Policy paper

Data access policy update

Published 12 October 2023

Applies to England

© Crown copyright 2023

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/data-access-policy-update/data-access-policy-update

Introduction

The Department for Health and Social Care and NHS England made a commitment in Data saves lives: reshaping health and social care with data to move to a system of ‘data access as default’ for the secondary uses of NHS health and social care data (‘NHS data’).

‘Data access by default’ refers to the move from a system of data sharing to a system of data access. This change will be supported by the implementation of Secure Data Environments across the NHS in England.

Secure Data Environments (SDEs) are data storage and access platforms that allow approved users to access and analyse data without the data leaving the environment. This brings major improvements to security and transparency as well as speed of access for researchers, compared with current data-sharing practices.

Moving to a system of data access will also help to improve public confidence in secondary uses of NHS data. For example, a recent report entitled Towards a Healthier, Wealthier UK: Unlocking the Value of Healthcare Data by the Boston Consulting Group’s Centre for Growth found that 86% of the public surveyed are more comfortable with data access via SDEs than data sharing.

This is a positive change but one that we recognise is complex to achieve. In part, this will be delivered through the critical investments made by the Data for Research and Development Programme into an interoperable NHS Research SDE Network, which includes the NHS England SDE.

Clear policy and a coherent strategic narrative are equally important in shaping this transition. This is why we published the 12 Secure Data Environment policy guidelines in September 2022. A simple explanation of the rationale behind SDEs can also be found on NHS England’s website.

Since the publication of our guidelines, we have continued to engage with stakeholders from across the sector. This has been invaluable in helping to define the work required to deliver on our ambitions in the data strategy.

One strategic decision this engagement has facilitated is to take a phased and incremental approach to delivering data access as default for the secondary uses of NHS data. This acknowledges the complexity and scale of the change, as well as the number of unknowns that need to be worked through before further strategic decisions are taken, while allowing us to learn from investments and practical delivery experience.

We have also refreshed our commitment in the data strategy to update and reflect in more detail our policy intentions and delivery timelines, following our period of engagement with stakeholders across the sector.

Our new commitment

We are moving to a system of ‘data access as default’ for the secondary uses of NHS health and social care data, facilitated by the implementation of SDEs across the NHS in England. The transition is underway, and we will update on the timeline for data access as default by the end of 2023.

Besides this:

  • by December 2022, we will publish a clear public guide to SDEs and our overarching policy guidelines for the use of SDEs (complete)
  • by spring 2025, we will have put in place a long-term model of accreditation. All platforms in the NHS Research SDE Network will be accredited. As part of establishing an accreditation process, we will publish a clear set of SDE security and capability requirements
  • from September 2022 until spring 2025, we will publish a suite of materials that details the scope, timeline for transition and wider policy decisions to implement data access by default for research uses of NHS data

There is ongoing work to consider how adult social care data will fit into the SDE network, as adult social care data is maturing rapidly. It is out of scope for this policy update but will be considered for future updates.

This policy update applies to all ‘NHS-controlled SDEs’. It does not nullify or replace the SDE policy guidelines. The guidelines outlined the core principles that organisations providing access to NHS data for research will need to adhere to, including the requirement for public engagement.

This publication focuses on how NHS data will be used for secondary purposes by those outside of the NHS through SDEs for research, including the NHS Research SDE Network. The NHS Research SDE Network will also be a route for approved research conducted by, or in partnership with, those inside the NHS to securely take place.

Policy update

1. Secure Data Environments (SDEs) will become the primary route for accessing NHS data for research - this is what is meant by the term ‘data access as default’. Further information on the transition to data access by default will be provided by the end of 2023.

2. The NHS Research SDE Network will become the primary way to access NHS data for research, alongside the small number of existing local – for example, NHS trust-specific – SDEs for research.

3. We expect NHS organisations to have oversight of data held in SDEs and decision-making powers about which users may access data sets for which projects.

NHS-controlled SDEs may use commercial or academic technical solutions where it is more efficient than the NHS providing this itself. However, apart from for defined exception use cases (outlined in point 13, below) or specific joint NHS-academic platforms, solely commercial and/or academic-controlled SDEs will not continue to host NHS data or make it available for research.

4. The transition from data sharing to a system of data access will be phased. We will not turn off data sharing overnight, and we expect there will be a period of dual-operating both sharing and access.

We are committed to engaging with stakeholders to help shape and inform our plans for the transition.

5. The NHS Research SDE Network will consolidate multiple data access routes into one Data Access Committee per region, totalling 8 across England. This represents a considerable reduction in the number of decision points that researchers must navigate.

Researchers will see improvements as each of the network’s 8 Data Access Committees adopt the same data access application process supported by a single application form, harmonised Data Access Committee structure and turnaround times, and templated data access agreement.

6. While policy remains to be developed, SDEs providing access to NHS data for research already exist - for example, the NHS England SDE. These services are covered by several assurance mechanisms, which are sufficient until accreditation becomes operational. SDEs must comply with existing legal frameworks to keep data safe and used correctly.

SDEs in the NHS Research SDE Network are currently overseen by the Data for Research and Development Programme Board.

7. Organisations entering data partnerships with the NHS through the NHS Research SDE Network will be expected to adhere to the principles in the Value Sharing Framework for NHS data partnerships. These are:

  • the cost of access should not prevent good use of data
  • the NHS will always charge a fee for accessing health data
  • the cost of access should depend on how data is being used
  • the NHS should share in the value created by its data

8. SDEs must comply with the provisions of the Freedom of Information Act 2000 in relation to requests for information about the operations of the SDE, in line with existing guidance for public authorities.

9. All SDEs must be compliant with the national data opt-out.

10. We remain committed to establishing a robust accreditation regime for SDEs that provide access to NHS data for research to ensure that the highest standards of privacy and security are being met. To this end:

  • work is underway with the UK Statistics Authority (UKSA) to co-design a new, amended version of its accreditation framework
  • initial testing and implementation of a model of accreditation will focus on the Data for Research and Development Programme’s NHS Research SDE Network to ensure the suitability and tailoring of the solution
  • accreditation of the network will ensure transparency and accountability to the public in how NHS data is accessed and used for research uses, while ensuring a high-quality, consistent experience for users

11. NHS-controlled SDEs will be expected to uphold high standards of transparency about how data is used and who accesses it. Accreditation will ensure these high standards of transparency are upheld.

While we are still developing an amended accreditation framework with UKSA for the NHS Research SDE Network, it will be underpinned by the same commitment to transparency as the existing Digital Economy Act Processor Accreditation Data Capability Guidance framework.

12. Public and patient engagement will support implementation of the NHS Research SDE Network and will be focused upon where public views can meaningfully shape decision-making. For example:

  • the upcoming large-scale public engagement programme run by the NHS Transformation Directorate will help to shape data access policy decisions
  • all NHS-controlled SDEs will conduct patient and public involvement and engagement in designing processes and making access decisions, as well as engaging and informing people about how their data is used and the benefits

13. Instances of disseminating NHS data outside of an SDE for research will be extremely limited. There are, however, likely to be some use cases that remain as exceptions. Some of these will be permanent exceptions and will be categorised as:

  • legal exceptions: where there is a legal basis for data sharing and the data cannot be made available through access to a SDE. This may include the sharing of patient-level data between NHS SDEs, SDEs controlled by government departments and arm’s length bodies, as well as between SDEs in other countries. This will be considered on a case-by-case basis in the same way as now
  • ethical exceptions: where there is explicit consent for data to be shared. For example, clinical trial data and consented cohorts. This does not mean that consented clinical trial and cohort data cannot be stored and accessed within SDEs, where there are reasons to do so. However, data can be shared in line with the approvals in place and consent given by participants. Where appropriate consent exists, NHS data linked to consented cohorts or clinical trial data should be onward-shared in a manner consistent with information provided to participants

14. To ensure that vital research can continue as policy is implemented, there will also be some temporary exceptions. These will be based on the iteratively expanding capacity and capability of SDEs for research, including the NHS Research SDE Network as it develops. For instance:

  • technical exceptions: where the NHS Research SDE Network is unable to provide the technical or storage capabilities for a specific data access use case, data sharing may still take place. We expect the numbers of this type of exception to decrease over time as capacity and capabilities improve

Next steps

While this publication aims to provide further clarity on the transition to data access as default, we do not have all the answers at this stage, and neither should we.

We commit to continuing to learn, listen and work transparently and publicly with our stakeholders and the public. Future policy updates will provide further detail as we continue to listen, iterate and co-develop data access policy.

Appendix: definitions

The definitions below are for use in data access policy updates. They have been developed to provide clarity when reading this publication.

NHS data

Where the data has been generated within the NHS and the NHS has responsibility for the data.

Secondary uses of NHS data

This refers to all uses of NHS data beyond the direct care of individuals:

  • to improve population health through the proactive targeting of services
  • for the planning and improvement of services
  • for the research and innovation that will power new medical treatments

Research uses of NHS data

This is the use of NHS data by industry researchers, academic researchers and charities for reasons such as developing new medicines or understanding more about diseases.

Data sharing

This refers to the existing process by which NHS data is made available for research. In a data-sharing system (sometimes referred to as data dissemination), the NHS produces a cut of data and sends it to the requestor who then analyses it within their own computer system.

Data access

This refers to the process by which NHS data will be made available for secondary use. Data access for research will take place within SDEs. This will allow approved users to view and analyse NHS data without it having to leave the environment.

NHS-controlled SDEs will be able to control many factors, including:

  • who can be a user
  • the data that users can access
  • what users can do in the environment
  • the findings of analysis that users can remove

NHS-controlled SDE

This refers to the current scope for data access policy and SDE accreditation. This includes the NHS Research SDE Network, as well as local NHS SDEs for research.

NHS Research SDE Network

This refers to the platforms funded by the Data for Research and Development Programme, which are expected to function as an interoperable network. They will become the primary way to access NHS data for research.

SDE accreditation

The definition of a long-term model for overseeing and assuring SDEs that host and provide access to NHS data for research.

Back to top