Constitutional Crossings in Healthcare
Not all organisational boundaries are equal. When data and clinical responsibility cross between organisations under different legislation, different regulators, and different institutional orientations, the governance challenge intensifies. An NHS Trust referring to another NHS Trust is a same-domain crossing — the same Caldicott principles, the same PSIRF framework, similar governance cultures. An NHS Trust sharing clinical data with a private insurer for pre-authorisation crosses a constitutional boundary — from CQC to FCA, from care to commerce.
We identify ten constitutional domains in healthcare. Each has a distinct statutory mandate, regulatory authority, data governance framework, and institutional orientation towards the patient. The audit assesses every boundary against the standard Seven Flows methodology, then applies additional governance requirements where the boundary crosses constitutional domains.
This page details the twelve most common crossing types we assess, with the specific governance considerations and diagnostic questions for each.
See the full Constitutional Transition Matrix →The ten constitutional domains
| Domain | Primary Legislation | Regulator(s) | Orientation |
|---|---|---|---|
| NHS | HSCA 2012, NHS Act 2006 | CQC, NHS England, ICBs | Care — statutory duty. Public task. |
| PC (Primary Care) | NHS Act 2006, GMS/PMS contracts | CQC, NHS England | Care — independent contractors, separate data controllers. |
| LA (Local Authority) | Care Act 2014, Children Act | CQC (regulated activities), Ofsted | Care AND assessment — means-testing, eligibility. |
| PRIV (Private) | HSCA 2008, Companies Act 2006 | CQC | Care AND commercial — fiduciary duty alongside clinical duty. |
| DIAG (Diagnostics) | HSCA 2008, MHRA, IRR 2017 | CQC, MHRA, UKAS | Service provision — every transmission is a responsibility transfer. |
| PHAR (Pharmacy) | Medicines Act 1968, Human Medicines Regs | GPhC, CQC | Care AND dispensing — expanding clinical role. |
| INS (Insurance) | FSMA 2000, Insurance Act 2015 | FCA, PRA. NOT CQC. | Commercial — risk assessment, claims, cost control. |
| VCSE | Charities Act 2011, Companies Act | Charity Commission, CQC (if regulated) | Care AND advocacy — variable governance maturity. |
| DWP | SSA Act 1992, Welfare Reform Act 2012 | Parliamentary, ICO | Assessment AND compliance — benefit eligibility, sanction. |
| DIGI (Digital Platforms) | HSCA 2008, MHRA, Consumer Rights Act | CQC, MHRA, ICO | Platform — manufacturer, deployer, provider, processor. The platform IS the boundary. |
What happens when constitutional domains meet
Additional audit considerations
- Same primary legislation, same regulator, same contractual framework (NHS Standard Contract)
- Both operate under Art 6(1)(e) public task with the same statutory functions
- PSIRF applies bilaterally. Caldicott applies bilaterally. DSPT applies bilaterally.
- The risk is operational (different systems, different cultures) not constitutional
- IHO sub-contracting under the Ten Year Plan introduces new complexity: the IHO contract becomes the boundary, not the organisation
Is the PSIRF plan aligned across both organisations at this boundary?
Additional audit considerations
- Both CQC regulated, both operate under public task, but GP practices are independent data controllers
- Different IT systems (EMIS/SystmOne vs Trust EPR) create identity and provenance risks
- GP as gatekeeper: clinical intent flows primarily GP → NHS but outcome flows are often poor NHS → GP
- Neighbourhood health model blurs this boundary further: GPs in neighbourhood teams share data with Trust-employed staff
- New GP contracts (single/multi-neighbourhood provider) create additional sub-contracting boundaries
Does discharge information arrive in a format the GP system can ingest without manual re-entry?
Additional audit considerations
- Different primary legislation: HSCA 2012 vs Care Act 2014. Different public tasks under Art 6(1)(e)
- LA operates under elected member oversight — political accountability the NHS does not have
- Social care involves means-testing and eligibility assessment — data shared for care may inform financial assessment
- Care Act 2014 s.6 duty to cooperate exists but does not resolve data controller conflicts
- Caldicott applies to both since 2014 but governance maturity varies dramatically
- Safeguarding (s.42 Care Act) creates a mandatory sharing obligation that overrides other considerations
- Section 75 NHS Act pooled budget arrangements enable integration but create complex controller relationships
- PSIRF does not adequately address cross-boundary incidents (confirmed by 2025 research)
- Different IT ecosystems: NHS systems do not interoperate with LA case management systems
When care data crosses to LA, can the patient be confident it will not be used for means-testing without separate consent?
Additional audit considerations
- Different lawful basis: NHS operates under Art 6(1)(e) public task; private operates under (b) contract or (f) legitimate interests for non-NHS work
- For NHS-funded work: NHS Standard Contract applies, bringing PSIRF, Caldicott, DSPT — but only for NHS-funded activity
- For privately-funded work: none of these frameworks apply. The same provider may operate different governance for its NHS corridor vs its private corridor
- Under the controller autonomy principle, the private provider must independently establish its lawful basis — it cannot rely on the NHS’s public task
- CQC Regulation 17 applies to both but CQC inspects private providers under a different regime
- PE/corporate ownership creates tension: clinical data governance vs commercial data exploitation
Does the provider operate dual governance frameworks for NHS-funded vs privately-funded activity, and how is data segregated?
Read our Boundary Risk Assessment for Private Healthcare guide →
Additional audit considerations
- Both operate under commercial constitutional frameworks — no NHS Standard Contract, no PSIRF (unless NHS-funded)
- Lawful basis typically Art 6(1)(b) contract or (f) legitimate interests
- No Caldicott unless NHS-funded. No DSPT unless NHS-connected.
- DCB 0129/0160 still applies if health IT systems are involved (HSCA 2012 s.250 applies to all health IT, not just NHS)
- CQC Regulation 17 applies to both if CQC-registered
- Post-M&A integration creates new internal boundaries that were previously external — governance typically degrades
- Commercial confidentiality may obstruct transparency
Does the data sharing agreement reflect a genuine clinical governance framework, or is it a commercial contract with clinical obligations bolted on?
Additional audit considerations
- Every diagnostic transmission is a responsibility transfer — the diagnostics provider holds clinical responsibility for the report
- Teleradiology/telepathology is a pure boundary model: the entire service IS the boundary crossing
- DCB 0129 is existential: the diagnostic platform is a health IT system and every result carries clinical risk
- Identity verification critical: diagnostics provider must independently verify the correct patient
- Clinical intent must travel with the request: “urgent suspected cancer” vs “routine follow-up” changes the pathway
- Alert flow is safety-critical: unexpected findings, critical results, and incidental findings require immediate alert with confirmed receipt
- MHRA medical device regulations may apply if AI-assisted diagnosis is involved
- ISO 15189 accreditation adds a further governance layer
When a critical result is found, is there a documented, tested pathway for alerting the referring clinician with confirmed receipt within a defined timeframe?
Additional audit considerations
- Different professional regulator: GPhC, not GMC/NMC. Different professional standards
- Community pharmacies are independent contractors — separate data controllers with limited clinical record access
- Summary Care Record access is partial: medications and allergies but not full clinical history
- Expanding clinical role under Ten Year Plan without corresponding expansion of data access
- Medicines reconciliation at boundaries is a known patient safety risk
- Electronic prescribing (EPS) is well-established but identity and medication matching errors still occur
As pharmacy takes on expanded clinical roles under the Ten Year Plan, does the data sharing framework support safe clinical decision-making, or is pharmacy operating with insufficient clinical context?
Additional audit considerations
- FUNDAMENTAL CONSTITUTIONAL TRANSITION: Care orientation → Commercial orientation
- Different regulator entirely: CQC (provider) vs FCA (insurer). No overlap in regulatory frameworks
- Insurer operates under Art 6(1)(b) contract and (f) legitimate interests. NOT public task. NOT Caldicott. NOT DSPT.
- Clinical data shared for pre-authorisation may be used for underwriting, claims adjudication, fraud detection, or premium calculation — purposes fundamentally incompatible with original clinical purpose under Art 5(1)(b)
- Common Law Duty of Confidentiality and UK GDPR purpose limitation restrict clinical data sharing for non-care purposes
- No DCB 0129/0160 obligation on the insurer — insurer systems are not health IT under HSCA 2012
- Patient may not understand clinical data crosses from care domain to commercial domain
- Bupa Cromwell is a unique case: same parent operates hospital (CQC) and insurer (FCA) — internal boundary with full constitutional implications
- Consent flow critical: was patient consent for insurer data sharing truly informed and freely given, or a condition of the insurance contract?
Is clinical data crossing from care to commercial domain with the patient’s informed understanding, and are purpose limitation obligations being met?
Additional audit considerations
- MOST DANGEROUS CONSTITUTIONAL TRANSITION: Care orientation → Compliance/sanction orientation
- The patient becomes a claimant. Data shared for care may determine benefit eligibility, impose conditionality, or apply sanctions
- DWP operates under Social Security Administration Act 1992 and Welfare Reform Act 2012 — fundamentally different statutory framework
- DWP’s public task under Art 6(1)(e) is benefit assessment and administration — not care. Purpose limitation acutely engaged
- DWP has fraud investigation powers under s.72 SSA Act with no equivalent in healthcare
- The Ten Year Plan proposes employment advisers and work coaches integrated into neighbourhood health services — placing DWP orientation physically inside NHS care settings
- No Caldicott obligation on DWP. No clinical governance framework. No PSIRF. No Duty of Candour.
- Historical evidence of DWP misuse of health data: WCA assessments overriding clinical opinion, sanctions based on health data
When health data crosses to DWP, whose constitution governs it? What commitments travel with the data? What recourse does the citizen have when care data is used for sanction?
Additional audit considerations
- Variable governance maturity: large national charities may have robust governance; small community organisations may not
- May be sub-contractors under NHS Standard Contract with DSA obligations, or independent providers with minimal data governance
- Ten Year Plan positions VCSE as “essential partners” in neighbourhood health — but PSIRF, Caldicott, and DCB do not naturally extend to VCSE
- Trust-based relationships with vulnerable communities could be damaged by data governance failures
- Charity Commission governance requirements are not equivalent to CQC or NHS governance
Has the VCSE organisation been assessed for data governance maturity before being given access to patient data, and is governance proportionate to sensitivity?
Additional audit considerations
- The platform IS the boundary: simultaneously occupies multiple constitutional domains
- May be manufacturer (DCB 0129), deployer (DCB 0160), provider (CQC), AND processor (GDPR) simultaneously
- Every clinical interaction on the platform crosses at least one organisational boundary
- Platform may serve NHS patients (public task) and private patients (contract/legitimate interests) through same technology with different constitutional obligations
- Clinical responsibility at the platform boundary is the core unresolved question: is the platform a conduit or a provider?
- Some platforms are insurer subsidiaries serving NHS patients — insurance constitutional domain delivering NHS care via digital infrastructure
- Specialist advice platforms sit at exact primary/secondary care boundary — every consultation is a crossing
Does the platform have a single governance framework, or does it operate under different constitutional rules depending on who is on each side of the boundary?
See our healthcare technology assessment & funded remediation →
Additional audit considerations
- Multiple constitutional domains within a single operational context
- Co-location or corporate integration makes boundaries less visible but does not reduce governance requirements
- The Bupa Cromwell model: same parent operates under CQC AND FCA simultaneously — the internal boundary between hospital and insurer carries full constitutional governance requirements
- Neighbourhood health centres under the Ten Year Plan: five or more constitutional domains sharing physical space with informal data sharing and implicit responsibility transfer
- These models create the illusion of integration while the constitutional obligations remain distinct
Where the model integrates multiple constitutional domains, has the governance been designed to match the operational integration, or does operational informality mask unresolved constitutional tensions?
Constitutional Transition Matrix
Find the originating domain on the left and the receiving domain across the top. The cell shows the additional constitutional risk the audit assesses on top of the standard Seven Flows analysis. The matrix is not perfectly symmetrical — NHS → DWP (care data used for sanction) carries different risk from DWP → NHS (benefit data informing care).
| NHS | PC | LA | PRIV | DIAG | PHAR | INS | VCSE | DWP | DIGI | |
|---|---|---|---|---|---|---|---|---|---|---|
| NHS | — | Low | M-H | M-H | Med | Med | High | Med | CRIT | High |
| PC | Low | — | Med | Med | Med | L-M | High | Med | High | High |
| LA | M-H | Med | — | M-H | Med | Med | High | L-M | High | High |
| PRIV | M-H | Med | M-H | — | M-H | Med | High | Med | High | High |
| DIAG | Med | Med | Med | M-H | — | L-M | M-H | Med | M-H | M-H |
| PHAR | Med | L-M | Med | Med | L-M | — | M-H | Med | M-H | M-H |
| INS | High | High | High | High | M-H | M-H | — | M-H | High | High |
| VCSE | Med | Med | L-M | Med | Med | Med | M-H | — | M-H | M-H |
| DWP | High | High | High | High | M-H | M-H | High | M-H | — | High |
| DIGI | High | High | High | High | M-H | M-H | High | M-H | High | — |
How constitutional crossings affect the Boundary Risk Score
The constitutional analysis adds a layer to the Seven Flows assessment. A boundary that scores “Managed” on the standard Seven Flows may be downgraded if the constitutional interaction principles are not addressed — for example, if an organisation has strong internal consent processes but has not established independent lawful basis at a constitutional crossing.
For each boundary, the auditor:
- Identifies the constitutional domains on either side
- Consults the Transition Matrix to determine additional risk level
- Applies crossing-specific considerations to the Seven Flows scoring
- Assesses whether governance accounts for the constitutional transition — not just the data transfer
- Where orientation changes (care → commercial, care → compliance), assesses patient awareness and purpose limitation enforcement
The constitutional dimension also directly affects pricing. A same-domain boundary is simpler to audit than a cross-constitutional boundary. An engagement with multiple constitutional crossings is inherently more complex.
How constitutional crossings impact Data Sharing Agreements
Standard Data Sharing Agreements (DSAs) and Data Privacy Impact Assessments (DPIAs) typically assume both parties operate under equivalent regulatory frameworks. When a constitutional crossing is involved, this assumption fails. A DSA between an NHS Trust and a private insurer must account for the transition from Art 6(1)(e) public task to Art 6(1)(b) contract — different lawful bases, different purpose limitations, and different regulatory oversight. The constitutional crossing means the receiving organisation has no Caldicott obligation, no PSIRF framework, and no Duty of Candour. Unless the DSA explicitly addresses these governance gaps, data crosses from a care constitution to a commercial constitution with inadequate safeguards.
See the five Constitutional Authority Interaction Principles →
Julian Bradder
Founder & CEO, Inference Clinical. The Constitutional Crossings framework is developed from governance analysis of clinical handover across NHS, private, local authority, and commercial healthcare boundaries.