
Government publishes draft guidance on NHS protection of patient data

The Department of Health and Social Care has published draft statutory guidance for NHS England on how it should exercise the statutory functions intended for transfer from NHS Digital.

The draft regulations, named ‘Health and Social Care Information Centre (Transfer of Functions, Abolition and Transitional Provisions) Regulations 2023’, have been developed ahead of NHS England and NHS Digital merging on 1 February 2023.

The document sets out the measures that NHS England is expected to take to protect confidential information when exercising relevant data functions, with the objective of ensuring that NHS England acts as a safe and effective guardian of data collected from NHS and adult social care services.

It covers a number of areas including scope; a safe haven for data; governance, scrutiny and accountability; independent advice; procedures for internal access to data; stakeholder engagement; technical measures and controls; arrangements with third parties for data processing; and transparency and reporting.

Scope

The guidance specifies that it covers any data identifying an individual, and also any data identifying an individual that is subsequently de-identified or pseudonymised, where the organisation holds both the de-identified data and other data that would enable re-identification of the subject.

It also applies to personal data as defined under UK GDPR. NHS England is identified as the controller for all personal data previously controlled by NHS Digital.

A safe haven for data

“By maintaining the highest standards of data protection and information governance, along with transparency in how data is used,” the document states, “NHS England will adopt principles, processes and safeguards that are designed to demonstrate it is, and will continue to be, a trusted custodian of health and care data.”

It adds that “taking the right decisions now” on ensuring these principles, processes and safeguards are in place will put the healthcare system in a position to deliver the four goals of reform identified in ‘A plan for digital health and social care’ (covered by HTN here).

Ultimately, the aim is for these data procedures to support the system in preventing health and social care needs from escalating; personalising health and social care along with reducing disparities; improving the experience and impact of people providing services; and transforming performance.

The guidance notes that NHS England must ensure the same level of protection, safeguards and transparency over data use as NHS Digital, including with regard to collecting and disseminating data; publishing all data unless restricted from doing so by law; publishing all directions received from the Secretary of State; publishing transparency information on its website in line with GDPR responsibilities; and more.

Governance, scrutiny and accountability

Governance in this area should “reflect the accountability of NHS England’s board for the exercise of transferred data functions,” the document states.

The board should exercise its responsibility through an “appropriate model of oversight” and should ensure that appropriate measures are put in place to scrutinise functions, prospectively and retrospectively.

Governance may include internal audits, external audits, internal security and information governance assurance, spot checks, deep dives, requests for reports and scrutiny on particular issues, audits of third-party access and data-sharing arrangements, and obtaining of independent advice.

With regards to organisational responsibilities, NHS England must ensure that there are no conflicts of interest and should clearly set out responsibilities for the Senior Risk Information Officer, Caldicott Guardian, Data Protection Officer and Chief Information Security Officer.

Independent advice

Processes and procedures should be in place for obtaining independent advice when exercising transferred data functions; examples include appointing board members to relevant committees and sub-committees, and obtaining independent advice from experts.

Operational arrangements for obtaining independent advice in relation to specific data projects, programmes and initiatives should also be put in place, such as establishing expert advisory panels or groups or obtaining advice from the National Data Guardian.

The guidance advises that NHS England should put in place a “specific data advisory group to include independent advisers who can, individually and collectively, provide expert advice and assurance on both internal and external access to data for purposes other than direct care.” This group can support with internal and external access processes and guidance; streamlining and improving access processes; complex and novel data collection; and more.

As a minimum, the group should consist of independent advisers across a number of specialisms, including practising clinicians; independent lay advisers; an independent chair; and an internal representative from the DPO, Caldicott Guardian, SIRO and data and analytics functions.

Procedures for internal access to data

Internal procedures must be put in place to specify how NHS England will access identifiable data, based on the same principles of risk-based assessment used for external requests. The procedures should be subject to advice from the data advisory group.

Stakeholder engagement

NHS England should arrange to engage with key stakeholders to understand expectations and views, draw on expertise and experience, involve stakeholders in assurance, and raise awareness of the organisation’s role.

Suggestions for engagement include the Information Commissioner’s Office, the Health Research Authority, the Confidential Advisory Group, research groups and representatives, and patient groups, among others.

The document also sets out expectations on how NHS England should engage with devolved governments if required, including a need to agree their role and how data will be collected and analysed.

Technical measures and controls

NHS England should maintain separate technical data processing environments for identifiable data and de-identified data; should use privacy-enhancing technologies to protect identifiable data; should carry out internal analysis in de-identified data processing environments; and should ensure appropriate technical, organisational and security controls are in place over the movement of data from identifiable to non-identifiable data environments.

The document states that NHS England should progress towards providing third-party access to the data it holds through approved secure data environments or trusted research environments.
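The two technical points above, separate processing environments for identifiable and de-identified data and controls on what moves between them, rest on the scope rule given earlier: pseudonymised data counts as identifying whenever the same holder also has what is needed to re-identify it. The following is an added illustration written for this article, not code from the draft guidance or from NHS England or NHS Digital. The field names, sample records, key and function names are all constructed for the example. It pseudonymises records with a keyed hash (HMAC-SHA256) so that the de-identified environment can link records but cannot reverse or regenerate pseudonyms, blocks a release that still carries direct identifiers, and classifies a holding as "identifying" when the pseudonymised data and the key sit together.

```python
"""Pseudonymisation with key separation between two processing environments.

Added example, not from the draft guidance or NHS England. Field names,
sample records, function names and the key are all constructed.
"""
import hmac
import hashlib

# Direct identifiers that must never leave the identifiable environment.
DIRECT_IDENTIFIERS = {"nhs_number", "name", "postcode", "date_of_birth"}

# Constructed sample records held in the identifiable environment.
IDENTIFIABLE_RECORDS = [
    {"nhs_number": "9434765919", "name": "Patient One", "postcode": "LS1 4AP",
     "diagnosis_code": "E11", "admission_year": 2022},
    {"nhs_number": "9434765870", "name": "Patient Two", "postcode": "M1 1AE",
     "diagnosis_code": "I10", "admission_year": 2022},
    {"nhs_number": "9434765919", "name": "Patient One", "postcode": "LS1 4AP",
     "diagnosis_code": "J45", "admission_year": 2023},
]

# Constructed pseudonymisation key. In practice it would be generated and held
# only inside the identifiable environment (for example in a key vault or HSM).
PSEUDONYMISATION_KEY = b"constructed-example-key-not-for-real-use"


def pseudonym(nhs_number: str, key: bytes) -> str:
    """Keyed hash of the NHS number. An unkeyed hash would be reversible by
    hashing every possible NHS number; with HMAC, anyone without the key can
    neither reverse a pseudonym nor regenerate it from a guessed number."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Build the de-identified view: replace the NHS number with its pseudonym
    and drop every other direct identifier. Linkage across records survives
    because the same NHS number always yields the same pseudonym."""
    out = []
    for rec in records:
        deid = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        deid["pseudo_id"] = pseudonym(rec["nhs_number"], key)
        out.append(deid)
    return out


def release_to_deidentified_environment(records):
    """Control on the movement of data between environments: refuse the whole
    release if any record still carries a direct identifier."""
    leaked = sorted({k for rec in records for k in rec if k in DIRECT_IDENTIFIERS})
    if leaked:
        raise ValueError(f"release blocked: direct identifiers present: {leaked}")
    return records


def classify_holding(holds_pseudonymised: bool, holds_key_or_mapping: bool) -> str:
    """Scope rule from the guidance: de-identified data is still treated as
    identifying when the same organisation holds other data (here the key, or a
    pseudonym-to-NHS-number mapping) that would enable re-identification."""
    if holds_pseudonymised and holds_key_or_mapping:
        return "identifying"
    return "de-identified" if holds_pseudonymised else "none"


def reidentify(pseudo_id: str, key: bytes, candidate_nhs_numbers):
    """Shows why holding the key matters: a party with the key can recompute
    pseudonyms for the NHS numbers it knows and match them; without it the
    same loop finds nothing."""
    for number in candidate_nhs_numbers:
        if hmac.compare_digest(pseudonym(number, key), pseudo_id):
            return number
    return None


if __name__ == "__main__":
    deid = release_to_deidentified_environment(
        pseudonymise(IDENTIFIABLE_RECORDS, PSEUDONYMISATION_KEY))
    for row in deid:
        print(row)
    print("de-identified environment holds:", classify_holding(True, False))
    print("identifiable environment holds:  ", classify_holding(True, True))
```

Running the block prints three rows containing only `diagnosis_code`, `admission_year` and `pseudo_id`, with the first and third rows sharing a pseudonym. The design choice worth noting is that the key, not the pseudonymised table, is the boundary: moving the key (or a mapping table) into the de-identified environment turns that environment's holding into identifying data under the scope rule, which is why the guidance asks for controls on what crosses between the two.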

Arrangements with third parties for data processing

NHS England should ensure that any arrangements with a third party for data processing on its behalf have effective safeguards to protect data from being processed for purposes outside NHS England's instructions. These arrangements should otherwise contain provisions that comply with UK GDPR requirements, and a data protection impact assessment should be carried out.

Transparency and reporting

Transparency should be achieved through publishing directions and statutory requests; data collected, including the purposes behind it; internal analysis of data; third-party access to data; decision-making regarding data access and dissemination; terms of reference and operating procedures for advisory groups; outcomes of audits; and board oversight and scrutiny.

NHS England has a duty to include an assessment on the effectiveness of the transferred data functions in its annual report.


The finalised guidance is expected to be published “within a reasonable timeframe following the transfer of NHS Digital’s statutory functions to NHS England on 31 January 2023.”