PERFORMANCE: The six-PCT cluster reported it was working to develop an “information sharing agreement” between it and its constituent primary care trusts.

The risk register said the impact of the breaches would be “catastrophic” and the likelihood “almost certain” of fines from the Information Commissioner’s Office and civil litigation.

The report said: “There is a risk that the cluster is accessing and processing PID [patient identifiable data] from PCTs in breach of the Data Protection Act, leading to potential fines from the Information Commissioner, reputational damage and civil action by any patients affected.

“An Information governance framework is being developed, including an overarching information sharing agreement between the cluster and the six PCTs, to set out how this will work and meet legal, Information Commissioner and other requirements.

“A draft of this has been sent to Business Support Unit managing directors with Southwark and Greenwich agreed.”

The outstanding Business Support Unitss are Lambeth, Lewisham, Bromley and Bexley.

A spokeswoman for NHS South East London said: “An NHS South East London Information Governance Framework had been circulated and has now been adopted by all Business Support Units therefore substantially mitigating and increasing the controls against the identified risk.”