Agenda Item 10(b)
Rotavirus Evaluation Data Sharing Agreement Between xx CCG and University of Liverpool.
Agreement Commenced: Date of signature
Agreement expires: 31/05/2017
Unique Reference: 0012
Information Sharing Agreement 0012: Rotavirus Evaluation Sharing Agreement v1.1
Business Intelligence Team
Rotavirus Vaccine Evaluation
Summary and Benefits of the Project
This document outlines the requirements for an information sharing agreement between General
Practice, xx CCG and University of Liverpool.
The aim of this data sharing project is to enable the sharing of data to inform the evaluation of rotavirus
vaccine which was introduced in July 2013. The aim of this evaluation is to:
Understand if there are any benefits to be gained through vaccinating children against rotavirus
Quantify any benefits or disbenefits identified.
This document contains the file specification for the fields required from primary care together with a
Sharing Agreement detailing how the information will be transmitted, stored and used by both XX CCG
and University of Liverpool. Appendix A shows a diagram of the data flow, the governance principles and
who has access at each point.
Change History
Document created
Expiry date amended, dates of extraction added, extraction
field and University of Liverpool details confirmed.
Extraction method
Signed up GP Practices will allow the extraction of patient level data via EMIS Web to be used only for the
purposes within this Information Sharing Agreement (ISA).
Extract Frequency
Three data extractions will be performed. The first will occur in December 2014, the second extract will
occur in August 15. The third and final extract will be performed during August 2016.
Extract Parameters
The extract parameters are below
Search population: Currently registered patients (Excluding dummy patients)
Search Date: Day of extraction
Date range: Where Indicated - Last 7 years initially
Each subsequent extract covers data for previous 12-months.
Fields for extraction:
Registration status
Post Code*
Date of Birth*
Time since last diarrhoea episode
Diarrhoea symptom NOS
Enteritis due to rotavirus
Infectious diarrhoea
Diarrhoea and vomiting
Diarrhoea of presumed infectious origin
Viral Gastroenteritis
Infectious gastroenteritis
Infantile viral gastroenteritis
Gastroenteritis - presumed infectious origin
Gastrointestinal symptoms NOS
3.6 Rotavirus vaccination (Code & Date)
All instances & dates
All instances & dates
All instances & dates
All instances & dates
All instances & dates
All instances & dates
All instances & dates
All instances & dates
All instances & dates
All instances & dates
All instances & dates
All instances & dates
and data management
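[Data flow diagram; box text as recovered, in order. The first two boxes are cut off in the source.]
Patient level data extracted from ...
Patient identifiable items transformed to non-identifiable form prior to ...
Data extract sent via NHSnet
Data analysed for the study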
The data extraction from EMIS Web will be stored temporarily on the CCG secure network for the
purposes of transmission to the University of Liverpool. The patient identifiable items within the dataset
(DOB and postcode) will be transformed prior to data sharing. This means that postcode will be converted
to Lower Super Output Area (LSOA) and date of birth will be converted to age in months. The data will be
transmitted to University of Liverpool in the form of batches of CSV files via the CCG Patient Identifiable
Data (PID) NHS net account ([email protected]). This is an acceptable form of data transmission of
patient identifiable data. The information will then be deleted from the CCG network.
For the security features of this process, please see the Governance and Security section below. For the Data
Management process, see below.
Governance and Security
Data Governance
It is essential that all processing and use of personal data is in line with the Data Protection Act. In order
to protect the rights of individuals there is a statutory duty placed on those who decide ‘how’ and ‘why’
such data is processed – the ‘data controller’. The data controller for this extraction is the GP Practice as
they are the statutory body. Therefore all proposed use of the data must be in agreement with GP
This essentially means that ALL decisions regarding the use of the data rest with the GP Practice. The
data processors cannot utilise or disclose this information to a third party e.g., Department of Health,
without your express permission, unless covered by the terms of this agreement.
The information will only be used in accordance with the specific purpose that it is provided for and will
be at all times treated as confidential and handled in a secure manner.
The shared information will not be used for any of the following:
Advertising, Marketing & Public Relations
Trading/sharing in personal information
Future Research not covered by the parameters of this sharing agreement
Legal basis for Information Sharing
The information shared will not contain patient identifiable data items.
The Health and Social Care Act 2012 also allows sharing of information for the purpose of advancing the
health and wellbeing of the people in the area, to encourage persons who arrange for the provision of any
health or social care services in that area to work in an integrated manner.
Security of the servers/data warehouse
Data will be extracted and warehoused on a secure server hosted and administered by University of
Liverpool. The following security features are in place to ensure the data is secure.
Servers have routine, auditable back up procedure to prevent data loss
Secure anti-virus software
Servers in secure room with key access and log book for access
Building has swipe card access for every floor.
Computers have time out screens and screen lock functions for users.
Users have secure password to network
This process is regularly audited by external auditors to ensure fit for purpose
Data Management
The data extracted will be housed in a secure data warehouse as above. The University of Liverpool data
governance practices, which are informed by the Data Protection Act (1998), will be rigidly adhered to.
Retention period
The data will be stored by University of Liverpool for 10 years after the expiry of this data sharing
agreement (31/05/2017). No further data will be shared between the University of Liverpool and GP after
the expiry of this data sharing agreement (31/05/2017).
Subject Access
Subject access requests will be dealt with by the data controller in accordance with the provisions of the
Data Protection Act 1998.
Complaints will be dealt with in accordance with XX CCG Complaints Policy.
In line with Department of Health recommendations, the use of laptops or other portable media for
storing/transferring person identifiable or other sensitive information is not allowed under this
agreement unless it is encrypted to standards approved by the DoH. Data will be transmitted via approved
secure routes, in this case NHS net to NHS net or encrypted email.
Information breaches
Partners will take steps to avoid any breach (intentional or otherwise) or disclosure to third parties
outside the remit of this Agreement. Breaches must be reported through to XX CCG Incident reporting
procedures, fully investigated and a report provided to XX CCG.
Any Serious Untoward Incidents occurring within the scope of the information shared under this
agreement must be reported to the participating organisations within 1 day of the incident occurring. The
SUI must be fully investigated. The GP practices reserve the right to be informed at every stage of the
investigation. Disciplinary action will be the responsibility of the organisation where the incident has
occurred. This agreement will be reviewed in light of any lessons learnt from such incidents.
Information will only be accessible to those authorised by this agreement or for whom it is essential to
access the information to complete the purpose of the sharing.
Partner organisations must have a confidentiality clause within staff contracts of employment and/or
require staff participating in this agreement to sign confidentiality agreements. Staff must have current
CRB checks where agreements require the sharing of sensitive data, in particular children’s data.
Where training needs to meet the requirements of this agreement are assessed and identified, each
organisation will ensure that the resource is made available to staff.
Patient Confidentiality
Some patients may still wish to opt out of sharing data in the same way as they may have done for the
national spine. Patients’ data will not be shared if the read codes of 93C3 (Refused consent for upload to
national shared electronic record) and 93C1 (Refused consent for upload to local shared electronic
record) are recorded. Patients will also be hidden from the extract if a practice marks their records as ‘private’ from
within the clinical system. Both methods are acceptable.
Copies of this agreement will be provided to each of the signatory organisations. A master copy will be
held by XX CCG. XX CCG will support any changes or amendments to this agreement.
This information sharing agreement will be adopted by the signatory organisations. Key staff will be
identified in each organisation to ensure that the protocols in this agreement are adhered to.
Information Governance
All signatories to this agreement are required to have approved Information Governance Policies in place
that state the legal, ethical and professional obligations to protect service user information.
Signatories to this agreement must ensure that all staff, contractors or other third parties who are
involved in the processing of information covered by this agreement have received appropriate
Information Governance training.
Monitoring & Review
Review of this agreement will be overseen by XX CCG, with reference to the signatory organisations, and
in particular if there are changes to the agreed purpose or processes. This document will also be reviewed
whenever there are changes to legislation or guidelines that may affect the sharing of the information
covered by the agreement.
Staff are required to report any adverse incidents that may affect the validity of the statements in this
agreement and any breaches of security or confidentiality to Information Intelligence Services at
Liverpool CC.
Any queries relating to this agreement should be addressed to XX CCG.
This agreement will be sent to practices once Practices will be communicated to every two years providing
them with an opportunity to opt out.
Effective Date
This ISA is considered to be effective following signature of all parties and from the date on the signature
page of the agreement unless prior authorisation to share has been approved by the Caldicott Guardian.
Information Sharing Agreement
You agree to share the data specified within this sharing agreement for the purpose specified.
Signed …………………………
Date of expiry 31/05/2017
University of Liverpool
Business Intelligence Team
Signed …………………………
Date of expiry 31/05/2017
GP Practice Name:
Signed …………………………
Date of expiry 31/05/2017
