Joint data controller agreement between PHSO and LGSCO
Joint Data Controller Agreement between Parliamentary and Health Service Ombudsman and the Local Government and Social Care Ombudsman for complaint handling carried out by the Joint Working Team
Last updated: March 2023
- Parliamentary and Health Service Ombudsman (PHSO)
- Local Government and Social Care Ombudsman (LGSCO)
PHSO
- SD (for investigation issues)
- AJ (for data protection issues)
LGSCO
- AP (for investigation issues)
- JO (for data protection issues)
The Parliamentary and Health Service Ombudsman and Local Government and Social Care Ombudsman carry out joint assessments and investigations of complaints. The PHSO investigates complaints about NHS services and government departments and agencies, while LGSCO investigates complaints about councils, other authorities and organisations including school admissions appeal panels and adult social care providers, such as care homes.
Joint investigations by the PHSO and LGSCO covered by this agreement are about individuals who believe they have been let down by local authorities, private adult social care providers and NHS services. This agreement does not extend to joint PHSO and LGSCO complaints that involve investigating government departments and their agencies.
Both organisations will process the personal information outlined in part 5 of this agreement for the purpose of carrying out joint assessments and investigations, in accordance with their investigatory functions.
This casework will be carried out by a team made up of PHSO and LGSCO employees. Joint cases will be conducted on LGSCO IT systems (using ECHO for Case Management).
Where either LGSCO or PHSO identifies that a complaint may involve elements of both health and social care, the Joint Working Team will assess the complaint and decide how it should be considered further.
Before the Joint Working Team can start to assess a complaint, written consent from the complainant for LGSCO and PHSO to share information between them must be received. When a complaint is allocated in the Joint Working Team, they will provide the complainant with more information about how their personal data will be processed.
A complainant is provided with information about how their personal data will be processed (“fair processing information”) when they submit their complaint to either LGSCO or PHSO, in the form of a privacy statement or notice.
The Regulatory Reform (Collaboration etc between Ombudsmen) Order 2007 inserted powers into the Parliamentary Commissioner Act 1967, the Health Service Commissioners Act 1993 and the Local Government Act 1974 to give LGSCO and PHSO specific powers to share information ‘for the purposes of a complaint’ and to conduct joint investigations. Under Section 33 of the Local Government Act 1974 and Section 18 of the Health Service Commissioners Act 1993, limited information can be shared at an initial stage to establish whether a fuller assessment is undertaken. If a fuller assessment and investigation are recommended, then the permission of the complainant to share information must be sought. This consent may initially be obtained over the telephone, but must be followed up by written consent. (See forms to download.) Information will only be passed from one organisation to the other once the consent of the individual concerned has been obtained. This consent will be recorded on both organisations’ case management systems. The key legislative provisions of both organisations allowing data sharing are set out in the downloadable form.
Under Article 26 of the UK General Data Protection Regulation (UK GDPR), where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. And under Section 5(2) of the Data Protection Act 2018, where an organisation is required by law to process personal data, it must retain data controller responsibility for the processing. Although the Joint Working Team work in the LGSCO environment and use LGSCO systems, PHSO will retain data controller responsibility along with LGSCO. LGSCO and PHSO will therefore be joint data controllers for data held in joint investigations carried out by the Joint Working Team.
Relevant information and evidence gathered by PHSO will be sent to the LGSCO to be stored on ECHO. PHSO will retain copies of this information on their case management system for reference.
PHSO may hold other information that is not provided to the LGSCO. This will be stored in line with PHSO case handling procedures.
The information transferred will be held on the LGSCO’s ECHO system and all new information will be held on ECHO, unless there are exceptional reasons why it cannot be, such as large file size, or file type.
The following classes of personal data may be processed under this joint data controller agreement:
- personal details of the aggrieved/person affected (PA)
- personal details of any representative making the complaint on behalf of the PA
- family details of the PA
- personal details of other people involved in the case
- lifestyle and social circumstances
- goods and services
- financial details
- employment and education details
- details of complaints, incidents and grievances
- visual images, personal appearance and behaviour
- responses to surveys
We also process special categories of personal data, and other sensitive classes of information that may include:
- physical or mental health details
- racial or ethnic origin
- religious or other beliefs
- political opinions, sexual life
- trade union membership
- offences (including alleged offences)
- criminal and legal proceedings, outcomes and sentences
Information received by PHSO that needs to be dealt with by the Joint Working Team will be sent to LGSCO via secure email if possible.
Information shall be transferred securely between PHSO and LGSCO. The type of transfer will depend on the format of the information being transferred.
Where possible paper or other physical information will be converted to digital information and sent via secure electronic means. All digital information shared shall be encrypted at rest and in transit.
When paper or physical information must be transferred between PHSO and LGSCO this must be via monitored and secured courier or post.
Information transferred to the LGSCO for the attention of the Joint Working Team will, where possible, be scanned and placed on LGSCO’s case management system ECHO. Hard copies of correspondence will then be destroyed.
Where joint working cases require clinical or legal advice about particular health elements of a case this will be requested by LGSCO of PHSO advisers, or LGSCO’s own retained legal advisors. All documentation will be returned to LGSCO and uploaded to their case management system ECHO. Copies of the advice and associated documentation may be retained on PHSO systems but PHSO will not hold anything in this regard that is not held on ECHO. LGSCO may obtain their own legal advice which will be held on ECHO only.
PHSO and LGSCO are accountable for the personal data they steward on behalf of the people who work for and with them and for the public whose complaints they handle. Both organisations have appropriate training and policies in place to ensure the security and privacy of information and these are audited at least annually by an external objective reviewer.
In the event of a security or data incident that compromises the confidentiality, integrity, availability or resilience of information within the scope of this agreement, both DPOs must be contacted immediately.
LGSCO and PHSO may decide to handle incidents together or separately and both controllers will undertake to report significant incidents to the Information Commissioner’s Office (ICO). This will include developing incidents where the exact circumstances and impact may not have been identified. Each data controller reserves the right to report to the ICO if they consider the incident a significant risk to the rights and freedoms of individuals.
All casework material associated with joint working investigations will be retained for 12 months after a case is closed, unless there are exceptional reasons why it should be retained for longer, such as legal proceedings or ICO involvement. While both organisations have their own retention schedules we have harmonised our approach to retention of joint working casework.
Data subjects can exercise their right to request their personal data from either body, but all subject access requests for data held as part of a joint working case will be dealt with by LGSCO in line with their information request handling policy and procedure. LGSCO will inform PHSO of any requests for information they receive relating to Joint Working Team cases.
LGSCO will be responsible for ensuring the personal data held on their systems for the purposes of joint working are handled in accordance with relevant legislation and best practice. This will include but is not limited to: ensuring inaccurate personal data is amended or deleted as appropriate. LGSCO will inform PHSO about any amendments or deletions which would affect any information they hold, resulting from a data subject exercising their rights in this area. Data subjects can exercise their rights to object to or restrict processing of their personal data, and to have inaccurate personal data rectified with either body.
Any changes can only be made if both parties are in agreement. A copy of this agreement will be published on the websites of both parties to demonstrate an open and transparent approach to this work. The agreement will be monitored and reviewed annually to ensure it is still relevant or if there are any significant changes in legislation that require it to be updated.
In the event of a complaint/allegation of the misuse of personal information being processed for the purposes of a joint investigation, this will initially be considered by LGSCO, liaising with PHSO as necessary.
For PHSO:
DM, Assistant Director of Casework
For LGSCO:
KS, Director of investigations