Good TREs work

NHS Counter Fraud Authority projects

9 data files in total were disseminated unsafely (information about files used safely is missing for TRE/"system access" projects).


For the purposes of the prevention and detection of crime. — DARS-NIC-736310-S6T1Z

Type of data: information not disclosed for TRE projects

Opt outs honoured: Anonymised - ICO Code Compliant (Does not include the flow of confidential data)

Legal basis: Health and Social Care Act 2012 – s261(2)(a)

Purposes: No (Agency/Public Body)

Sensitive: Non-Sensitive

When:DSA runs 2024-04-17 — 2024-08-16 2024.04 — 2024.11.

Access method: System Access
(System access exclusively means data was not disseminated, but was accessed under supervision on NHS Digital's systems)

Data-controller type: NHS COUNTER FRAUD AUTHORITY

Sublicensing allowed: No

Datasets:

  1. SUS - CFA (Counter Fraud Authority)

Objectives:

The NHS Counter Fraud Authority (NHSCFA) requires access to NHS England data for the purpose of preventing and detecting fraud and other cinrimal offences within the NHS therefore pre-empting the potential commencement of a criminal investigation.

This purpose is supported in the Directions to NHS Trusts and Special Health Authorities 2017 and the NHS Act 2006.

The NHSCFA, established under the NHS Act 2006, is mandated to prevent, detect, and investigate fraud, corruption, and unlawful activities within the English health service. The NHSCFA has been given the express function of the prevention, detection and investigation of fraud, corruption and unlawful activities against or affecting the health service in England. NHS bodies including Special Health Authorities (such as NHS England) are directed to cooperate with the NHSCFA and to enable the NHSCFA to efficiently and effectively carry out its functions as specified in paragraph 3(1)) of the NHS Counter Fraud Authority and supplemental directions 2017 (https://www.gov.uk/government/publications/nhs-counter-fraud-authority-and-supplemental-directions-2017).

The following NHS England Data will be accessed:
• Secondary Use Services (SUS) Episodes (Uncurated Low Latency Hospital Datasets) – necessary to conduct the necessary work to address several explicit problems highlighted by NHS England and other counter fraud organisations.

The level of the Data will be:
• Pseudonymised

The Data will be minimised as follows:
• Limited to the minimum Data required for the purpose of the work including any initial discovery work that is needed to ensure relevant data and data elements are appropriate to cover the problems identified.
• Limited to the activity period from April 2018 to the latest available.

NHSCFA is the controller as the organisation responsible for ensuring that the Data will only be processed for the purpose described above.

The lawful basis for processing personal data under the UK GDPR is:
Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

The lawful basis for processing special category data under the UK GDPR is:
Article 9 (2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; and

Article 9(2)(j) - processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The relationship between public sector fraud and “public interest” has been discussed at length in recent years and in particular, against the duty of confidentiality - to that end, the 2021 consultation by the Academy of Medical Royal Academies, supported by the National Data Guardian provides some useful insight (https://www.aomrc.org.uk/wp-content/uploads/2021/06/Disclosing_personal_demographic_data_0621.pdf) identifying that protecting the public sector from fraud supports disclosure and that effective protection of public services and effective management of the public purse in this circumstance falls within the public interest test (even where this breaches confidentiality).

The work is self-funded.

Expected Benefits:

The NHS, like all public sector bodies, has a duty to combat fraud and, when it occurs, to recover monies for the public purse. NHSCFA has been setup with this specific remit, as well as a role in preventative action. This data share therefore supports this activity and the mitigation of fraud risk in the substantial public interest through both the detection and prevention of fraud and fraudsters but also through the mitigation of fraud risk and safeguarding of NHS system.

Further details about the work are restricted to maintain the integrity of potential future investigation detection activities.

Outputs:

The outcome will provide either assurances concerning the integrity of NHS business systems from fraud or will identify outliers and associated risks concerning potential NHS fraud.

Processing:

No data will flow to NHS England for the purposes of this Data Sharing Agreement (DSA).

NHS England will grant access to the NHSCFA via the Unified Data Access Layer (UDAL) – a data management system within NHS England that enables patient data to be processed and made available for analytical purposes.

UDAL accommodates a series of tools, which enable users to explore patient or aggregate data, to create standardised reports and dashboards, and create statistical models.

NHSCFA will extract subsets of the data where required to carry out analyses using an NHSCFA-managed analytical tool.

NHSCFA will create an analytical product from the data which will be converted into either an intelligence product or an evidential one for the purposes of criminal investigations. These products will be stored on the CFA case management and intelligence system for any subsequent case file submission to the CPS or criminal / civil court.

The Data will not be transferred to any other location.

The Data will be stored on servers at NHS England (UDAL) and NHSFCA (extracted subsets of data)

The Data will be accessed by authorised personnel via remote access.

The Controller(s) must confirm and provide evidence upon audit by NHS England that access via any remote device complies with the data security obligations within this DSA and the Data Sharing Framework Contract.

For remote access:
- Remote access will only be from secure locations situated within the territory of use (as further restricted elsewhere within the DSA if so done) stated within this DSA;
- Access controls granting users the minimum level of access required are in place;
- Remote access is only via secure connections (e.g., VPNs or secure protocols) to protect data;
- Multifactor authentication (MFA) is required for remote access;
- Device security, including up-to-date software and operating systems, antivirus software, and enabled firewalls are utilised for the remote access;
- All remote access is undertaken within the scope of the organisation’s DSPT (or other security arrangements as per this DSA) and complies with the organisation’s remote access policy.

The above applies in addition to any condition set out elsewhere within the DSA (e.g. who may carry out processing, and for what purpose).

The Data will not leave England at any time.

Access is restricted to employees or agents of the NHSCFA.

All personnel accessing the Data have been appropriately trained in data protection and confidentiality.

The Data will not be linked with any other data.

NHSCFA will not share data disseminated via the DSA with any third party other than as part of their investigation as forensic evidence

There will be no requirement and no attempt to reidentify individuals when using the Data.