DHSC updates proposed plans to secure data environments access policy

In September, we covered the publication of the Department for Health and Social Care (DHSC)’s secure data environment policy guidelines, in an article which can be found here.

This month DHSC has announced an update to these guidelines, which will apply to all NHS controlled secure data environments (SDE) as an addition to the original policy guidelines published in 2022.

The update follows a consultation period (open until Friday 23 June) to outline a series of decisions taken to help define the work required to deliver on the ambitions in the data saves lives strategy.

“One strategic decision this engagement has facilitated, is to take a phased and incremental approach to delivering data access as default. This acknowledges the complexity and scale of the change, as well as the number of unknowns that need to be worked through before further strategic decisions are taken, while allowing us to learn from investments and practical delivery experience,” the guidance states.

The policy adds that “secure data environments will become the default route for accessing NHS data for research and external uses,” however, notes that “instances of disseminating NHS data outside of an SDE for research and external uses will be extremely limited.”

On the subject of data for operational use, the policy update shares that “NHS platforms exclusively used for operational purposes, including for commissioning directly by the NHS, are currently out of scope for data access policy.” It adds that this includes “operational instances of the ‘Federated Data Platform’ procured by the Chief Data and Analytics Office of NHS England. This is because these platforms do not provide access to NHS data to third parties or for research. NHSE remains committed to implementing data access as default, as part of a holistic set of controls in line with the ‘Five Safes’, for operational purposes.”

The updates goes on to add: “While the transition to data access as default for all secondary uses of data remains important, our engagement has shown distinct differences in the role of policy and strategy between research and other use cases of data. By prioritising in this way, we will be able to provide clarity more quickly for the most challenging and urgent area of data access to resolve.”

The published update also notes a number of other changes, including that secure data environments will become the default route for accessing NHS data for research and external uses.  It notes that NHS Research SDE Network will become the primary way to access NHS data for research and external uses, that NHS organisations should have oversight over data held in SDEs and possess decision-making powers about which users may access which datasets for which projects; and that SDEs will be expected to uphold high standards of transparency about how data is used and who is allowed to access it.

Development of an accreditation model for SDEs which will “ensure the future credibility and quality of SDEs hosting and providing access to NHS data for research and external uses”, is currently underway.

“We cannot achieve everything at once. We are mindful of the requirement to continue to engage, to build understanding and confidence. We will move only as fast as the public and stakeholders accept. We commit to continuing to learn, to listen and to work transparently and publicly. Future policy updates will provide further detail as we continue to listen, iterate and co-develop data access policy.”

To view the updated policy draft, please click here.