Information Sharing and Data Governance With ICBs in Mental Health Services

System working depends on information moving safely and predictably across organisational boundaries. In practice, information sharing fails when there is uncertainty about lawful basis, inconsistent record standards, unclear role-based access, or interface handovers that omit critical risk detail. ICBs want assurance that providers can share what is needed for safe care and performance oversight without creating avoidable confidentiality breaches or “shadow records”. This article sits within working with ICBs in mental health and links to mental health service models and pathways, focusing on practical data governance controls that support safe interfaces, credible reporting and commissioner confidence.

What information sharing needs to achieve in community mental health

Providers should design information sharing around three operational outcomes:

  • Safety: partners receive timely, decision-ready risk and safeguarding information so escalation and protection planning is not delayed.
  • Continuity: handovers and step-up/step-down transitions include the minimum dataset needed to prevent repetition, gaps or unsafe assumptions.
  • Credible assurance: performance and quality reporting can be reconciled to underlying records, without duplicative data entry or conflicting datasets.

Governance must support these outcomes while maintaining confidentiality, data minimisation, and appropriate access controls.

Core governance building blocks that commissioners expect

1) Clear roles, responsibilities and named ownership

Commissioners and Trust partners will look for named roles for information governance (IG) leadership, operational ownership (service managers), and technical administration (system access). In practice, this means knowing who approves access, who manages data sharing agreements, and who investigates potential breaches or mis-sharing.

2) Data Sharing Agreements and “what we share” clarity

Providers should not rely on informal assumptions about what can be shared. A Data Sharing Agreement (or equivalent documented arrangement) should define: purpose, categories of data, lawful basis, parties, retention, security controls, and escalation routes for incidents. Operationally, staff need a short “what we share and when” guide, aligned to pathways and escalation processes.

3) DPIAs where risk or scale requires it

Where data sharing is new, high-risk, involves special category data at scale, or introduces new technology, a DPIA (or equivalent privacy risk assessment) should evidence that risks have been identified and mitigated. The key is not the document itself, but that mitigations are implemented: access restrictions, audit logging, staff training and process controls.

4) Role-based access and audit trails

In system working, “too much access” is as risky as “not enough”. Role-based access should reflect job function and the service model (for example, limiting access to sensitive fields or restricting editing rights). Audit trails should show who accessed or amended records and when, supporting investigation of concerns and demonstrating control.

5) Minimum dataset standards for interfaces

Information sharing should be anchored in standard minimum datasets for specific interfaces: referral, crisis escalation, safeguarding referral, discharge/step-down handover. This reduces avoidable variation and supports safe decision-making across teams.

Operational examples (how providers make data governance work day to day)

Example 1: Crisis escalation summaries that prevent delay and improve safety

Context: Staff escalate to a Trust crisis service, but information quality varies. Crisis teams request clarification, delaying decisions. The ICB raises concerns about late escalation and inconsistent escalation evidence.

Support approach: The provider introduces a standard escalation summary template that staff must use for all step-up requests. The template includes: what changed, current risks, safeguarding concerns (if any), actions already taken, what is being requested, and time sensitivity. The provider also defines where the summary is recorded so it is auditable and not duplicated across informal channels.

Day-to-day delivery detail: At each contact for high-risk cases, staff record early warning indicators and actions taken. When escalation is needed, the summary is completed and shared through the agreed secure route. Managers review repeat escalations weekly and sample a small number to confirm that summaries are complete, shared appropriately, and reflected in the case record. Where gaps occur, supervision focuses on documentation quality and decision-making.

How effectiveness/change is evidenced: Faster crisis decisions, fewer back-and-forth clarifications, and clearer audit trails. Evidence includes escalation logs, sampled records showing the template in use, and trend monitoring of escalation timeliness.

Example 2: Safeguarding information sharing with controlled access

Context: Exploitation concerns involve multiple partners. Staff need to share information rapidly, but there is anxiety about confidentiality, and records are sometimes stored in inconsistent places. The ICB wants assurance that safeguarding information is shared lawfully and recorded consistently.

Support approach: The provider implements a safeguarding recording standard: where safeguarding notes are stored, what minimum fields must be completed, and who can access sensitive safeguarding content. A short staff guide clarifies lawful sharing for safeguarding purposes and sets out secure sharing routes and escalation for uncertainty.

Day-to-day delivery detail: Weekly safeguarding huddles track active cases and confirm that partner contact is recorded with outcomes. Role-based access limits editing rights to trained staff and managers, while ensuring essential visibility for front-line delivery. Audit logs are reviewed where concerns arise. Supervision includes scenario testing: what can be shared, when, and how it is recorded.

How effectiveness/change is evidenced: Improved safeguarding referral timeliness, stronger multi-agency evidence in records, reduced use of informal communication channels, and clear audit trails for access and amendments. Evidence includes safeguarding logs, huddle records, and periodic compliance checks.

Example 3: Performance reporting that reconciles to records without creating “shadow data”

Context: The ICB requests activity and outcome reporting. Staff start tracking information in spreadsheets because the clinical record is not structured for reporting, creating duplicates and inconsistencies. Commissioners challenge data credibility during contract monitoring.

Support approach: The provider redesigns a small number of record fields to support reporting (for example, coded outcomes domains, review dates, pathway stage) and agrees a reporting dataset with the ICB. A data quality audit checks that reported figures reconcile to underlying records, with defined correction actions.

Day-to-day delivery detail: Staff complete the structured fields as part of routine reviews rather than separate data entry. Managers run monthly data quality checks on a small sample and feed learning into supervision (for example, correcting mis-coded pathway stage). Governance reviews trends and uses re-audit to verify that data quality improvements are sustained.

How effectiveness/change is evidenced: Reduced reliance on spreadsheets, improved reporting consistency, and easier commissioner sampling because evidence trails are clearer. Evidence includes reconciliation checks, audit results and governance minutes showing action tracking and verification.

Explicit expectations that must be met

Commissioner expectation

ICBs expect lawful, secure information sharing that supports safe care and credible assurance. They will look for documented data sharing arrangements, clear minimum datasets for interfaces, access controls, and evidence that performance reporting reconciles to records. They also expect providers to manage IG risks proactively, including incident response and verification of data quality improvements.

Regulator / Inspector expectation (e.g. CQC)

CQC expects robust record-keeping, confidentiality, and safe coordination across boundaries. Inspectors will test whether records are accurate and contemporaneous, whether safeguarding information is recorded and shared appropriately, and whether governance controls reduce risk. Where information sharing fails, they will look for learning, corrective action and sustained improvement.

Practical assurance: what to show when asked

When commissioners ask “how do you manage information sharing?”, the most credible answer is evidence: a clear interface dataset, an anonymised example of a safe escalation summary, a data quality audit trace, and a brief overview of access controls and incident response. This demonstrates control and reduces the risk of IG becoming a purely theoretical conversation.

Latest from the knowledge hub

⬅️ Return to Knowledge Hub Index