Statutory guidance

NHS England’s protection of patient data

Published 23 May 2023

Applies to England

Introduction and scope

Introduction

This guidance is issued by the Secretary of State for Health and Social Care (‘the Secretary of State’) under the power in section 274A of the Health and Social Care Act 2012 (‘the 2012 Act’). The guidance sets out measures that the Secretary of State expects NHS England to take to protect confidential information when exercising the relevant data functions, as defined by section 253(3) of the 2012 Act.

The objective is to ensure that NHS England acts as a safe and effective guardian of people’s data collected from NHS and adult social care services (both within England and from the devolved administrations) following the transfer of NHS Digital’s statutory functions under the Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023 (‘the transfer regulations’). These regulations transferred to NHS England the statutory duties of NHS Digital set out in the 2012 Act and other legislation, and abolished NHS Digital as a separate organisation.

Under section 274A(3) of the 2012 Act, NHS England is legally required to have regard to this guidance when exercising the data functions that have transferred to NHS England from NHS Digital under the transfer regulations. In the regulations these are referred to as the ‘relevant data functions’. However, these will be referred to in this guidance as ‘transferred data functions’. These statutory functions of NHS Digital relate to its management of data and are set out in:

These transferred data functions include functions in relation to adult social care data. For example, under:

  • section 254 of the 2012 Act, the Secretary of State may direct NHS England to establish and operate an information system where it is necessary or expedient for the Secretary of State to have adult social care information in relation to the exercise of their functions in connection with the provision of health services or of adult social care in England
  • sections 277A and 277C of the 2012 Act, the Secretary of State may direct NHS England to exercise their functions to require relevant providers of adult social care services to supply information that the Secretary of State requires for purposes connected with the healthcare system, or adult social care system, in England

Scope

Confidential information is defined in section 263(2) of the 2012 Act and this guidance covers all information that falls within that definition. This guidance therefore covers:

  • data identifying an individual
  • data identifying an individual that is subsequently de-identified or pseudonymised, where an organisation (including NHS England) holds both:
    • the de-identified data
    • other data or pseudonymisation keys that would enable re-identification of the subject of the data

The guidance therefore also applies to personal data as defined under the UK General Data Protection Regulation (GDPR), which includes health data as defined in part 7, section 205(1) of the Data Protection Act (DPA) 2018. In relation to the transferred data functions, NHS England will be the controller (as defined under UK GDPR) for all personal data for which NHS Digital was previously the controller.

This scope is referred to throughout this guidance as ‘data’.

This guidance is made under the 2012 Act as amended by the regulations and, together with those regulations, exists alongside NHS England’s fulfilment of other legal obligations in relation to data, such as the UK GDPR, the DPA, the common law duty of confidentiality, and directions made by the Secretary of State.

This guidance will be kept under annual review and updated where necessary. The Secretary of State must consult with NHS England, and any other person that the Secretary of State considers appropriate, when reviewing the guidance. This will include the National Data Guardian.

A safe haven for data

Maintaining high standards of data protection, information governance and transparency

NHS Digital was an effective and secure guardian of people’s data from its creation. It developed and improved its processes in response to expert advice (such as that provided by the National Data Guardian and NHS Digital’s Independent Group Advising on the Release of Data (IGARD)) and in response to public expectations of how health and social care data should be appropriately used. The transfer of NHS Digital’s functions to NHS England will continue that vital role and its culture of continuous improvement in the protection of data.

NHS England should aim to maintain high standards of data protection, information governance, and transparency about how data is used, and demonstrate that it is a trustworthy custodian of health and care data. In order to do this NHS England should maintain and continuously review and develop principles, processes and safeguards that will enable it to continue NHS Digital’s role as a safe haven for data.

Taking the right decisions now on ensuring these principles, processes and safeguards are in place will put the health and social care system in a position to deliver the 4 goals of reform as identified by the Secretary of State in A plan for digital health and social care. They will help to equip the system to:

  • prevent people’s health and social care needs from escalating
  • personalise health and social care, and reduce health disparities
  • improve the experience and impact of people providing services
  • transform performance

Summary of statutory protections transferring to NHS England

NHS England will ensure at least the same degree of protection, level of safeguards and transparency over data use as NHS Digital, recognising that, over time and as part of future transformation into the new NHS England, how this is achieved may change to reflect a new operating model.

The Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023 have transferred to NHS England statutory functions that formed part of the protection of people’s data in NHS Digital. These will ensure at least the same degree of protection and are summarised below:

  • in exercising the transferred data functions, the same legal framework for collecting and disseminating data as applied to NHS Digital applies to NHS England
  • NHS England must publish all data it collects and obtains, unless restricted from doing so by law. For example, it cannot publish identifiable data, and cannot publish data if directed not to do so by the Secretary of State
  • NHS England can only disseminate data where it has a specific legal power to do so and cannot disseminate confidential patient data unless the recipient has a legal basis under the common law duty of confidentiality to receive and process it
  • NHS England must publish its procedures for the making and consideration of requests under section 255 - that is, requests to establish a system for the collection or analysis of information
  • NHS England must comply with a direction from the Secretary of State for Health and Social Care to establish an information system under section 254. All the existing directions to NHS Digital have been transferred to NHS England to ensure continuity in data collections (they can be revoked by direction of the Secretary of State)
  • NHS England will publish all directions received from the Secretary of State and all requests to establish information systems under section 255, so there is full transparency on what IT system delivery functions NHS England is carrying out, what data is being collected and analysed, and for what purpose
  • like NHS Digital, NHS England will publish transparency information for the public on its website in line with its UK GDPR responsibilities about how it collects, uses and shares data with others. The level of transparency should be at least the same as NHS Digital achieved prior to the transfer of its functions to NHS England
  • NHS England must have regard to any advice given to it by the Confidentiality Advisory Group (CAG)
  • NHS England will seek advice from its own data advisory group on specific data access requests and to support the development and maintenance of precedents, standards and guidance on data access
  • NHS England is required to report annually on how it has discharged its transferred data functions

Governance, scrutiny and accountability

In exercising the transferred data functions, NHS England should ensure that its governance supports high standards of protection for data processed for the purpose of those functions. This governance should reflect the accountability of NHS England’s board for the exercise of the transferred data functions.

The board should exercise its responsibility through an appropriate model of oversight and should ensure it puts in place appropriate measures to scrutinise functions, prospectively and retrospectively.

The board retains ultimate responsibility for how effectively the organisation meets its legal obligations, including having regard to this guidance. The role of the non-executive directors on the board is important in this regard, providing an independent view on the effectiveness of safeguards and delivery. The governance may include, but is not limited to:

  • internal audits
  • external audits
  • internal security and information governance assurance
  • spot checks
  • executive, non-executive or board sponsored deep dives, requests for reports and scrutiny on particular issues
  • audits of third-party access and data-sharing arrangements
  • obtaining independent advice

Organisational responsibilities

Within NHS England, responsibilities and accountabilities for using the data derived from the exercise of the transferred functions (for example, for analysis and planning) should be separate from the functions providing assurance and advice on this (such as information governance and Caldicott Guardian functions) to ensure there are no conflicts of interest.

The Senior Information Risk Owner (SIRO) should be an executive director who generally does not have significant responsibilities and accountabilities for managing and using patient data. For circumstances where, as an executive director, their role might involve such responsibilities in relation to data, a conflicts of interest policy should be put in place with clear arrangements to:

  1. minimise the risk of conflicts occurring
  2. manage any actual or perceived conflicts of interest which do arise

The SIRO should put in place appropriate accountability and assurance arrangements to ensure that information risk, including security and IT operational information risk, is appropriately managed and mitigated, with clear reporting and escalation arrangements to the SIRO. Arrangements should include ensuring there are mechanisms in place for the SIRO to prevent or stop data processing where this is required to manage information risk.

NHS England should also clearly set out where responsibilities sit for the following roles, which ensure the organisation acts in accordance with the law relating to data:

  • SIRO for NHS England - accountable for managing all information risk across the organisation
  • the Caldicott Guardian
  • the Data Protection Officer
  • Chief Information Security Officer

Independent advice

Processes and operational procedures for obtaining independent advice

NHS England should ensure it has processes and procedures in place for obtaining independent advice when exercising the transferred data functions. The arrangements for obtaining independent advice should support oversight and scrutiny by NHS England’s board. The arrangements may include, but are not limited to:

  • appointing members to relevant committees and sub-committees who have specialist data protection and data security expertise
  • obtaining independent advice from specialists and experts

NHS England should also have procedures in place for how it will obtain advice from the CAG under section 262A of the 2012 Act.

NHS England should put in place operational arrangements for obtaining independent advice in relation to specific data projects, programmes and initiatives devised and carried out under the transferred data functions where this is required. These may include, but are not limited to:

  • establishing expert advisory panels or groups, which include external and/or independent members
  • obtaining advice from the National Data Guardian, the Information Commissioner’s Office, the Health Research Authority and/or CAG
  • obtaining independent advice from professionals and consultants who are experts in their field

A data advisory group

For the purpose of exercising the transferred data functions, NHS England should put in place a data advisory group, which is accountable to the SIRO, to include independent members who can, individually and collectively, provide expert advice and assurance on both internal and external access to data for purposes other than direct care.

NHS England should have processes in place to seek advice from both members individually and from the data advisory group as part of operational processes to support the response to specific data access requests and to support the development and maintenance of precedents, standards and guidance on data access.

The data advisory group should be able to provide NHS England with advice as requested on:

  • internal access processes, policies, procedures and guidance in relation to data obtained under the transferred data functions and that could identify any individual
  • external data access and dissemination processes, policies, procedures and guidance
  • streamlining and continuously improving internal and external data access processes, using a clearly understood risk management framework, precedent approaches and standards that requests must meet
  • complex and novel data collections, internal and external access and dissemination requests, including formulation of appropriate responses to access and dissemination requests
  • precedents for internal and external access, including advising in accordance with an agreed audit framework whether processes for the use of precedents are operating appropriately, to provide ongoing assurance of access processes
  • transparency of data collection, analysis, internal and external access and use
  • standard data-sharing and data-processing agreements, and relevant safeguards in contractual terms and conditions, including data protection and security provisions
  • any matter that the SIRO, the board or a sub-committee of the board requests, including providing advice or reports as may be requested to support the production of the annual report under section 13U(2)(d) of the National Health Service Act 2006 (‘the 2006 Act’)

The data advisory group membership should consist of (as a minimum):

  • independent members across a number of specialisms - for example law, ethics, research, analysis, adult social care and clinical practice, including practising clinicians. Clinicians should include clinicians from general practice and secondary care, and clinicians with responsibilities for operational performance
  • independent lay members
  • a chair, who is an independent member
  • an internal representative from each of the DPO and the Caldicott Guardian and a representative from the data and analytics function
  • a representative of the SIRO should attend all data advisory group meetings

For the avoidance of doubt, the majority of members in the data advisory group should be independent members.

When acting collectively, the majority of the members of the data advisory group involved should be independent members and should have the relevant expertise to advise on the matters the group is being asked to advise on. When seeking individual advice from independent members of the group, NHS England should also ensure that the member has the relevant expertise to advise on the matter requested. NHS England should ensure there are processes in place to provide appropriate transparency where it seeks advice from individual members.

The data advisory group should generally operate collectively to review and advise on specific requests to provide internal or external access or to share with a third party data that NHS England considers is complex, novel or contentious, particularly where the request is not covered by an approved precedent or standard. It is expected that these circumstances will reduce over time as more precedents and standards are agreed and assured by the group, and where individual independent members provide support early in the process on specific complex requests where needed.

Minutes of the data advisory group meetings should be published, subject to the need to maintain confidentiality over sensitive matters which the group may be asked to advise on, for example, where there is a need for a safe space to seek and obtain advice to consider a course of action before decisions are made and actions taken. Transparency is not therefore required in relation to information to which exemptions under the Freedom of Information Act 2000 could be applied.

Subject to the above, published minutes should include at least a summary of the advice and recommendations of the group on any specific internal or external access or dissemination requests. The minutes should also record where any member dissented from a group decision, where the member requests this to be recorded.

The terms of reference for the data advisory group must be agreed by the NHS England board or an appropriate sub-committee of the board. NHS England should consult with the Department of Health and Social Care and the National Data Guardian on the terms of reference, and any revisions to the terms of reference, of the data advisory group.

NHS England should publish the terms of reference and be transparent about the group’s operating processes.

Code of practice

In relation to the review and update to the code of practice prepared under section 263(1) of the 2012 Act, NHS England should consult with the Information Commissioner’s Office and the National Data Guardian and obtain independent advice in good time before publication of any update.

NHS England should also engage with key stakeholders and other persons as it considers appropriate, including any of the relevant stakeholders identified below, before publication.

Procedures for internal access to data

NHS England must put in place internal procedures in relation to how it will access identifiable data obtained under the transferred data functions, which are based on the same principles as external requests for access to such data, and which are subject to as rigorous a process of review, assurance and scrutiny as that for external access requests.

In particular, those procedures should be subject to advice from the data advisory group (as set out above) and should include the processes for reviewing, quality-assuring and advising on internal requests for access to identifiable data:

  • for analysis for planning, commissioning or research purposes
  • for the de-identification of the data for the purpose of transferring that data to internal NHS England de-identified data environments for further analysis for planning, commissioning or research purposes

Stakeholder engagement

NHS England should have in place arrangements for engaging with key stakeholders in relation to the exercise of its transferred data functions. This is to:

  • understand people’s expectations and views
  • draw on their expertise and experience
  • involve stakeholders in assurance
  • raise awareness of the organisation’s role and the benefits of improving the way in which the NHS and social care manage data across the 4 major uses

Engagement may be in general terms or on specific data projects, programmes and initiatives, and could include engagement with:

  • the Information Commissioner’s Office
  • the National Data Guardian
  • the Health Research Authority
  • the Confidentiality Advisory Group
  • privacy groups and representatives
  • patient or service user groups and representatives
  • lay people or the general public
  • research groups and representatives
  • professional and clinical groups and representatives
  • provider and integrated care board groups and representatives
  • IT system provider groups and representatives
  • arm’s length bodies
  • government departments and agencies
  • devolved administrations, and their health and adult social care bodies and agencies (see below)

Engagement with devolved administrations

NHS England may, at the request of a devolved administration or one of their health and adult social care bodies and agencies under section 255 of the 2012 Act, set up an information system to collect and/or analyse data from organisations within the health or adult social care service of that devolved administration. If the request is from one of their health and adult social care bodies or agencies, the relevant devolved administration should be informed by NHS England about this request.

NHS England should agree with the relevant devolved administration, body or agency, their role and how the data will be collected, analysed and disseminated in line with the processes NHS England publishes for managing section 255 requests. NHS England should ensure that these published processes help to determine where data controllership sits for each case.

There should be regular engagement with devolved administrations, their bodies or agencies to review the requested data collections and their effectiveness, and to ensure continuous improvement. NHS England should allow the devolved administration or its bodies or agencies to agree to any changes in approach in relation to the information systems established under the section 255 request, and to otherwise have oversight of NHS England’s role in relation to the data obtained by NHS England under the section 255 request.

NHS England should have internal processes in place to facilitate regular review and discussion with the devolved administrations in relation to information systems established for devolved administrations, their bodies or agencies under section 255. These processes should enable either party to raise any concerns or issues for timely and effective resolution.

Technical measures and controls

When exercising the transferred data functions and where practical (taking into account existing technology platforms and solutions) NHS England should:

  • maintain separate technical data processing environments for identifiable data and de-identified data
  • use privacy-enhancing technologies to protect identifiable data
  • carry out internal analysis in de-identified data processing environments
  • ensure appropriate technical, organisational and security controls and assurance are in place over the movement of data from identifiable to non-identifiable data environments, and over re-identification processes. This includes appropriate controls and audit regarding access to and use of pseudonymisation keys

In line with national policy, where possible, NHS England should progress towards third-party access to data held by NHS England being through approved secure data environments and/or trusted research environments that meet the national guidelines, or, when in operation, have been accredited.
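The following is an added illustration, not part of this guidance or of any NHS England system, of how the controls listed above can be enforced in code: the pseudonymisation key lives only in the identifiable environment, every use of it is audited, re-identification needs a recorded approval, and the de-identified environment rejects any record that still carries a direct identifier. The environment classes, field names, sample record and approval reference are assumptions constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Direct identifiers that must never leave the identifiable environment (assumed set).
DIRECT_IDENTIFIERS = {"nhs_number", "name", "date_of_birth", "postcode"}


@dataclass
class KeyUseEvent:
    """One audited use of the pseudonymisation key."""
    when: str
    actor: str
    operation: str            # "pseudonymise" or "re-identify"
    purpose: str
    approval_ref: Optional[str]


class IdentifiableEnvironment:
    """Holds the pseudonymisation key and the only code paths that may use it."""

    def __init__(self, key: bytes):
        self._key = key
        self._lookup: dict = {}          # pseudonym -> NHS number, kept here only
        self.audit: list = []            # audit trail of every key use

    def _pseudonym(self, nhs_number: str) -> str:
        # Keyed hash: stable for linkage across records, not reversible without the key.
        return hmac.new(self._key, nhs_number.encode(), hashlib.sha256).hexdigest()

    def _log(self, actor: str, operation: str, purpose: str, approval_ref: Optional[str] = None) -> None:
        self.audit.append(KeyUseEvent(datetime.now(timezone.utc).isoformat(),
                                      actor, operation, purpose, approval_ref))

    def pseudonymise(self, record: dict, actor: str, purpose: str) -> dict:
        """Return a de-identified copy of the record for transfer out of this environment."""
        pseudonym = self._pseudonym(record["nhs_number"])
        self._lookup[pseudonym] = record["nhs_number"]
        self._log(actor, "pseudonymise", purpose)
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym"] = pseudonym
        return out

    def reidentify(self, pseudonym: str, actor: str, purpose: str, approval_ref: str) -> str:
        """Re-identification requires a recorded approval reference and is always audited."""
        if not approval_ref:
            raise PermissionError("re-identification requires an approval reference")
        self._log(actor, "re-identify", purpose, approval_ref)
        return self._lookup[pseudonym]


class DeidentifiedEnvironment:
    """Receives only pseudonymised records and never holds the key."""

    def __init__(self):
        self.records: list = []

    def ingest(self, record: dict) -> None:
        # Guard the boundary: a record carrying a direct identifier is refused.
        leaked = DIRECT_IDENTIFIERS.intersection(record)
        if leaked:
            raise ValueError(f"direct identifiers must not enter this environment: {sorted(leaked)}")
        self.records.append(record)

    def count_by(self, field_name: str) -> dict:
        """Example analysis that needs no access to identities."""
        counts: dict = {}
        for r in self.records:
            counts[r[field_name]] = counts.get(r[field_name], 0) + 1
        return counts


# Constructed sample record; the NHS number is a dummy value, not a real identifier.
SAMPLE_RECORD = {"nhs_number": "0000000000", "name": "Example Person",
                 "date_of_birth": "1970-01-01", "postcode": "XX0 0XX", "condition": "asthma"}
```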

Arrangements with third parties for data processing on behalf of NHS England

When exercising the transferred data functions, NHS England should ensure that any agreements or arrangements with a third party for processing data on its behalf as a processor under UK GDPR have effective safeguards to protect data from being processed for purposes outside of the instructions of NHS England.

Such agreements or arrangements should otherwise contain provisions that comply with the requirements of UK GDPR. As part of this, a data protection impact assessment will be carried out in line with UK GDPR requirements.

Transparency and reporting

Transparency

When exercising the transferred data functions, NHS England should operate with the same degree of transparency as NHS Digital in relation to the collection, analysis, publication and use of data. NHS England should be transparent by publishing information about:

  • directions and statutory requests under section 255, which should continue to be published
  • data collected, including purposes for which data is collected
  • internal analysis of data, including purposes for which data is analysed. As soon as is practical, NHS England should publish an internal Data Uses Register for data flows into de-identified data environments
  • third-party access to data, including purposes for which data is analysed. NHS England should continue the Data Uses Register of NHS Digital, and take steps to evolve and improve this
  • decision-making regarding data access and dissemination
  • terms of reference and operating procedures for advisory groups
  • outcomes of third-party access and data-sharing audits
  • board oversight and scrutiny

In relation to the publication of official statistics and management information obtained through the exercise of the transferred data functions, including data on the performance of NHS services, NHS England should ensure the same degree of objectivity and transparency as NHS Digital, in line with the Code of Practice for Statistics.

Annual reporting

NHS England is accountable to the Secretary of State and to Parliament for its exercise of the transferred data functions. NHS England has a specific duty under section 13U(2)(d) of the 2006 Act to include in its annual report an assessment of how effectively it has discharged those functions. For the first full financial year it exercises those functions and in subsequent years, this should include an assessment of the steps taken by NHS England to follow this guidance and to protect confidential information generally.

The assessment in the annual report should provide a summary of the way in which NHS England protects people’s data and, alongside its publication of procedures and other elements by which it ensures transparency, offer an assessment for the public as well as Parliamentarians as to how effectively it protects confidential data. The content should provide an assessment of organisational approaches to protecting data, including how controls are implemented to ensure separation of identifiable data environments and de-identified data environments, and how the risk of re-identification is mitigated. It should also consider any in-year changes or significant actions that have implications for the protection of data.

The assessment should above all provide an assessment of the ability of the organisation to protect confidential data and provide evidence to support that assessment. NHS England should seek independent advice to inform this report and consult with the National Data Guardian for their views.

NHS England should ensure that a copy of the annual report, or an extract containing the assessment relating to the transferred data functions, is shared with each devolved administration, the National Data Guardian and the Information Commissioner’s Office.

NHS England should provide information to assist the assessment of how effectively it has protected data in the discharge of its transferred data functions as necessary when requested by the Secretary of State or Parliament (for example, in a Parliamentary question or by a Parliamentary committee). This should be fulfilled via the usual accountability route into the Department of Health and Social Care.