Memorandum of understanding between the Care Quality Commission and the National Data Guardian for Health and Social Care
Introduction
This Memorandum of Understanding (MoU) sets out the framework to support the working relationship between the Care Quality Commission (CQC) and the National Data Guardian for Health and Social Care (NDG), in order to safeguard the wellbeing and rights of the public receiving health and social care in England.
The working relationship between CQC and the NDG is part of the maintenance of a regulatory system for health and adult social care in England that promotes patient safety and high-quality care and protects the rights of people using those services.
CQC is the independent regulator of health and social care in England. The NDG is a statutory office holder appointed to act as an advocate for patients and service users on how their health and care data is used and to promote the provision of advice and guidance about the processing of health and adult social care data in England. The responsibilities and functions of CQC and the NDG are set out in Annex 1. Both CQC and the NDG share a concern for the quality and safety of health and care services and recognise that the development of models of health and care service delivery requires close cooperation between them.
This MoU does not override the respective statutory responsibilities and functions of CQC and the NDG and is not enforceable in law. However, CQC and the NDG are committed to working in ways that are consistent with the principles of this MoU.
Principles of Co-operation
This MoU is a statement of principle which supports our focus on promoting patient and public safety and wellbeing. More detailed operational protocols and guidance can be developed as required.
CQC and the NDG intend that their working relationship be characterised by the following principles:
- The need to make decisions which promote people’s safety and high-quality health and social care.
- Promoting equality and human rights and reducing health inequalities are considered throughout our work.
- Respect for CQC and the NDG’s independent status.
- The need to maintain public and professional confidence in CQC and the NDG and CQC’s regulatory process.
- Openness and transparency between CQC and the NDG as to when co-operation is and is not considered necessary and/or appropriate.
- The need to use resources effectively and efficiently.
- Addressing overlaps and gaps in the regulatory framework.
Areas of Co-operation
The working relationship between CQC and the NDG involves co-operation in the following areas:
- This agreement is intended to ensure that where an identified breach of confidential personal information (or other issue identified by the NDG) which indicate a risk to the quality of health and social care services or to the safety and welfare of people using those services or suggest significant failures of governance, the NDG has a clear path for referring the breach to CQC for consideration of appropriate action, which may include regulatory and/or enforcement action where this is consistent with CQC’s methodology.
- The NDG and CQC will also work closely to ensure that together they promote the need for appropriate use of data by health and care organisations and individuals working in them.
- The NDG and CQC also, separately, have memoranda of understanding with the Information Commissioner’s Office (ICO). CQC, NDG and ICO will work together to develop a framework for coordinating their activity in response to any identified breach.
Both CQC and the NDG recognise that all processing of personal data (including the sharing of personal data) must be carried out in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, sections 76 to 79 of the Health and Social Care Act 2008, the Human Rights Act 1998, and all relevant legislation relating to these matters and respective Codes of Practice, frameworks or other policies relating to confidential personal information and information issues such as the Common Law Duty of Confidence. Both CQC and the NDG agree that the sharing of personal data will be considered on a case by case basis and carried out in a manner consistent with the Data Sharing Code of Practice published by the Information Commissioner’s Office.
Both CQC and the NDG recognise their responsibilities under the Freedom of Information Act 2000. Where CQC or the NDG receives a request under the Act for information received from the other, both CQC and the NDG agree to take reasonable steps to consult on the proposed disclosure and the application of exemptions, but recognise that the responsibility for disclosure lies with the recipient of the request.
Resolution of Disagreement
Where there is disagreement between CQC and the NDG, this should be resolved in the first instance at working level. If this is not possible, it may be referred through those responsible for the management of this MoU, up to and including Chief Executive of CQC and the NDG who will then be jointly responsible for ensuring a mutually satisfactory resolution.
Duration and Review
This MoU commences on the date of the signatures below. It is not time limited and will continue to have effect unless the principles described above need to be altered and/or cease to be relevant.
This MoU will be reviewed every 2-3 years but may be reviewed at any time at the request of either party. Any alterations to the MoU will, however, require both parties to agree.
Both CQC and the NDG have identified a person responsible for the management of this MoU (known as ‘Relationship Leads’) and their contact details are set out in Annex 2. Relationship Leads will liaise as required to ensure that:
- This MoU is kept up to date;
- They identify any emerging issues in the working relationship between CQC and the NDG;
- They resolve any questions that arise in regard to the interpretation of this MoU.
Signatures
Sir Julian Hartley
Chief Executive
Care Quality Commission
Date: 13.05.25
Dr Nicola Byrne
National Data Guardian
Office of the National Data Guardian
Date: 26.03.25
Annex 1: Responsibilities and functions of the CQC and the NDG
The Care Quality Commission
The CQC is the independent regulator of health and adult social care in England. Its purpose is to make sure health and care services provide people with safe, effective, compassionate, high-quality care and to encourage them to improve.
The CQC does this by registering, monitoring, inspecting and regulating hospitals, adult social care services, dental and general practices and other care services in England, to make sure they meet fundamental standards of quality and safety. We set out what good and outstanding care looks like and we make sure services meet these standards which care must never fall below.
CQC aims to tackle inequalities and protect and promote people's rights to make sure everyone has good quality care, and equal access, experience and outcomes. This is in line with our strategy, our core purpose and legal responsibilities, including the Equality Act (2010) Public Sector Equality Duty, and the Human Rights Act (1998).
Since April 2023, CQC has a responsibility to give a meaningful and independent assessment of care in a local area. This includes assessment of Local Authorities’ performance against their duties under Part 1 of the Care Act 2014. The Health and Care Act 2022 also gives CQC responsibilities to assess whether integrated care systems are meeting the needs of their local populations.
The CQC reports publicly on what it finds locally, including performance ratings for care providers, to help people choose care and encourage providers to improve. It also reports annually to Parliament on the overall state of health and adult social care in England.
The National Data Guardian for Health and Social Care
The NDG is a statutory office holder appointed by the Secretary of State under the Health and Social Care (National Data Guardian) Act 2018 to act as an advocate for patients and service users on how their health and care data is used and to promote the provision of advice and guidance about the processing of health and adult social care data in England.
Health and adult social care data is defined in the Health and Social Care (National Data Guardian) Act 2018 as information that relates to the physical or mental health or condition of an individual, the diagnosis of his or her condition or his or her care or treatment, adult social care provided to an individual (or an assessment for such care), adult carer support provided to an individual (or an assessment for such support) whether or not the identity of the individual is ascertainable or is to any extent derived, directly or indirectly from such information.
The NDG may publish guidance, and give advice, assistance and information, about the processing of health and adult social care data in England.
The Health and Social Care (National Data Guardian) Act 2018 imposes a duty on public bodies within the health and adult social care sector (and private organisations which contract with them to deliver health or adult social care services) to have regard to the NDG’s published guidance that is relevant to those bodies or activities.
Annex 2: Contact details
This annex is only available as part of the original document.