Memorandum of understanding - Health and Safety Executive (HSE)

Published: 6 March 2024 Page last updated: 10 April 2024

Introduction

1. This MoU has been agreed between the Care Quality Commission (CQC) and the Health and Safety Executive (HSE) with the support of the Local Government Association (LGA). It applies to both health and adult social care in England. The purpose of this MoU is to help ensure that there is effective, co-ordinated and comprehensive regulation of health and safety for patients, service users, workers and members of the public.

2. It outlines the respective responsibilities of CQC, HSE and local authorities (LAs) in England when dealing with health and safety incidents in the health and adult social care sectors, and the principles that will be applied where specific exceptions to these general arrangements may be justified. The MoU applies to all activities; therefore, it describes the principles for effective liaison and for sharing information more generally.

3. HSE, LAs and CQC will co-operate effectively to enable and assist each other to carry out their responsibilities and functions, and to maintain effective working arrangements for that purpose.

4. Other organisations also have roles or responsibilities for investigation, prosecution and/or oversight in relation to offences in health and adult social care settings – such as ill-treatment or wilful neglect. Appropriate liaison with other prosecutors/regulators/oversight bodies, such as the police, Crown Prosecution Service (CPS) and Safeguarding Adults Boards, is essential.

Some of these may be signatories to the Work-related Deaths Protocol (WRDP). CQC, HSE and LAs will notify relevant bodies of incidents and agree the coordination of activity or work with them as appropriate to protect patients, service users, workers and the public from risk of harm.

Respective responsibilities for dealing with health and safety incidents

5. CQC is the lead inspection and enforcement body under the Health and Social Care Act 2008 for safety and quality of treatment and care matters involving patients and service users in receipt of a health or adult social care service from a provider registered with CQC.

6. HSE/LAs are the lead inspection and enforcement bodies for health and safety matters involving patients and service users who are in receipt of a health or care service from providers not registered with CQC. (HSE is responsible for enforcing health and safety at all healthcare premises as well as care homes with nursing, whilst LAs are responsible for residential care homes. Further information can be found on enforcement allocation.)

7. HSE/LAs are the lead inspection and enforcement bodies for health and safety matters involving workers, visitors and contractors, irrespective of registration.

8. LAs are also responsible for enforcing food safety regulations in hospitals and care homes.

9. Annex A contains examples of incidents typically falling to CQC and HSE/LAs respectively to illustrate the responsibilities outlined above. The response from the lead body will be in line with their regulatory policies. Their decisions on whether to investigate or take further action will be subject to their guidance and published policies.

General considerations for enforcement responsibilities

10. When considering the circumstances of a specific incident the primary consideration is whether the injured person is a patient/service user and whether the service provider is registered with the CQC. If that is the case the responsible authority will normally be the CQC unless the police have primacy.

11. An enquiry will generally commence with the CQC because a patient/service user is injured. During the course of the enquiry information may emerge that the service provider is not registered or there may not be a regulated activity taking place or that CQC does not have applicable legislation or sufficient powers to take action. In such circumstances CQC should liaise with HSE/LA regarding why a particular case may revert to the HSE/LA or CQC to jointly investigate with HSE/LA.

12. The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 are broad in their concept of the duty to provide care and treatment in a safe way. This duty includes ensuring that the premises used by the service provider are safe to use for their intended purpose and ensuring that the premises and equipment are suitable, properly used and properly maintained. The definition of ‘premises’ is very broad and includes any building or other structure or machinery physically affixed to the building, any surrounding grounds or a vehicle.

13. Regulation 12 (1) of the Regulated Activities Regulations which relates to the need to provide safe care and treatment includes a duty to ensure that the premises used by the service provider are safe to use for their intended purpose.

14. Regulation 13 of the Regulated Activities Regulations which relates to the duty to safeguard service users from abuse and improper treatment includes the duties to establish and operate effective systems and processes in order to prevent abuse of service users; and to effectively investigate, immediately upon becoming aware of, any allegation or evidence of such abuse.

15. Although specific health and safety at work (HSW) legislation may exist, such as the Lifting Operations and Lifting Equipment Regulations 1998 (LOLER), it should generally be the case that CQC can adequately enforce using their legislation, without needing recourse to specific legislation. In a limited number of cases CQC may exhaust its enforcement powers and may look to HSE/LA for support.

Incidents where specific circumstances may apply

16. In a small number of cases, more specific criteria may be applied to ensure that the most appropriate body takes charge of the investigation and/or any related action. These criteria and some examples are set out in Annex B. Any such cases will be considered individually on their merits, taking these criteria into account.

Liaison in relation to individual incidents

17. Where there is uncertainty about jurisdiction or where paragraph 16 applies, the relevant bodies will:

  • determine who should have primacy for any regulatory action and whether joint or parallel regulatory action will be conducted;
  • keep a record of this decision and agree criteria for review, if appropriate;
  • designate appropriate contacts within each organisation to establish and maintain any necessary dialogue throughout the course of the regulatory action; and
  • keep duty-holders / providers, injured parties and relatives (where appropriate) informed.

See also Annex D: Operational working arrangements.

Incident notifications and general information sharing arrangements

18. The statutory requirements for the notification of incidents to CQC and HSE include RIDDOR and CQC’s notification requirements.

19. Each party to this MoU will work collaboratively by:

20. The effectiveness of these arrangements will be subject to a review at least every three years.

Further information can be found in the following:

Signatures

Sarah Albon
Chief Executive
Health & Safety Executive (HSE)

Ian Trenholm
Chief Executive
Care Quality Commission (CQC)

6 March 2024


Annex A: Illustrative examples of incidents that fall to CQC and HSE/LAs respectively

Incidents where CQC take the lead (if the provider is registered with CQC)

These examples are not exhaustive and do not take account of police / CPS potential involvement. Where appropriate, comments have been added to aid understanding.

  • a patient/service user falling from a window (premises issue directly relevant to care of vulnerable patients/service users)
  • severe scalding of a patient/service user in a bath/shower
  • a patient/service user being seriously injured or dying after becoming trapped in bed rails.
  • a patient/service user develops Legionnaires’ disease when a regulated activity is being carried out (staff also at risk but greatest risk is to patients/service users)
  • a complaint received that the hot and cold water system in a residential care home is not being properly maintained and there is risk of Legionella proliferation (staff also at risk but greatest risk is to patient/service users)
  • a patient/service user with a need for assistance with eating being given inappropriate food and being seriously harmed or dying from choking
  • a patient/service user being seriously injured or dying after being physically restrained by staff
  • a patient/service user travelling in an ambulance is injured because their wheelchair is not properly secured (transport services provided in a vehicle designed and used mainly for carrying a person who requires treatment is a regulated activity)
  • a patient/service user injured in their own home whilst receiving care from a regulated domiciliary care agency (regulated activity in the course of being provided)
  • a patient/service user injured during a supervised outing where the carer is employed by a registered service provider (definition of regulated activity also includes an activity that is ancillary to, or carried on wholly or mainly in relation to a regulated activity when the ancillary activity is in line with the patient/service user’s care plan)
  • a patient/service user is injured when leaving their appointment due to a pothole in the clinic car park (injury is to the patient because of the lack of safety of the premises); and
  • ill-treatment or wilful neglect of a patient/service user.

Incidents where HSE/LAs take the lead:

  • circumstances where the commissioner of the service, rather than the provider, seems to have been primarily at fault (CQC have no remit over third parties not registered with them but they can prosecute those carrying out a regulated activity without registering)
  • circumstances where the provider is not required to be registered with CQC
  • employees developing dermatitis related to glove use
  • a manual handling injury to an employee from moving and handling patients/service users or items and equipment
  • a patient/service user is injured where construction work is being carried out by a construction/maintenance contractor that has created a risk, e.g., breach in security allowing patient/service user to exit premises and be injured or an unsecured door falls causing injury. (CQC has no vires over the construction company, appropriate to use HSW legislation).
  • a staff member develops Legionnaires’ disease
  • cooling tower implicated in a Legionnaires’ disease outbreak or general concerns over the management of a cooling tower and risks to the public which may arise from it.

Annex B: Incidents where more specific and exceptional criteria may apply

CQC should generally have appropriate and sufficient powers under their own legislation to take action. However, in a small number of cases, more specific criteria may need to be applied to ensure that the most appropriate regulator takes charge of the investigation and/or any related action. This may be because of more applicable legislation e.g. Control of Asbestos at Work Regulations or because of an absence of applicable legislation e.g. CQC does not have enforcement powers, equivalent to section 7 of the Health and Safety at Work etc. Act 1974 (HSW), in relation to individuals. In such cases the circumstances will be considered on their individual merits, and a mutually agreed decision reached, in line with the published policies of CQC and HSE/LAs and following the guidance in paragraph 17. These examples are not exhaustive and do not take account of police / CPS potential involvement.

Factors tending towards CQC taking the lead include incidents:

  • which may have exposed staff to harm, but the principal concern is the greater risk of harm to patients / service users (e.g. unsecure storage of cleaning chemicals may be an issue under the Control of Substances Hazardous to Health Regulations but the greater risk of harm may be to vulnerable patients/service users).

Factors tending towards HSE/LA taking the lead include incidents:

  • involving any maintenance contractors (e.g. failings in management of hot and cold water systems and creation of risks of Legionella are due at least in part to failings by a water treatment company. CQC have no vires over such contractors)
  • in supported living premises, personal care may or may not be provided to people as part of the support that they need to live in their own homes. The legal agreements for the provision of care and accommodation are normally separate. Supported living providers that do not provide any ‘personal care’ are not required by law to register with CQC, therefore CQC have no vires. Where personal care is provided to some individuals in the premises, this activity would be regulated by CQC. (Personal care is defined by CQC as supporting people in their homes (or where they're living at the time) with things like washing, bathing or cleaning themselves, getting dressed or going to the toilet.)
  • day services/centres are not required by law to register with CQC as ‘personal care’ is not being provided in the place where service users are living at the time the care is provided, therefore CQC have no vires.
  • involving an activity that is not a regulated activity and is not being managed/supervised by a registered provider (e.g. patient/service user injured while being escorted in a taxi because wheelchair not properly secured, travel in a taxi is not a regulated activity and taxi company not a registered provider, therefore CQC has no vires)
  • where specific HSW legislation can most adequately deal with the cause of the harm (e.g. the thorough examination and test requirements of lifting equipment under LOLER, or duty to manage asbestos under Regulation 4 of the Control of Asbestos Regulations)
  • some premises issues (e.g. patient/service user injured by faulty automatic entrance door to health centre where the door was under a maintenance contract and CQC were satisfied that the registered provider had done what they needed to by contracting a maintenance firm)

Factors tending towards joint or co-ordinated investigations include incidents:

  • where both commissioners and registered providers appear to be significantly at fault
  • where employers not required to be registered with CQC, as well as CQC registered providers, appear to be significantly at fault, and
  • where providers should be registered with CQC but are not (in such cases CQC would consider the failure to register, and HSE/LAs the specific non-compliance issues).

Annex C: Arrangements for sharing intelligence to support the MoU

Each party is separately responsible for the information that they hold, including the responsibility to ensure that it is lawfully processed, kept secure and shared lawfully. Each party takes on this responsibility for information they receive from another party at the point of receipt.

For the processing of personal data, each party is a separate data controller and has its own responsibilities under the UK GDPR and Data Protection Act 2018, in addition to the common law duty of confidentiality.

Neither CQC nor HSE will transfer any personal data it is processing outside of the European Economic Area, unless appropriate legal safeguards are in place, such as Model Contract Clauses.

CQC and HSE will ensure that they have appropriate technical and organisational procedures in place to protect any personal data they are processing. This includes protection against any unauthorised or unlawful processing, and against any accidental disclosure, loss, destruction or damage. CQC will promptly inform HSE, and vice versa, of any unauthorised or unlawful processing, accidental disclosure, loss, destruction or damage to any such personal data. Both parties will also take reasonable steps to ensure the suitability of their staff having access to such personal data.

Specific CQC Responsibilities

CQC has the following specific responsibilities:

  • Carrying out any required Data Protection Impact Assessment for any element of business or process change
  • Following CQC Data Security Guidance to ensure that the necessary measures are taken to protect personal data.
  • Ensuring CQC staff are appropriately trained in how to use and look after personal data and follow approved processes for data handling.
  • Ensuring CQC staff have appropriate security clearance to handle personal information collected as part of this process.
  • Secure transfer of personal data to HSE as necessary for fulfilment of HSE’s regulatory functions.
  • Responding to Data Subject Access Requests when and where required.
  • Reporting any data breaches within CQC to their Data Protection Officer and the Information Commissioner’s Office (ICO) (where appropriate).
  • Maintaining any Article 30 processing records for data held on CQC systems.

Specific HSE Responsibilities

HSE has the following specific responsibilities:

  • Carrying out any required Data Protection Impact Assessment for any element of business or process change.
  • Following HSE Data Security Guidance to ensure that the necessary measures are taken to protect personal data.
  • Ensuring HSE staff are appropriately trained in how to use and look after personal data and follow approved processes for data handling.
  • Ensuring HSE staff have appropriate security clearance to handle personal information collected as part of this process.
  • Responding to Data Subject Access Requests when and where required in relation to personal data being processed as part of the regulatory function.
  • Reporting any data breaches to their Data Protection Officer and the ICO (where appropriate).
  • Maintaining any Article 30 processing records for data held on HSE systems.

Individual Rights

GDPR specifies rights for individuals over the processing of their data. These rights, and the process an individual should follow when making a request, are listed in both CQC’s and HSE’s privacy notice. Both parties should ensure they consult and comply fully with their respective privacy policies in the event of a Data Subject exercising any of their rights under data protection legislation.

In response to any subject access request, CQC or HSE will undertake a proportionate and reasonable search and respond within one month of the original request.

Data breach

CQC is responsible for reporting any breach occurring within their authority to their Data Protection Officer and the ICO (where appropriate).

HSE are responsible for reporting any data breaches within their Authority to their Data Protection Officer and ICO (where appropriate).

Any personal data breach as defined by GDPR Article 4(12) that meets the relevant threshold criteria will be reported to the Information Commissioner’s Office (ICO) within 72 hours of notification. This will include informing the affected data subject should the circumstances warrant it. The appropriate Data Protection Officer (see below) will be responsible for making the report, following consultation with their Chief Executive Officer (CEO).

Data retention

CQC and HSE will retain personal data associated with health and adult social care settings in accordance with their respective organisational disposal policies. Each party is responsible for ensuring appropriate technical and procedural functions are in place to ensure the secure and timely destruction of personal data.

Information Disclosure

Either party to this MoU may receive a request for information from a member of the public or any other person under the various pieces of information disclosure legislation (EU General Data Protection Regulation 2016/679 (GDPR), the Data Protection Act 2018 (DPA), Environmental Information Regulations 2004 (EIRs), the Freedom of Information Act 2000 (FOIA) etc.).

The recipient party to any request for information is ultimately responsible for making the final decision on disclosure. All requests for information will be considered on a case-by-case basis, and all resulting disclosures must be lawful. The default position for both parties is to disclose unless one or more absolute exemptions (as defined by the appropriate legislation) apply to a specific request. Where the recipient party wishes to apply a qualified exemption (as defined by the appropriate legislation) to all or part of a request, they must ensure this is validated by a documented public interest test.

The following has been agreed as the operational means of information sharing over and above the normal working level arrangements described in paragraph 19 of this MoU:

  • HSE/LAs will request intelligence from CQC, or share concerns, on a case by case basis by contacting their National Customer Service Centre.
  • CQC will share concerns with HSE via the Public Services Sector Account.
  • CQC will request intelligence from, or share information with, LAs on a case by case basis by contacting the relevant local authority
  • HSE will share information on its completed health and social care RIDDOR and concerns investigations (including enforcement notices and prosecutions), in England, with CQC on a quarterly basis; and
  • CQC will share intelligence with the police and/or CPS by contacting the relevant local service.

Annex D: Operational working arrangements

The purpose of the MoU is to help ensure that there is effective, co-ordinated and comprehensive regulation of health and safety for patients, service users, workers and members of the public. To this end there need to be effective operational working arrangements brought about by effective collaborative working.

This MoU is a statement of intent. Nothing in it shall create any legally binding or enforceable obligations on the HSE, LAs or CQC.

Effective collaborative working will be achieved through:

  • a common understanding of each other’s roles and responsibilities and good regulatory practice
  • regular sharing of knowledge and information in areas of mutual interest
  • close co-operation on respective regulatory and other activities.

The main body of this MoU sets out the principles to consider when establishing the lead enforcement body for the site or activity in question. Where the need for effective collaborative working arises, e.g. for a transfer of enforcement responsibility or joint working, in the first instance the inspector responsible for the site in question should liaise with their operational counterpart in HSE, the LA or CQC.

CQC inspectors or assessors can be contacted via the National Customer Service Centre (03000 616161) asking for the lead for the service. Issues not resolved through this liaison should be referred to the relevant sector specific enforcement leads.

HSE inspectors can be contacted via the Public Services Sector account.

Local Authority inspectors can be contacted via the contact details for the relevant LA.

In the event of agreement not being reached, the matter should be escalated through the operational management chain. Advice may be sought at any stage from HSE’s Health and Social Care Services operational policy and strategy team via the Public Services Sector account.