Transparency notice for faster data flow acute data (pilot)

NHS England’s Pilot Faster Data Programme aims to create daily collections of patient data from acute care settings (the Providers). To do this, NHS England and the Providers are using Foundry, a Palantir product, which will pull data into the NHS England Greater East Midlands Data Services for Commissioners Regional Office (GEM DSCRO) from the Providers. The Pilot Faster Data Flow Acute Data Set is targeting admission, inpatient, discharge and outpatient activity in acute settings. 

Daily collections from acute providers will allow for early identification of issues such as increasing waiting times to be admitted, or delays in patients being discharged from hospital. This will result in faster and more efficient operational decisions to resolve issues and support the emerging crisis of increasing waiting times for elective care, such as responding quicker to increased localised demand by making effective use of independent sector capacity. The data will also be used to drive improvement within the NHS, through using consistent measurement of performance and working with regions and systems to understand and address the reasons behind performance variation.

We have been given a legal document, called Directions, from the Secretary of State for Health and Social Care which requires NHS England to collect this data. The Directions create a legal obligation for our processing. NHS England has been directed to undertake this work under section 254 of the Health & Social Care Act 2012 (HSCA 2012). These Directions are known as the Data Services for Commissioners Directions 2015. Under the UK General Data Protection Regulation 2016 (UK GDPR), NHS England is the controller of your personal data where we are directed to process personal data.

The following legal bases apply to NHS England’s processing of the Pilot Faster Data Flow Acute Data Set:

NHS England has considered the Common Law Duty of Confidentiality and determined for:

• collection and analysis of the Pilot Faster Data Flow Acute Data Set, NHS England has a statutory obligation by way of the Directions
• the provision of the Pilot Faster Data Flow Acute Data Set by Providers to NHS England, they will have a legal obligation to provide the information by way of a Data Provision Notice, in accordance with section 259 of the H&SCA 2012

For each patient, we collect their:

• NHS number
• date of birth
• postcode of their usual home address
• information about their admission, inpatient stay and discharge from hospital plus any outpatient appointments and visits

Patient level identifiable data will be collected daily by NHS England Gem DSCRO. The data will be collected using an NHS England instance of Palantir’s Foundry platform. For the provision of Foundry to collect the data, Palantir will act as a processor. Palantir will not have access to the identifiable data collected.

On receipt of the data, GEM DSCRO will pseudonymise the data by adding a Token Person ID, which is a unique reference number that allows us to remove patient identifiers (NHS Number, date of birth and postcode), but still be able to link data in this collection to the same patient’s data in another dataset held by NHS England.

Where possible an automated process collects the data and transfers it to NHS England.

NHS England will only share information with Integrated Care Boards and the Hospital Trusts that provided the data.  

Any request by these organisations for access to the record level data must apply for the data through NHS England’s Data Access Request Service (DARS), and enter into a Data Sharing Agreement. In addition to DARS, if necessary the examination of the application will include independent scrutiny from the Advisory Group for Data (AGD). AGD also makes general recommendations or observations to NHS England about our processes, policies, and procedures to ensure they are appropriate for governing the receipt, processing and publication of data that does not compromise confidentiality and maximises the use of information.

Before sharing the data, it will be anonymised in line with the ICO’s Anonymisation Code of Practice. The disseminated data is de-personalised but includes a Token Person ID which allows it to be linked to other datasets held by recipients. 

The data will be used to support and accelerate the recovery of elective waiting lists and waiting times and is aligned with NHS England elective recovery plan published in February 2022 which aims to transform services by harnessing the potential of data and technology. NHS England has committed £2.1 billion to modernise digital technology and improve the frequency and use of the data to redesign care pathways. NHS England want to focus on areas that use data to drive better clinical and operational decision making and in doing so free up clinical time and reduce barriers to collaborative working. 

The data will support all stakeholders by providing a number of benchmarking opportunities to improve efficacy of patient care and will help to identify best practice to drive organisational and clinical improvement as well as gaps in service provision and to accelerate recovery of elective waiting lists and waiting times. It will also support better commissioning of services to support patients’ onward care with the most appropriate care.

NHS England treats all patient data with great care and has rules relating to privacy, security and confidentiality which are closely followed, including the National Data Guardian’s Caldicott Principles. 

NHS England has considered the Common Law Duty of Confidentiality and determined for:

• NHS England to disseminate: Common Law Duty of Confidentiality does not apply to data which is not identifiable in the hands of the recipient, so the data does not include identifiable data, or the data is de-personalised and not owed a duty of confidence
• recipient to receive data, the Common Law Duty of Confidentiality does not apply because either, the data does not include identifiable data, or data supplied is anonymous, or is de-identified

We will retain your personal data for as long as is necessary for the purposes outlined above in accordance with the Records Management Code 2021 and NHS England’s Records Management Policy.

This data will be stored within the UK. Within NHS England, the identifiable data will be in our GEM DSCRO infrastructure which uses a mix of cloud applications and applications installed on the virtualised infrastructure. The Foundry platform with be used within the GEM DSCRO infrastructure to collect the data but Palantir staff will not have access to the data. The pseudonymised data which will be used for analytical purposes will be stored within our Unified Data Access Layer (UDAL).

We follow the NHS England cloud security – good practice guide, as well as best practices for security and deployment.

You can read more about the health and care information collected by NHS England, and your choices and rights in:

• how we look after your health and care information
• NHS England general Transparency Notice
• how to make a subject access request

The National Data Opt-Out introduced on 28 May 2018 enables patients to remove consent for their confidential (identifiable) NHS data to be used for research or planning purposes.

The Directions provide the legal basis for this collection, and NHS England will issue Data Provision Notices under Health and Social Care Act 2012 section 259 to each provider.  The Data Provision Notice is a legal obligation which the providers must comply with. Therefore, we are able to collect your confidential patient information even if you have registered a National Data Opt-Out, because the opt-out does not apply if we are legally required to collect your data.

However, if you have opted out, we will not share your confidential patient information with other organisations for research and planning purposes, unless there is an exemption to this. You can find out more about where your choice does not apply on the NHS website. You can find out more about opting out of sharing your health records.

No confidential patient information under this collection will be shared and therefore the National Data Opt-outs does not apply. 

Our Data Protection Officer is Jon Moore, who can be contacted at [email protected].

NHS England may make changes to this Transparency Notice. If so, the published date below will also change. Any changes to this notice will apply immediately from the date of any change.