How we are protecting privacy and confidentiality

NHS England takes its responsibility to handle health and care data lawfully, proportionately, ethically and in confidence very seriously, which is why privacy by design, is at the heart of the NHS Federated Data Platform (FDP).

As an organisation, the privacy and the protection of data is one of the overarching principles we are guided by when designing technology solutions.

We are protecting patient data in the following ways:

  • Strict access controls – only people who need to see patient data as part of their role in, or working on behalf of, the NHS will have access. As happens currently, there will be clear rules on who has access, what they can see, and what they can do. Access is strictly limited to the data needed by an individual to perform their duty. Permission is granted on a case-by-case basis by the data controller. Data Protection is enforced via the Data Protection Act 2018 and the UK General Data Protection Regulation. If an organisation doesn’t comply, the Information Commissioner’s Office (ICO) may need to take action against the company. Read more information on possible penalties.
  • NHS Privacy Enhancing Technology (PET) – A newly-bought tool that will provide an added layer of protection and accountability to data accessed via the NHS FDP. In the first instance, PET will register all data flowing into FDP and provide a clear audit functionality to show who has accessed data and for what purpose. The use of PET will evolve to also treat data and remove any identifiable information (de-identify) where and when required. This is expected to be by the end of Summer 2024.
  • Lawful use of data – All uses of data within the NHS Federated Data Platforms must be ethical, for the public good, and comply with all existing law including data protection laws. In line with UK GDPR, we make sure we adhere to the data minimisation principle, where only the minimum amount of data is processed fora specific purpose.
  • Respecting patient choice – The use of patient data within the NHS Federated Data Platform will always respect national opt-out policy and opt outs will be applied in line with the policy. The national data and type 1 opt outs do not apply to the data processed in the current Products on the platform under the policy. If that changes we will update this page and our privacy notices.

You can read more about all these elements in the sections below.

Privacy notices

Further information about how NHS England and other organisations may use data in the NHS Federated Data Platform and NHS Privacy Enhancing Technology can be found in the overarching privacy notices:

NHS Privacy Enhancing Technology

NHS Privacy Enhancing Technology (NHS PET) will provide a standard approach to enabling safe data access and use, including data treatment (identifying or anonymising data) and data protection. It is provided by a different supplier to the NHS FDP.

During the transition of Trust who have been piloting pilot products to the FDP; the focus of the integration will be the provision of the enhanced transparency functionality, PET will not process patient data. Data will continue to be kept safe and secure in the same way it currently is. Additional functionality will then be introduced as part of a phased approach, aligned to the relevant programme delivery milestones.  Any changes to the processing of data will require the privacy notice and Data Protection Impact Assessment documents to be updated and re-approved  prior to launch, as described in the FDP Information Governance Framework.

Access to data within the Federated Data Platform

Access to data must have an explicit aim to benefit patients and/or the NHS in England. Access to NHS health and social care data within the NHS Federated Data Platforms will be carefully controlled. Only authorised users will be granted access to data for approved purposes.

Where the appropriate data sharing agreements are in place, hospital trusts and Integrated Care Boards (on behalf of Integrated Care Systems) federated data platforms will be able to interact with one another – for example an ICS coordinating the discharge of patients from hospital to care settings within a geographical area.

Individual instances of the NHS Federated Data Platform will also interact with a national instance of the NHS FDP where appropriate. This could be to understand in real-time how many patients are in hospital, how long patients are waiting for critical treatments, and where pressure points are across the system. No confidential patient information will be in the national instance of the NHS Federated Data Platform.

Confidentiality

There will always be a valid lawful basis for the collection and processing of personal information (including special category information) within the NHS Federated Data Platform (FDP), as defined under data protection legislation. For example, a lawful basis for the collection and processing of personal information is where a clinician is providing direct care to a patient.

Other laws we must adhere to include:

Each NHS organisation will be the data controller for their instance of the NHS FDP. The use of the data will always remain under the full control and protection of the NHS. The supplier of the NHS FDP will only operate under the instruction of the NHS when processing data on the platform. The supplier will not control the data in the platform, nor will they permitted to access, use or share it for their own purposes. The contract has strict stipulations about confidentiality, and there is robust governance in place to monitor delivery and usage of the NHS FDP.

Data made available for analysis in the NHS FDP will protect patient confidentiality using techniques such as data minimisation and de-identification.

De-identification practices mean that personal identifiers are removed from datasets to protect patient confidentiality. This includes techniques such as aggregation, anonymisation, and pseudonymisation. The level of de-identification applied to data may vary based on user roles and requirements for accessing the data. This is in line with ICO (Information Commissioner’s Office) guidance.

Where the data being accessed is Confidential Patient Information, the requirements of the common law duty of confidentiality must also be met.

There are strict processes in place regarding data governance. This will include the completion of a Data Protection Impact Assessment (DPIA) and the creation of data sharing agreements and privacy notices. This process must be completed and approved prior to any data sharing commencing.

Data for direct care

Personal data for direct care (i.e. to manage diagnosis, to schedule a treatment or appointment, and to manage a patients discharge from hospital) will be required to be held in identifiable form. This does not mean that a user of an individual platform (such as a clinician, bed manager or discharge coordinator) could access a full health record using the platform; each user will only see the data required to carry out a specific task relating to a patient’s direct care. In this instance, the data controller would be the NHS organisation responsible for providing the patients care i.e. a hospital. The data held for this purpose would be held within the trust instance of their federated data platform, as such the data could and would not be used for any other purpose or in any other instances of the federated data platform.

Data for secondary uses

Where personal data is used for secondary purposes (this means that the use of the data is different to the purpose for which the data were originally collected) such as to plan and improve health and care services, de-identification techniques will be used to make it less identifiable. De-identification practices mean that some obvious personal identifiers like name or date of birth are removed from datasets to protect patient confidentiality, but the data remains personal data.

Linking data

In some cases, NHS Bodies may need to link data to understand what factors are driving poor outcomes in different population groups. For example, local Population Health Management teams often link data to understand current health and care needs and predict what local people will need in the future. Health problems are complex, and, in many cases, a single health issue may be influenced by interrelated social, environmental, and economic factors. By linking data, local health and care services can then design new proactive models of care. In this instance the data controller would be a local integrated care board (ICB) (on behalf of the Integrated Care System) or integrated care system (ICS) responsible for planning and commissioning services which meet the needs of their population.

Definitions:

Anonymisation

Anonymisation involves the application of one or more anonymisation techniques to Personal Data. When done effectively, the anonymised information cannot be used by the user or recipient to identify an individual either directly or indirectly, taking into account all the means reasonably likely to be used by them. This is otherwise known as a state of being rendered anonymous in the hands of the user or recipient.

Pseudonymisation

Has the meaning given in UK GDPR being the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

Opt-outs and the NHS FDP

Type one opt-outs

Type 1 opt-outs – Do not currently apply to Products used in the NHS FDP.

If this changes in the future because a new Product processes confidential patient information in a way which would mean that the Type 1 opt-out would apply, the relevant User Organisation would be responsible for ensuring that the Type 1 opt-out was applied and the FDP Privacy Notice would be updated to make this clear.

Find out more about Type 1 opt-outs.

National data opt-out

The national data opt out applies to all data which is used for secondary use purposes. This means that the use of the data is secondary to the purpose the data was originally collected for (such as direct care).

There is no specific patient opt out from data being shared into the FDP, as FDP is IT software bringing existing patient data together from a wide range of existing clinical IT systems to process it for the same purposes as it is currently being processed. This allows clinicians to plan and deliver care more efficiently to improve patient care.

The FDP will not initially be used to process identifiable data for purposes other than the individual care of patients. Any secondary use of data will be anonymised; therefore, the national data opt out does not therefore apply.

No further uses will be allowed without further engagement with public, patient and stakeholder assurance and advisory groups.

Any additional use must be supported by a clear legal basis and a data protection impact assessment, which is a legal requirement under the UK GDPR.

If, in the future, FDP is used for a purpose where the national data opt out does apply, then it will always be respected. This means that the records of patients who have registered a national data opt out will not be processed in the FDP for these purposes.

Where data is currently used for purposes other than the individual care of patients, for example, to plan NHS services, de-identified data is almost always used. Where de-identified data cannot be used for these purposes, patients have the right to opt out of their identifiable data being used in certain circumstances, through registering a national data opt out.