NHS England as a data safe haven: our 5 data promises

Data managed by health and social care services can help to transform our health and care system and is essential to improving outcomes. 

We will use data, and we will allow others to securely access data, to support four different outcomes: 

• To deliver high-quality care to individuals
• To understand, protect, and improve the health of the population
• To effectively plan, evaluate, and improve the delivery of services
• To research and develop innovative preventions, diagnostics, treatments, vaccines and other interventions, and monitor their impact on patient care

NHS England is now the custodian of national datasets generated by health and social care services. It has assumed NHS Digital’s role of bringing data together, at a national level, and managing it securely and responsibly for the purposes described above. 

It will also take responsibility for ensuring that the data is made available to approved users to improve health and care, where there is an appropriate legal basis, and where they demonstrate they can use the data safely. Examples include research to develop new treatments, or greater clinical understanding of health conditions and diseases; supporting population health; and facilitating health and adult social care planning and service commissioning. 

More streamlined, safe, secure access to data by health and care providers will enable NHS England to promote the effective and efficient planning, development and provision of health and adult social care services.

NHS England will also take responsibility for publishing and continuously reviewing the open datasets and official statistical products that NHS Digital produces, in line with its publication obligations and the Code of Practice for Statistics. NHS England recognises this data is key to transparency and improving understanding of the NHS’s services and operations.

Individual services will remain data controllers for patient health records and for collecting, storing, and managing access to the data that they need to care for patients and deliver local services.

We will uphold the highest standards of data management, in terms of how we store, secure, analyse, manage, and allow internal and external access to data.

The same rules that applied to NHS Digital about collecting data, and making it available for research and analysis, now apply to NHS England. The transfer of statutory functions will include all existing protections for data.  

We know that patient data is special and sensitive, and we will continue to respect that in the way that we protect and secure data, limit identifiability and manage access to it, including internal NHS England access to data. We will ensure that it is used to improve health and care.

We will be transparent about the use of data and will publish details of organisations who have been allowed access to data, the data they have accessed, the purpose for that access and the data they have used. We will also publish details about data obtained under the transferred NHS Digital functions which is accessed by NHS England. This will provide the same level of transparency about internal access to the data as there was when NHS England accessed data from NHS Digital, before the merger. We will publish information about the independent advice we receive about internal and external data access and the decisions that are made.

We will have clear rules and processes to ensure that decisions about internal and external data access and use are made within a clear Information Governance framework, that processes are subject to assurance and scrutiny, and there is appropriate oversight by the Board.

For all access to data for planning, commissioning and research purposes, we will:

• Always default to de-identified data where we can – many uses of data do not require personal identifiers. We will therefore only use identifiers when essential.
• Not allow data to move out of our systems unless absolutely required – nearly all uses of data in the future will be inside Secure Data Environments.

NHS England will continue to uphold opt-outs in line with national policy and will ensure patients have a genuine choice about how their own identifiable data is used for purposes beyond their direct care.

We know from our research that the existing opt-out system is confusing and can be difficult to navigate. The Department of Health and Social Care will work with NHS England, the National Data Guardian and other stakeholders to ensure patients have confidence in the opt-out system, and to ensure data continues to support the functioning of the health and care system.

NHS England will also continue to build awareness and increase transparency and trust in the way that data is used in the NHS. Increasing transparency and trust will be essential.

NHS England’s robust policies and procedures, backed by staff training and support, will continue to enhance a culture of safe and secure data management, in which data is only used safely, securely, and appropriately, to deliver improved health outcomes.

NHS England will continue to have governance in place to ensure that the Board, with its independent non-executive members, will oversee how NHS England exercises its new transferred data functions and protects patient data. It will also put in place arrangements for the independent scrutiny of internal and external data access and will obtain independent advice on its data collection and internal and external access processes.

Within the organisation, the Chief Delivery Officer, as the Senior Information Risk Officer (SIRO), will have overall responsibility for NHS England’s information risk policy. The Information Governance function and Data Protection Officer will be part of the Chief Delivery Officer’s Directorate. Together with the Cyber Security function and the Caldicott Guardian function, they will provide assurance on the protection of patient data and the appropriateness of its use. 

The Transformation Directorate will lead the organisation’s use of data and analysis, reporting to the National Director of Transformation; this is a separate part of the organisation to the Delivery Directorate. This will ensure separation of Executive Director accountability for information governance from operational aspects of data storage, data flows, and data use (see Figure 1 below). It also means that monitoring, auditing and assurance of data functions is undertaken by those with no role in the management or use of data.

This diagram shows the way that data flows and access were managed before the merger and how that will change as a result of the merger. In time, Secure Data Environments (SDEs) will become the default way that users are provided with access to NHS data, including for NHS England analysts. More information on SDEs can be found in Section 5.

Transparency will be key to maintaining public confidence in how NHS England obtains, holds, uses, disseminates, and protects data. 

NHS England will, as NHS Digital did previously, publish all directions received from the Secretary of State so there is full transparency about the IT systems it delivers on behalf of the Secretary of State and about what data is being collected and analysed and for what purpose. It will also continue to publish requests made by other organisations for it to collect and analyse data. 

Before establishing any new data collection, NHS England must consult with a variety of people, including representatives of those from whom information will be collected and those who may use the data.

Like NHS Digital, NHS England will publish information on its website about how it collects, uses and shares data with others, including a Data Uses Register. This will ensure that the public know what data is being shared, with whom and why. Organisations will only be allowed to access data if they have the right legal basis, can demonstrate that they can manage it securely and are using it to improve health and care. 

NHS England will, as NHS Digital did, obtain independent advice on its data access processes, procedures and, where appropriate, on individual decisions around data access. This will also include its internal data access processes.

NHS England will put in place a new data advisory group to include independent advisers, including members of the previous NHS Digital Independent Group Advising on Release of Data (IGARD). This group will, individually and collectively, provide expert advice and assurance on both internal and external access to data for planning, commissioning and research purposes. 

NHS England will consult with the Department of Health and Social Care and the National Data Guardian on the terms of reference of the data advisory group, which will be approved by the NHS England Board and published.

NHS England will be required to report to Parliament, as part of its annual report, on how effectively it has discharged its new transferred data functions. This will include how it has protected patient data.

The Information Commissioner and the National Data Guardian are both key external stakeholders in relation to how NHS England uses, manages and protects patient data. NHS England will engage proactively and transparently with them to obtain their advice and challenge, in addition to engaging with them in their formal statutory, and in the case of the Information Commissioner’s Office, regulatory roles. It will also consult the National Data Guardian as part of producing its annual report.

NHS England will continue to manage the production of official statistics about health and care data, publishing these in line with the Code of Practice for Statistics, under the independent leadership of the organisation’s Chief Statistician. It will also continue to publish a wide range of open data, management information and statistical publications in accordance with its transferred data functions. In line with the Code, the Chief Statistician will have sole authority for deciding on methods, standards and procedures, and on the content and timing of official statistics. The Chief Statistician will report to the National Statistician (the Government’s Head of the Statistical Service) on all professional matters.

Taken together, all of this adds up to ensure that NHS England is upholding the highest standards of transparency and continues to be publicly accountable for how it collects, analyses, publishes and shares information.

NHS England will ensure it has the right technologies in place to protect data and to enable the effective delivery of its services.

Secure Data Environments (SDEs) are data storage and access platforms that will allow the NHS to provide approved users to access and analyse data, without it having to leave the environment. The technology will allow data access to be fully controlled and auditable, reducing the possibility of data misuse or theft. SDEs will enable the high-quality research and analysis to take place to improve outcomes, whilst upholding the highest standards of privacy and security. 

SDEs will become the standard way that the NHS provides approved users with access to health and care data for planning, commissioning and research, including within NHS England. This change will greatly increase the level of protection in place. NHS SDEs will be designed to the highest standards, adhering to the SDE Policy Guidelines and designed with reference to the “Five Safes” framework developed by the Office for National Statistics (ONS):

• Safe Settings - the environment prevents inappropriate access, or misuse
• Safe Data - information is protected and confidentiality maintained
• Safe People - those accessing the data are well trained, and authorised, to use it appropriately
• Safe Outputs – any summarised data taken away is checked to ensure it protects privacy
• Safe Projects - the use of the data goes through rigorous checks and approvals

Some parts of the NHS are already using SDEs to a high standard; the NHS is investing significantly to build these platforms and adapt old systems over the next three years. This includes NHS England.

From the merger date, NHS England will take on responsibility for running Critical National Infrastructure for the NHS, supported by the existing dedicated cyber security capability that protects and monitors the systems and information in its care. Like NHS Digital before, NHS England will continue to work closely with the National Cyber Security Centre to understand the threats and manage the security risks. It will also have wider responsibility for the cyber-resilience of the NHS. 

More specifically, NHS England will have several cyber security responsibilities:

• Managing the security risks to NHS England data by running a dedicated cyber security function
• Enabling the wider NHS to reduce cyber risk by delivering capability to prevent, detect and respond to cyber events and ensure broader cyber resilience
• Continually and strategically improving services and the overarching risk by dynamically altering centrally delivered cyber services, information and support as threats evolve
• Leading improved cyber outcomes in NHS England and the system by regular board level engagement