NHS Data Interoperability: Why the Chasm Remains in 2026

This is the fourth article in a series examining the boundary between local authority social care and the NHS. The first article established the constitutional domain gap. The second examined what happens when both sides reorganise simultaneously. The third showed that 28.2% of delayed discharge is caused by “interface processes” — the crossing itself. This article examines why data cannot flow across the boundary even when both sides want it to.

In December 2025, the Department of Health and Social Care announced that 80% of CQC-registered care providers now use digital social care records. The milestone had been a long time coming. The original target was March 2024. By February 2024, only 63% of providers had adopted digital records, and the deadline was pushed back a year. The starting point in December 2021 was 40%. Getting from 40% to 80% over four years, with £25 million in additional funding, was presented as a significant achievement.

On the NHS side, 91% of secondary care trusts had electronic patient records by May 2025, with the government targeting 100% by March 2026. Every GP practice in England is connected to GP Connect. Transfer of Care FHIR messages are mandated for discharge summaries. The NHS Spine provides national infrastructure for identity, messaging, and routing. Shared care records programmes operate in every region. The Federated Data Platform, whatever its controversies, represents a national-scale data architecture.

Two digital ecosystems. Two levels of maturity. One boundary between them. And at that boundary, the data infrastructure that exists on the NHS side does not extend to the social care side — not because social care has failed to digitise, but because the two sides were never designed to interoperate.

NHS vs Social Care Data Architecture: Two Systems That Do Not Connect

The NHS’s data infrastructure is built on a set of foundational standards. The NHS number serves as the universal patient identifier. SNOMED CT provides clinical terminology. FHIR (Fast Healthcare Interoperability Resources) defines how clinical data is structured and exchanged. MESH provides a national messaging service for point-to-point data transfer. The Data Security and Protection Toolkit (DSPT) sets mandatory security standards for all organisations handling NHS data. These are not optional. They are conditions of participation in the NHS data ecosystem.

Social care’s data infrastructure is fundamentally different. Not worse — different. Social care records are structured around the person’s care and support needs, their goals, their daily routines, their preferences and choices. They use different terminology because they describe different things: not clinical observations and diagnoses, but functional capacity, social circumstances, carer availability, housing conditions, safeguarding concerns. The record structure reflects the Care Act’s strengths-based, person-centred model — a different legislative purpose from the NHS Act’s clinical framework.

The Digital Social Care Records programme has made genuine progress. By end of February 2025, all assured DSCR systems had switched on GP Connect, meaning care providers could view a restricted subset of the primary care record — the last three encounters, current medications, allergies. This is a real improvement. A care home nurse who can check a resident’s current medication list without phoning the GP surgery is providing safer care.

But GP Connect is a read-only window. Social care can look into the NHS. The NHS cannot look into social care. There is no equivalent of GP Connect that allows a hospital discharge coordinator to view a patient’s social care record — their care package, their housing situation, their carer arrangements, their local authority assessments. There is no Transfer of Care FHIR message that flows from social care to the NHS. The interoperability platform announced for development in 2025 — connecting social care records together and providing a single connection point into NHS systems — is still being built.

The asymmetry is structural. The NHS built national data infrastructure over decades, mandated participation, and enforced standards through commissioning contracts and provider licences. Social care is delivered by over 17,000 providers — large chains, small independents, sole traders, voluntary organisations — regulated by CQC but not connected to any national data infrastructure in the way that NHS trusts are connected to Spine. The DSCR programme has achieved 80% adoption of digital records. It has not achieved interoperability with the NHS. Having a digital record and being able to exchange data across the constitutional boundary are entirely different capabilities.

The DSPT illustrates the gap precisely. For NHS organisations, DSPT compliance is mandatory — a condition of the provider licence. For social care, the toolkit was extended to include adult social care providers, but implementation varies enormously. No national assessment equivalent to the NHS’s Digital Maturity Assessment exists for social care — and as of September 2024, NHS England confirmed it had no plans to add social care to that assessment. The two sides of the boundary are not even measured against the same digital maturity framework.

Shared care records — local platforms that aggregate data from multiple NHS and social care sources — offer the most promising current bridge. The Connecting Care Records programme is working toward national interoperability between these local platforms, with around half of ambulance services currently able to access shared care records. The aim is all ambulance services by 2026. But shared care records are local solutions — they depend on local data sharing agreements, local integration work, and local relationships between health and social care organisations. They are exactly the kind of locally-negotiated, organisation-specific infrastructure that the second article showed will not survive the dual reorganisation intact.

The NHS Number Problem: Identity Reconciliation Across Domains

The most basic prerequisite for data exchange across any boundary is a shared identifier. In the NHS, the NHS number serves this function. Every patient registered with a GP has one. Every NHS system uses it. It is the key that allows information about a person to be linked across organisations.

In social care, the NHS number is not universally used. Local authorities assign their own client identifiers. Care providers use their own systems. A GP Connect supplier’s documentation makes the practical reality clear: to look up a patient’s GP record via GP Connect, you need to know the patient’s NHS number and date of birth. The system encourages care providers to record NHS numbers — but it is a recommendation, not a mandated field in most social care systems.

When a patient is discharged from hospital to a care home, the discharge summary is sent to the GP and — in theory — to “any relevant third-party provider of health or social care.” The Transfer of Care specification requires this. In practice, the care home may not have a system that can receive FHIR messages. The local authority commissioning the placement may not receive the summary at all. The social care assessor visiting the patient after discharge may be working from a phone call, a fax, or a PDF emailed to a shared inbox.

Identity reconciliation — the first of the Seven Flows — fails at the LA-NHS boundary not because of technological impossibility but because neither side has been required to use the other’s identifier. The NHS number could serve as the shared key. In some areas, local shared care records do include social care data linked by NHS number. The London Care Record, for example, integrates some social care information. But these are local solutions, varying by geography, dependent on local relationships and funding — exactly the kind of relational governance that the second article in this series showed cannot survive reorganisation.

The Data (Use and Access) Act 2025: What It Changes and What It Does Not

The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, represents a significant legislative change. It amends the Health and Social Care Act 2012 to make information standards mandatory for both public and private health and adult social care providers. Previously, providers were required to “have regard to” information standards. Now they “must comply.” The Act extends this obligation to IT suppliers serving the health and care sector, with the power to enforce compliance.

Digital Care Hub’s briefing for social care providers sets out what this means in practice: CQC-registered providers must ensure their digital systems comply with national standards once introduced. IT suppliers who fail to comply may face enforcement action. The intended outcome is that hospital discharge summaries, medication lists and care plans will transfer digitally to social care providers; care providers will be able to share and receive real-time updates from NHS teams; care histories will be accessible to emergency services.

This is the right legislative direction. But the Act’s healthcare-specific provisions — Schedule 15 and Section 121 — currently lack a commencement date and supplementary regulations. The ICO has indicated that its consultations are not likely to begin until late 2025 or early 2026. The Health and Social Care Information Standards (Procedure) Regulations 2025 came into force on 6 August 2025, establishing the procedural framework — but the specific standards that will be mandated, the timelines for compliance, and the enforcement mechanisms are yet to be defined.

The Act creates the legal authority for mandatory interoperability. It does not create interoperability. That requires defined standards, compliant systems, identity reconciliation, consent management, and governance infrastructure at every crossing point. The Act enables the destination. The journey has not been planned.

And the journey faces a practical obstacle that the legislation does not address. If IT suppliers to social care providers are required to meet new interoperability standards, those suppliers will incur costs not budgeted under existing contracts — costs they will seek to pass through to providers. Social care providers, already operating on margins that the CQC describes as fragile, may be unable to absorb those costs. The DHSC estimates that the Act’s measures will deliver £340.5 million in savings over ten years. The upfront investment required to realise those savings has not been costed or funded.

The Consent Boundary: Lawful Basis Changes at Every Crossing

Even where data can technically flow across the LA-NHS boundary, a governance question sits at every crossing: under what lawful basis?

The Data (Use and Access) Act introduces a new lawful basis — “recognised legitimate interests” — allowing organisations to process personal data for specific public interest purposes including safeguarding and protecting public health. It also clarifies that Article 6(1)(e) — processing necessary for a task carried out in the public interest — is the controller’s own task, not another body’s. This is a significant clarification for the boundary: a local authority cannot process health data by relying on the NHS’s public task, and vice versa. Each controller must have its own lawful basis for every element of data it receives from the other side.

In practice, this means that when a hospital shares a patient’s clinical information with the local authority for the purpose of arranging social care, the local authority needs its own lawful basis for receiving and processing that clinical data — separate from the basis on which the hospital collected it. The patient, meanwhile, may not understand that their data is crossing from one legal regime to another: from a universal service where treatment data is processed under public task authority, to a means-tested service where the same data may inform a financial assessment that determines how much the patient will pay for their care.

This is the Consent flow in the Seven Flows framework. It is not about whether the patient has ticked a box. It is about whether the constitutional significance of the data crossing has been made explicit — whether the patient understands that information created under NHS authority is about to be used under Care Act authority, with different consequences, different purposes, and different financial implications. No current system manages this. No digital social care record captures it. No discharge summary flags it.

The Single Patient Record: Why It Needs Constitutional Binding

The 10 Year Health Plan commits to a single patient record, accessible via the NHS App from 2028. The vision is a unified view of every patient’s health and care data, accessible to authorised professionals across settings. The government has positioned DSCRs as building blocks toward this goal, exploring ways to link digital social care records that meet data standards with the single patient record.

The ambition is the right one. Fragmented data is a patient safety risk. The Darzi report and the Sudlow review both identified the UK’s health data system as fragmented and complex, and called for more efficient data sharing.

But a single patient record that spans health and social care must span the constitutional boundary described in this series. It must contain data created under NHS Act authority and data created under Care Act authority. It must manage the fact that the NHS data was collected for clinical purposes and the social care data was collected for assessment and support purposes — different lawful bases, different retention periods, different access controls, different subject access regimes. It must handle the reality that social care data may include financial assessment information that the NHS has no right to see, and that clinical data may include information about conditions that the patient has not disclosed to their social care provider.

A single record that combines data from two constitutional domains without governing the boundary between them creates a new category of risk. Not a technical risk — the systems can be built — but a governance risk. Who is the data controller for information that was created in one domain and is now displayed in a record managed by another? What happens when the patient exercises their right to restrict sharing of specific data elements, and the restriction applies differently under health and social care legislation? What audit trail evidences that a specific data element crossed from one domain to the other, under what authority, for what purpose?

These are Constitutional Binding questions. Every data element in a cross-domain record needs to carry its provenance: the constitutional authority under which it was created, the purpose for which it was collected, and the constraints on its onward use. Without this binding, a single patient record becomes a single point where constitutional governance fails rather than a single point where it succeeds.

What Interoperability at the LA-NHS Boundary Actually Requires

The data governance chasm at the LA-NHS boundary will not be closed by digitisation alone. 80% DSCR adoption is a necessary condition, not a sufficient one. Mandatory information standards under the Data (Use and Access) Act are a necessary condition, not a sufficient one. Even the single patient record, if achieved, is an infrastructure capability, not a governance framework.

What is missing is the governance layer that manages each data crossing — the infrastructure that ensures every data exchange across the constitutional boundary satisfies the conditions for safe, lawful, and governed transfer. The Seven Flows define these conditions:

Identity: a shared identifier (the NHS number) used consistently on both sides, with reconciliation infrastructure for the 20% of social care providers still without digital records and for every new referral where the person is unknown to one side.

Consent: infrastructure that makes the constitutional crossing explicit to the data subject and manages their preferences across domains — not a single consent form, but a governed consent state that travels with the data.

Provenance: every data element carries its origin — which system, which organisation, which constitutional domain, which professional created it, under what authority. When a clinical observation is used in a social care assessment, the provenance chain must be preserved.

Clinical Intent: the clinical reasoning that accompanies data across the boundary must be legible to the receiving domain. A discharge summary that conveys status without context is data transfer, not governed exchange.

Alert and Responsibility: when data crosses the boundary, the accountability for acting on it must transfer explicitly. A safeguarding concern flagged in a clinical record that is now visible in a social care system requires a governed responsibility transfer — not just visibility.

Service Routing: the data must reach the right service, in the right organisation, with the capacity and capability to act on it. Sending a discharge summary to a generic local authority email address is not governed routing.

Outcome: the sending organisation must be able to determine whether the data crossing achieved its purpose. Did the social care assessment happen? Was the care package delivered? Was the safeguarding referral actioned? Without outcome data flowing back across the boundary, the loop is never closed.

At Inference Clinical, the Seven Flows audit methodology assesses each of these conditions at every organisational boundary crossing. For the LA-NHS boundary specifically, the audit maps the data governance infrastructure that exists, identifies where each flow fails, and produces a structured gap analysis that any organisation — ICB, local authority, care provider — can act on. The methodology is designed to work with whatever digital infrastructure is in place: fully digital, partially digital, or paper-based. Because the governance requirement exists regardless of the technology. A governed crossing on paper is safer than an ungoverned crossing on FHIR.

The organisations that recognise the data governance chasm as a boundary governance problem — not a digitisation problem — will build the infrastructure that makes cross-domain data exchange safe, lawful, and effective. Inference Clinical’s Boundary Risk Assessment maps data governance maturity at each crossing, producing a structured Boundary Risk Score that quantifies where each of the Seven Flows fails. The organisations that wait for the Data (Use and Access) Act’s provisions to be commenced, for the standards to be defined, for the single patient record to be built, will be waiting while the boundary continues to fail patients every day.

Julian Bradder

Founder & CEO, Inference Clinical

Building infrastructure for inter-organisation responsibility transfer in healthcare. 30 years’ experience in digital transformation across government, FTSE 100, and healthcare.