Nov 04, 2021

Time is running out for COPI notices. How can the NHS prepare for continued data sharing across the healthcare network?

Graham Hall

During the pandemic, the Department of Health and Social Care issued COPI notices to healthcare organisations, GPs, local authorities and arm's length bodies so that they could share information to support efforts against coronavirus (COVID-19). These notices are due to expire on the 31st March 2022.

Ahead of this date, organisations who wish to continue accessing patient information and sharing data for inclusion in the "Shared Care Record" are being encouraged to transition to a more long-term legal basis. This legal basis is known as Regulation 5 of the Health Service (Control of Patient Information).

The sharing of healthcare data for research and planning purposes during the pandemic has proven invaluable in the UK’s response to COVID-19. Indeed, the NHS Long Term Plan sets out a vision for how patient data should be shared effectively across the United Kingdom to allow clinicians to access all patient records nationally.

Integrated Care Systems are currently in the process of being defined and the NHSX frontline digitisation programme is providing investment and guidance on the adoption of integrated EPR (Electronic Patient Record) solutions.

However, this broader strategy must be underpinned by organisations undertaking Data Protection Impact Assessments (DPIAs) and implementing robust Data Sharing Agreements as part of the Information Governance process. This is to ensure the confidentiality, integrity, and availability of "Shared Care Records".

From our extensive public sector data programme experience, we recommend that ICSs and the broader NHS consider the importance of a joined-up strategy for how data should be shared across the system.

Credera’s data recommendations

When it comes to data sharing internally and externally by Trusts, there are three key considerations to be taken into account:

  • Regulatory considerations and options to overcome the perceived risk factors inhibiting data sharing – in this case, COPI and GDPR being the most relevant.

  • The interventions necessary to uplift data governance, data quality, and data management capabilities to support data sharing processes.

  • The technology platforms available to increase data consumption and provide secure access to disparate data sources.

Sharing data is already difficult due to the various technology environments and entities which make up the NHS. On top of this are core legal risk barriers limiting data sharing (GDPR), which require careful thought around patient confidentiality, lawful basis, and purpose limitation. However, with COPI and the “Shared Care Record”, there is much that can be done to share data within these limitations.

To balance compliance with innovation and value, the establishment of an NHS risk model based on real scenarios (such as PII Data, Governance Enabling, Patient Profiling etc.) rather than individual use cases should be considered. This, coupled with an effective data governance approach, would quickly establish data sharing scenarios that are safe to share, have robust controls, and enable data across healthcare organisations, GPs, local authorities, and arm's length bodies.

Data governance

Effective data and information governance begins with a consistent and centralised data strategy. This would ideally be defined and implemented in conjunction with the NHSX frontline digitisation programme and designed with patients, operations, and technology end data consumers in mind. In addition, a nation-wide / cross-entity data operating model should be included as part of this to define the right levels of access, ownership, and security around the data to be shared.

Data Quality (DQ) would also be of some concern within the data sharing space, and topics such as issue management processes, tooling, and rules will need to be reviewed and agreed in a post-COPI-notice world. The development of a standardised data management framework to establish a consistent approach for metadata definition and identification (i.e., CDEs, lineage etc.) would also support this.

Finally, data culture is a core capability which should be fostered so that data users are not afraid to raise issues, discuss sharing arrangements, and improve data management. Therefore, establishing data forums hosted between NHS Trust data teams to cross-pollinate ideas and build relationships with counterparts could be an effective way to drive this transformation.

Technology

The technology arrangements between healthcare organisations, GPs, local authorities, and arm's length bodies are as varied as the organisations themselves. This leads to issues with integration and the sharing of data nationally. Therefore, a key recommendation would be to develop a national consolidated platform strategy (e.g. looking at a data mesh) and ensure that the data sharing controls are embedded throughout the process. As mentioned above, the alignment and integration of catalogue and metadata tooling is vital to ensure consistency and support in the centralisation of DQ rules and definitions.

In a nutshell

The end of the COPI notice and the introduction of “Shared Care Records” and Integrated Care Systems (ICS) provide the NHS with an opportunity to act proactively instead of reactively to data sharing across the healthcare network. Creating a joined-up data strategy that aims to eliminate siloed data governance, practices, and technology whilst empowering local data owners via a mesh architecture will require a lot of upfront commitment and planning. However, this will secure longer-term benefits due to a streamlined adoption of the right data behaviours and processes.


