Transparency Notice for Healthcare Operational Data flows for Acute data

NHS England is collecting and analysing information in order to implement automated granular daily data collections to replace and rationalise existing, less regular local and national data flows, and national aggregated data collections, called SitReps. This will reduce the reporting burden on providers and provide more timely data for the purposes of the NHS, to enable improved data insights to be obtained in order to support NHS delivery plans for the recovery of elective care and urgent and emergency care services. This would be in relation to recovering NHS waiting lists, care co-ordination and improvement in the quality and timeliness of healthcare operational data flows through the health and social care system.

The development and delivery of the acute data collection will:-

Enable local and national commissioners/decision makers with timely data about current acute patient activity for planning, benchmarking, service improvement, response to crisis, and to comply with their statutory duties; and

Make data available on a daily basis showing acute activity from the previous day to commissioners and at a national level with the ability to:

• inform decision making at a national and local level based on almost real time data flows, allowing commissioners to allocate or move resources and capacity to respond to local needs,
• give national views of system pressures to allow for planning and delivery of emergency or urgent response situations such as crisis bed capacity
• support the discharge of patients from acute care and make decisions on additional resource or alternative settings for patients with delayed discharges to create acute bed capacity for elective recovery and emergency patient admissions

An Acute Dataset pilot collection was originally introduced in March 2022 as a pilot and will now become the first national data collection. You can read more about the pilot collection.

The following legal bases apply to NHS England’s processing of the Healthcare Operational Data flows acute data collection:

We have been issued a legal document, called Directions, from the Secretary of State for Health and Social Care which places a legal obligation on NHS England to collect and analyse information to support NHS delivery plans for the recovery of elective care and emergency and urgent care in relation to recovering NHS waiting lists, care co-ordination and the improvement of managing patient flows through the health and care system. These Directions are issued to NHS England under section 254 of the Health and Social Care Act 2012 and are called the Healthcare Operational Data Flows Directions 2024. 

Under the UK General Data Protection Regulation (UK GDPR), NHS England is a joint controller with the Department of Health and Social Care, which is a government department the Secretary of State for Health and Social Care (Secretary of State) holds responsibility for.  This is because the Secretary of State and NHS England have jointly decided the purposes for processing personal data under the Healthcare Operational Data Flows Directions 2024 . NHS England is the sole controller that processes the data collected from Providers for this data collection and is also the sole controller that decides who data can be shared with.

NHS England’s legal basis under the UK GDPR and Data Protection Act 2018 (DPA 2018) is:

• Article 6(1)(c) - Legal obligation under the Directions
• Article 9(2)(g) – substantial public interest supplemented plus DPA 2018 Schedule 1, Part 2, para 6 - Statutory etc and government purposes
• Article 9(2)(h) – Healthcare purposes, plus DPA 2018 Schedule 1, Part 1, paragraph 2 (health or social care purpose)

NHS England’s Common Law Duty of Confidentiality legal basis is:

• Legal obligation under the Directions
• NHS England also issues the NHS Trusts in scope of this collection with a legal document called a Data Provision Notice under section 259 of the Health and Social Care Act 2012.  This places a legal obligation on the NHS Trusts to provide the data to NHS England without breaching the Common Law Duty of Confidentiality

Patient identifiable data is collected including: -

• NHS number
• date of birth
• postcode of their usual home address
• information about their admission, inpatient stay and discharge from hospital plus any outpatient appointments data

Patient level identifiable data will be collected daily and stored by NHS England Arden and GEM DSCRO (AGEM DSCRO). On receipt of the data, AGEM DSCRO will pseudonymise (de-identify) the data by adding a Token Person ID, which is a unique reference number that allows us to remove patient identifiers (NHS Number, date of birth and postcode), but still be able to link data in this collection to the same patient’s data in another dataset held by NHS England.

The pseudonymised (de-identified) data which will be used for analytical purposes, will be stored separately within our Unified Data Access Layer (UDAL) and our instance of the NHS England Federated data platform and will not be linked back to the identifiable data set.

NHS England will share information with Integrated Care Boards and the Hospital Trusts that originally provided the data.  

Subject to established NHS England governance procedures and approvals, data providers will be able to view their own data via products made available on the NHS England Federated data platform view (the View).  They will be able to view their data in three formats:

Data Quality Reports – Data quality reports to NHS Trusts (which do not identify an individual) through the viewer, will be provided to providers, on the data they have submitted, highlighting the coding errors. This will allow them to review the data quality and resubmit the data.  Providers can download their own aggregate data quality and metrics reports which will not include data about patients.

Aggregate level - Data may be viewed at provider level in aggregate form on the Federated Data Platform to enable individual NHS Trust providers and ICBs to monitor performance and outcomes across their own organisation(s)

Pseudonymised level – NHS Trusts and their associated ICBs may, subject to an appropriate legal basis, have access to pseudonymised (de-identified) data for their own patients and service users to support them in their duty of monitoring and managing the local system in partnership with their Integrated Care Boards. 

We will only share personal data where the organisation has a lawful basis to receive it and NHS England has a lawful basis to provide it.

Any request by organisations for access to the record level data must apply for the data through NHS England’s Data Access Request Service (DARS), and enter into a Data Sharing Agreement. In addition to DARS, if necessary the examination of the application will include independent scrutiny from the Advisory Group for Data (AGD). AGD also makes general recommendations or observations to NHS England about our processes, policies, and procedures to ensure they are appropriate for governing the receipt, processing and publication of data that does not compromise confidentiality and maximises the use of information.

The data will be used to support and accelerate the recovery of waiting lists and waiting times and is aligned with NHS England elective recovery plan published in February 2022 which aims to transform services by harnessing the potential of data and technology.

The long-term plan supported a major shift towards out of hospital care and the need to develop the data and digital infrastructure to support transformation more broadly.

NHS England has committed £2.1 billion to modernise digital technology and improve the frequency and use of the data to redesign care pathways. NHS England want to focus on areas that use data to drive better clinical and operational decision making and in doing so free up clinical time and reduce barriers to collaborative working. 

The data will support all stakeholders by providing a number of benchmarking opportunities to improve efficacy of patient care and will help to identify best practice to drive organisational and clinical improvement as well as gaps in service provision and to accelerate recovery of waiting lists and waiting times. It will also support better commissioning of services to support patients’ onward care with the most appropriate care.

NHS England treats all patient data with great care and has rules relating to privacy, security and confidentiality which are closely followed, including the National Data Guardian’s Caldicott Principles. 

We will retain your personal data for as long as is necessary for the purposes outlined above in accordance with the Records Management Code 2021 and NHS England’s Records Management Policy.

This data will be stored within the UK. Within NHS England, the identifiable data will be in our AGEM DSCRO infrastructure which uses a mix of cloud applications and applications installed on the virtualised infrastructure.

The pseudonymised data which will be used for analytical purposes will be stored within our Unified Data Access Layer (UDAL) and our instance of the Federated Data Platform.

We follow the NHS England cloud security – good practice guide, as well as best practices for security and deployment.

You can read more about the health and care information collected by NHS England, and your choices and rights in:

• how we look after your health and care information
• NHS England general Transparency Notice and its associated GDPR Record of processing entry 
• how to make a subject access request

The National Data Opt-Out introduced on 28 May 2018 enables patients to remove consent for their confidential (identifiable) NHS data to be used for research or planning purposes.

The Directions provide the legal basis for this collection, and NHS England will issue Data Provision Notices under Health and Social Care Act 2012 section 259 to each provider.  The Data Provision Notice is a legal obligation which the providers must comply with. Therefore, we are able to collect your confidential patient information even if you have registered a National Data Opt-Out, because the opt-out does not apply if we are legally required to collect your data.

If you have registered a national data opt out, we will not share your confidential patient information with other organisations for research and planning purposes, unless there is an exemption to this. You can find out more about where your choice does not apply on the NHS website. You can find out more about opting out of sharing your health records.

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, please contact our Data Protection Officer. 

If you are not happy with our response, you have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or through their website

NHS England may make changes to this Transparency Notice. If so, the published date below will also change. Any changes to this notice will apply immediately from the date of any change.