Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, whether his Department undertook a risk assessment before making full medical records available to social care providers through the Devon and Cornwall Care Record.

Responsibility for delivering shared care records sits with local integrated care boards (ICBs).The health and care organisations which participate in the Devon and Cornwall Care Record are joint controllers for the shared care record system and are responsible for determining who is authorised to access medical records in the system, the process for authorising users, how those users access records and the purposes for which the records can be accessed.

Every ICB which shares records is required to look after an individual’s information in accordance with the Information Governance Framework for shared care records published by NHS England, to ensure that only authorised users access relevant information, and that access is governed by appropriate access controls. The framework is available at the following link:

https://transform.england.nhs.uk/information-governance/guidance/summary-of-information-governance-framework-shared-care-records/information-governance-framework-for-integrated-health-and-care-shared-care-records/

There are safeguards in place to keep information confidential. All care organisations accessing information via the Devon and Cornwall Care Record must be compliant with the Data Security and Protection Toolkit and sign a data sharing agreement. To access, a user needs an account which must be requested by an authorised sponsor in their organisation. Each time a shared record is accessed in the Devon and Cornwall Care Record, it is recorded in an audit trail.

The registered managers of any care home are responsible legally for the safe management of information and ensuring all staff receive training and must agree to the terms and conditions of use, of which they are reminded on the login page.