Key Takeaways
- When patient data crosses between organisations with different statutory mandates (NHS to insurer, hospital to DWP), the governance challenge is constitutional, not just data protection.
- UK GDPR is necessary but not sufficient - purpose limitation, controller autonomy, and patient understanding all break down at constitutional boundaries.
- Lawful basis non-inheritance: each data controller must independently establish its lawful basis at every boundary, rather than relying on the originating organisation's justification.
- The Constitutional Transition Matrix maps 10 healthcare domains in a 10×10 grid - not all crossings carry equal risk (NHS-to-NHS is Low; NHS-to-DWP is Critical).
- Five Constitutional Authority Interaction Principles define how governance obligations from different domains interact - and where standard Data Sharing Agreements and DPIAs fall short.
When an NHS Trust shares patient data with another NHS Trust, both organisations operate under the same legislation. Both are governed by CQC. Both operate under the NHS Standard Contract. Both have the same institutional orientation towards the patient: a statutory duty to provide care. The data governance challenge is real - consent, lawful basis, purpose limitation - but it is contained within a shared framework.
When an NHS Trust shares patient data with a private insurer for pre-authorisation, something fundamentally different happens. The data crosses from an organisation governed by the NHS Act 2006 with a statutory duty to care, to an organisation governed by the Financial Services and Markets Act 2000 with a fiduciary duty to shareholders. The regulator changes from CQC to the FCA. The institutional orientation towards the patient shifts from care recipient to claimant.
This is not a data protection problem. It is a constitutional problem. And it is the reason we built an entire pillar of our Seven Flows Boundary Governance Audit around cross-constitutional analysis - because data protection frameworks, however robust, cannot capture what happens when patient data moves between fundamentally different types of institution.
Critically, this is not only a problem at the NHS boundary. Constitutional transitions happen entirely within the private sector. A private hospital sharing clinical data with an insurer for pre-authorisation is a constitutional crossing. A diagnostic imaging network sending results to a private GP practice is a crossing between different governance frameworks. A private mental health provider sharing data with an employer's occupational health service is a crossing from care to commercial employment context. The constitutional analysis applies wherever the institutional purpose, regulatory authority, or statutory mandate changes at a boundary - and that happens across and within every sector of healthcare, not just at the NHS interface.
What we mean by constitutional
We use the term "constitutional" deliberately, though not in the sense of UK constitutional law doctrine. We mean it in the structural sense: the combination of statutory mandate, regulatory authority, data governance framework, and institutional purpose that defines what each type of organisation exists to do.
An NHS Trust exists to provide healthcare. A private hospital exists to provide healthcare for profit. A private insurer exists to underwrite and manage financial risk. The DWP exists to administer social security and enforce conditionality. When patient data crosses between these domains, the governance challenge is not just about consent, lawful basis, and security. It is about the fundamental change in the institutional context within which that data is held and used.
In our methodology, we identify ten constitutional domains that healthcare data routinely crosses between: NHS, Primary Care, Local Authority, Private Healthcare, Private Diagnostics, Community Pharmacy, Insurance/PMI, VCSE, DWP, and Digital Health Platforms. Each has a distinct statutory basis, regulatory authority, and institutional orientation towards the patient.
We map these in a Constitutional Transition Matrix - a 10×10 grid showing the governance risk level for every possible domain crossing. An NHS-to-NHS crossing is Low risk. An NHS-to-Insurance crossing is High. An NHS-to-DWP crossing is Critical. The matrix is not symmetrical: NHS-to-DWP (care data used for sanctions assessment) carries different risk from DWP-to-NHS (benefit data informing care decisions), because the direction of the constitutional transition changes the nature of the risk.
When our methodology is applied to a boundary, the matrix determines the additional governance requirements beyond the standard Seven Flows assessment. A same-domain boundary is scored on the seven flows alone. A cross-constitutional boundary triggers our Constitutional Authority Interaction Principles - five rules that define how governance obligations from different domains interact and where they conflict.
Why UK GDPR is necessary but not sufficient
UK GDPR provides a robust framework for data protection. Lawful basis, purpose limitation, data minimisation, storage limitation, accountability - these principles apply regardless of which type of organisation holds the data. A private insurer must comply with UK GDPR just as an NHS Trust must.
But UK GDPR is necessary and not sufficient for governing constitutional transitions. Here is why - and here is what our methodology is designed to reveal when applied beyond data protection to the constitutional dimension.
Purpose limitation transforms at constitutional boundaries. When an NHS Trust shares clinical data with a GP practice, the purpose remains clinical care. When the same data is shared with an insurer for pre-authorisation, the purpose has shifted. The insurer will use the data for underwriting risk assessment, claims adjudication, fraud detection, and premium calculation - purposes that are fundamentally incompatible with the original clinical purpose under UK GDPR Article 5(1)(b), even if each individual purpose has its own lawful basis.
Why standard DPIAs fail at constitutional boundaries
In our framework, this is where the Consent flow and the Provenance flow interact at constitutional boundaries. Consent that would score Level 3 within the NHS domain (proper lawful basis, DPIA in place, privacy notice adequate) may need to be scored lower at a constitutional crossing if the patient has not been meaningfully informed that their data is transitioning from a care context to a commercial or compliance context. A standard Data Privacy Impact Assessment (DPIA) evaluates processing risk within one organisation's context. It does not assess the governance implications of the institutional purpose changing at the boundary - the shift from care to commercial, from clinical to financial, from beneficence to risk management. A privacy notice that says "we may share your data with relevant third parties" does not constitute informed consent for a constitutional transition. Our scoring model reflects this: a boundary cannot achieve "Managed" on Consent at a constitutional crossing without evidence that the patient understood the transition, not just the sharing.
Controller autonomy creates governance gaps at constitutional boundaries. Under UK GDPR, each data controller is independently responsible for its processing. An NHS Trust cannot control what a private insurer does with data once it has been lawfully shared. The Trust can specify the purpose in the data sharing agreement. But enforcement depends on the receiving organisation's compliance, not the sharing organisation's governance.
This is a principle we have formalised in our methodology as lawful basis non-inheritance - the principle that each data controller must independently establish its lawful basis at every boundary, rather than relying on the originating organisation's justification. Organisation B cannot rely on Organisation A's consent, public task, or legitimate interest to justify its own processing. At constitutional boundaries, where the receiving organisation operates under entirely different legislation, the importance of this principle intensifies - and the likelihood that it is properly implemented diminishes. Our methodology assesses Consent at both sides of every boundary independently. If the sending organisation believes it has shared data lawfully but the receiving organisation has not independently established its own lawful basis, the boundary is scored at the lower of the two assessments.
Patient understanding breaks down. Patients generally understand that their clinical data is shared between clinicians for their care. This is the foundation of implied consent in healthcare. But patients often do not understand the constitutional implications of their data crossing into different institutional domains.
When a patient consents to their private healthcare provider sharing clinical information with their insurer, do they understand that the institutional orientation towards them changes? That the insurer operates under FCA regulation, not CQC? That the data may inform future premium calculations? The consent may be technically valid. The patient's genuine understanding of the constitutional transition is often absent. This gap between technical compliance and meaningful consent is one of the issues our methodology is specifically designed to surface.
The crossings that matter most
Not all constitutional crossings carry the same risk. Three patterns deserve particular attention - and each illustrates why a data protection-only approach misses the real governance challenge.
Care to Commercial: the Bupa Cromwell problem
When data crosses from an NHS or primary care context into a private healthcare, insurance, or commercial diagnostics context, the institutional orientation shifts. The patient is no longer only a care recipient - they are also a customer, a policyholder, or a data subject within a commercial entity.
The sharpest example we use in our methodology is Bupa Cromwell Hospital. Bupa operates both as a hospital (regulated by CQC) and as an insurer (regulated by the FCA). When a patient is treated at Bupa Cromwell under their Bupa insurance policy, the clinical data and the insurance data exist within the same corporate group. The internal boundary between the hospital division and the insurance division is a full constitutional transition - CQC to FCA, clinical governance to financial governance, care orientation to risk management orientation - happening within a single parent company.
Corporate integration often makes constitutional boundaries less visible, not more governed. The data sharing happens through internal systems without the formal governance (DSAs, DPIAs, lawful basis documentation) that would be required if the organisations were independent. Our assessment framework treats internal constitutional boundaries with the same rigour as external ones - because the regulatory obligations are identical regardless of corporate structure.
Care to Compliance: the DWP crossing
When clinical data crosses into the DWP - for benefit assessments, work capability assessments, or conditionality enforcement - the constitutional transition is extreme. The patient becomes a claimant. The data is no longer used to help them. It is used to assess whether they qualify for support, and potentially to sanction them if they do not comply with conditions.
Our Constitutional Transition Matrix rates every DWP crossing as Critical - the highest risk level. Every protective principle in clinical data governance - beneficence, non-maleficence, patient autonomy - is structurally absent from the DWP's institutional framework. Our methodology applies the Constitutional Authority Interaction Principles to this crossing: purpose limitation travels with the data (the DWP cannot repurpose clinical information beyond the specific benefit determination for which it was shared), higher-risk orientation requires enhanced governance (explicit patient notification, tightened purpose limitation, additional DPIA), and neither constitution dominates by default (the DWP's statutory mandate to assess eligibility does not override the patient's rights under clinical data governance frameworks).
Digital Platform crossings: the multi-constitutional challenge
Digital health platforms often sit at the intersection of multiple constitutional domains simultaneously. A telehealth provider may be registered with CQC (healthcare regulation), process NHS-funded patients (NHS contractual framework), hold data as an independent controller (UK GDPR), and share data with insurers (financial regulation).
Our methodology assesses such platforms per-boundary, not per-organisation. A platform that scores well on the boundary with NHS providers may score poorly on the boundary with insurer partners, because different constitutional crossings engage different obligations. The per-boundary approach prevents a strong score on one crossing from masking a weak score on another.
Private-to-Private: the invisible boundaries
Not all constitutional crossings involve the NHS. When a private hospital group refers a patient to an independent diagnostic imaging provider, both organisations are CQC-registered private healthcare providers - but they are separate data controllers, separate CQC registrations, with separate clinical governance. This is a Private-to-Diagnostics crossing on our Transition Matrix, rated MEDIUM-HIGH. The governance requirements - identity verification, consent propagation, clinical intent communication, responsibility transfer - apply identically to an NHS referral, but often with less formal infrastructure. NHS organisations at least have standardised systems (MESH, NHS number, PDS). Private sector boundaries may rely on email, fax, proprietary portals, or telephone - each with its own governance gaps.
The insurer network model creates a further layer. When an insurer builds a network of approved providers, every patient journey through that network crosses organisational boundaries that are governed by commercial contracts rather than statutory frameworks. The clinical governance at these boundaries depends on what the insurer's contract requires - and contracts designed by commercial teams rarely address Identity propagation, MVRT, or Outcome flow. The boundary governance sits in a gap between clinical regulation (CQC) and financial regulation (FCA), with neither regulator examining the joins between providers in the network.
What governance at constitutional boundaries requires
Current data sharing agreements typically address the UK GDPR requirements: lawful basis, purpose, retention, security measures, subject rights. These elements are usually present. What is almost always absent is any recognition of the constitutional dimension.
Our methodology requires five additional considerations at constitutional boundaries. To safely manage healthcare data sharing across constitutional boundaries, organisations must implement these five Constitutional Authority Interaction Principles:
1. Clinical risk responsibility follows care delivery
Where statutory frameworks conflict or leave gaps at a boundary, clinical risk responsibility attaches to the organisation delivering care, not the organisation originating the data. This is grounded in CQC Regulation 12: the provider is responsible for safe care regardless of the source of the patient, data, or instruction.
2. Lawful basis cannot be inherited
Each controller must independently establish its lawful basis at every boundary. This is settled UK GDPR principle, but it is routinely violated at constitutional crossings where organisations assume that upstream consent or public task lawful basis extends to them.
3. Purpose limitation travels with the data
Data shared for a clinical purpose retains its purpose limitation regardless of which constitutional domain receives it. An insurer receiving clinical data for pre-authorisation cannot repurpose it for underwriting without independent lawful basis.
4. Higher-risk orientation requires enhanced governance
When data crosses from a care-oriented domain to a commercial, compliance, or sanction-oriented domain, enhanced governance is required: explicit patient notification, tightened purpose limitation, additional DPIA, and audit trail of the constitutional transition.
5. Neither constitution dominates by default
Both sets of obligations apply simultaneously. Where they conflict - an NHS duty to share for care versus a patient's refusal to allow insurer access - the conflict must be documented, escalated, and resolved. The current practice of silently defaulting to the more powerful party is not governance. It is an absence of governance.
What the audit output looks like
To illustrate the level of specificity our methodology produces, consider how a constitutional analysis would read for a common boundary.
Example: Private Hospital to Insurer (PMI) - HIGH Risk Crossing
Consent: Level 2 - Lawful basis documented but patient not meaningfully informed of constitutional transition from care to financial risk management context
Provenance: Level 2 - Clinical data shared without metadata restricting downstream use
Alert & Responsibility: Level 1 - MVRT failure, no bilateral confirmation that insurer has received, reviewed, and accepted pre-authorisation request within clinically safe timeframe
Constitutional Interaction Principle 3 (purpose limitation travels with data) not evidenced in the DSA
Recommended: Revise DSA to include explicit purpose limitation enforcement; implement patient notification at point of constitutional transition; establish MVRT protocol for the pre-authorisation boundary
This is the level of specificity that standard data protection reviews do not reach - because they assess data sharing, not constitutional transitions. And every finding traces to statute, making it immediately defensible and actionable. See a full sample scorecard.
The regulatory direction
The Data Use and Access Act 2025 strengthens the obligation on each data controller to independently establish its lawful basis for processing. As interoperability mandates increase the volume of data flowing across organisational boundaries, constitutional crossings will become more frequent and more visible.
The Ten Year Plan's emphasis on plurality of provision, outcomes-based commissioning, and AI deployment will multiply constitutional crossings. Every IHO that commissions care across NHS, private, voluntary, and digital providers will need to govern constitutional transitions that the current framework ignores.
Organisations that understand their constitutional exposure now - that have mapped their domain crossings, assessed their governance maturity at each one, and implemented the interaction principles - will be positioned for the regulatory environment that is forming. Those that treat every data sharing agreement as equivalent will face a growing governance deficit as the system evolves around them.
Healthcare Boundary Governance Series
- The Governance Gap in the NHS Ten Year Plan & Reforms
- When Your Patient Becomes Nobody's Patient
- The Constitutional Problem in Healthcare Data Sharing (current)
- 70% of NHS Digital Health Has No Safety Assurance
Inference Clinical's Seven Flows Boundary Governance Audit includes a full Constitutional Transition Analysis: every domain crossing mapped, risk-rated, and assessed against five formal Interaction Principles. To understand your constitutional exposure, take the free Boundary Risk Score or book a boundary scoping call.
