We treat the data we hold with great care. All data which is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will ever be shared.
Wherever possible, de-personalised data or anonymous data is used and shared to protect patient confidentiality. We also apply the National Data Guardian’s Caldicott Principles to ensure we only provide the minimum amount of data necessary for the purpose for which it is to be used. In some cases, only personally identifiable data can be shared to achieve the purpose, but this is always done in accordance with the law and subject to safeguards to ensure that the data is kept safe and secure.
All requests by other organisations to have access to data held by the NDRS are currently assessed on a case-by-case basis by the UK Health Security Agency’s Office for Data Release (ODR), who act on behalf of NHS Digital to manage those requests. The ODR previously carried out this role for Public Health England before the NDRS was transferred to NHS Digital on 1 October 2021
The ODR makes sure that organisations requesting access to the NDRS data:
- will only use it for a health and social care purpose, and for cancer data, they will only use it for a medical purpose as defined by Regulation 2 of the Health Service (Control of Patient Information) Regulations 2002 (COPI)
- cannot achieve their aim unless they can use data which could identify you (directly or indirectly)
- can only access the the minimum amount of data needed to achieve the purpose
- access de-identified data after appropriate techniques have been applied to remove and prevent the disclosure of identifying information
- have an appropriate legal basis to request the data and have obtained all necessary legal and ethical approvals
- have appropriate safeguards in place to ensure that the data will be processed safely and securely
Data which would enable you to be directly or indirectly identified is only shared with:
- clinicians and the healthcare team providing you with care, such as your hospital or GP
- organisations who can provide evidence you have given them your explicit consent to the sharing of your data with them
- organisations who have been granted specific legal approval from the Health Research Authority’s Confidentiality Advisory Group to use confidential patient information without your consent and who also have ethical approval to do so, or
- organisations with whom we have a legal obligation to share confidential patient information without consent - for example where there is a Court Order, or where this is necessary for public health purposes under Regulation 3 of COPI, including under the COPI Notices issued by the Secretary of State for Health and Social Care in relation to COVID-19
There are a number of organisations the NDRS shares data with. These include:
- your clinician/healthcare team: to provide you with care and treatment
- NHS England and NHS Improvement: to help measure the impact of screening programmes
- NHS England and NHS Improvement and The National Institute for Health and Care Excellence (NICE): to provide an evaluation of the drugs which have been added to the Cancer Drugs Fund which supports a final report published by NICE
- the Office for National Statistics: to produce national statistics about cancer and rare diseases
- NHS clinical commissioning groups (CCGs): to help plan and improve NHS healthcare services
- European Surveillance of Congenital Anomalies (EUROCAT): to bring together data on congenital anomalies collected by other population based registries in Europe so that expertise can be shared
- research organisations, including universities, charities, industry partners and clinical research organisations that run clinical trials: to carry out research
Details about the data we have shared from the NDRS with other organisations, except for anonymous data, is published in the ODR Data Release Register for releases made before the 1 October 2021. From the 1 October 2021 all data shared from the NDRS will be published on the NHS Digital Data Release Register. This includes details of each organisation ODR has released data to, alongside the type of data released, the legal basis for release and the purpose for which the data was provided.