Transparency Notice for Secondary Care ePMA Data Collection 2024

This Transparency Notice covers the data we collect for the electronic Prescribing and Medicine Administration (ePMA) systems from health care services in England.  

It covers:

• why we collect information about you (we call this 'personal data')
• what we do with it, including who we share it with
• how long we keep it for and where we store it
• our legal basis for using it
• what your data protection rights are

Read more about how NHS England uses personal data to improve health and care.

From 13 January 2025, NHS England will collect medicine data every week from each secondary care provider (typically hospitals) in England who use a computer system to record the medicines they give to patients. These computer systems are known as electronic Prescribing and Medicine Administration (ePMA) systems. We are also collecting data backdated to 1 June 2018 (or from the point ePMA systems first started to be used if after this date).

This collection will initially be from the hospital’s main ePMA system which covers the majority of their wards. We may extend the collection to other ePMA systems used in hospitals for different specialities such as cancer, dialysis, intensive care, maternity, and ophthalmology.

The purposes of this data collection are:

• to establish a collection of patient-level (identifiable) data for medicines prescribed and administered in secondary care providers (such as hospitals) in England when this is recorded on their ePMA systems
• NHS England will make the data available for planning, commissioning, analysis and research purposes to organisations with a lawful basis
• NHS England will assess each provider’s data coding and will send data quality reports back to each hospital about how well they are following the NHS standard for recording medicines and devices used in their computer systems. This standard is called the dictionary of medicines and devices (dm+d). These reports will not identify any patients

This collection will start on 13 January 2025 and NHS England will continue to consult and engage with people to develop this transparency notice as we prepare for this collection.

Under data protection law, NHS England is the ‘controller’ for the ePMA collections. This means that we make decisions about what personal data we need to collect and how we will use your data to run the data collection.

Every week we will collect from each provider data for the preceding 7 days. Shortly after each provider’s first weekly collection has started we will arrange for collection of historical data back to 1 June 2018. (If a provider started using ePMA in September 2019 we backdate the collection to then, if they started using ePMA in 2014 we backdate to no earlier than 1 June 2018).

For each patient we collect:

• NHS Number
• information about medicines that have been prescribed and given to them; whilst in hospital, when being discharged back to the care of their GP, and when they are being treated as outpatients. 

On receipt of the data we:

• using the NHS Number, we add date of birth, post code, registered GP and gender from our Personal Demographics Service. This enables a patient's age, Integrated Care Board/Local Authority area and statistical values such as deprivation index, lower layer super output area to be derived
• check for restricted medicines relating to human fertilisation and embryology, and sensitive medicines relating to sexually transmitted diseases. If any are found we remove the NHS Number, so it is not possible to trace prescribing or administration of those medicines to individual patients. (More information about this subject can be found in the Directions Requirements Specification or Data Protection Impact Assessment)
• add a placeholder for Token Person ID which is a unique reference number that allows us (before the data is viewed/accessed) to remove NHS Number, but still be able to link data in this collection to the same patient’s data in another dataset held by NHS England

The data collection (particularly the historic) may include data relating to individuals that are deceased. Enabling health organisations to analyse records for patients that have not survived treatments could assist in identifying what part medicines have played, as well as contributing to the overall usefulness of the information we can offer for analysis and research.

We have been issued a legal document, called Directions, from the Secretary of State for Health and Social Care which places a legal obligation on NHS England to collect and analyse secondary care ePMA data. These Directions are issued to NHS England under section 254 of the Health and Social Care Act 2012 and are called the Secondary Care ePMA Directions 2024.

Under the UK General Data Protection Regulation (UK GDPR), NHS England is the controller of your personal data where we have been told to collect and use your data by law (we have a legal obligation). We are also a joint controller with the Department of Health and Social Care, which is a government department the Secretary of State for Health and Social Care holds responsibility for.

Where we share data, NHS England is usually the sole controller, unless we have been directed to share the data by the Secretary of State in which case we will be joint controllers with the Department of Health and Social Care.
NHS England’s legal basis under the UK GDPR and Data Protection Act 2018 (DPA 2018) is:

• Article 6(1)(c) - Legal obligation (the Secondary Care ePMA Directions 2024)
• Article 9(2)(h) – Healthcare purposes, plus Schedule 1, Part 1, paragraph 2 (health or social care purpose) of DPA 2018 

NHS England’s Common Law Duty of Confidentiality legal basis is:

• legal obligation (the Secondary Care ePMA Directions 2024)
• NHS England also issues the hospitals in scope of this collection with a legal document called a Data Provision Notice under section 259 of the Health and Social Care Act 2012. This places a legal obligation on the hospitals to provide the data to NHS England without breaching the Common Law Duty of Confidentiality

NHS England will share data with organisations who have a lawful basis and need to access secondary care medicine data to support improvements to health outcomes.  

From 13 January 2025 data will be available to:

• NHS England to support them to carry out their statutory functions regarding the monitoring of medicines. The data will be de-personalised (NHS Number is removed), but will contain Token Person IDs (a unique reference number) which allows us to link the data in this collection to the same patient’s data in another dataset held by NHS England, if that is required for the analysis. NHS England treats all patient data with great care and has rules relating to privacy, security and confidentiality which are closely followed, including the National Data Guardian’s Caldicott Principles
• the secondary care provider (such as a hospital) that provided the original data to NHS England. This is in the form of a simple report for data quality purposes and to provide feedback regarding their adoption of the dictionary of medicines and devices standard (dm+d). No patient identifiable data or Token Person IDs are included in this report
• all other organisations that wish to access this data must obtain approval from NHS England’s Data Access Request Service. In addition to the Data Access Request Service requests to access ePMA data might receive independent scrutiny from the Advisory Group for Data (AGD). The AGD also makes general recommendations or observations to NHS England about our processes, policies, and procedures to ensure they are appropriate for governing the receipt, processing and publication of data that does not compromise confidentiality and maximises the use of information

Only the minimum amount of data necessary to achieve the relevant health and social care purpose will ever be shared (this is called data minimisation), and usually no personal data will be included. We expect that to protect patient confidentiality most approved requests to access the data will be anonymous or de-personalised (pseudonymised) information:

• anonymous view – we only include the medicine data and not any information that identifies an individual. This anonymous view enables only simple use cases to be answered, for example ‘How does opiate prescribing vary between hospitals?’
• de-personalised (pseudonymised) view – we include the medicine data as well as age, gender*, and other fields. This is information that does not easily identify an individual, because personal identifiers have been removed. However, the information is still about an individual person and so needs to be handled with care.  This de-personalised view allows complex use cases to be answered, including by using information from other datasets, for example ‘Analysis of different hospitals to see whether there is variety when prescribing pain-relief after hip replacement surgery for patients aged 75 or over’ 
• identifiable view - NHS England can only share data that identifies a person under strict criteria and it must be approved by the Data Access Request Service. This would be for use cases where individual patient consent has been obtained or where the healthcare organisation can receive the data by law.

More information about what these terms mean can be found on the Understanding Patient Data website.

The Directions for this collection stipulate this data can only be accessed through a Secure Data Environment. This is to align with the strategy document Data saves lives: reshaping health and social care with data (Data Saves Lives) published in June 2022 which mandates the use of Secure Data Environments for NHS data. 

In Secure Data Environments a range of built-in tools allow users to interrogate, analyse and visualise data. This is a highly secure computing environment that provides remote access to data by health organisations. It closely controls who accesses the data and ensures that nothing is brought into or removed from the environment.

NHS England provides a Secure Data Environment which organisations can use to access data. New NHS Secure Data Environments will be built by the NHS during 2024, in accordance with policy guidelines, a full technical specification, and accreditation regime, all of which are being produced as a result of 'Data saves lives' commitments. NHS England will only share data with Secure Data Environments that are approved environments which meet NHS England governance and assurance criteria and standards and this Transparency Notice will be updated to reflect further governance and assurance processes as this strategy is developed.

NHS England also has a number of legal powers under the Health and Social Care Act 2012 to share data with organisations where it is necessary for particular purposes.

Organisations must apply and gain approval through NHS England’s Data Access Request Service to access ePMA data.

Each application is assessed very carefully to make sure that the organisation:  

• has a legal basis to access the data
• will use the data for the benefit of health and care and for the agreed purposes only
• will handle and store the data securely 

We only share data which can identify you (identifiable data) if this is absolutely necessary and the organisation who has made an application for data cannot achieve their purpose without it. Where possible we remove information from the data which identifies you, or we replace it with a unique reference number (this is known as pseudonymisation). 

Each organisation we share data with must sign a Data Sharing Framework Contract and a Data Sharing Agreement and we carry out audits to check they are using the data as agreed.

We will also use the data to publish national statistics and data outputs that contain only anonymous data which cannot be used to identify individuals. We never publish any data that could identify you.

We publish all of our data releases on our data release register which details who NHS England has shared data with, for what purpose, and the expected benefits.

Where necessary, requests to access data includes independent scrutiny from the Advisory Group for Data (AGD).

The minimum retention period for ePMA data is 8 years after the closure of the Secondary Care ePMA project.

This retention period will be reviewed regularly to ensure that the data is only held as long as is necessary our purposes in accordance with the Records Management Code of Practice 2021 and our Records Management Policy. 

Other organisations we share your personal data with must only keep it for as long as is necessary and as set out in their Data Sharing Agreement. Information about this will be provided in their privacy notices on their websites.

This data will be stored within the UK.

Under data protection law, you have the following rights over your data for this collection: 

Your right to be informed

You have the right to be told how and why we are using your personal data.  We have published this transparency notice to provide you with this information.

Your right to get copies of your data

You have the right to ask us for copies of your personal data (right of access). For more information, see how to make a subject access request.

Your right to get your data corrected

You have the right to ask us to correct (rectify) your personal data if you think it is inaccurate or incomplete.

Your right to limit how we use your data

You have the right to ask us to limit the way we use your personal data (restrict processing) in certain circumstances.

To make a rights request, email us at [email protected].

Under section 258 of the Health and Social Care Act 2012, before establishing a new collection NHS England must consult with stakeholders. The Medicine Data for Secondary Uses workstream has consulted as detailed here:

The Digital Medicines Programme Data project team has developed a plan for communication and engagement with NHS organisations and patient groups which runs up to the 13 January 2025 collection start date.

The National Data Opt-Out, introduced on 28 May 2018, allows patients to opt out of their confidential patient information being used for research or planning purposes.

When NHS England collects ePMA data

If you have registered a National Data Opt-Out, NHS England can still collect your data under the Secondary Care ePMA Directions 2024. This is because the National Data Opt-Out does not apply where NHS England has a legal obligation to collect the data (see section 6.4 of the National Data Opt-Out Operational Policy Guidance for more information).

When NHS England shares ePMA data

For any data we share with other organisations through our Data Access Request Service, we will apply the national data opt-out in line with the National Data Opt-Out Operational Policy Guidance.

You can find out more about and register a national data opt-out or change your choice on nhs.uk/your-nhs-data-matters.

We will not share your identifiable patient information with other organisations for research and planning purposes, unless there is an exemption to this. You can find out more about where your choice does not apply and about opting out of sharing your health records on the NHS website.

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, contact our Data Protection Officer at [email protected].

If you are not happy with our response, you have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or through their website.

NHS England may make changes to this Transparency Notice. If so, the date on the page header will also change. Any changes to this notice will apply immediately from the date of any change.