Secure Data Environment: Department for Health and Social Care access to the NHS England Secure Data Environment

The Department for Health and Social Care and the NHS in England made a commitment in Data Saves Lives, the data strategy for health and social care, to move to a system of ‘data access as default’ for the secondary uses of NHS health and social care data. 

This positive step will see the gradual reduction of ‘data sharing’ to a system of primarily ‘data access’ through secure, online platforms. This change will be supported by the implementation of Secure Data Environments (SDEs) across the NHS in England, including the NHS England SDE. 

As part of this transition to Data Access as default, the Department for Health and Social Care (DHSC, the 'Department') is committed to moving its analysis of health and care data into the NHS England SDE. This builds on other recent use cases and organisations who have already successfully shifted towards data access. 

Moving departmental analysis towards a model of ‘data access’ through the NHS England SDE will bring major improvements in security and transparency, while supporting a greater use of modern data science tools, such as R and Python programming, and will enable ‘Reproducible Analytical Pipelines’.

This document provides transparency on the proposed approach as well as the principles this process will adhere to.

Transitioning Department for Health and Social Care towards using the NHS England Secure Data Environment

The Secretary of State for Health and Social Care has overall responsibility for oversight of NHS delivery and performance and oversight of social care policy. The Department supports the Secretary of State for Health and Social Care in ensuring these responsibilities are met, including through the work of around 450 DHSC analysts that provide a critical function to analyse evidence and support informed policy making, crisis management and strategic planning. 

These analysts rely on secure and timely access to NHS and other health and care data sources to provide informed advice. After an assessment of the Department’s data analysis needs in 2022, such as the data needed, the funding available, and speed of access required, the NHS England SDE was deemed the most practical solution to utilise.

The NHS England SDE is a secure data and research analysis platform. It is part of the NHS Research SDE Network across England and designed to operate as a consistent service with the other elements of the network, supported by a unified Community of Practice. This network is jointly funded by NHS England, DHSC and the Department for Science, Innovation and Technology (DSIT) to make health and care data more accessible and linkable.

Only approved researchers are given controlled access to the environment, which follows the Five Safes Framework to ensure data is accessed and used in a secure and responsible way.

Utilising existing NHSE infrastructure will bring clear benefits to data security. Compared to the Department building its own platform, it is a better use of public money and will accelerate the pace of delivery and implementation. 

How departmental access to the NHS England SDE will be delivered

In this relationship, NHS England will continue to hold overall responsibility for the platform and maintain ultimate information governance responsibility. In the majority of cases, the Department will use the NHS England SDE in the same way as all other users as outlined on the 'access the SDE webpage’. However, recognising the responsibilities of the Secretary of State for Health and Social Care and their accountability to Parliament and the unique way that the Department needs access to data to support ministers in delivering those functions, NHS England has agreed to delegate some oversight functions to DHSC including output checking. 

Situations where delegation occurs will not be the norm, but are expected to include highly time-sensitive requests where data is needed for a decision quicker than standard 48hr turnaround times, or where repeat analysis occurs that doesn’t require duplicative checking, for instance to create visual data dashboards.

The key place that delegation will occur is output checking a proportion of research and analysis outputs from the NHS England SDE (for example, making sure only non-identifiable analysis leaves the SDE). DHSC will take responsibility for these outputs instead of the usual NHS process, but will be held to the same standards.

In these instances, NHS England will delegate output checking tasks to a dedicated Department team to carry out on their behalf for these DHSC uses. The team carrying out checks will not directly report into ministers or be carrying out analysis for results they would be checking. NHS England will retain overall responsibility for the service and information governance and will audit the work of the Departmental output checkers. For requests which do not meet the above criteria, NHS England will continue to check the outputs under its standard processes. 

Transparency and engagement

The approach for SDE access described in this document has been developed through close collaboration between DHSC and NHS England teams; including technical, information governance and policy considerations. Transitioning Departmental analysis of NHS data into the NHS England SDE has received widespread support, in particular from public and patient representatives at the Health Data Patient and Public Engagement and Communications Advisory Panel, as well as the NHS England Advisory Group for Data. The minutes for these meetings can be found on our website.

The Department is committed to high standards to demonstrate transparency and improve public trust in how it accesses and uses data. The Department’s use of data will continue to comply with the Five Safes framework outlined in the SDE Guidelines, including requiring output checking and publishing a data uses register.

The following policy principles have been developed to ensure clarity on how the Department’s access to the NHS England SDE will be implemented:

1. The process for the Department’s delegated access must be compliant with Data Access policy, the SDE guidelines and Five Safes framework
2. Any DHSC-specific processes must be proportionate, justified and auditable
3. Any revisions to this approach outlined must be transparent and communicated clearly
4. That this approach applies only to DHSC’s use of the NHS England SDE, and not to other clients or platforms. Any changes to this will be considered in time.

Principle 1: The process for the Department’s delegated access must be compliant with Data Access policy, the SDE guidelines and Five Safes framework

This team will perform output checking consistently with the NHS England process, and any checks will be performed in line with the Data Sharing Agreement between NHS England and DHSC. NHS England will retain legal responsibility for the service, as well as ultimate information governance responsibility relating to the NHS England SDE.

DHSC will only be able to access pseudonymised and anonymous data and will maintain a robust process to check that the outputs protect patient confidentiality.  

As part of our commitments to ensuring SDEs are in line with the Five Safes framework, as set out in our Policy Guidelines, output checking is a required part of operating an SDE. There will continue to be a standard output checking process for all customers of the NHS England SDE, which will apply to any DHSC outputs not delegated under this agreement.

NHS England retains responsibility for all outputs leaving the environment.

NHS England’s processes will ensure that any outputs do not contain identifiable data, including ensuring that small numbers are supressed and that no data in an output could inadvertently identify someone.

Principle 2: Any DHSC-specific amendments must be proportionate, justified and auditable

DHSC analysts accessing health and care data have clear accountability through the various professional bodies, including:

•    The Government Statistical Service (Competency framework for the Government Statistician Group)
•    Operational Research (Competency framework for Operational Research)
•    Economics (GES Technical Framework)
•    Social Research (The Government Social Research Technical Framework)

All statistics producers are bound by standards outlined in the Code of Practice for Statistics. This code upholds the pillars of value, quality and trustworthiness and if any of these are breached, the Heads of Profession in the Department will be notified.

This means that delegation of certain tasks from NHS England does not mean any lowering of accountability, scrutiny or standards. 

The Secretary of State for Health and Social Care uniquely has overall responsibility for oversight of all NHS delivery, performance and social care. In certain instances, for example those outlined earlier in this document, this responsibility justifies some delegation of output checking to DHSC for speed and efficiency. 

There will be Governance processes in place to ensure the Department and NHS England have oversight of this delegation, and it remains proportionate to the requirements. In the majority of cases, the Department will continue to use the NHS England SDE in the same manner as other users, including output checking.

NHS England will regularly audit and assure Departmental output checking. DHSC will adhere to best practice principles and publish code within the NHS England SDE to facilitate auditing processes. By having DHSC undertake output checking it will ensure high standards remain in output checking processes while also reducing the administrative burden on NHS England.

While other researchers may be able to justify high security and accountability levels, the DHSC has a unique use case in the SDE, using data to make timely national policy decisions and to report the performance of the NHS to Parliament.

We do not expect other platforms or customers have such a justification, but this will be kept under review and policy changes made accordingly in the future.

Principle 3: Any revisions to this approach outlined must be transparent and communicated clearly

NHS England will maintain an overarching transparency statement on their SDE webpages that covers the use of the platform by DHSC analysts, modifying with any substantive changes to policy and processes. 

As part of this statement, NHS England will ensure it is clear that this direction has been decided in a joint partnership between these organisations and that NHS England maintains sufficient controls in order to ensure it is content with data releases being secure. 

The Department will continue to publish a record of analytical activities it undertakes relating to production of official statistics and, via NHS England, will also maintain a Data Uses Register. The Data Uses Register lists the datasets DHSC have access to within the Data Sharing Agreement, as well as detailing objectives, processing activities and expected outputs and benefits from analysing these data. 

This publication sets the standard for future communication on how DHSC will access the NHS England SDE. Any significant changes to this arrangement, or broadening of the policy, will be engaged upon and published as part of the Department’s ongoing iterative and transparent approach to data access policy making.

Principle 4: This approach applies only to DHSC’s use of the NHS England SDE, and not to other clients or platforms

This change is specific to DHSC’s business needs using the NHS England SDE. At this point in time no other platforms in the NHS Research SDE Network should implement similar delegated access controls for DHSC or any other customers, although we will keep this under review and provide additional guidance, as necessary.

Conclusion

This partnership is a positive step forwards in increasing the security, transparency and capability of a critical part of the Department’s functions. Utilising the NHS England SDE will allow DHSC to maximise use of a flexible service model, increasing the speed this transition can take place and ultimately present better value for money. 

It demonstrates DHSC’s commitment to leading by example in the transition to ‘data access by default’, setting the tone for other health and care data users to continue their transitions to using Secure Data Environments.

While there are minor delegations, we have ensured these are proportionate, legal and ultimately have support from patients and the public through broad engagement and co-development with experts. 

As data access policy continues to be developed in an iterative and phased way we will publish updates to this policy, including where we expect changes in scope or process.

Definitions

The below definitions have been developed to provide clarity when reading the above document:

a. 'Data Access Policy': the development of national policy to move to a system of 'data access as default' for secondary uses of NHS data, facilitated by the implementation of Secure Data Environments (SDEs).  The use of data for research and analysis already happens – Data Access Policy will not change existing rules regarding data controllers, processors and accessors. The policy will change the mechanism for how this happens, that is predominantly via SDEs. Technical architectural information about the design and implementation of SDEs beyond the SDE Policy Guidelines is out of scope for Data Access Policy.

b. 'NHS Research SDE Network': this refers to the platforms funded by the Data for Research and Development programme, namely the NHS England SDE and a small suite of regional platforms with England-wide coverage. This will be the primary route to access NHS data for research purposes.

c. 'NHS data': where the data has been generated within the NHS and the NHS has responsibility for the data.

d. 'SDE accreditation': the definition of a long-term model for overseeing and assuring SDEs hosting and providing access to NHS data for research. 'Output checking' or ‘Safe outputs’: one of the principles described in the Five Safes frameworks. All information must be checked before it leaves a secure data environment, including data, code, tools, and any other outputs. The principle of safe outputs makes sure that the results of analysis contain only aggregated, non-identifiable results that match the approvals of users and their projects. 

Secure Data Environment

The Secure Data Environment (SDE) is a secure data and research analysis platform. It is part of an interoperable NHS Research Secure Data Environment network.

Data Access Policy guidelines

These guidelines set out expectations for how secure data environments will be used to access NHS health and social care data.

Data Access Policy update

The Data Access Policy update published on 12 October 2023.