Security and privacy

Security and the protection of people’s personal data are at the heart of the design and requirements of the NHS Federated Data Platform. We work closely with the National Cyber Security Centre, and all data is held in line with the Office for National Statistics Five Safes framework and NHS England’s secure data environment principles.

Five data safes

  1. safe people – individuals accessing the data are trained and authorised to use it appropriately
  2. safe projects – projects are approved by data owners for the public good
  3. safe settings – the environment prevents inappropriate access or misuse
  4. safe outputs – summarised data that leaves the environment is checked to ensure it protects privacy
  5. safe data – information is protected and treated to protect confidentiality

Find out more about security and the protection of people’s personal data.

Secure data environments

The Data Saves Lives Strategy includes a core set of commitments to move the NHS from a model of data sharing to one of data access through Secure Data Environments. These are data access and storage platforms that enable the use of NHS health and social care data in research and analysis.

We identify these platforms based on their primary users and requirements for access:

  1. The NHS Federated Data Platform is for the NHS, or those commissioned by the NHS, to access data for direct care and population health planning purposes.
  2. The NHS Research SDE Network is for external users and those conducting research to access data.

Both platforms will comply with the published Secure Data Environment guidelines.

Protecting your data on the NHS Federated Data Platform

The NHS Federated Data Platform has several measures in place to keep your data safe. These include:

  • Strong network security: firewalls filter, and intrusion detection systems monitor, all network traffic to and from the platform. This blocks unauthorised access and detects suspicious activity
  • Data encryption: all data on the platform is encrypted, both when it is being transferred (in transit) and when it is stored on servers (at rest)
  • Purpose-based access: users only have access to the data they need to do their jobs. This minimises the risk of unauthorised access to sensitive information
  • Regular backups: backups of data are taken regularly and stored off-site, so that data can be recovered if a problem occurs
  • Detailed logging and monitoring: all user activity on the platform is logged and monitored for suspicious activity. This helps to identify potential security breaches quickly and maintains a full audit trail. Security logs are encrypted and stored securely
  • Regular security testing: the platform undergoes regular penetration testing and vulnerability scanning to identify and fix weaknesses in its security
  • Development lifecycle: all changes to the product or platform go through a controlled process of development, testing, quality assurance and change management before they are released. This helps to prevent errors and problems
  • Live service monitoring: live services teams monitor the product or platform 24/7 to quickly identify and fix any issues that arise
  • Business continuity: plans are in place to deal with unexpected events and minimise any disruption to the product or platform. This includes arrangements with partner organisations.

Overall, these security measures work together to protect your data. Find out more about how we are protecting privacy and confidentiality.