Risk Stratification

Introduction

The overall aims of health care are to improve the individual experience of care, to improve the health of local populations, and to deliver this in a cost effective way. However, health care has seen an increased demand for care paired with increased costs and constrained resources.

Risk stratification can assist by identifying opportunities to improve care, and additionally can inform the planning and commissioning for a variety of interventions.  

What is risk stratification?

Risk stratification uses data to better understand, plan, and manage the current and future health needs of our local patient population.

The process of collecting, analysing and using data is called risk stratification.

The data is run through a computer-based programme, often referred to as a risk stratification tool, which assigns ‘risk scores’ to patients. By doing this, the tool calculates which people are at high risk of experiencing certain outcomes, such as unplanned emergency care. It can also help identify and support patients with long term conditions, and reduce the risk of certain diseases developing such as Type 2 Diabetes.

Risk stratification tools are operated by Processors. NHS Lancashire and South Cumbria ICB has contractual arrangements in place with these risk stratification Processors:

  • NHS Midlands and Lancashire Commissioning Support Unit (NHS ML). NHS ML’s risk stratification tool is Aristotle.
  • Prescribing Services Limited (PSL). PSL’s risk stratification tool is Eclipse VISTA.

Risk stratification Processors are not part of the ICB or any GP Practice. They are separate organisations that are carrying out their duties under contract. The contract instructs them what they can and cannot do with the data and sets out their obligations.                                                         

How does it work?

GPs and the Lancashire and South Cumbria Integrated Care Board (LSC ICB) are individual Data Controllers. A Data Controller makes material decisions relating to the processing of personal data, for example processing data for risk stratification purposes. Your data is used in two ways by GPs and the LSC ICB for risk stratification purposes:

  • By targeting individuals at high-risk of needing additional preventive care interventions. This is known as risk stratification for case-finding. Typically, GPs use the case-finding method to prevent health issues, to prevent unexpected hospital visits, and to help identify and support patients with long term conditions.  The risk stratification tool ‘finds’ registered patients who are most at risk. The tool will produce an electronic report that is reviewed by clinical staff at your Practice. You might then be contacted should the report identify changes needed to your care, and you may be offered additional health care services.  Clinical staff are able to re-identify individual patients from the risk stratified data so that they can discuss the outcome and consider additional health care services with the patient.
  • By analysing a population to predict future care needs so that services can be planned and commissioned. This is known as risk stratification for commissioning. The NHS Lancashire and South Cumbria ICB uses this method to understand the current and future needs of the local population so that they can commission the right services.  The risk stratification tool assesses the potential scale of future adverse events among patients based on risk score. The tool will produce an electronic report that can be used by ICB staff to assist with the planning and commissioning of services.  ICB staff can never identify an individual from the risk stratified data they are able to view.

Purpose of the processing

Risk stratification enables the identification and management of the right level of care and services for the local patient population. By assigning risk scores to patients, the information can be used for direct care and improving overall health outcomes.

Data sources

Risk stratification tools use information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS England from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed within risk stratification tools to produce a risk score.

Lawful basis for processing

Under the UK General Data Protection Regulation (GDPR), the lawful basis we rely on to process personal data is: Article 6(1)(e); “necessary in the exercise of official authority vested in the controller”.

The lawful basis we rely on to process your special category data is: Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine”.

Risk stratification activity is undertaken under Section 251 of the NHS Act 2006 which enables the Common Law Duty of Confidentiality (CLDC) to be temporarily lifted. This means that the  data can be processed without patient consents as long as there are specific technical and security measures in place. ICB staff can never identify an individual from the risk stratified data.

Recipients of the processed data

Risk stratification tools are operated by Processors. A Processor feeds a mix of personal information about patients (age, gender, diagnoses, admissions to hospital, etc.) into their tool where it gets automatically processed under appropriate contractual and security measures. The tool analyses the data to produce risk scores. The risk scores are a non-identifiable data set.

The law says commissioners, including the NHS Lancashire and South Cumbria ICB, are not allowed to access Personal Confidential Data (PCD) because they are not providing direct patient care. ICB staff therefore do not have access to Personal Confidential Data as part of the risk stratification purposes.

Identifiable risk stratification data is made available to Clinicians/GPs who have a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce risks.  

Retention period

Personal data used for risk stratification purposes is processed, retained, and securely deleted/disposed of at the end of its lifecycle in accordance with NHS England’s Records Management Code of Practice for Health and Social Care: https://transform.england.nhs.uk/information-governance/guidance/records-management-code/.

Your right to opt out

You have a choice about whether you want your information to be used for risk stratification purposes.

If you are happy with this use of information you do not need to do anything.

If you do not wish your confidential patient information to be included in risk stratification you can choose to opt-out through the National Data Opt Out process by visiting https://www.nhs.uk/your-nhs-data-matters/

You can also contact your GP Surgery’s Practice Management Team  to discuss how disclosure of your data for risk stratification can be limited.

Opting out will not affect the care you receive, but it could affect the pro-active provision of your care. You can change your mind about your choice(s) at any time.

More information can also be found in our Privacy Notice under the ‘National Data Opt Out,’ and ‘Type 1 Opt Out’ sections.

For more information and our contact details

Please refer to our Privacy Notice where you can find out more information about risk stratification, opting out, and your information rights amongst other matters.

A risk stratification leaflet and poster are also available.

Any generic questions about the use of data may be directed to: lscicb.contactus@nhs.net.

Please contact us via our Data Protection Officer if you have any questions about the content of this webpage, our Privacy Notice, information we hold about you, and any data protection or privacy concerns you may have:

Data Protection Officer, Tel: 01782 916875, Email: mlcsu.dpo@nhs.net.

You may also contact the Data Protection Officer should you have a complaint about how we process your personal data. Should your complaint not be resolved to your satisfaction following contact with our Data Protection Officer, you have the right to contact the Information Commissioner to lodge a complaint:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF. Webpage: www.ico.org.uk, Tel: 0303 123 1113.

 

We keep this webpage under regular review. This page was last updated on 30/4/2025.

Q – Can data truly predict the likelihood of future illness in a population?

A – The concept of risk stratification tools is simple: predict the risk of future adverse events so that efforts can be targeted to avoid or mitigate them.

A comprehensive dataset of patient information is essential for accurate risk stratification to assess the potential scale of future adverse events among patients at high, medium, and low risk. Although no advanced prediction can ever be 100% accurate, by identifying these groups, health planning may be adapted to meet their needs by providing interventions to avoid these adverse events happening.

 

Q – Why is risk stratification important?

A – The data can be used to make care management decisions. It helps GP Practices to focus on those patients identified as being at higher risk and offer appropriate interventions, and it helps health care commissioners to plan for current and future care needs, whilst reducing costs and improving care.

 

Q – Who has access to risk stratification data?

A – People who have access to data will only have access to that which they need to fulfil their roles:

  • The Processor uses their risk stratification tool to analyse the data and produce non-identifiable risk scores.
  • Your GP Practice is allowed to re-identify individuals by matching risk scores against the patients on their system. GP Practice staff require access to this re-identified data so that they may provide patients, who are assessed as being at high risk of future adverse events, with appropriate interventions.
  • The ICB will only ever have access to non-identifiable risk score data. They do not need individual patient data to enable them to plan for current and future care needs, or to commission services.

 

Q – Will data be shared with third parties outside of the NHS?

A – Personal identifiable data will not be shared with third parties unless there is a valid legal basis for the disclosure.

Data that is anonymised or is aggregated may be shared with other parties. Individuals would not be identifiable from these data sets.

 

Q – How does risk stratification work?

A – A Processor operates the risk stratification tool and they feed a mix of information about patients (age, gender, diagnoses, admissions to hospital, etc.) into the tool. The tool analyses the data to produce risk scores. The risk scores are a non-identifiable data set.

For GP Practices the non-identifiable risk scores will be linked to data held within their system so they can identify patients and offer them additional care or interventions.

The ICB will only ever have access to non-identifiable risk scores for their commissioning and planning purposes.

 

Q – How will data be kept secure during the risk stratification process?

A – Strict security protocols are in place, including:

  • Processors, GP Practices, and ICBs must submit an annual self-assessment to meet conditions of the Data Security and Protection Toolkit (DSPT) to measure their performance against the National Data Guardian’s data security standards. 
  • A contract with a Processor must be in place that contains relevant security and data protection clauses. The contract instructs the Processor as to their obligations.
  • Processer staff, GP Practice staff, and staff within the ICB are trained in data protection and information governance. Their contracts of employment and relevant organisational policies provide further safeguards against data misuse.
  • Auditable Role Based Access Controls (RBAC) are in place for staff processing data.
  • Only the minimum necessary patient identifiable data is obtained and processed.
  • Data is processed in a secure data environment.
  • The risk scores will be non-identifiable. This data will remain non-identifiable for  commissioning and planning purposes, and only revealed in identifiable form to your GP Practice staff.
  • Identifiable data is destroyed in accordance with the NHS Records Management Code of Practice.

 

Q – How is it ensured that the data used for risk stratification is accurate?

A – Healthcare Providers have organisational processes in place to verify the accuracy of your data and to ensure that it is kept up to date. For example, your GP Practice may check with you that your contact details are still up to date when you visit your Surgery.

The data that is ingested into the risk stratification tool has therefore already been verified as accurate and up to date at source.

 

Q – Do you need my consent when using my data for risk stratification purposes?

A – When information is given in circumstances where it is expected that a duty of confidentiality applies, that information cannot normally be disclosed without the consent of the patient.

However, there are some circumstances that make disclosure of confidential information lawful without patient consent. One of those circumstances is when Section 251 of the National Health Act 2006 is relied on to set aside the requirement under the Common Law Duty of Confidentiality (CLDC) to seek patient consent, subject to an application to the Confidentiality Advisory Group (CAG) and approval of the Secretary of State.

For our risk stratification purposes, Section 251 approval is relied on to provide a legal means of processing confidential patient information without patient consent.

We recognise that some patients may feel this is a loss of their autonomy. This is why we consider it important that we are transparent about the use of data, and increase public awareness of risk stratification.

Although we believe that the net impact of risk stratification on privacy is marginal and the benefits great, should you not wish for your confidential personal data to be used for risk stratification purposes then you can opt out. More information on opting out can be found higher up on this page.

Opting out will not affect the care you receive, but it could affect the pro-active provision of your care. You can change your mind about your choice(s) at any time.

Return to header