English
Français
Deutsch
Español
Italiano
Português
日本語
한국어
Русский
Data access policy update
Published 12 October 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: [email protected].
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/data-access-policy-update/data-access-policy-update
The Department for Health and Social Care and NHS England made a commitment in Data saves lives: reshaping health and social care with data to move to a system of ‘data access as default’ for the secondary uses of NHS health and social care data (‘NHS data’).
‘Data access by default’ refers to the move from a system of data sharing to a system of data access. This change will be supported by the implementation of Secure Data Environments across the NHS in England.
Secure Data Environments (SDEs) are data storage and access platforms that allow approved users to access and analyse data without the data leaving the environment. This brings major improvements to security and transparency as well as speed of access for researchers, compared with current data-sharing practices.
Moving to a system of data access will also help to improve public confidence in secondary uses of NHS data. For example, a recent report entitled Towards a Healthier, Wealthier UK: Unlocking the Value of Healthcare Data by the Boston Consulting Group’s Centre for Growth found that 86% of the public surveyed are more comfortable with data access via SDEs than data sharing.
This is a positive change but one that we recognise is complex to achieve. In part, this will be delivered through the critical investments made by the Data for Research and Development Programme into an interoperable NHS Research SDE Network, which includes the NHS England SDE.
Clear policy and a coherent strategic narrative are equally important in shaping this transition. This is why we published the 12 Secure Data Environment policy guidelines in September 2022. A simple explanation of the rationale behind SDEs can also be found on NHS England’s website.
Since the publication of our guidelines, we have continued to engage with stakeholders from across the sector. This has been invaluable in helping to define the work required to deliver on our ambitions in the data strategy.
One strategic decision this engagement has facilitated is to take a phased and incremental approach to delivering data access as default for the secondary uses of NHS data. This acknowledges the complexity and scale of the change, as well as the number of unknowns that need to be worked through before further strategic decisions are taken, while allowing us to learn from investments and practical delivery experience.
We have also refreshed our commitment in the data strategy to update and reflect in more detail our policy intentions and delivery timelines, following our period of engagement with stakeholders across the sector.
We are moving to a system of ‘data access as default’ for the secondary uses of NHS health and social care data, facilitated by the implementation of SDEs across the NHS in England. The transition is underway, and we will update on the timeline for data access as default by the end of 2023.
Besides this:
There is ongoing work to consider how adult social care data will fit into the SDE network, as adult social care data is maturing rapidly. It is out of scope for this policy update but will be considered for future updates.
This policy update applies to all ‘NHS-controlled SDEs’. It does not nullify or replace the SDE policy guidelines. The guidelines outlined the core principles that organisations providing access to NHS data for research will need to adhere to, including the requirement for public engagement.
This publication focuses on how NHS data will be used for secondary purposes by those outside of the NHS through SDEs for research, including the NHS Research SDE Network. The NHS Research SDE Network will also be a route for approved research conducted by, or in partnership with, those inside the NHS to securely take place.
1. Secure Data Environments (SDEs) will become the primary route for accessing NHS data for research - this is what is meant by the term ‘data access as default’. Further information on the transition to data access by default will be provided by the end of 2023.
2. The NHS Research SDE Network will become the primary way to access NHS data for research, alongside the small number of existing local – for example, NHS trust-specific – SDEs for research.
3. We expect NHS organisations to have oversight of data held in SDEs and decision-making powers about which users may access data sets for which projects.
NHS-controlled SDEs may use commercial or academic technical solutions where it is more efficient than the NHS providing this itself. However, apart from for defined exception use cases (outlined in point 13, below) or specific joint NHS-academic platforms, solely commercial and/or academic-controlled SDEs will not continue to host NHS data or make it available for research.
4. The transition from data sharing to a system of data access will be phased. We will not turn off data sharing overnight, and we expect there will be a period of dual-operating both sharing and access.
We are committed to engaging with stakeholders to help shape and inform our plans for the transition.
5. The NHS Research SDE Network will consolidate multiple data access routes into one Data Access Committee per region, totalling 8 across England. This represents a considerable reduction in the number of decision points that researchers must navigate.
Researchers will see improvements as each of the network’s 8 Data Access Committees adopt the same data access application process supported by a single application form, harmonised Data Access Committee structure and turnaround times, and templated data access agreement.
6. While policy remains to be developed, SDEs providing access to NHS data for research already exist - for example, the NHS England SDE. These services are covered by several assurance mechanisms, which are sufficient until accreditation becomes operational. SDEs must comply with existing legal frameworks to keep data safe and used correctly.
SDEs in the NHS Research SDE Network are currently overseen by the Data for Research and Development Programme Board.
7. Organisations entering data partnerships with the NHS through the NHS Research SDE Network will be expected to adhere to the principles in the Value Sharing Framework for NHS data partnerships. These are:
8. SDEs must comply with the provisions of the Freedom of Information Act 2000 in relation to requests for information about the operations of the SDE, in line with existing guidance for public authorities.
9. All SDEs must be compliant with the national data opt-out.
10. We remain committed to establishing a robust accreditation regime for SDEs that provide access to NHS data for research to ensure that the highest standards of privacy and security are being met. To this end:
11. NHS-controlled SDEs will be expected to uphold high standards of transparency about how data is used and who accesses it. Accreditation will ensure these high standards of transparency are upheld.
While we are still developing an amended accreditation framework with UKSA for the NHS Research SDE Network, it will be underpinned by the same commitment to transparency as the existing Digital Economy Act Processor Accreditation Data Capability Guidance framework.
12. Public and patient engagement will support implementation of the NHS Research SDE Network and will be focused upon where public views can meaningfully shape decision-making. For example:
13. Instances of disseminating NHS data outside of an SDE for research will be extremely limited. There are, however, likely to be some use cases that remain as exceptions. Some of these will be permanent exceptions and will be categorised as:
14. To ensure that vital research can continue as policy is implemented, there will also be some temporary exceptions. These will be based on the iteratively expanding capacity and capability of SDEs for research, including the NHS Research SDE Network as it develops. For instance:
While this publication aims to provide further clarity on the transition to data access as default, we do not have all the answers at this stage, and neither should we.
We commit to continuing to learn, listen and work transparently and publicly with our stakeholders and the public. Future policy updates will provide further detail as we continue to listen, iterate and co-develop data access policy.
The definitions below are for use in data access policy updates. They have been developed to provide clarity when reading this publication.
Where the data has been generated within the NHS and the NHS has responsibility for the data.
This refers to all uses of NHS data beyond the direct care of individuals:
This is the use of NHS data by industry researchers, academic researchers and charities for reasons such as developing new medicines or understanding more about diseases.
This refers to the existing process by which NHS data is made available for research. In a data-sharing system (sometimes referred to as data dissemination), the NHS produces a cut of data and sends it to the requestor who then analyses it within their own computer system.
This refers to the process by which NHS data will be made available for secondary use. Data access for research will take place within SDEs. This will allow approved users to view and analyse NHS data without it having to leave the environment.
NHS-controlled SDEs will be able to control many factors, including:
This refers to the current scope for data access policy and SDE accreditation. This includes the NHS Research SDE Network, as well as local NHS SDEs for research.
This refers to the platforms funded by the Data for Research and Development Programme, which are expected to function as an interoperable network. They will become the primary way to access NHS data for research.
The definition of a long-term model for overseeing and assuring SDEs that host and provide access to NHS data for research.