© Crown copyright 2018
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: email@example.com.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/accessing-public-health-england-data/about-the-phe-odr-and-accessing-data
Public Health England (PHE) recognises the benefits of using data for the public good but also takes its responsibility for protecting confidentiality very seriously. We have a range of policies, protocols and processes in place to ensure the confidentiality of data is maintained at all times.
PHE is committed to optimising the use of public data, in line with The Re-use of Public Sector Information Regulations 2015. Many of our data collections and data tools adopt Open Government Licences, so they can be accessed, used or shared, without any financial, legal or technical barrier.
Data must not contain any information that could be used alone or in combination with any other data to identify individuals, where it is made publicly accessible as ‘open data’. Organisations like the Open Data Institute and the Open Knowledge Foundation provide more information on open data, including ways to help assess quality and reliability.
Not all data in the custodianship of PHE can be made available as open data. There are valid reasons why data should not be shared openly (such as it contains identifiable or de-personalised data) or why access should be under specific conditions. Requests to access non-publicly available data are handled by the PHE Office for Data Release (ODR).
2. Office for Data Release
The ODR is responsible for providing a common governance framework for responding to requests to access PHE data for secondary purposes, including service improvement, surveillance and ethically approved research. All requests to access data are reviewed by the ODR and are subject to strict confidentiality provisions in line with the requirements of:
- the common law duty of confidentiality
- data protection legislation (including the General Data Protection Regulation)
- 7 Caldicott principles
- the Information Commissioner’s statutory data sharing code of practice
- the national data opt-out programme
The ODR considers all requests for access to the data on a case-by-case basis. We work with the applicant to assess whether their needs can be met with anonymous data or whether the project protocol can be revised in a way that allows for anonymous data to be used.
The majority of data we release are anonymised in line with the Anonymisation standard for publishing health and social care data specification or the ICO’s Anonymisation code of practice unless the applicant has other specific permissions. For example, if PHE is assured that access to personal identifiable data is absolutely necessary, then this will only be released if the applicant has individual patient consent or can provide evidence of a legal basis for that information to be transferred and processed by them.
3. Governance and accountability
The ODR is accountable to the PHE Data Release Assurance Board. Overall accountability for information governance within PHE is the responsibility of the PHE Accountable Officer who, through the Statement of Internal Control, must provide assurance that all risks to PHE, including those relating to information, are effectively managed and mitigated. The Data Release Assurance Board supports the Senior Information Risk Officer and Caldicott Guardian.
The minutes of the meetings of PHE Data Release Assurance Board are available online.
The ODR operates across a number of directorates within PHE but is part of the Health Improvement Directorate, integrated into the National Cancer Registration and Analysis Service (NCRAS). The ODR reports to the Director of Disease Registration.
4. Data availability and services
The ODR can facilitate access to a wide range of datasets and auxiliary services to support direct care, research, clinical audit, surveillance and service evaluation where there is a legitimate and legal basis to do so and the data is to be used for health-care purposes.
The data that can be requested from the ODR can be described broadly in 2 ways:
- individual-level data, which is data relating to a single person; in this dataset, each row typically represents an individual person and each column an attribute such as age, gender and the disease they have been diagnosed with
- aggregate-level data, which is summed and/or categorised data that consolidates data relating to multiple persons
The ODR is also able to facilitate data linkages (bringing information from different sources together about the same person or entity to create a new, richer dataset) and support access to secure safe haven space within PHE.
Organisations wishing to work on projects that align with PHE’s overall objectives to improve and protect the nation’s health can also apply to fund or sponsor staff to work on our data within PHE.
The ODR welcomes approaches from organisations who wish to propose similar arrangements to access data from the National Disease Registers.
The NCRAS cancer registration data dictionary contains detailed information on the fields that an applicant can request from the ODR to support research, service evaluation or clinical audit on cancer patients, their care and treatment. It allows prospective applicants to explore what data items are available, select the items that they require and provide the ODR with justification as to why each data field is being requested for their specific project. The data dictionary is continually updated by the ODR to reflect updates in the availability of cancer registration data.
See more information on PHE cancer data sets, linkage and availability.
Email firstname.lastname@example.org for more information or advice about how to request access to PHE data sets.
5. ODR application and approval process
The ODR operates a 3-staged approval process:
- Assessment and approval.
This process is underpinned by a comprehensive pre-application advice service to enable prospective data users to set up their project for success by:
- establish the feasibility of a project and availability of data
- understanding methodologies to render data anonymous
- gaining access to PHE experts or appropriate collaborators that could assist in the development of an application
- understanding what information will be needed to support an application
- understanding asset specific application requirements (such as the need for programme level oversight)
- identifying potential issues that could lead to delays in access to the data required
- understand the responsibilities of both the applicant and the ODR in applying to access data
It is strongly recommended that prospective applicants discuss their proposed project with the ODR prior to submission of a full application.
Email email@example.com to access pre-application advice.
6. Submitting an application to the ODR
Applications for data are initiated on submission of a project-specific application form to firstname.lastname@example.org. This includes the ODR data request form and the requisite supporting evidence.
For all requests to access PHE data, the ODR review requires applicants to submit:
- a completed copy of the latest ODR Data Request Form, which captures information about who is applying, a summary of the project, the source and type of data required and if you have a secure environment to process the data within
- a clear, specific and unambiguous protocol, which details exactly how PHE data will be used in your project
- a detailed data specification, including all inclusion and exclusion criteria to be applied to the data; so that the ODR can understand exactly what your data requirements are and whether what you are asking for will answer your project question and be only what’s really needed for the project
This information is mandatory for all requests.
However, depending on the nature of the request applicants will be required to submit further documentation. In broad terms additional documentation will depend on 3 criteria, (1) the level of patient identifiability, (2) the intended end use and (3) whether any other organisation is involved the project (such as a mailing company sending out questionnaires or another university conducting part of the project).
Each application will be acknowledged and receipted and given a unique reference number on submission of a data request. The ODR will manage the application as a project, with an ODR data access and confidentiality manager coordinating the process and ensuring that all relevant issues are handled appropriately.
The ODR will conduct an initial review of the validity of the request and provide an estimated cost and indicative timescales for delivery following receipt of the application. Estimated times are based on the complexity of the request but on average the ODR aims to facilitate a request within 60 working days.
Once the ODR has validated the request, the application will be reviewed to ensure that:
- there is a justified purpose for the release
- the data specification is the minimum necessary and appropriate anonymisation techniques have been applied
- there is an appropriate legal basis for accessing the requested data
- the applicant has appropriate safeguards in place to ensure that the data will be processed safely and securely
- the project will be conducted in line with the UK Policy Framework for Health and Social Care Research (where applicable)
- programme level endorsement has been granted (where applicable)
Conditionally approved applicants will be sent a project-specific data sharing contract determining the permitted processing activities and the terms and conditions of the release. All data will be transferred to an approved data recipient by secure transfer methods.
7. ODR service charges
PHE follows HM Treasury rules on fees and charges as a publicly funded body. PHE has adopted a formal cost recovery framework for the ODR, following approval by the Data Release Assurance Board.
Charges are not levied on the data itself but are recouped to cover the costs of any bespoke data preparation and services.
Estimated costings can be provided and are calculated based on the complexity of the request, data extraction, analysis and presentation tasks involved. Actual costs will be confirmed during the application process and formally agreed before work commences.
The cost recovery framework provides an overview of the costs that PHE’s ODR charges for products, services and activities.
8. Data Release Register
PHE is committed to ensuring individual privacy rights are respected and informing the public about how we process applications for personal confidential data and about instances where disclosures are made for secondary use.
The PHE Data Release Register demonstrates our commitment to transparency and accountability about who we are disclosing personally identifiable or de-personalised data to and for what reason.
In 2018, the Data Release Assurance Board made a commitment to ensure that any and all public facing documentation relating to ODR activity will conform to the Wellcome Trust’s Understanding Patient Data Initiative (UPD).
We understand that the technical language used to describe how identifiable data is can be complex. It is important to explain clearly what it means when information is ‘anonymised’ and what the likelihood of re-identification is when using different types of data. The Data Release Register will utilise the terminology within the Spectrum of Identifiability as published by UPD.
9. Training opportunities and ways to keep in contact with the ODR
To learn more about the ODR and how to apply for access to personally identifiable or de-personalised data for secondary uses, the ODR invites you to join an introductory webinar for to explain how the ODR supports access to PHE data.
The next webinar will be held on 26 October 2018 from 10:30am to 11:30am. To sign up please find the event on the ODR calendar and register your details.
Further sessions will be organised on a quarterly basis, or more frequently depending on demand. These will also be tailored based on feedback received after each and further training sessions on other, more specific topics will also be organised in the coming months.
To express your interest in attending future webinars, contact the ODR by:
- phone 020 7654 8030
- email email@example.com
To receive monthly updates on the work of the ODR, including recent publications, operational updates and training opportunities, join the ODR mailing list.