Integrated Care Boards (ICBs) have only existed since 1 July 2022, but some ICBs sensed the direction of travel in advance, and were already engaged in projects aimed at meeting their new statutory responsibilities. Mills & Reeve is advising ICBs on such projects, and here we will outline one project type, in the IT and data category, that is close to being “item 1” on any ICB’s critical path for IT infrastructure and information management.
The project involves moving towards centralising the ICB’s primary care data. We will summarise why ICBs need to consider this change, the challenges and headwinds that they face, and key factors and milestones that must be managed and delivered (based on our experience of advising ICBs on this).
New responsibilities for ICBs
The responsibilities of ICBs are broader than those of their predecessor Clinical Commissioning Groups. Each ICB is responsible for people who usually reside in the ICB’s area and who are provided with primary care services. The requirement is for a single primary care service in the ICB’s area. It is a requirement that puts the patient first, across the ICB’s region. No allowance is made for local differences in GP practices.
The new responsibilities present significant challenges for ICBs. There are many elements of the existing primary care system, and the wider landscape, that create headwind:
- Whilst ICBs bear statutory responsibility for primary care, GPs are commissioned to provide it, and they are commissioned by NHS England, not the ICB.
- The staffing resource for delivering primary care services is held in containers the size and shape of GP practices. Each ‘container’ does not have sufficient resource, on its own, to deliver primary care across the ICB’s region. On many days an individual practice may lack sufficient resource to meet demand amongst its own patients. ICBs need to break the resource out of its ‘containers’.
- Data protection and cyber security laws require GP practices to protect the medical and staff records. If anything, GP IT is focused on enabling GP practice staff to use data, rather than easy (but secure) data sharing.
- Individual GP practices choose their own IT (within certain parameters). Retro-fitting secure data sharing is consequently complex and expensive.
- ICBs inherit the awkward restrictions imposed on CCGs, which mean they can control personal data but not ‘handle’ it except for the purposes of ‘risk stratification’.
The statutory responsibilities of ICBs take no account of these challenges, and make no allowances.
For an ICB to provide a regionalised primary care service, it will need insights, almost in real time, about GP practice patients and staff. The legacy position is that the relevant data is locked away from ICBs, as part of the resources that are tied into those ‘containers’. The objective therefore has to be to release medical and staff data, from the containers to a centralised location.
Factors and milestones
Each ICB’s path to achieving the objective is likely to be different, but based on our experience we can single out six factors and milestones that are likely to be key:
1. Defined and secure infrastructure
The ICB needs to be clear about where the data will be centralised (and how it will be transferred), and the infrastructure must be highly secure. There are several options that could be considered, each with differing pros and cons, including NHS facilities such as the service operated by NHS Digital via Clinical Support Units (known as the Data Services for Commissioners Regional Offices), and UK locations offered by providers such as Amazon Web Services and Microsoft Azure.
2. Defined purposes
This is currently (six months on from the establishment of ICBs) particularly challenging. ICBs and their statutory responsibilities are new. We can see the need for regional centralisation of GP practice patient and staff data at scale, but the specific purposes doing it are difficult to bring into focus.
3. Due diligence and planning
The objective is to achieve change, and the ICB needs key information about its ‘as is’ position before it can confidently plan and deliver the change. Due diligence and planning should cover each of the other five areas in this list.
4. Specialised contracts
To effect the changes, contracts need to be put in place between the ICB and participating GP practices, and with providers of IT infrastructure. The contracts with GP practices need to have built-in flexibility to deal with changes in GP practices, and the evolution of the technologies used to centralise primary care data.
5. Robust, documented compliance measures
Data protection impact assessments (to identify and manage risk) and Privacy Notices (to inform affected patients and staff) are mandatory to comply with data protection law. GP practices may already have Privacy Notices, but are likely to need to revise or supplement them.
6. Management of the human element of change
Individual patients, and a range of organisations (and some of their staff) will be affected by data centralisation. A data centralisation project will either not progress, or is likely to encounter significant challenge later on (including, potentially, legal challenge), unless the ICB obtains the support of key stakeholders and groups. This can be time-consuming, so the ICB should start managing stakeholders at an early stage. Stakeholders may raise legal and compliance questions, and concerns raised may be relevant to the ICB’s risk assessments.
If you would like to discuss any of the issues raised here do please get in touch.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.