How we use de-identified personal data to support our Purpose: “To lead the NHS in England to deliver high-quality services for all”
Data analytics and NHS England’s purpose
Supporting NHS England’s Purpose
NHS England needs information to achieve its Purpose – To lead the NHS in England to deliver high-quality services for all. Our analysis of de-identified personal data relating to people’s NHS care is essential to providing us with much of this information.
Our purpose statement provides clarity on what NHS England is seeking to achieve. It drives both ‘what’ we do (how we add value and what our priorities are) as well as ‘how’ we operate (our values, behaviours and accountabilities, and structures). NHS England’s operating framework sets out what we will do to achieve our Purpose and how we will do it:
- enabling local systems and providers to improve the health of their people and patients and reduce health inequalities;
- making the NHS a great place to work, where our people can make a difference and achieve their potential;
- working collaboratively to ensure our healthcare workforce has the right knowledge, skills, values and behaviours to deliver accessible, compassionate care;
- optimising the use of digital technology, research and innovation; and
- delivering value for money.
Activities to deliver these, and all of our public tasks, are underpinned by functions and duties set out in legislation. Our statutory functions relate to, for example, the commissioning of primary care services, some secondary care services, and to the administration of screening services. A selection of our statutory duties from the NHS Act 2006 is set out below:
13C. Duty to promote NHS Constitution
13D. Duty as to effectiveness, efficiency etc.
13E. Duty as to improvement in quality of services
13F. Duty as to promoting autonomy
13G. Duty as to reducing inequalities
13H. Duty to promote involvement of each patient
13I. Duty as to patient choice
13J. Duty to obtain appropriate advice
13K. Duty to promote innovation
13L. Duty in respect of research
13M. Duty as to promoting education and training
13N. Duty as to promoting integration
13NA. Duty to have regard to wider effect of decisions
13NB. Guidance about discharge of duty
13NC. Duties as to climate change etc
13ND. Guidance about discharge of duty under section 13NC etc
13O. Duty to have regard to impact on services in certain areas
13P. Duty as respects variation in provision of health services
As a statutory organisation, NHS England is legally obliged to perform its functions and duties. We cannot perform them without a clear understanding of how the NHS is performing in relation to them. It is essential that we have information about all aspects of NHS services and its operating environment to achieve our Purpose.
Much of the information that we need can only be produced by analysing data obtained from providers of NHS care. The data that we analyse is de-identified or ‘pseudonymised’ personal data. This is data that relates to individuals, with, for example, information about the care they have received, but with no data items that identify them directly. NHS England may analyse this data to facilitate any of its statutory functions and duties. As the data is de-identified, people’s confidentiality is respected.
The Unified Data Access Layer (UDAL) is our main analytical environment. It is a secure de-identified environment, technically and organisationally segregated both from source environments holding identifiable data and from the environment in which pseudonymisation is performed. (Our legacy environments use the same processes.)
The general principle in UDAL is that users only have access to the data for which they require access. No data outside of “public” data is available to all users as standard. This public data includes published data as well as some additional internally derived reference data. It does not include any patient level data.
Access to UDAL for new users must be approved by line managers and the Data Operations team, led by the Information Asset Owner. Further approval and justification are required for access to the restricted pseudonymised datasets.
NHS England has a power to collect and analyse information from health organisations, when directed to do so by the Secretary of State for Health and Social Care, using powers under the Health and Social Care Act 2012. When acting under directions, NHS England may collect and analyse personal data, including confidential information, for purposes set out in the direction. When directed, NHS England has a power to require the provision of data by health providers.
When pseudonymised and transferred to our de-identified environments, the data may be analysed for purposes relating to any of our statutory functions or duties as described above, provided that this is not incompatible with the purpose for which the data was collected.
Merger with NHS Digital
In February 2023 NHS Digital merged with NHS England. NHS England acquired many of NHS Digital’s statutory powers and duties and has also become controller responsible for processing previously conducted by NHS Digital.
Before the merger, both NHS England and the Secretary of State for Health and Social Care could give a direction requiring NHS Digital to collect and analyse data from providers of NHS services.
When directed, NHS Digital could then require the provision of the data by these providers. This data could include fully identifiable personal data and confidential information. NHS Digital would then disseminate the data in pseudonymised form to NHS England for our analysis. The data processed by NHS England analysts was considered ‘anonymous in context’.
With the merger, the Secretary of State can make similar directions to NHS England, and all existing directions to NHS Digital are to be read as if given by the Secretary of State to NHS England. The consequence of this is that NHS England can collect and analyse fully identifiable personal data when directed to do so.
As NHS England is now responsible for the de-identification process, we now have the technical ability within the organisation to re-identify the data held in pseudonymised form. So, it can no longer be considered ‘anonymous in context’. To prevent re-identification and maintain confidentiality, NHS England must separate the processing of identifiable data collected under directions from the derived pseudonymised data held in our analytical environments.
To this end the Secretary of State has given the NHS England De-Identified Data Analytics and Publication Directions 2023. These require NHS England to put in place arrangements for the governance of ongoing processing of de-identified data that it previously obtained from NHS Digital and a framework for the future analysis, linkage and de-identification of data NHS England needs to access in the exercise of its functions in connection with the provision of health services.
As the directions mandate the processing by NHS England of de-identified personal data in support of its functions, the lawfulness of processing such data for any purpose that is “…not incompatible with the purpose for which the identifying data was obtained…” is explicit and transparent. This depends on the segregation of pseudonymised and identifiable environments as explained above.
The links below give access to directions given to NHS Digital by NHS England and the Secretary of State.
See also: Data Services for Commissioners
Sources of the data
The information may be collected by NHS England under directions, from any organisation that provides health services to the NHS, including NHS Trusts, NHS Foundation Trusts, GP Practices and other primary care providers and local authorities.
Categories of personal data
The details of the individual collections are specified in the directions. This may include records representing individual items of care, or summarised information including just numbers.
Where information about individual patients and their care is collected, this will usually include their NHS Number, other similar identifiers, postcode and date of birth. These are needed to make sure that the data is correct, and to allow linkage to other data. The data will include information about the health care received, administrative information, and may include ethnicity.
As described above, identifiable personal data collected under directions is pseudonymised and transferred to our de-identified environments for analysis.
Categories of recipients
Within NHS England, personal data collected under directions is processed by teams authorised to manipulate the data in identifiable form, to prepare it for the purpose set out in the direction. This processing may involve linkage to other datasets held by NHS England.
Data is released in pseudonymised form to NHS England’s de-identified environments, in accordance with the Analytics Directions described above. From here it may be accessed by analysts.
Data may be released in identifiable form only where there is an established legal basis, for example approval by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’) – see for example Assuring Transformation.
Data may be released to other organisations in a form that is anonymised in line with the Information Commissioner’s Anonymisation code of practice, or in identifiable form where there is an established legal basis. All requests for data from other organisations are dealt with by the Data Access Request Service.
Legal basis for processing
For UK GDPR purposes NHS England’s lawful bases for processing are:
Article 6(1)(c) – ‘…legal obligation…’ when acting under directions from the Secretary of State, and
Article 6(1)(e) – ‘…exercise of official authority…’ when processing in support of our statutory functions.
For the processing of special categories (health) data, the conditions may be one or more of Articles:
9(2)(h) – ‘…health or social care…’;
9(2)(i) – ‘…public health…’;
9(2)(j) – ‘…research purposes or statistical purposes…’.