Consultation outcome

Data access policy update: proposed draft

Updated 12 October 2023

Applies to England

Introduction

The Department for Health and Social Care (DHSC) and the NHS in England made a commitment in the data saves lives strategy to move to a system of ‘data access as default’ for the secondary uses of NHS health and social care data (‘NHS data’). This change will be supported by the implementation of secure data environments across the NHS in England.

Secure data environments are data storage and access platforms that allow approved users to access and analyse data without the data leaving the environment. This brings major improvements to security and transparency as well as speed of access for researchers, compared to current data-sharing practices.

This is a positive change but one that we recognise is complex to achieve. In part, this will be delivered through the critical investments made by the Data for Research and Development programme into national and sub-national secure data environments. Clear policy and a coherent strategic narrative are equally important in shaping this transition, which is why we published the 12 secure data environment policy guidelines and a simple explanation for secure data environments in September 2022.

Since the publication of our guidelines, we have continued to engage with stakeholders from across the sector. This has been invaluable in helping to define the work required to deliver on our ambitions in the data saves lives strategy.

One strategic decision this engagement has facilitated is to take a phased and incremental approach to delivering data access as default. This acknowledges the complexity and scale of the change, as well as the number of unknowns that need to be worked through before further strategic decisions are taken, while allowing us to learn from investments and practical delivery experience.

Another strategic decision we have reached is that our policy efforts should focus, for the time being, on the transition to data access as default for research and external uses of NHS data only. While the transition to data access as default for all secondary uses of data remains important, our engagement has shown distinct differences in the role of policy and strategy between research and other use cases of data. By prioritising in this way, we will be able to provide clarity more quickly for the most challenging and urgent area of data access to resolve.

This update applies to all ‘NHS controlled SDEs’. It does not nullify or replace the Secure Data Environment Policy Guidelines published in 2022. The guidelines outlined the core principles that organisations providing access to NHS data for research and external uses will need to adhere to, including the requirement for public engagement.

While this publication aims to provide further clarity on the transition to data access as default, we do not have all the answers at this stage. Nor should we have all the answers because they need to be co-developed with the public and our stakeholders.

We cannot achieve everything at once. We are mindful of the requirement to continue to engage, to build understanding and confidence. We will move only as fast as the public and stakeholders accept.

We commit to continuing to learn, to listen and to work transparently and publicly. Future policy updates will provide further detail as we continue to listen, iterate and co-develop data access policy.

Policy update

1. Secure data environments (SDEs) will become the default route for accessing NHS data for research and external uses. Instances of disseminating NHS data outside of an SDE for research and external uses will be extremely limited.

2. NHS platforms exclusively used for operational purposes, including for commissioning directly by the NHS, are currently out of scope for data access policy. This includes operational instances of the ‘Federated Data Platform’ procured by the Chief Data and Analytics Office of NHS England (NHSE). This is because these platforms do not provide access to NHS data to third parties or for research. NHSE remains committed to implementing data access as default, as part of a holistic set of controls in line with the ‘Five Safes’, for operational purposes.

3. The NHS Research SDE Network will become the primary way to access NHS data for research and external uses, alongside the small number of existing local (for example, NHS trust specific) SDEs for research. There will be a small number of defined exceptions to data access policy (see point 10, below).

4. We expect NHS organisations to have oversight over data held in SDEs and have decision-making powers about which users may access datasets, for which projects. NHS controlled SDEs may use commercial or academic technical solutions, where it is more efficient than the NHS providing this itself. However, apart from for defined exception use cases (outlined in point 10, below), we do not expect that commercial and/or academic controlled SDEs will continue to host NHS data or make it available for research. We encourage partnership between academic organisations and their subnational SDE to maximise funding efficiencies and expertise.

5. The cut off date for data sharing for research and external uses of NHS data has not yet been set, but by the end of 2023 we will provide clarity on when we expect this to take place. ‘Data sharing’ refers to the process where data is provided from the NHS to an external researcher or organisation. We expect that there will be a period of dual operating (data sharing and data access) while the change is embedded across the system, but ultimately there will only be a very small number of defined exceptions to the policy.

6. Initially, from a researcher perspective there will be a single Data Access Committee to apply to for each NHS funded SDE in operation. These committees will have harmonised data application processes to ensure consistency and efficiency of decision making. Over time we will explore the possibility of delegated authority across data access committees. All data access committees will include patient and public representatives.

7. SDEs will be expected to uphold high standards of transparency about how data is used and who accesses it:

   • all NHS controlled SDEs will uphold high levels of transparency over how decisions are made
   • all NHS controlled SDEs will uphold high levels of transparency over who is accessing data, for which purposes, and the outcomes
   • all NHS controlled SDEs will conduct patient and public involvement and engagement in designing processes and making decisions, as well as engaging and informing people about how their data is used and the benefits

8. While policy remains to be developed, SDEs providing access to NHS data for research and external uses already exist, for example, the NHSE SDE. These services are covered by several assurance mechanisms:

   • secure data environments must comply with existing legal frameworks to keep data safe and used correctly. This includes the provisions of the Freedom of Information Act (FOI), in relation to requests for information about the operations of the SDE, in line with existing guidance for public authorities

   • SDEs in the ‘NHS Research SDE Network’ are currently coordinated by the Data for Research and Development Programme Board. Their design and implementation will also be influenced through the Network’s Community of Practice (CoP)

   • our commitment within the data saves lives strategy to put in place robust accreditation for NHS Research SDEs remains firm, but we believe that existing security and governance measures covered above provide sufficient reassurance in the interim period

   • platforms should continue to be invested in while a fuller accreditation model is developed

9. Development of an accreditation model:

   • we are currently in the process of defining a long-term model of accreditation of SDEs, which will ensure the future credibility and quality of SDEs hosting and providing access to NHS data for research and external uses

   • engagement is underway with stakeholders to determine the options for implementing an appropriate model of accreditation. Specifically, we are considering how to maximise existing frameworks while ensuring fitness for purpose for NHS data. Furthermore, we want to ensure a long-term model is sufficiently scalable and avoids unnecessary duplication

   • initial testing and implementation of a model of accreditation will focus on the Data for R&D programme’s NHS Research SDE Network to ensure the suitability and tailoring of the solution

10. The following exceptions currently apply to data access policy, this list will be reviewed regularly as part of the iterative policy development process:

    • sharing of patient-level data between NHS SDEs, as well as between SDEs in other countries, will be considered on a case-by-case basis in the same way as now, and only be done where there is a legal basis to do so and adequate protections in place

    • sharing of patient-level data between NHS SDEs and SDEs controlled by government departments and arms-length bodies within England will be considered on a case-by-case basis in the same way as now, and only be done where there is an existing legal basis to do so, and value is added to data held elsewhere

    • consented NHS data, including clinical trial data and consented cohorts, are out of scope for data access policy

    • this does not mean that consented clinical trial and cohort data cannot be stored and accessed within SDEs, where there are reasons to do so. However, data can be shared in-line with the approvals in place and consent given by participants

    • where appropriate consent exists, NHSE data linked to consented cohorts or clinical trial data may be onward shared, if this is consistent with information provided to participants in the trial

    • we recognise there will be exceptions beyond this and will factor these into future phases of this work

How to respond

We welcome your feedback on the draft proposals. You can let us know your views by emailing them to dataaccesspolicy@dhsc.gov.uk.

We will be monitoring and collating feedback until Friday 23 June.

As per our commitment in the data saves lives strategy, we will be engaging with the public and patients about our policy. We will publish further updates as our work in developing data access policy progresses. We will also be engaging about the long-term accreditation of SDEs from summer 2023.

Appendix 1 - definitions

These definitions have been developed to provide clarity when reading the policy update.

Data access policy: the development of national policy to move to a system of data access as default for secondary uses of NHS data, facilitated by the implementation of SDEs. The use of data for research already happens – data access policy will not change existing rules regarding data controllers, processors and accessors. The policy will change the mechanism for how this happens, predominantly via SDEs. Technical architectural information about the design and implementation of SDEs beyond the SDE policy guidelines is out of scope for data access policy.

NHS controlled SDE: this refers to the current scope for data access policy and SDE accreditation. This includes platforms funded to provide secure access to NHS data for research and/or external uses: planned NHS Sub-National SDEs and the existing National SDE (both funded by the Data for Research and Development programme) as well as local NHS SDEs for research. It does not include NHS platforms exclusively used for operational purposes, including commissioning, with all activity conducted by or on behalf of the NHS, which are governed by existing procurement, governance and data security regulations.

NHS Research SDE Network: this refers to the platforms funded by the Data for Research and Development programme, which are expected to function as an interoperable network. They will become the primary way to access NHS data for research and innovation.

NHS operational platforms: refers to NHS platforms exclusively used for operational purposes, with are all activity conducted by or on behalf of the NHS, which are governed by existing procurement, governance and data security regulations.

NHS data: where the data has been generated within the NHS and the NHS has responsibility for the data.

SDE oversight and accreditation: the definition of a long-term model for overseeing and assuring SDEs hosting and providing access to NHS data for research. This expands what was previously referred to as ‘accreditation’.

Privacy notice

Summary of initiative and policy

We are collating feedback through our policy mailbox to a consultation on our data access policy update.

What personal data we collect

We will be collecting individuals names, email addresses and place of work.

How we use your data (purposes)

We will collect individuals personal information from feedback emails we receive in response to this consultation. We will hold this personal information so we are able to analyse the feedback received.

Legal basis for processing personal data

Under the General Data Protection Regulation (GDPR), the lawful basis we rely on for processing this information is:

• performance of a task carried out in the public interest

Data processors and other recipients of personal data

DHSC is a data controller. We will not pass any data onto a third party.

International data transfers and storage location(s)

Storage of data by DHSC is provided via secure computing infrastructure on servers located in the European Economic Area. DHSC platforms are subject to extensive security protections and encryption measures.

Retention and disposal policy

DHSC will hold the data for 6 months while the feedback is analysed.

How we keep your data secure

DHSC uses a range of technical, organisational and administrative security measures to protect any information we hold in our records from:

• loss
• misuse
• unauthorised access
• disclosure
• alteration
• destruction

We have written procedures and policies that are regularly audited and reviewed at a senior level.

Your rights as a data subject

By law, data subjects have a number of rights and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018 applies.

These rights are:

1. The right to get copies of information – individuals have the right to ask for a copy of any information about them that is used.

2. The right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected

3. The right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used.

4. The right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case.

5. The right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case.

Comments or complaints

Anyone unhappy or wishing to complain about how personal data is used as part of this programme, should email data_protection@dhsc.gov.uk in the first instance or write to:

Data Protection Officer
39 Victoria Street
London
SW1H 0EU

Anyone who is still not satisfied can complain to the Information Commissioners Office. Their website address is www.ico.org.uk and their postal address is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Automated decision making or profiling

No decision will be made about individuals solely based on automated decision making (where a decision is taken about them using an electronic system without human involvement) which has a significant impact on them.

Changes to this policy

This privacy notice is kept under regular review and was last updated on 26 May 2023.