from NHS England will only sit on the ICG in cases where it is appropriate.

Note: as stated in paragraph 4.8, where the above signatories have independent working arrangements or agreements (for example, under the MoU held between HSE and CQC), this MoU should not affect their operation, but should be used in conjunction with them.

Annex B: definition of terms

Confidential information

‘Confidential information’ means all information (however recorded or preserved) relating to the aims and purpose of this MoU (as set out in section 3) (excluding this memorandum) that is disclosed or made available whether before or after the date of this MoU (in any form or medium), whether true or false and whether or not marked ‘confidential’ directly or indirectly, by a ‘provider’ to a ‘recipient’. This is likely to include (but is not limited to):

  • written documents shared (at meetings of the ICG or otherwise)
  • electronic communications between the parties in connection with the aims and purpose of the MoU, including but not limited to the contents of electronic mail including attachments
  • details of verbal discussions between the parties relating to the aims and purpose of the MoU, unless all parties agree in writing that specific documents or details of verbal discussions are not confidential
  • personal information relating to individuals (which the parties agree must not be shared except in compliance with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation 2016/679 (UK GDPR)) shared in connection with the aims and purpose of the MoU
  • the terms of this agreement
  • any analysis or documents created from the ‘confidential information’

Expert witnesses

‘Expert witnesses’ are defined as individuals instructed (usually) by and reporting to the police, often on the advice of the CPS, who have experience and knowledge of the area under investigation and are able to provide an objective and unbiased opinion on the matters being investigated.

Gross negligence

‘Gross negligence’ is defined as a negligent act or omission that involves a gross breach of a duty of care to an individual that is so reprehensible and falls so far below the standards to be expected of the healthcare staff member (taking into account their qualifications, experience and responsibilities) that it is “truly exceptionally bad” and amounts to a crime.

Gross negligence manslaughter (GNM)

‘Gross negligence manslaughter (GNM)’ is defined as a negligent act or omission that both:

  • involves a gross breach of a duty of care to an individual

  • causes (that is, made a more than minimal contribution to) the death of that individual

Note that there is a high bar for prosecution for GNM: the CPS guidance summarises legal principles setting out that, where it is reasonably foreseeable that there is a serious and obvious risk of death, the act or omission of an individual that leads to the breach of the duty of care and which results in death must be so reprehensible and fall so far below the standards to be expected of a person in the individual’s position (taking into account their qualifications, experience and responsibilities) that it is “truly exceptionally bad” and amounts to a crime.

See CPS legal guidance on gross negligence manslaughter. All CPS decisions are made in accordance with the Code for Crown Prosecutors.

Just culture

A ‘just culture’ considers wider systemic issues where things go wrong, enabling professionals and those operating the system to learn without fear of retribution. A just culture is one where inadvertent human error, freely admitted, is not normally subject to sanction to encourage reporting of safety issues. In a just culture, investigators principally attempt to understand why failings occurred and how the system led to sub-optimal behaviours. However, a just culture also holds people appropriately to account where there is evidence of gross negligence or deliberate acts.

Definition of just culture is taken from the Williams review into GNM in healthcare.

Led to or significantly contributed to

An act or omission will be taken to ‘lead to or significantly contribute to’ death or serious life-changing harm if, in this context, it is related directly to the death or serious life-changing harm and the death or serious life-changing harm is not related to the natural course of the service user’s illness or underlying condition.

Provider

‘Provider’ (in template agreement wording within ‘Annex E: information sharing and data handling’ and ‘Annex F: confidentiality agreement’) means any party to this agreement which discloses or makes available directly or indirectly ‘confidential information’ to one or more parties to this agreement.

Providing healthcare services

‘Providing healthcare services’ in this context means individual clinical care or individual care decision-making. Note that relevant acts of omission are included within the remit of this MoU.

Reasonable suspicion

A person is taken to have a clear and ‘reasonable suspicion’ in this context if they have clear, objective, specific facts, observations or evidence that justify that suspicion. The grounds for suspicion are taken to be objective if a reasonable person given the same information would form the same suspicion.

Recipient

‘Recipient’ (in template agreement wording within ‘Annex E: information sharing and data handling’ and ‘Annex F: confidentiality agreement’) means any party to this agreement which receives or obtains directly or indirectly ‘confidential information’ from another party to this agreement.

Recklessness

‘Recklessness’ is unjustified risk taking. Someone acts recklessly with respect to:

  • a circumstance when they are aware of a risk that it exists or will exist

  • a result when they are aware of a risk that it will occur; and

it is in the circumstances known to them unreasonable to take the risk. Failure to consider a risk - however obvious it might be - does not give rise to recklessness; but closing one’s mind to a risk requires first realising that there is one and this is equivalent to awareness.

Definition taken from LexisNexis practical guidance and legal research - legal glossary: recklessness, accessed on 12 August 2024.

Serious life-changing harm

‘Serious life-changing harm’ includes any serious injury that leads to a lessening of bodily, sensory, motor, physiologic, cognitive or emotional function that changes an individual’s life permanently, leading to long-term medical problems, or reduced life-expectancy. (This is similar to ‘catastrophic injury’. See also ‘severe harm’ as defined in the RAR 2014.)

The wider system

The ‘wider system’ is defined as the work system in which events of interest took place. Taking a systems-based approach means considering the event in the context of the wider system:

  • identifying the different components of the socio-technical work system and how they interact
  • looking beyond the immediate events, to organisational or management decisions, policy and regulations that influenced the events of interest

Consideration of the ‘wider system’ shifts the focus from looking at an incident in isolation to understanding the complex inter-connected relationships between components of the system. Those components of the system can include:

  • organisational factors, such as staffing levels, shift patterns and education and training provision
  • task factors, such as the complexity of medical interventions, processes and procedures
  • technological and tools-related factors, such as the availability of health information systems, equipment, medication and diagnostics, the design of tools and equipment, and how they are used
  • environmental factors, such as the physical estate, its layout and maintenance, and how factors such as lights and sound can influence performance
  • person-related factors, including fatigue, familiarity, clinical knowledge and experience
  • external factors, including demand, financial pressures and regulatory interventions

Annex C: signatory contact information

Note: only relevant signatories should be contacted when instigating an ICG. NPCC and NHS England should only be contacted where appropriate. In many cases it will be more appropriate to contact the relevant police constabulary or NHS trust. The CPS will only be involved in cases where legal advice on a potential criminal offence is needed and will not be involved as an investigatory body.

Table 1: signatory contact information

Signatory body | Named signatory | Department contact | Contact details
CQC | James Bullion, Interim Chief Executive | Deputy Director of Enforcement | strategicenforcementqueries@cqc.org.uk
CQC | James Bullion, Interim Chief Executive | Director of MNSI | enquiries@mnsi.org.uk (for enquiries specifically relating to MNSI)
CPS | Nick Price, Head of Special Crime and Counter Terrorism Division | Special Crime Division | dls.team@cps.gov.uk
HSE | David Murray, Director, Planning, Finance and Procurement | Health and Social Care Services Sector | public.services-sector@hse.gov.uk
GDC | Tom Whiting, Chief Executive and Registrar | Chief Executive and Registrar | fitnesstopractise@gdc-uk.org
GCC | Nick Jones, Chief Executive and Registrar | Investigation | investigation@gcc-uk.org
GMC | Charlie Massey, Chief Executive and Registrar | Fitness to Practise | practise@gmc-uk.org
GOC | Leonie Milliner, Chief Executive and Registrar | Case Progression | ftp@optical.org
GOsC | Matthew Redford, Chief Executive and Registrar | Regulation Team | regulation@osteopathy.org.uk
GPhC | Duncan Rudkin, Chief Executive and Registrar | Concerns | concerns@pharmacyregulation.org
HCPC | Bernie O’Reilly, Chief Executive and Registrar | Fitness to Practise | ftp@hcpc-uk.org
NMC | Helen Herniman, Acting Chief Executive and Registrar | Chief Executive’s Office | ceoffice@nmc-uk.org
NPCC | Kate Meynell, Chief Constable | NPCC Chair of the Homicide Working Group | info@npcc.police.uk
NHS England [see note] | Aidan Fowler, National Director of Patient Safety | NHS National Patient Safety Team | patientsafety.enquiries@nhs.net

Note: NHS England has signed this MoU on behalf of the wider NHS and general queries about NHS policy in relation to this MoU can be directed to the NHS National Patient Safety Team. However, any operational queries regarding specific incidents and their management, including involvement of NHS Providers, ICBs or NHS regional teams, need to be directed to the relevant NHS bodies who are or should be involved in the ICG in question and not to the NHS National Patient Safety Team.

Annex D: ICG meetings - suggested items for discussion

Table 2: suggested items for discussion at ICG meetings

What should be discussed | What to consider
Nature of the incidents | - What has happened, when and how?
 | - Who is involved?
Reasons for meeting, including an explanation from the organisation responsible for calling the meeting | - Why has the meeting been called?
 | - Are other parties involved - for example, relatives, the coroner?
Consider make-up of the ICG | - Who will lead?
 | - Which signatories will attend future ICG meetings?
 | - Are those attending senior enough?
 | - Is the ICG diverse enough with regard to the protected characteristics under the Equality Act 2010?
 | - Are diverse viewpoints represented and if not, do new group members need to be added?
Needs of and support to patients, relatives and NHS staff (revisit this question at the beginning and end of every ICG meeting) | What are these, how are these to be met and by whom?
NHS actions to date, including the outcome of any learning responses or improvement work | - What has the NHS done to date?
 | - What is the organisation’s patient safety incident response plan?
 | - How was a decision about the response to the incident made?
 | - Are written reports available?
 | - Have themes from the incident had improvement work?
Public safety concerns | - Does this matter raise such concerns?
 | - If so, what are they?
 | - Does any immediate action need to be taken to ensure public protection?
Safety of NHS systems and the need for continuity of patient care | - Is there a need for remedial action, risk management, patient safety learning response and/or other processes or further investigation by the NHS?
 | - Does the matter need to be reported to another body - for example, MHRA or professional body?
The extent of further, immediate NHS patient safety learning responses or other investigations and how these may need to be constrained in subject matter or format by the needs and requirements of the police and/or CQC or HSE | - Is patient safety at risk?
 | - If so, what has to be done to minimise this risk?
Ensure a consideration of the impact of wider systems is made | - Are wider systems being considered in all aspects of the investigations?
 | - How will it be ensured that expert witnesses consider wider systems?
 | - Who will ensure CQC or other relevant body is informed where necessary as soon as any signatory identifies the possibility of wider systems failures (within 14 days)?
Collection of evidence | What evidence needs to be collected and how will it be secured, preserved and transferred?
Determine which body is responsible for regulating the healthcare setting | - Is the healthcare setting regulated by CQC?
 | - If so, who will inform CQC?
 | - If not regulated by CQC, determine who the relevant regulator is and who will inform them
 | - Can relevant inspection reports be obtained?
 | - Who will ensure the relevant body receives minutes of the meetings if they choose not to attend?
Consider whether other safety bodies should be involved | - Should MHRA be involved?
 | - If the incident is maternity related, should MNSI be informed?
Consider the rights of those potentially subject to a criminal investigation or prosecution | What steps will be taken to ensure the investigation considers the rights of those under potential investigation?
Role and responsibilities of the NHS, police and/or CQC or HSE and next steps to be taken (except where this would jeopardise any investigation or subsequent legal proceedings) | Each organisation should describe what it needs to do next and how it will fit - or conflict - with what others propose to do
If the police refer the case to the CPS, ensure relevant healthcare setting regulator is informed | Who will ensure CQC, or other relevant regulator, is informed within 7 days of a police referral to the CPS?
Other statutory responsibilities | - Do the organisations have other statutory responsibilities they should consider - for example, are there any safeguarding considerations in respect of a child or a vulnerable adult?
 | - Should social services be informed?
Need to inform professional regulatory bodies - for example, GMC, GDC, NMC | - Does this individual need to be referred?
 | - Who should do this?
 | - At what stage should this referral be made?
Securing and preserving evidence | - Has this been done and by whom?
 | - What has been preserved and where located?
Sharing information | - What information is available?
 | - When is the information required?
 | - What may be shared and what is the legal basis for sharing that information - is consent required?
 | - Consult with Caldicott Guardian
Information to other interested parties - for example, the coroner | - Who else needs to know?
 | - What can they be told?
Handling communications and media | - Is the incident likely to attract the attention of the media?
 | - What will be said in response?
 | - Who will say it and in what circumstances?
 | - Has a joint media strategy been agreed?
Future handling and co-ordination, including the appointment of a liaison officer from each organisation | Who from each organisation is to act as single point of contact and lead (SPOC)?
Freedom of information or disclosure | Agree protocol for material ownership, retention and return

Annex E: information sharing and data handling

This annex:

  • is not intended as a data sharing agreement
  • is intended as a useful resource for signatories considering their data sharing requirements
  • provides some template wording for an agreement
  • provides a section to help consider the legal basis for data that needs to be shared and the lawful basis for sharing

Signatories should consider independently whether a separate stand-alone data sharing agreement is required following their own legal advice.

DHSC is the co-ordinator of this MoU and will not be involved in handling or sharing any data.

Scope

‘Parties’ explicitly refers to the organisations within the ICG who will be involved in handling and sharing data. This may include:

  • NHS bodies such as ICBs, NHS trusts, NHS foundation trusts and NHS England
  • NPCC
  • CQC
  • CPS
  • HSE
  • GMC
  • NMC
  • GDC
  • HCPC
  • GPhC
  • GOC
  • GCC
  • GOsC

The agreement will apply for the entire duration of the investigatory and/or prosecutorial process for any individual case.

This agreement is not intended to conflict with parties’ statutory obligations. Where such a conflict occurs, statutory obligations take precedence.

The data and obligations referred to in this agreement relate only to data shared in connection with the work of the ICG, the terms of reference for which are set out at section 3 of the MoU (aims and purpose). This may include, but is not limited to, the following purposes:

  • to fulfil a request for information from an ICG party in relation to a case under investigation
  • to proactively assist another ICG party in determining whether there is an incident which may require a criminal investigation and/or prosecution
  • to help another ICG party carry out its functions as set out in this MoU to ensure investigations are handled correctly

Information sharing and data handling

The parties formally acknowledge their explicit commitment to maintaining the confidentiality, safety, security and integrity of all confidential and personal data which may be shared in connection to the work of the ICG.

The parties are aware of their statutory obligations regarding information sharing, obtaining, handling and usage, and understand and follow provisions within the common law on confidentiality, DPA and the UK GDPR. If parties decide that a more comprehensive data sharing agreement is needed, one may be drawn up and utilised as parties see fit. However, no additional data sharing agreement should be followed in any event where doing so prevents any party from discharging its statutory duties.

The parties will ensure the timely sharing and usage of information - in line with sharing obligations - throughout the duration of the investigatory process subject to avoiding prejudice to any investigation, and subject to the legal obligations on any member under the UK GDPR, DPA, European Convention on Human Rights Article 8, the common law on confidentiality and any other rule of law governing information sharing.

The parties are committed to the fair, lawful and transparent handling of data. Only those personnel that need access to and use of the personal data in order to carry out their assigned duties correctly will be permitted access to the data held. All personnel handling data should be made fully aware of their individual responsibilities and should be appropriately trained to handle such data.

The parties must comply with the following when processing personal data:

  • personal data must be stored on a secure system or in a secured place with appropriate authority and access controls
  • personal data must always be handled with care and must not be shared with any colleague or any third party without authorisation
  • personal data must not be transferred to any device personally belonging to an employee or transferred or uploaded to any personal file sharing, storage, communication, or equivalent service (such as a personal cloud service)
  • personal data may only be transferred to devices belonging to agents, contractors or other parties working on behalf of the parties where the party in question has agreed to comply fully with the letter and spirit of the law (which may include demonstrating that all suitable technical and organisational measures have been taken, or by entering into a data processor contract)
  • all personal data stored electronically shall be backed up regularly and securely

In addition to the obligations set out above, all personnel involved in processing personal data are required to read and adhere to the parties’ information security policies.

The parties shall each implement appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of personal data. Such measures shall be proportionate to the risks associated with the processing activities in question, and shall include (without limitation):

  • encryption and pseudonymisation of personal data where appropriate
  • policies relating to information security, including the secure processing of data
  • information security awareness training, including the secure handling of personal data
  • business continuity and disaster recovery capabilities to ensure the ongoing availability of and access to personal data
  • upon reasonable request, demonstrating evidence of processes for regularly testing the technical and organisational measures implemented to ensure the security of the processing

If a data incident, data breach or near miss occurs involving personal data, the designated contacts of all parties involved in investigating the incident must be notified without delay, and in any event within 24 hours of any party becoming aware of it.

Once assessment of any data incident, data breach or near miss has been completed by all parties, the next course of escalation shall be mutually agreed prior to informing the Information Commissioner’s Office (ICO), the regulatory authority for such matters. The data protection officer for the party or parties responsible for the breach should follow their established breach processes, including making the decision of whether to report to the ICO, and inform the relevant parties of the outcome. If responsibility for the breach has not been established, is unclear or is disputed between parties then the party that discovered the breach will be responsible for informing the ICO.

If an identified data breach is likely to result in a risk to the rights and freedoms of data subjects, the appropriate data protection authority must be notified of the breach without delay, and in any event within 72 hours of any party becoming aware of it.

Further, in the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, all affected data subjects are to be informed of the breach directly and without undue delay. Paragraph 2, schedule 2 of the DPA provides an exemption from the obligation to notify data subjects of a high risk breach involving data processed for the prevention or detection of crime, or the prosecution of offenders where doing so would be likely to prejudice those matters. The party responsible for notification of the breach should consult as appropriate with relevant parties (in particular, the originator of the data and the lead authority for any anticipated prosecution) in determining whether notification to data subjects would be likely to cause such a prejudice.

The parties will not retain any personal data for longer than is necessary. Thereafter, they will be securely destroyed in a manner that ensures that they can no longer be used or accessed and in compliance with the parties’ corporate information retention and disposal policy.

The parties are subject to the Freedom of Information Act 2000, the DPA and the UK GDPR. If one organisation receives a request for information that originated from another, the receiving organisation will discuss the request with the other before responding. The ultimate decision on the release of information, however, will remain with the organisation that has been requested to release it. Freedom of information policies for each organisation should remain available upon request.

Nature and purpose of data processing

The nature and purpose of data processing, in line with the scope of the MoU, are satisfied when more than one of the parties needs to investigate, in parallel, any incident (occurring in England only) where there is a reasonable suspicion that a criminal offence has been committed by an individual providing healthcare services in a health or care setting that led to or significantly contributed to the death or serious life-changing harm of a patient or service user.

Parties are independent controllers of any personal data shared under this MoU.

The following section indicates the lawful grounds for sharing the data for each party.

1. NHS bodies, England

Lawful basis of the ‘provider’ and the ‘recipients’ is likely to be as follows.

Data protection:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions - that is, for the purposes set out in section 3 of this MoU and to enable the NHS to provide a safe and effective health service
  • Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge the functions of NHS bodies to enable them to provide a safe and effective health service, and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU

Confidentiality:

  • sharing would not breach any obligations of confidentiality owed on the basis that it would be in the public interest for the purposes set out in section 3 of this MoU

2. National Police Chiefs’ Council

Provider

Lawful basis of the ‘provider’ is likely to be as follows:

  • DPA schedule 1, paragraph 10

Recipients

Lawful basis of the ‘recipients’:

  • DPA schedule 2, paragraph 2(1)(a) and (b), and paragraph 5(2) as applicable

3. Care Quality Commission

Lawful basis of the ‘provider’ and ‘recipients’ is likely to be as follows:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions, recognising in particular that CQC’s primary objective in performance of its functions under section 3 of the HSCA 2008 is to protect and promote the health, safety and welfare of people who use health and social care services; and also recognising that in relation to CQC’s general powers and duties under schedule 1, paragraph 2 of HSCA 2008, CQC may do anything which appears to it to be necessary or expedient for the purposes of or in connection to the exercise of its functions
  • section 79 of the HSCA 2008 also sets out permitted disclosures that CQC can make
  • in relation to special category data, CQC can rely upon Article 9(2)(g) (substantial public interest on the basis of UK law), (h) (management of health and social care systems) and (i) (public health or ensuring high standards of quality and safety of healthcare)
  • the offence for disclosure of confidential patient information under section 76 of the HSCA 2008 (subject to defences under section 77 of the HSCA 2008) provides the required safeguards for data subjects’ rights

4. Crown Prosecution Service

Provider

Lawful basis of the ‘provider’ is likely to be as follows:

  • DPA schedule 1, paragraph 6 and/or 7

Recipients

Lawful basis of the ‘recipients’:

  • DPA schedule 1 paragraph 2, 3, 7 or 11 depending on the relevant circumstances

Special conditions of processing

On rare occasions the CPS may commission a report which proves relevant to be shared - where this is the case, the CPS would rely on the processing conditions cited already under the DPA for law enforcement, or under UK GDPR:

  • Article 6(1)(e) and 9(2)(g) for special category data - sharing would have to be in the public interest and a case specific assessment would be made to determine whether disclosure is lawful or appropriate

5. Health and Safety Executive

Provider

Lawful basis of the ‘provider’ is likely to be as follows.

Either 1 or 2:

1. UK GDPR Article 6(1)(e): the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions - that is, functions set out in the Health and Safety At Work etc. Act 1974, any agency agreement or similar and/or as set out in this MoU to prevent workplace death, injury or ill health by helping people manage risks at work.

Where special category data is processed, HSE relies on Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge the functions of HSE.

2. DPA section 35(2)(b): processing is necessary for the performance of a task by a competent authority. Where sensitive processing is undertaken, schedule 8, condition 1 (statutory purpose), and/or condition 4 (safeguarding of children or individuals at risk) will be met, as appropriate.

Recipients

Lawful basis of the ‘recipients’.

Either:

  • UK GDPR Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions. For special category data, Article 9(2)(g): processing is necessary for reasons of substantial public interest, supported by schedule 1, condition 6 (statutory functions)

  • DPA schedule 2, paragraph 2(1)(a) and (b), and paragraph 5(2) as applicable

6. General Medical Council

Provider

Lawful basis of the ‘provider’ is likely to be as follows.

Data protection:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions - that is, for the purposes set out in section 3 of this MoU and to enable the GMC to regulate the medical profession

  • Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 11 (protecting the public against dishonesty, and so on) where the processing is necessary for the exercise of a protective function. A protective function means a function which is intended to protect members of the public against:

    • dishonesty, malpractice or other seriously improper conduct
    • unfitness or incompetence
    • mismanagement in the administration of a body or association
    • failures in services provided by a body or association and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU

Confidentiality:

  • sharing would not breach any obligations of confidentiality owed on the basis that it would be in the public interest for the purposes set out in section 3 of this MoU

Recipients

Lawful basis of the ‘recipients’:

Data protection:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions - that is, for the purposes set out in section 3 of this MoU and to enable the NHS to provide a safe and effective health service
  • Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge the functions of NHS bodies to enable them to provide a safe and effective health service, and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU

Confidentiality:

  • sharing would not breach any obligations of confidentiality owed on the basis that it would be in the public interest for the purposes set out in section 3 of this MoU

7. Nursing and Midwifery Council

Lawful basis of the ‘provider’ and ‘recipients’ is likely to be as follows.

Data protection:

  • Article 6(1)(c): processing is necessary for compliance with a legal obligation
  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions
  • where information includes special category data, the NMC’s legal basis is Article 9(2)(g): processing is necessary for reasons of substantial public interest
  • under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law
  • processing is necessary to discharge the functions of NHS bodies to enable them to provide a safe and effective health service, and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU
  • NMC is also required to co-operate with the signatories of this MoU in exercise of its functions in pursuance of public protection (the overarching objective under Article 3(4) of the Nursing and Midwifery Order 2001)

Confidentiality:

  • sharing would not breach any obligations of confidentiality owed on the basis that it would be in the public interest for the purposes set out in section 3 of this MoU

8. General Dental Council

Lawful basis of the ‘provider’ and ‘recipients’ is likely to be as follows.

Personal data:

  • Article 6(1)(e): the processing is necessary to perform a task in the public interest or for your official functions, to meet the GDC’s overarching objective to protect, promote and maintain the health, safety and well-being of the public (sections 1(1ZA) and 1(1ZB) of the Dentists Act 1984)

Special category data:

  • Article 9(2)(g): the processing is necessary for reasons of substantial public interest, to meet the GDC’s overarching objective to protect, promote and maintain the health, safety and well-being of the public (sections 1(1ZA) and 1(1ZB) of the Dentists Act 1984)

Criminal data:

  • under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge the GDC’s overarching duty to protect the public and the objective to protect, promote and maintain the health, safety and well-being of the public (sections 1(1ZA) and 1(1ZB) of the Dentists Act 1984) and the GDC’s duty to co-operate including with public bodies that carry out activities in connection with national health services (section 2A of the Dentists Act). As in the above text, the necessity comes from the purposes set out in section 3 of the MoU

9. Health and Care Professions Council

Provider

Lawful basis of the ‘provider’ is likely to be as follows:

  • Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • the HCPC is exercising official authority in the performance of its functions under Articles 3, 5 and 21 of the Health Professions Order 2001

Recipients

Lawful basis of the ‘recipients’:

  • Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special conditions of processing

Article 9(2)(g) - processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. The substantial public interest includes statutory and government purposes and the protection of the public.

10. General Pharmaceutical Council

Lawful basis of the ‘provider’ and ‘recipients’ is likely to be as follows:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of the GPhC’s statutory functions and overarching objective under the Pharmacy Order 2010 to protect, promote and maintain the health, safety and well-being of users of pharmacy services and for the purposes set out in section 3 of this MoU
  • Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge public functions set out in the Pharmacy Order 2010 and its overarching objective to protect, promote and maintain the health, safety and well-being of users of pharmacy services and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU

Enforcement powers and duties

In addition, GPhC has enforcement powers and duties under the Poisons Act 1972, the Medicines Act 1968, the Human Medicines Regulations 2012 and the Veterinary Medicines Regulations.

Confidentiality

Sharing would not breach any obligations of confidentiality owed on the basis that it would be in the public interest for the purposes set out in section 3 of this MoU.

11. General Optical Council

Provider

Lawful basis of the ‘provider’ is likely to be as follows:

  • under section 13C(3) of the Opticians Act, the GOC “may disclose to any person any information” relating to registrants’ fitness to practise, fitness to carry on business and/or fitness to undertake training, which it considers to be in the public interest to disclose

Recipients

Lawful basis of the ‘recipients’:

  • section 13B(1) of the Opticians Act 1989 empowers the GOC to “require a registrant or any other person to supply any information or produce any document” which it considers relevant to its functions regarding registrants’ fitness to practise, fitness to carry on business and/or fitness to undertake training. Under section 13B(4) of the Opticians Act, it is to be assumed for the purposes of the DPA that such disclosure is covered by the exemption for disclosures required by law

Special conditions of processing

Section 13B(3) of the Opticians Act: that the information is put into a form that is not capable of identifying the individuals.

12. General Chiropractic Council

Provider

Lawful basis of the ‘provider’ is likely to be as follows:

Data protection:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions - that is, for the purposes set out in section 3 of this MoU and to enable the GCC to provide a safe and effective health service
  • Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge the functions of GCC to enable it to protect the public, and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU

Confidentiality:

  • sharing would not breach any obligations of confidentiality owed on the basis that it would be in the public interest for the purposes set out in section 3 of this MoU

Recipients

Lawful basis of the ‘recipients’:

Data protection:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions - that is, for the purposes set out in section 3 of this MoU and to enable the GCC to protect the public
  • Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge the functions of the GCC to enable it to protect the public, and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU

13. General Osteopathic Council

Provider

Lawful basis of the ‘provider’ is likely to be as follows:

Data protection:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions - that is, for the purposes set out in section 3 of this MoU and to enable the GOsC to provide a safe and effective health service
  • Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge the functions of GOsC to enable it to protect the public, and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU

Confidentiality:

  • sharing would not breach any obligations of confidentiality owed on the basis that it would be in the public interest for the purposes set out in section 3 of this MoU

Recipients

Lawful basis of the ‘recipients’:

Data protection:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller by virtue of its statutory functions - that is, for the purposes set out in section 3 of this MoU and to enable the GOsC to protect the public
  • Article 9(2)(g): processing is necessary for reasons of substantial public interest. Under section 10(3) of the DPA, this requires a condition in part 2 of schedule 1 of the DPA to be met. The relevant condition is paragraph 6 (statutory purpose), as the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law. Processing is necessary to discharge the functions of the GOsC to enable it to protect the public, and is necessary for reasons of substantial public interest, for the purposes set out at section 3 of this MoU

Data sharing

The information to be shared will be based on a determination of necessity to be made on a case-by-case basis based on parties’ guidance or other appropriate guidance at local police force level. Systematic sharing of personal data is not proposed as part of this agreement. However, should such sharing become necessary in the future, a data protection impact assessment would need to be conducted before any systematic sharing took place.

Each party is responsible for effectively managing its responsibilities for the review, retention and secure disposal of personal data, shared under this MoU, in accordance with the requirements of the DPA and other current data protection legislation.

The section below provides a useful starting point for parties considering their data sharing requirements.

Examples of categories of data subject

This list is non-exhaustive and will depend on the nature of the incident being investigated.

The following categories of data subjects will be disclosed to the recipients:

[Insert details - for example, patients.]

Examples of type of data

Includes personal data and special categories of personal data which will all be pseudonymised, not contain identifiers and will be linked via the pseudonymous unique serial number identifier. This list is non-exhaustive and will depend on the nature of the incident being investigated.

The following types of personal data will be disclosed to the recipients:

[Insert details.]

Data transfer or permitted transfer

[Insert details of any permitted data transfers by the recipients to other recipients.]

[Insert details of consent process and specify where the consent is recorded.]

File type

[Insert details of electronic file type.]

Frequency of transfer

[Insert details of frequency - for example, ad hoc, ongoing.]

Transfer mechanism

[Insert data security details including:

  • method of sharing (for example, specify encrypted site to be used for sharing)
  • any minimum expectations on technical and organisational measures to be used]

Data processors or sub-processors

[Insert details of the relevant persons responsible including names and job title.]

Data storage location

[Insert details.]

Duration of processing

[Insert details with reference to the principle set out in Article 5(1)(e) of UK GDPR.]

Plan for return or destruction of personal data upon termination of the agreement

[Insert procedure that recipients must follow for deletion of shared personal data.]

Annex F: confidentiality agreement

This annex is intended as a useful resource for signatories considering issues around ‘confidential information’ and provides some template wording.

Background

All members of the ICG, with the exception of DHSC, may acquire or have access to confidential information (as defined below) and must consider the terms below in respect of such information.

This agreement is not intended to conflict with statutory obligations. Where such a conflict occurs, statutory obligations take precedence. In relation specifically to CQC, where information is shared under this MoU with CQC and that information identifies a known risk to a service user and/or information relevant to the discharge of its regulatory functions, the exercise of CQC’s statutory functions will take precedence over this MoU and that information will be capable of informing the exercise of CQC’s regulatory and/or enforcement processes.

In some cases, as to be decided by the ICG, it may be appropriate to set out in an additional written agreement:

  • what information will be shared
  • when and how information will be shared
  • when and how information may be returned or destroyed
  • the legal basis for all of the above

Agreed terms on disclosure

1. The parties to this agreement wish to exchange information with each other in connection with the work of the ICG, the terms of reference for which are set out at section 3 of the MoU (aims and purpose).

2. In consideration of a ‘provider’ agreeing to disclose confidential information to one or more ‘recipients’, each recipient undertakes to that provider that it shall:

  • keep the confidential information secret and confidential
  • store the confidential information securely and take all reasonable steps to prevent access to it by unauthorised individuals
  • not copy the confidential information save as for bringing the terms of this agreement into effect
  • not use or exploit the confidential information or any part or extract in any way, except for or in connection with section 3 of the MoU (aims and purpose)
  • only make disclosure of the confidential information in accordance with clause 3 and clause 4 below

Any other disclosure can only be made with the Provider’s prior written consent.

3. Each party may disclose the confidential information to any of its officers, employees, legal advisers and insurers that need to know the relevant confidential information for the purpose only, provided that it procures that each such person to whom the confidential information is disclosed complies with the obligations set out in this agreement on terms that preserve confidentiality.

4. Each party may disclose the confidential information to the minimum extent required by either:

  • any order of any court of competent jurisdiction or any regulatory, judicial, governmental or similar body or taxation authority of competent jurisdiction
  • the laws or regulations of any country to which its affairs are subject

Information about health and safety and HSE’s guidance is available on the HSE website.

‘Work-related deaths: a protocol for liaison’ is available to download on HSE’s Work-related Death Protocol (WRDP) page.

CPS publications are available on the CPS website.

See the latest statement of law on GNM on the CPS website.

NPCC publications are available on the NPCC website.

The Patient Safety Incident Response Framework (PSIRF) is published by NHS England. It details the requirements for NHS funded organisations in relation to their response, review and investigation of patient safety incidents.

CQC publications are available on the CQC website.

MHRA publications are available via MHRA’s homepage on GOV.UK.

  1. While IHPN is the only membership organisation for the independent healthcare sector, it is not the case that all independent healthcare providers are members. 

  2. In normal circumstances it will be the senior investigating officer (SIO) appointed by the police who will contact the CPS for such advice. 

  3. The PSIRF defines patient safety incidents as “unintended or unexpected events (including omissions) in healthcare that could have or did harm one or more patients”. 

  4. The ICG is a group including the relevant signatories of this MoU. It is likely to include representatives from the relevant healthcare organisations, regulatory bodies, investigatory bodies and prosecuting bodies. NHS England has signed this MoU on behalf of the wider NHS. In practice it is likely that individual NHS provider organisations will sit on individual ICGs, and that representatives from NHS England will only sit on the ICG in cases where it is appropriate. The CPS will provide legal advice on a potential criminal offence; it will not act as an investigatory body. 

  5. Under the National Quality Board’s (NQB) Risk response and escalation guidance, this is the equivalent of a rapid quality review meeting. This guidance is used to manage quality risks, concerns and issues arising in providers, systems and more widely. The principles of the NQB guidance and this MoU are the same, and what framework is used does not matter if the same principles are adopted.