Advice supporting data access from NHS Digital in respect of GDPR
This is the content of the letter sent to DARS customers on 7th February 2018.
As you are a researcher and customer of NHS Digital, this letter is intended to help you get the data you require from NHS Digital in the most effective way.
As you know, the General Data Protection Regulation applies from 25th May 2018, and the data management of your research must conform to this and the Data Protection Act 2018. Many of you will have attended the recent researcher roadshows carried out jointly by NHS Digital and the MRC that gave more detail (presentations shortly available at http://digital.nhs.uk/DARS). This letter sets out some advice which we hope you find helpful.
The most important piece of information is that you have until the 25th May 2018 to address any shortfalls in your current lawful basis for processing personal data or special category personal data under GDPR, particularly if that lawful basis relies on consent. More detail on this is provided by the European Commission's Article 29 Data Protection Working Party which has published its position on consent: Guidelines on Consent under Regulation 2016/679 adopted 28th November 2017 at:
To help explain how data protection legislation applies to health and social care research, the HRA has published a suite of four high-level briefing documents aimed at those working in research in the NHS, universities, research council and charity institutes and commercial companies. Supported by a UK-wide GDPR working group with representation from a wide range of expert bodies, including the Information Commissioner's Office, these four high-level briefing documents have been adopted by NHS Digital as our research procedure for GDPR:
- A Lawful Basis for Health Research under Data Protection Legislation
- Transparency, Health Research and the Data Protection Law
- Data Protection Safeguards: 'appropriate safeguards' when processing personal data for purposes of health or social care research
- Data Subject Rights and Research Exemptions: Understanding the exemptions to application of the right to access, to portability, to rectification, to erasure, and to object, in the context of Health and Social Care Research
The four documents, along with further detailed guidance from the HRA about operational arrangements that researchers and their organisations may need to put in place, are available at:
NHS Digital Statutory Legal Duties under the Health and Social Care Act 2012
GDPR does not impact on NHS Digital's requirement to meet its statutory legal duties under the Health and Social Care Act 2012 and the Care Act 2014.
Common Law Duty of Confidentiality
There are no changes to the requirement to demonstrate how you are meeting your duties under the common law duty of confidentiality.
However, if you are relying on consent to meet the common law duty of confidentiality, this would be a good time to assess whether the consent you are using to access personal confidential data from NHS Digital would meet the reasonable expectations of your cohort. If it does not, you should consider how you might deal with this problem, for example by re-consent of your cohort or by applying for the common law duty to be set aside by the Confidentiality Advisory Group of HRA.
Next steps - DARS
To be able to receive or hold NHS Digital data after 25th May 2018, you will need to have addressed both the common law duty of confidentiality and the lawful basis for obtaining the data you want from NHS Digital. When you have read the guidance above and are confident that you meet the requirements of common law duty of confidentiality, can confirm your lawful basis for data processing moving forward, and are able to conform to GDPR [and the Data Protection Act 2018], please contact NHS Digital's DARS service via firstname.lastname@example.org, stating your NIC number and entitling the email "Existing Research Study - GDPR". We are creating a bespoke service within DARS to help you through this process.
We hope you find this approach positive and helpful.