Skip to main content
Toggle menu

Search the website

Bennett Insights: An Overview of UK Data Policy Developments

Posted:
Written by:
  • Jess Morley
Categories:

An overview of the UK Government’s nine data policy documents published April - July 2022.



Background

In the first five years of UK policymaking following the EU Referendum (2017-2021), the UK Government published on average two high-level policy documents related to data (either explicitly or implicitly) per year. In contrast, in 2022 between the months of April and July alone, the UK Government published eight data-related policy documents, or nine including the Data Protection and Digital Information Bill.

This represents a significant increase in interest, activity, and attention in one policy area. It is likely that some of this concentration is attributable to administrative delays related to the COVID-19 pandemic and the re-direction and re-prioritisation of civil service resource and attention. However, the increase in activity, is also strategic.

One of the Government’s motivations for leaving the EU, has always been the desire to regain ‘sovereign control over’ (and responsibility for) large areas of policy previously governed by the EU and, in so doing:

“gain the freedom to regulate in a more proportionate and agile way that works for our great British businesses; benefits for people that put money back in their pockets, improve their rights and choices as consumers and give them access to better healthcare

The benefits of Brexit: how the UK is taking advantage of leaving the EU

Data policy is one of the main policy areas that has traditionally been set at the EU level, and so this recent flurry of activity also represents a desire from the UK Government to redesign national-level data policy so that it better suits the overarching aims of the State. In particular, it represents an ambition to enable the greater use of data for research, innovation, and business to support both the economy and the healthcare system. For example, the explanatory notes to the Data Protection and Digital Information Bill state:

“In the government’s view, some elements of current data protection legislation - the UK General Data Protection Regulation [the UK implementation of the EU-GDPR]] and the Data Protection Act (DPA) 2018 - create barriers, uncertainty and unnecessary burdens for businesses and consumers…… This can create an unnecessary burden for private organisations and slows down delivery of public services.”

In this context, the current level of activity surrounding data policy is understandable, particularly as data has played a key role in the UK’s response to the COVID-19 pandemic and will likely play an equally important role in the ‘recovery.’ However, it has created a ‘can’t see the wood for the trees’ problem where it has become difficult to see how the various documents, recommendations and commitments fit together to point in an overarching strategic direction. Thus, in this Insight, we set out to:

  1. Provide an accessible explanation of who writes high-level policy documents, what their status and purpose is, and what they are used for across the system.
  2. Make the raw text of all the documents navigable, by pulling together the commitments & recommendations, from across the documents, in their own words, by topic.
  3. Provide a succinct summary in our own words of the overarching aims, goals, and strategies, broken down by theme and by topic.

We do this by focusing on the policy developments for ‘health data’ specifically, primarily because this is the ‘type’ of data that is currently most obviously in the spotlight, and because it is clear that there is a desire to use a wider range of ‘data’ for health research and analysis purposes. However, the themes and strategies highlighted are applicable to all ‘types’ of data.

Since April of this year, the UK Government has published:

In keeping with the ontology of gov.uk, each of these documents belongs in one of three categories:

  1. Research and Statistics
  2. Policy Papers and Consultations
  3. Guidance and Regulation

For example, ‘The Goldacre Review’ represents would be classed as ‘research and statistics’ whilst ‘Data Saves Lives’ would be classed as as a policy paper and the The Data Protection and Digital Information would be ‘guidance and regulation’.

Within each of these categories there are then sub-categories. For instance, Data Saves Lives is a strategy whilst Data: A New Direction is the Government’s response to a public consultation, and the Roadmap for digital and data, 2022 to 2025 is internally focused (i.e., it is centred on how the Government itself will use digital and data) whilst the UK Digital Strategy is externally focused (i.e., it is centred on how digital will be used to improve the lives of businesses and citizens).

Though they may seem arbitrary, these categorisations matter because they typically dictate the status of the document, its authors, its purpose, and how it is used by the system.

To be specific, research (e.g., The Goldacre Review) is typically produced by external sources such as consultations, or academics. Its purpose is to evaluate and advise and set goals i.e., establish what the Government should be striving to achieve in a given area, how far away it is from the target state, and what actions it could take to reach the goal.

This advice and goal setting informs ‘policy papers’ which are written by civil servants and are typically strategies, (e.g., Data Saves Lives) which sets out the ‘vision,’ the aims, and the objectives, as well as setting out how these aims and objectives will be met. From strategies, individual policies, guidance documents, ethical frameworks, and standards are derived. Combined these types of documents establish the how of the what and the why. Where ‘harder’ boundaries are required (for instance in the case of data protection or patient safety), then new regulations might be required (e.g., Data Protection and Digital Information Bill). So, combined, these different types of policy documents:

  1. Set direction (important in a federated system);
  2. Create the environment (or where appropriate market) in which a particular goal will be achieved; and
  3. Dictate budgets and spending

Thus, each ‘category’ of document is equally important but each serves a unique purpose and each varies in the extent to which it is enforceable: research is advice and there is no requirement from central Government or any subsidiary to act upon it whilst regulation is enforceable by the law. This does, necessarily, mean that there is an implied hierarchy and sequence. However, it is not always the case that the hierarchy or sequence are followed exactly. Internal processes, and other practicalities, can mean that different categories of documents are published ‘out of sequence’ even if the ‘cluster’ is clearly identifiable. For example:

  • The Goldacre Review [Research] (April 2022)
  • Data Saves Lives [Strategy] (June 2022)
  • Creating the right framework to realise the benefits of health data (July 2019) [Guidance]
  • £200 million announced for privacy-preserving platforms for research (March 2022) [Funding]
  • Announced Federated Data Platform tender (April 2022) [Funding]

Are all clearly ‘grouped’ and driving toward the same goal of better, broader, and safer, use of health data for research and analysis, not all were published in the implied sequence. This is why it is helpful, to summarise groups of documents at a higher-level of abstraction (i.e., by theme) to make the overarching strategic direction more obvious. By doing this, it is, for example, possible to identify the overarching and consistent aims across all the 9 documents published between April and July this year:

  • Reduce the number of places data is collected, stored, and disseminated.
  • Make data accessible to trusted individuals, teams, organisations, and businesses (where appropriate) via a smaller number of platforms
  • Upskill the [clinical], analytical, academic, and senior management communities to ensure they are all capable of working in a modern, open, collaborative fashion and all have the required digital and data literacy.
  • Put in place legislation, standards, and mechanisms that ensure [NHS] data cannot be monopolised and is instead made readily accessible (in a secure fashion) for those who need it
  • Put in place legislation, standards, and mechanisms that ensure meaningful transparency and accountability over how data is used
  • Standardise the ways in which [patients] and publics are informed and involved in all uses of [NHS] data to ensure all uses are socially acceptable as well as legally compliant.

In what follows we provide a more detailed look at how we derived these overarching aims, showing how they can be abstracted from the recommendations and/or commitments written in each of the documents when these are summarised by topic and by theme. To do this we present the recommendations/commitments verbatim, according to our theme and topic structure, and provide a high-level summary in our own words.

As explained in the ‘Background’ section we do this by focusing on the policy developments for ‘health data’ specifically, but the themes and strategies highlighted are applicable to all ‘types’ of data.

Four Use Cases, Four Goals, & Four Themes

The starting point for understanding how the nine policy documents fit together (at least from a health data perspective), is recognising that at a strategic and high level of abstraction, the UK Government (particularly the NHS Transformation Directorate) views NHS data as having four disparate uses:

  • Direct Care
  • Managing Population Health
  • Planning NHS Services
  • Research (and Innovation)

As set out in the Plan for Digital Health and Social Care, it is hoped that by combining these four use cases, the Government can equip the health and care system to:

  • Prevent people’s health and social care needs from escalating
  • Personalise health and social care and reduce health disparities
  • Improve the experience and impact of people providing services
  • Transform performance

(Note that the first goal here is relevant across Government, it not a goal solely directed towards the NHS).

These are extremely ambitious goals and so, to break them down, the various documents make commitments/recommendations at lower levels of abstraction that, in theory, will enable the delivery of these goals. Although these commitments/recommendations are numerous, it is possible to see them as being grouped into four themes:

  • Platforms, Privacy and Security
  • Information Governance
  • Ethics, Participation and Trust
  • Workforce and Ways of Working

Combining these four themes with the four use cases provides a means of creating an accessible summary of all the nine documents.

Use Cases Goals Themes
Direct Care Prevent people’s health and social care needs from escalating Platforms, Privacy & Security
Managing Population Health Personalise health and social care and reduce health disparities Information Governance
Planning NHS Services Improve the experience and impact of people providing services Ethics, Participation & Trust
Research (and Innovation) Transform performance Workforce & Ways of Working

Direct Care

  • Goal: Use data to enable integrated and joined-up care/ public services.
  • Aim: Ensure the right information is available for the right person at the right time.

This will be achieved by:

  • Reducing the number of individual data collections
  • Making more detailed individual-level data available from central sources
  • Making this feasible by increasing the reliance on cloud infrastructure rather than physical databases
  • Improve the cybersecurity provisions of these centralised data sources
  • Further enhancing the resilience and protection of these centrals stores by improving the information governance training of frontline staff
  • Improving the ways in which frontline staff use data for decision-making by:
    • providing them with decision-support-tools; and
    • making the workforce more data literate

A Plan for Digital Health & Social Care

Platforms, Privacy & Security

Publish a Cyber Security Strategy for Health and Social Care to help all parts of the health and social care system build cyber security capabilities, resilience, clinical safety and accessibility (winter 2022)

Set out how we will enhance and extend existing national protections available through the NHS Security Operations Centre. These will include security monitoring, threat intelligence and national incident response coordination

In each ICS and NHS region, fund dedicated cyber staff to work alongside local NHS and social care organisations on managing cyber risk and ensuring compliance with nationally mandated cyber standards. Those staff will be supported through a national training programme and peer networks (2025)

Create a plan for the delivery of a national data registry, which will also encompass a review of imaging standards and a national architecture review. The National Data Registry will enable a clinician to view a person’s history at the point of care (September 2022)

Use clinical decision support systems in diagnostics to improve the provision of the most appropriate test at the right time, improve the safety and quality of care, and reduce the overall cost through the roll-out of iRefer. It is anticipated that it will be rolled out to 50% of trusts (by March 2023)

Roll-out of digital infrastructure that will enable diagnostic networks to make future use of AI to reduce repetitive tasks, increase the throughput speed of diagnostic results reporting and provide enhanced post-processing of imaging data sets (March 2024)

Harness the power of data for real-time management information and to provide insight on the opportunities for higher-quality and more efficient care across the system, with a focus on primary care and UEC. For example, interactive dashboards enable commissioners and providers to better understand their patients’ journeys from initial triage to health outcome (March 2025)

Information Governance

Develop a support offer specifically for frontline staff who work with IG, including: an IG transformation plan with practical tools to use in data-sharing situations, professional standards and training materials (December 2022); a new head of profession to lead on developing and executing the transformation plan, including competency frameworks, standards, job families and appropriate professional accreditation (from April 2022)

Publish an Information Governance Framework for Integrated Health and Care, part 2, and embed the information governance portal as the one-stop shop for help and guidance (December 2022)

Establish a data framework for adult social care, setting out what data the sector needs to collect, the purpose of those collections and the standards governing them, with a move towards client-level data collections and away from aggregate data collections (December 2022)

Workforce & Ways of Working

Continue to deliver digital boards leadership development for NHS and ICS boards in partnership with NHS Providers (ICS offer from summer 2022)

Work with NHSE’s People Directorate and HEE Technology Enhanced Learning and Digital Readiness Education teams to drive uptake of the staff app and Digital Skills Assessment Tool (summer 2022).

Continue to support regional Informatics Skills Development Networks to meet regionally specific digital, data and technology training needs

Data Saves Lives

Platforms, Privacy & Security

Develop an easily accessible data-sharing solution with local authorities and providers over the next 3 years that supports real-time decision making at local, regional and national levels, building on the learning from the pandemic, and seek to ensure different actors in the system have access to the same rich data sets – from June 2022

Agree a target data architecture for health and social care, outlining how and where data will be stored and accessed, starting with health (by July 2022) and then followed by social care – by September 2022

Publish the NHS Cloud Strategy, Principles and Policies to establish a more standardised and optimised approach to cloud adoption throughout the NHS – by June 2022

Deliver a target state that considers environmental impact through our cloud migration, and use of strategic cloud suppliers who have credible sustainability targets and roadmaps – by September 2022

Map the technical debt for national systems, and prioritise what must be addressed and completed through relevant programmes of work – by September 2022

Provide services to find and retrieve records from wherever they are created across health and social care – from June 2022

Improve our integration approach to scale APIs already being used by the market, starting with elective care – from May 2022 Improve the process of onboarding to national systems to increase uptake of national services and products such as the NHS number – from March 2022

Develop the roadmap for core NHS services using cloud technologies where appropriate – by March 2023

Build centres of excellence in the area of data architecture that focus on promoting best practices, support and training – by December 2022

Enhance the NHS service standard to provide more information on the right tools and technology that can be used to develop products and services – by December 2022

Information Governance

Establish a head of IG profession to ensure the development of competency frameworks, standards, job families and appropriate professional accreditation for information governance staff working in health and care – commenced from April 2022

Lead the development and implementation of information governance as part of a multidisciplinary function for informatics and champion the work of information governance professionals – by December 2022

Review the Data Security and Protection Toolkit and its language to bring it into line with our work to simplify information governance – by July 2022

Workforce & Ways of Working
Develop, in collaboration with Skills for Care, a digital skills framework that will support the improvement of the digital capabilities of everyone working in the adult social care sector (phase one completed March 2022), supported by the delivery of an inclusive approach to training opportunities to improve the data and digital literacy of the adult social care workforce – commenced from April 2022

Population Health

  • Goal: Use data for public health surveillance
  • Aim: Ensure the health and care system as a whole can predict, prevent, and (if necessary) respond to threats to public health.

This will be achieved by:

  • Providing regional health and care teams (ICSs mostly) with access to all health and care data for the people they are responsible for caring for via accessible and secure real-time platforms
  • Providing regional staff with the skills and knowledge to analyse the data available to them
  • Requiring regional analytical teams to openly share their analytic code so that specific analyses can be done in the same way in multiple locations
  • Creating an underpinning technical architecture that enables the combining of analytical results from multiple regions when it is necessary to gain a whole-population perspective
  • Revising information governance requirements so that sharing for the purposes of planning is not blocked by monopolistic behaviour of multiple data controllers

Specifically the following commitments/recommendations are made (verbatim text):

Transforming for a digital future: 2022 to 2025 roadmap for digital and data

Platforms, Privacy & Security

Will work to make all ‘critical’ data assets available and in use across government through trusted APIs and platforms such as GDX and IDS.

All departments agree to promote a ‘buy once, use many times’ approach to technology, including by making use of a common code, pattern and architecture repository for government.

All new services shall comply with the common approach to Secure By Design.

Information Governance
All departments will agree to co-develop and adopt a single data ownership model for ‘critical’ data assets.

Data Saves Lives

Platforms, Privacy & Security

Initiate a national pilot on improving care coordination via the Improving Care Coordination for Patients programme – completed March 2022

Create a showcase of replicable archetypes of national data and analytics technology infrastructure based on the maturity of integrated care systems – completed March 2022

Create a federated data platform that will enable each Trust and every ICS to have its own platform that can interact with regional and national platforms to fulfil specific, predetermined use cases, supporting leaders across the NHS to make better decisions through the systematic use of timely and relevant insight and evidence, and ultimately providing the connectivity needed to transform care and improve outcomes for patients – by April 2023

Information Governance
We will amend the 2002 COPI regulations to ensure that they facilitate timely and proportionate sharing of data, engaging with stakeholders and the public by the end of 2022 to make sure that changes are implemented transparently – delivery date subject to Parliamentary processes.
Workforce & Ways of Working
Begin to make new source code that we produce or commission open and reusable by default (with clear exceptions) and publish it under appropriate licences to encourage further innovation (such as MIT and OGLv3, alongside suitable open data sets or dummy data). Subject to consultation, the relevant policies will also aim to be open and reusable – commenced from December 2021)

A Plan for Digital Health & Social Care

Platforms, Privacy & Security
Every ICS has implemented a population health and planning data platform, and business intelligence tools by 2023

Planning

  • Goal: Use data for the effective and efficient commissioning and monitoring of services.
  • Aim: ensure the right services are provided in the right geographical locations; providers are paid for the services they provide; and unwarranted variations in care are detected and investigated.

This will be achieved by:

  • Reducing the number of individual data collections
  • Providing central analytics teams with access to aggregate performance data via secure data environments
  • Providing central analytics teams with the skills and knowledge to analyse the data available to them
  • Providing senior management with data literacy training to enable them to be ‘smart customers’ of data
  • Ensuring data is used for performance management in a way that is sensible and acceptable to both publics and professionals
  • Requiring central analytics teams to openly share their analytic code so that specific analyses can be done in the same way in multiple locations; and so all analytic code can be inspected for errors
  • Revising information governance requirements so that sharing for the purposes of planning is not blocked by monopolistic behaviour
  • Put in place standards and mechanisms that ensure transparency of data use for analytical purposes

Specifically the following commitments are made (verbatim text):

UK Digital Strategy

Platforms, Privacy & Security
The Government will continue to support data-led decision-making through the Integrated Data Service. The service consists of a cloud-based platform and will transform ways of working. Under robust security and ethical protocols, and through a Trusted Research Environment, the service will enable analysts and researchers to access, link, analyse and disseminate a range of data to help inform policy decisions.
Ethics, Participation & Trust
The Cabinet Office’s Algorithmic Transparency Standard recommendations will also help public sector organisations to provide clear information about the algorithmic tools they use to support decision-making. The Data Standards Authority will continue to work to improve how the public sector manages data, by establishing standards and making data-sharing across Government more effective.

Transforming for a digital future: 2022 to 2025 roadmap for digital and data

Workforce & Ways of Working

Over 90% of senior civil servants will be upskilled on digital and data essentials, with learning embedded into performance and development standards.

Over 90% of DDaT professionals will undertake DDaT related training at least once a year and will record their skills, to support the prioritisation of DDaT learning interventions and associated investment.

Data Saves Lives

Information Governance

Introduce a statutory power to enable health and adult social care public bodies to require anonymous information that relates to the provision of health and adult social care services in England – delivery date subject to Parliamentary processes

Put in place a system-wide target for the rationalisation of data collections to reduce the time spent by health and care staff inputting and processing data for national use – by end of 2022 and reviewed annually

Workforce & Ways of Working

We are developing an Open Analytics policy

We are beginning to make new source code that we produce or commission open and reusable by default (with clear exceptions).

We will encourage publishing code under appropriate licences to encourage further innovation (such as MIT and OGLv3, alongside suitable open datasets or dummy data). Subject to consultation, the relevant policies will also aim to be open and reusable.

We are building the profile of data and analysis as a profession, including consistent and appropriate competency frameworks, networks, training, career opportunities and status.

We are developing an online Analytics Hub, working with AnalystX, to share, promote and endorse training, events and other resources aimed at analysts and non-analysts across all career levels.

We will continue to encourage innovation and collaborative working through a data and analytics accelerator by promoting the use of open data, and working with a plurality of solutions and teams. The principles of the accelerator will be tested through hackathons and real business cases – by September 2022

We will develop and roll out a unified set of competency frameworks aligned to the government analysis function skills and the digital, data and technology profession – by December 2022

A Plan for Digital Health & Social Care

Workforce & Ways of Working

Co-create a national digital workforce strategy with the health and care system, setting out a framework for bridging the skills gap and making the NHS an attractive place to work (March 2023)

Enable recruitment, retention and growth of the Digital, Data and Technology (DDaT) workforce to meet challenging projected health and care demand by 2030, through graduates, apprentices and experienced hires, creating posts for an additional 10,500 full-time staff (March 2025)

Create a membership body for DDaT professionals in health and social care that will, over the years, bring cohesiveness between the disparate professions, to set and assure adherence to professional standards, and harmonise the DDaT profession (September 2022)

Establish new and continuation of existing digital learning offerings through the NHS Digital Academy, including the Digital Health Leadership Programme (via Imperial College and partners), Digital Futures Programme (cross-ICS), Topol Fellowships in Digital Healthcare and Health Innovation Placements, a programme that supports our change leaders to learn directly from exposure with industry (through 2022 and beyond)

Grow and nurture a pipeline of diverse future specialists and leaders through graduate and apprenticeship schemes, starting (June 2022)

Embed digital skills development into academic curricula to support our future and incoming workforce (from 2022)

Publish our Version 1 Open Source Policy through Github and a playbook on how to develop open source systems and products (summer 2022)

Goldacre Review

Platforms, Privacy & Security

Build trust by taking concrete action on privacy and transparency: trust cannot be earned through communications and public engagement alone.

Ensure all NHS data policies actively acknowledge the shortcomings of ‘pseudonymisation’ and ‘trust’ as techniques to manage patient privacy: these outdated techniques cannot scale to support more users (academics, NHS analysts, and innovators) using ever more comprehensive patient data to save lives.

Build a small number of secure analytics platforms – shared ‘Trusted Research Environments’ – then make these the norm for all analysis of NHS patient records data by academics, NHS analysts and innovators, wherever there is any privacy risk to patients, unless those patients have consented to their data flowing elsewhere. Every new TRE brings a risk of duplicated effort, duplicated information governance, duplicated privacy risks, monopolies on access or task, and obstructive divergence around data curation and similar activity: there should be as few TREs as possible, with a strong culture of openness and re-use around all code and platforms.

Use the enhanced privacy protections of TREs to create new, faster access rules and processes for safe users of NHS data; ensure all TREs publish logs of all activity, to build public trust.

Map all current bulk flows of pseudonymised NHS GP data, and then shut these down, wherever possible, as soon as TREs for GP data meet all reasonable user needs.

Use TREs – where all analysts work in a standard environment – as a strategic opportunity to drive modern, efficient, open, collaborative approaches to data science.

Information Governance
Develop clear rules around the use of NHS patient records in performance management of NHS organisations, aiming to: ensure reasonable use in improving services; avoid distracting NHS organisations with unhelpful performance measures.
Workforce & Ways of Working
Write an ‘open analytics policy for the NHS: Bring together DHSC and the NHS Transformation Directorate to write a policy that makes it clear to all analyst teams across the NHS, and all general managers, that sharing code is not the same as sharing data and that open is the preferred and default method for all analysis conducted using public data and public funding. Note that ‘open code’ is different to ‘open data’: it is reasonable for the NHS and government to do some analyses discreetly without sharing all results in real time.

Reproducible Analytical Pipelines Strategy

Workforce & Ways of Working

Reproducible Analytical Pipelines (RAP) will become the default way of conducting quantitative analysis. Analysis is then reproducible, transparent, trustworthy, efficient, and high quality.

Research software engineers will be embedded in analytical areas to deliver digital expertise, build products and develop capability. Research software engineers are software engineers who understand the process of analysis and research. They work with other analysts to develop digital analytics products for end users.

Analysts will have access to the tools they need to do analysis using the RAP principles

We will build analyst capability to do analysis using the RAP principles

Senior leaders and organisations will see the value of RAP and encourage analysts to use RAP principles

Analyst teams will be multidisciplinary and will work with digital teams so that they can deliver high quality and valuable analysis products through application programmable interfaces (APIs), interactive visualisations and regularly updating dashboards.

Research

  • Goal: Use data to analyse patterns of disease; identify new treatments; monitor the efficacy and safety of existing treatments; drive innovation; and more.
  • Aim: ensure researchers can access NHS data to conduct lifesaving research without compromising patient privacy and public trust.

This will be achieved by:

  • Reducing the extent to which the system relies on providing researchers with access to data via insecure ‘Pseudonymise and Disseminate’ methods
  • Providing researchers with access to population-level datasets via accredited ‘Trusted Research Environments’ (referred to as Secure Data Environments in Data Saves Lives) that meet a set of minimum technical specifications regarding privacy protection, governance, and open working
  • Simplifying Information Governance, once Trusted Research Environments are in place, to ensure it does not act as a barrier to life-saving research and innovation but continues to provide appropriate scrutiny regarding purpose of research
  • Upskilling the academic workforce to work in modern, open, computational ways so that all research code is shared openly for scrutiny and re-use
  • Funding research into the development of secure analytical platforms, and code and methodological innovation for data curation, privacy preservation, and more
  • Putting in place standards and contractual requirements for those looking to use NHS data for commercial purposes to ensure a fair return on investment, and public acceptability
  • Improving the quality of ‘Patient and Public Involvement and Engagement’ activity conducted by researchers
  • Putting in place standards and mechanisms that ensure meaningful public transparency over data use for research purposes

Specifically the following commitments/recommendations are made (verbatim text):

UK Digital Strategy

Platforms, Privacy & Security

We are also running a call for views (Data Storage and Processing Infrastructure, Security & Resilience) to further our National Data Strategy commitment to develop a stronger risk management framework for the infrastructure upon which data use relies.

In line with our overarching ambition to keep our digital systems, platforms, devices and infrastructure secure, we are investing more than £2.6 billion over 3 years. This includes a £114 million increase in funding for the National Cyber Programme, accompanied by enhanced funding for critical cyber skills training, infrastructure, research and development, innovation, defence, and intelligence.

Information Governance

We expect to bring forward primary legislation to reform the UK’s data protection laws, by simplifying some parts of the UK General Data Protection Regulation (GDPR) ensuring high standards of data protection. This Government’s view is that our reform of UK legislation on personal data is compatible with maintaining the free flow of personal data from Europe.

We will adopt a more flexible, outcomes-based approach for compliance, ensuring the Information Commissioner’s Office (ICO) accounts for the increasing importance of its remit for competition, innovation and economic growth. This flexible approach will reduce burdens on business and innovation, which impede the responsible use of personal data. In addition, these changes will also provide scientists with the clarity and confidence they need to get on with life-enhancing and life-saving research

The Government also committed to legislating for Smart Data in the Queen’s Speech. These changes will provide consumers and small businesses with the power to enable trusted third parties to help them access, make sense of, and use their data. Recently, the Business Secretary set out a new programme of investments in Smart Data to drive industry and collaboration across sectors.

We will also resist unreasonable attempts at data localisation, and seek international trade agreements to facilitate the free flow of data with trust.

Data Saves Lives

Platforms, Privacy & Security

Secure data environments will be the standard way to access NHS Health and Social Care data for research and analysis.

Secure data environments providing access to NHS Health and Social Care data must meet, or demonstrate a credible roadmap to meeting, criteria set out within our accreditation framework.

Secure data environments must maintain the highest level of cyber security to prevent any unauthorised access to data.

Secure data environment owners must be transparent about the data within their environment, who is accessing it, and what it is being used for.

The secure data environment may only be accessed by appropriate, verified users.

Secure data environments must ensure that patients and the public are actively involved in the decision making processes to build trust in how their data is used.

Data made available for analysis in a secure data environment will be de-identified in a proportionate manner to protect patient confidentiality.

NHS Health and Social Care data should only be linked with other datasets within an accredited NHS secure data environment.

All accredited NHS secure data environments must adhere to a policy of open-working, support code-sharing and facilitate use of technology that supports this, such as reproducible analytical pipelines (RAP).

Secure data environments must be able to support flexible and high quality analysis for the diverse range of uses they will support Secure data environments must ensure that nothing is brought in, or removed from, the Environment without assessment and approval.

Information Governance

We are committing to simplifying the Information Governance Framework; creating fit-for-purpose rules around different types of data - including pseudonymised data; simplifying the national data opt-out; standardising approaches to PPIE; and tackling the ‘bigger’ issues through participatory engagement such as citizens juries. Specifically, the data strategy makes the following commitments:

We are embedding the Information Governance Portal as the one-stop shop for help and guidance

We are creating fit-for-purpose rules around different types of data (such as pseudonymised), so that staff can clearly understand them, addressing concerns around pseudonymised data as raised by the Goldacre Review

We are developing a national information governance transformation plan, focusing on practical data-sharing situations, creating professional standards and addressing training for frontline staff

Ethics, Participation & Trust

We are co-designing a transparency statement, as part of a regularly updated online hub, setting out how publicly-held health and care data is used across the sector

We are developing a standard for public engagement, setting out best practice for health and care organisations, and any other body using NHS data, to engage appropriately with the public and staff across the system on data programmes and issues

We are undertaking in-depth engagement with the public and professionals, through forums such as focus groups with seldom heard groups, and large-scale public engagement on topics and questions that are high priority or particularly complex, including how we deliver secure data environments and the future of the national data opt-out, and working closely with regions to understand local needs.

We are working with the public, the expert advisory group, the National Data Guardian and other stakeholders to ensure that there is a simple opt-out system in place that provides clarity and choice, giving patients confidence and ensuring data continues to support the functioning of the health and care system

Workforce & Ways of Working

We are consulting with UK Research and Innovation (UKRI) and the National Institute for Health Research (NIHR) to consider how outputs from research they fund, involving health and care data, can follow open and reusable code principles

We are working to ensure all accredited NHS secure data environments adhere to a policy of open-working, support code-sharing and facilitate use of technology that supports this, such as reproducible analytical pipelines (RAP).

We will publish a digital playbook on how to open source your code for health and care organisations. Guidance on where to put the code, how to license and maintain it, and best practice for working with suppliers will be published in addition to case studies of teams who have done this – completed May 2022.

A Plan for Digital Health & Social Care

Platforms, Privacy & Security

Data for research and development will be available through a federated network of trusted research environments (TREs) by March 2025

We will deliver the policy and requirements needed to implement secure data environments (SDEs) – TREs are a type of SDE – across the NHS (December 2022)

We will enable researchers to access linkage-enriched genomics data sets from linked sources (2025)

We will develop a network of sub-national or regional linked TREs (March 2025)

Information Governance

We will ensure the right assurance and commercial foundations are put in place by 2025 to stimulate a thriving innovation ecosystem that fosters collaboration between the health and social care sectors and the tech industry

We will publish a Value-Sharing Framework to ensure the NHS gets best value from these assets (March 2023)

Ethics, Participation & Trust

We will develop a standard for public engagement that sets out best practice for engaging appropriately with the public and staff about data to be followed by any organisation using NHS data (December 2022)

We will co-develop a data pact setting out mutual expectations for the public and health and care system (December 2022)

Goldacre Review

Platforms, Privacy & Security

Build trust by taking concrete action on privacy and transparency: trust cannot be earned through communications and public engagement alone.

Ensure all NHS data policies actively acknowledge the shortcomings of ‘pseudonymisation’ and ‘trust’ as techniques to manage patient privacy: these outdated techniques cannot scale to support more users (academics, NHS analysts, and innovators) using ever more comprehensive patient data to save lives.

Build a small number of secure analytics platforms – shared ‘Trusted Research Environments’ – then make these the norm for all analysis of NHS patient records data by academics, NHS analysts and innovators, wherever there is any privacy risk to patients, unless those patients have consented to their data flowing elsewhere. Every new TRE brings a risk of duplicated effort, duplicated information governance, duplicated privacy risks, monopolies on access or task, and obstructive divergence around data curation and similar activity: there should be as few TREs as possible, with a strong culture of openness and re-use around all code and platforms.

Use the enhanced privacy protections of TREs to create new, faster access rules and processes for safe users of NHS data; ensure all TREs publish logs of all activity, to build public trust.

Map all current bulk flows of pseudonymised NHS GP data, and then shut these down, wherever possible, as soon as TREs for GP data meet all reasonable user needs.

Use TREs – where all analysts work in a standard environment – as a strategic opportunity to drive modern, efficient, open, collaborative approaches to data science.

Information Governance

Rationalise approvals: create one map of all approval processes; require all relevant organisations to amend it until all agree it is accurate; de-duplicate work by creating a single common application form (or standard components) for all ethics, information governance, and other access permissions; coordinate shared meetings when approval requires multiple organisations; have researchers available to address misunderstandings of their project; build institutions to help users who are blocked; recognise and address the risk of data controllers asserting access monopolies to obstruct competitors; publish data on delays annually; ensure high quality patient and public involvement and engagement (PPIE) is done.

Address the problem of 160 trusts and 6,500 GPs all acting as separate data controllers. Do this either through one national organisation acting as Data Controller for a copy of all NHS patients’ records in a TRE, or an ‘approvals pool’ where trusts and GPs can nominate a single entity to review and approve requests on their behalf.

Review the National Data Opt Out Policy after TREs are established

Revise the definitions of ‘anonymous’, ‘identifiable’ and ‘linked’ data; add a new category of ‘pseudonymised but re-identifiable’

Ethics, Participation & Trust

Provide researchers with easy access to practical guidance, and examples of best-practice PPIE

Have a frank public conversation about commercial use of NHS data for innovation, but only after privacy issues have been addressed through adoption of TREs; ensure the NHS gets appropriate financial return where marketable innovations are driven by NHS data, which has been collected at great cost over many decades; avoid exclusive commercial arrangements.

Workforce & Ways of Working

Promote and resource ‘Reproducible Analytical Pathways’ (RAP, a set of best practices and training created in ONS) as the minimum standard for academic and NHS data analysis: this will produce high quality, shared, reviewable, re-usable, well-documented code for data curation and analysis; minimise inefficient duplication; avoid unverifiable ‘black box’ analyses; and make each new analysis faster.

Ensure all code for data curation and analysis paid for by the state through academic funders and NHS procurement is shared openly, with appropriate technical documentation, to all data users. Data preparation, analysis and visualisation is complex technical work, requiring collaboration by many individuals, who may never meet, in a range of organisations, across the NHS and other sectors. The only way to manage this shared complexity is by sharing information, as in other technical fields.

Recognise software development as a central feature of all good work with data. UKRI/NIHR should provide open, competitive, high status, standalone funding for software projects and developers working on health data. Universities should embrace research software engineering (RSE) as an intellectually and academically creative collaborative discipline, especially in health, with realistic salaries and recognition.

Bridge the gap between health research and software development: train academic researchers and NHS analysts in contemporary computational data science techniques, using RAP where appropriate; offer ‘onboarding’ training for software developers and data scientists who are entering health services research and epidemiology; use in-person and online training; make online resources openly available where possible.

Response to Data Bill Consultation

Information Governance

The government’s new data protection rules will be focused on outcomes to reduce unnecessary burdens on businesses.

This bill will remove the UK GDPR’s prescriptive requirements giving organisations little flexibility about how they manage data risks - including the need for certain organisations, such as small businesses, to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments. It means a small business such as an independent pharmacist won’t have to recruit an independent DPO to fulfil the requirements of UK GDPR, provided they can manage risks effectively themselves, and they will not have to fill out unnecessary forms where the risk is low.

The same high data protection standards will remain but organisations will have more flexibility to determine how they meet these standards.

The ICO will have new objectives which will give Parliament and the public better ability to hold the regulator to account. Currently, UK GDPR does not provide the ICO with a clear framework of objectives and duties. It is instead obliged to fulfil a long list of tasks. Clearer objectives to prioritise its activities against and a more modern governance framework will better equip the ICO to fulfil its role and bring it in line with the best practice of other regulators.

The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance. The Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to Parliament. This will bring the ICO in line with other UK regulators, such as the Electoral Commission and strengthen the accountability of the privacy watchdog when it makes legal rules.

The reforms will further cement the UK’s position as a science superpower by simplifying the legal requirements around research so that scientists are not needlessly impeded from using data to innovate and make major breakthroughs. This removes the need for them to have the ultimate purpose of their research project finalised before collecting data. For example, scientists will be able to rely on the consent a person has given for their data to be used for ‘cancer research’ as opposed to a particular cancer study

Response to MHRA Consultation

Platforms, Privacy & Security

Cyber security - our policy position is to include cyber security as an essential requirement (for Software as a Medical Device).

Data protection, privacy, or confidentiality - we will work closely with the Department for Digital, Culture, Media & Sport (DCMS), Information Commissioner’s Office, the National Data Guardian, and the Health Research Authority to ensure that patient data is protected (in Software as a Medical Device)

Conclusion

This brief overview makes it clear that once the information, recommendations, and commitments in each of the myriad documents have been synthesised it becomes evident that, even if the exact nature of how varies between the four data use cases, the what of the overarching strategic aims remains fairly consistent throughout:

  • Reduce the number of places data is collected, stored, and disseminated.
  • Make data accessible to trusted individuals, teams, organisations, and businesses (where appropriate) via a smaller number of platforms
  • Upskill the [clinical], analytical, academic, and senior management communities to ensure they are all capable of working in a modern, open, collaborative fashion and all have the required digital and data literacy.
  • Put in place legislation, standards, and mechanisms that ensure [NHS] data cannot be monopolised and is instead made readily accessible (in a secure fashion) for those who need it
  • Put in place legislation, standards, and mechanisms that ensure meaningful transparency and accountability over how data is used
  • Standardise the ways in which [patients] and publics are informed and involved in all uses of [NHS] data to ensure all uses are socially acceptable as well as legally compliant.

Of course there are some areas where the how of one use case appears to contradict with the how of another. Similarly, there are some areas where the how is more detailed than others. This is natural, and to be expected, when an extremely important area of policy is undergoing such a rapid and intense period of development and change.

The important thing is that at least we now know where we are going.

To people outside the policy community this stuff can feel overwhelming and confusing, we have produced this Bennett OpenView to:

  • Draw together the raw text of these documents by topic using their own words
  • Write an accessible summary in our words by themes and topics
  • To provide an accessible description of what these types of policy documents are used for in the wider system