What this means for me

  • Most people in the UK who use the NHS – whether for an ongoing condition, maternity services, an operation, or an emergency – will have some data recorded about their care which is already available to researchers on an anonymised basis. For example, this could include:

    • how long it took an ambulance to get you to hospital
    • how long you waited for admission to a bed or for your operation or mental health intervention
    • what sort of treatment you had
    • how long you stayed in hospital (if you did)
    • whether you were re-admitted soon afterwards
    • what ongoing treatment you have for health conditions such as diabetes (if any).

    Controlled access to data held in patient records improves an individual’s care and helps the health and care system plan local services. Information can also be provided to researchers to enable them to find out more about diseases, their causes and risks, and develop new treatments. You may also have agreed to be part of a clinical trial, in which case you will already know what you agreed to, and what its purpose is.

    The NHS and other organisations which use data to enable health research – such as Clinical Research Practice Datalink, UK Biobank, and Cystic Fibrosis Trust – already make their de-identified data available to researchers.

  • If data from many different patients are linked up and pooled, researchers and doctors can look for patterns in the data, helping them develop new ways of predicting or diagnosing illness, and identify ways to improve clinical care. The information from health data is really valuable to help understand more about disease, to develop new treatments, to monitor safety, to plan services and to evaluate NHS policy.

    Before a researcher is granted access, their study is assessed by an independent review committee or other decision-making group, who check that the reason for using the data is appropriate. Wherever possible, identifying information will be removed from that data, and researchers should only be given the minimum amount necessary to answer a question. Data must be stored securely, and a legal contract must be signed before data can be accessed.

    Often a study will need to use data about an individual that is held in more than one dataset. When this happens, a trusted third party, usually NHS Digital, links the data using a unique identifier (such as the NHS number, which is then removed) to make sure the researcher cannot re-identify individuals.

  • Health Data Research UK is leading work to improve access to data by researchers to improve prevention, care and treatments, helping people lead longer, healthier lives.

    Health Data Research UK is working with:

    • the organisations which hold health data (known as data custodians)
    • healthcare professionals, academics, charities and industry who want to carry out research to improve prevention, care and treatments
    • patients and the public to shape how access to data should work.

    Its aim is to enable medical discoveries that improve people’s lives by making it possible for researchers to:

    • develop new ways of managing and extracting knowledge and insights from complex and diverse health data
    • use data from big datasets to address important health research questions that cannot be tackled by individual research organisations.

    It will do this by:

    • bringing together information about existing health datasets so that researchers know what’s available and how they can access it
    • improving the quality of UK health data, and developing its use, by working with the data custodians to help them work towards common standards for allowing access to the data
    • enabling researchers to use the health data safely and securely
    • ensuring we have the skills and ways of working to work with data in the most efficient and responsible way to solve health challenges
    • developing tools – like Artificial Intelligence – that can help draw new insights
  • The larger and more diverse the datasets that researchers have access to, the more likely it is that they will find something that can help you, your family, your community or someone else with a condition. If research identifies something which could improve care for individual patients taking part in research, wherever possible this will be fed back to the team treating them, so they can benefit directly from it.

    The fuller the data that the NHS has about its services and patients, the better it can plan for the future.

    Evidence, brought together by Understanding Patient Data, shows that people are generally comfortable with anonymised data from medical records being used for improving health, care and services, for example for research, provided there is a public benefit.

  • The NHS has some of the richest data records in the world, but much of it is very hard to access and it’s not joined up. Health data is held in thousands of different places across the UK.

    Part of the aim of Health Data Research UK is to help provide links across these datasets, make it more straightforward for researchers to access in a safe and secure way and help increase the speed and scale at which research and innovation can take place. The end result will be that people benefit sooner from improved treatments, devices, interventions and health system management.

How my data is protected

  • The organisation which currently has your data (known as the data custodian) – your GP practice, community health services, mental health or hospital trust, medical research charity, UK Biobank or disease registry – is responsible for keeping your data safe.

    Every member of staff who works for these organisations has a legal obligation to keep information about you confidential. For example, in the NHS, organisations maintain a duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

    Where systems have been set up to collect data from GP practices, NHS trusts, Health Boards and so on – for instance by NHS Digital in England, the Information Services Division of NHS Scotland, NHS Wales, and Health and Social Care Northern Ireland – the organisations collecting the data have responsibility for it. It is collected and, in most cases, de-identified before being released for research.

    These organisations and others are part of the UK Health Data Research Alliance which brings together the organisations that hold the UK’s health data. They are working together and with the public to develop standardised tools, techniques, conventions and technologies for research and innovation. All organisations working with Health Data Research UK have to sign up to the ‘Principles for Participation’ outlining the key principles that guide their work.

  • Under the General Data Protection Regulation you have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a Subject Access Request or SAR. This guide from the Information Commissioner explains how to make a subject access request.

  • Decisions about how health data is used will always put patient privacy, safety and benefit first and there are multiple safeguards in place to ensure this happens.

    Health Data Research UK is enabling researchers to discover and request access to data via the Innovation Gateway. The Gateway does not hold or store any datasets or patient or health data but allows users to see descriptions of the different types of datasets in the UK to enable researchers to see what’s available and how they can access it. A dataset is a collection of related individual pieces of data but in the case of health data, identifiable information (e.g. name or NHS number) is removed and data is de-identified where possible.

    If a researcher wants to access a dataset, they can send a request via the Innovation Gateway and this will be considered by the organisation that looks after that dataset.

    We’re now working to ensure that all research on the data is carried out in what’s known as a Trusted Research Environment or Safe Haven. These are highly secure places – either physical servers often in a locked room or on a Safe Cloud – that can only be used by researchers who have been permitted entry. Any technology companies involved in providing or supporting the Safe Havens will not be able to see or access the data.

    The aim is to enable maximum security, through multiple layers, and to minimise the risk of anyone’s data being misused.

  • The organisations responsible for managing the data (the ‘data custodians’) already have tried and tested data protection plans in place to respond to threats to data security, including significant data breaches or near misses. These plans are regularly reviewed by the NHS and other organisations involved as part of their commitment to cybersecurity, and their legal duty under the Data Protection Act and the General Data Protection Regulation to protect people’s data.

    If ever there is a security breach, or a risk of a security breach, these plans will come into effect and will likely involve reporting the incident to the Information Commissioner’s Office.

Concerns about data

  • The General Data Protection Regulation (GDPR) specifically makes it a criminal offence to deliberately re-identify someone, or to attempt to do so (conditions apply). For a helpful description of what is meant by identifiable data, please read Understanding Patient Data’s factsheet.

    There are multiple safeguards in place – both by Health Data Research UK and the organisations that manage the data (data custodians) – to reduce the risk of data being re-identified. The Innovation Gateway will not hold or store any datasets or patient or health data. If access is provided by the data custodian, we’re working to ensure that research on the data will be carried out in what’s known as a Trusted Research Environment or Safe Haven. These are highly secure places – either physical servers often in a locked room or on a Safe Cloud – that can only be used by researchers who have been permitted entry. Any technology companies involved in providing or supporting the Safe Havens will not be able to see or access the data.

    This minimises the risk that any data can be downloaded or transferred and then used to identify any individual patient.


  • The safeguards that we are putting in place with the organisations that manage the data (data custodians) work to avoid identification of any individual patient and minimise the risk of any data being misused. This makes it extremely unlikely that there would be any adverse consequences for people.

    You can make a request to your healthcare provider (your GP or hospital) and ask who has had access to your identifiable NHS data.

  • It is usually possible to opt out of sharing health data held in personal records about you. To do this, contact the organisation that holds the record (such as your GP practice or hospital). If you live in:

Industry partners

  • Health Data Research UK has many industry partners to boost capabilities in a variety of ways – from data analytics tools to research skills and resources. Many UK-based small and medium-size enterprises are involved, as well as large companies with an international presence. Forty per cent of the companies involved in the Health Data Research Hubs are UK-founded, and all must have a UK base, thereby helping to ensure that this programme enhances the UK’s life sciences sector. Wherever we do work with industry partners, we are committed to being transparent about these partnerships.

  • Health Data Research UK is working with some big technology companies, such as Google, Microsoft and IBM, to develop services and tools for health data research in the UK. Like the other companies we work with, they benefit from working in partnership with UK organisations by gaining insights into the NHS and how to develop innovative products for patients.

  • Industry is critical in rapidly translating pioneering research into mainstream care. It is the biomedical and pharmaceutical industries that have taken pioneering research and turned it into many of the medical innovations – such as the X-ray machine, MRI scanner and penicillin – that we take for granted today.

    Without the involvement of industry, the NHS would not be able to get the new medicines, treatments and diagnostics for patients. Medicines and diagnostics are always developed outside the NHS and government by the private sector.

    The involvement of industry partners in Health Data Research UK’s work does not mean that they will automatically be able to access data. They are providing a specific service, and – like all the partners and companies involved – won’t have any privileged access to information. The same principles and safeguards will apply to anyone inside or outside the partnership. Any decisions about how the data will be used will always put patient privacy, safety and benefit first and there are multiple safeguards in place to ensure this happens.

  • The data will not be available for free and the organisation that manages the data (data controller) will have some form of charge for access or services or both. This is the case currently with most data controllers in the UK.

    Health Data Research UK is working with the data controllers and the Hubs to look at an approach to making its work sustainable. This will mean they will not have to rely on the UK taxpayer for its funding over the long term and to achieve this there will need to be a commercial model for access to data. Anyone requesting access to data must demonstrate the benefits that their research will bring to patients and the NHS. Health Data Research UK is also working closely with the Government to support its policy development to realise the benefits and value of UK health data.

  • Any researchers working for private companies wishing to access the data will need to demonstrate how their research will benefit patients and the NHS. While companies are likely to profit (for example, by developing new drugs), they will also be delivering vital benefits to patients.

Public involvement and engagement

  • Public engagement and involvement are at the heart of the work of Health Data Research UK. We want people to understand what we are doing and why so that:

    • patients and the public work with us in research and innovation
    • the needs, values and interests of patients and the public are understood and embedded in our work
    • people have trust and confidence in the use of health data for research and innovation
    • people are advocates for data being used in research and innovation.

    Health Data Research UK’s Public Advisory Board, which was recruited from patients and members of the public from across the UK, has shaped the work of the programme so far. Patient/public events were held to gain input and feedback from people about how they would want their data to be accessed and used for research. Each of the Health Data Research Hubs is expected to involve patients and the public in making decisions on how their data is used, and they report on this on a quarterly basis.

  • The work we’ve been doing so far with patients and the public has been crucial but isn’t the only thing we’re doing. We are planning a wide-ranging campaign in 2020 with our partners, patients and the public to open up the discussion.

    If you would like to get involved in Health Data Research UK’s work, visit our ‘Get Involved’ webpage to find out about the latest opportunities to get involved and how you can be kept up-to-date.

Have a question that hasn’t yet been answered?

Get in touch at enquiries@hdruk.ac.uk and we’ll do our best to help.