Bennett Insights: An Overview of UK Data Policy Developments

Publish a Cyber Security Strategy for Health and Social Care to help all parts of the health and social care system build cyber security capabilities, resilience, clinical safety and accessibility (winter 2022)

Set out how we will enhance and extend existing national protections available through the NHS Security Operations Centre. These will include security monitoring, threat intelligence and national incident response coordination

In each ICS and NHS region, fund dedicated cyber staff to work alongside local NHS and social care organisations on managing cyber risk and ensuring compliance with nationally mandated cyber standards. Those staff will be supported through a national training programme and peer networks (2025)

Create a plan for the delivery of a national data registry, which will also encompass a review of imaging standards and a national architecture review. The National Data Registry will enable a clinician to view a person’s history at the point of care (September 2022)

Use clinical decision support systems in diagnostics to improve the provision of the most appropriate test at the right time, improve the safety and quality of care, and reduce the overall cost through the roll-out of iRefer. It is anticipated that it will be rolled out to 50% of trusts (by March 2023)

Roll-out of digital infrastructure that will enable diagnostic networks to make future use of AI to reduce repetitive tasks, increase the throughput speed of diagnostic results reporting and provide enhanced post-processing of imaging data sets (March 2024)

Harness the power of data for real-time management information and to provide insight on the opportunities for higher-quality and more efficient care across the system, with a focus on primary care and UEC. For example, interactive dashboards enable commissioners and providers to better understand their patients’ journeys from initial triage to health outcome (March 2025)

Develop a support offer specifically for frontline staff who work with IG, including: an IG transformation plan with practical tools to use in data-sharing situations, professional standards and training materials (December 2022); a new head of profession to lead on developing and executing the transformation plan, including competency frameworks, standards, job families and appropriate professional accreditation (from April 2022)

Publish an Information Governance Framework for Integrated Health and Care, part 2, and embed the information governance portal as the one-stop shop for help and guidance (December 2022)

Establish a data framework for adult social care, setting out what data the sector needs to collect, the purpose of those collections and the standards governing them, with a move towards client-level data collections and away from aggregate data collections (December 2022)

Continue to deliver digital boards leadership development for NHS and ICS boards in partnership with NHS Providers (ICS offer from summer 2022)

Work with NHSE’s People Directorate and HEE Technology Enhanced Learning and Digital Readiness Education teams to drive uptake of the staff app and Digital Skills Assessment Tool (summer 2022).

Continue to support regional Informatics Skills Development Networks to meet regionally specific digital, data and technology training needs

Develop an easily accessible data-sharing solution with local authorities and providers over the next 3 years that supports real-time decision making at local, regional and national levels, building on the learning from the pandemic, and seek to ensure different actors in the system have access to the same rich data sets – from June 2022

Agree a target data architecture for health and social care, outlining how and where data will be stored and accessed, starting with health (by July 2022) and then followed by social care – by September 2022

Publish the NHS Cloud Strategy, Principles and Policies to establish a more standardised and optimised approach to cloud adoption throughout the NHS – by June 2022

Deliver a target state that considers environmental impact through our cloud migration, and use of strategic cloud suppliers who have credible sustainability targets and roadmaps – by September 2022

Map the technical debt for national systems, and prioritise what must be addressed and completed through relevant programmes of work – by September 2022

Provide services to find and retrieve records from wherever they are created across health and social care – from June 2022

Improve our integration approach to scale APIs already being used by the market, starting with elective care – from May 2022 Improve the process of onboarding to national systems to increase uptake of national services and products such as the NHS number – from March 2022

Develop the roadmap for core NHS services using cloud technologies where appropriate – by March 2023

Build centres of excellence in the area of data architecture that focus on promoting best practices, support and training – by December 2022

Enhance the NHS service standard to provide more information on the right tools and technology that can be used to develop products and services – by December 2022

Establish a head of IG profession to ensure the development of competency frameworks, standards, job families and appropriate professional accreditation for information governance staff working in health and care – commenced from April 2022

Lead the development and implementation of information governance as part of a multidisciplinary function for informatics and champion the work of information governance professionals – by December 2022

Review the Data Security and Protection Toolkit and its language to bring it into line with our work to simplify information governance – by July 2022

Develop, in collaboration with Skills for Care, a digital skills framework that will support the improvement of the digital capabilities of everyone working in the adult social care sector (phase one completed March 2022), supported by the delivery of an inclusive approach to training opportunities to improve the data and digital literacy of the adult social care workforce – commenced from April 2022

Will work to make all ‘critical’ data assets available and in use across government through trusted APIs and platforms such as GDX and IDS.

All departments agree to promote a ‘buy once, use many times’ approach to technology, including by making use of a common code, pattern and architecture repository for government.

All new services shall comply with the common approach to Secure By Design.

All departments will agree to co-develop and adopt a single data ownership model for ‘critical’ data assets.

Initiate a national pilot on improving care coordination via the Improving Care Coordination for Patients programme – completed March 2022

Create a showcase of replicable archetypes of national data and analytics technology infrastructure based on the maturity of integrated care systems – completed March 2022

Create a federated data platform that will enable each Trust and every ICS to have its own platform that can interact with regional and national platforms to fulfil specific, predetermined use cases, supporting leaders across the NHS to make better decisions through the systematic use of timely and relevant insight and evidence, and ultimately providing the connectivity needed to transform care and improve outcomes for patients – by April 2023

We will amend the 2002 COPI regulations to ensure that they facilitate timely and proportionate sharing of data, engaging with stakeholders and the public by the end of 2022 to make sure that changes are implemented transparently – delivery date subject to Parliamentary processes.

Begin to make new source code that we produce or commission open and reusable by default (with clear exceptions) and publish it under appropriate licences to encourage further innovation (such as MIT and OGLv3, alongside suitable open data sets or dummy data). Subject to consultation, the relevant policies will also aim to be open and reusable – commenced from December 2021)

Every ICS has implemented a population health and planning data platform, and business intelligence tools by 2023

The Government will continue to support data-led decision-making through the Integrated Data Service. The service consists of a cloud-based platform and will transform ways of working. Under robust security and ethical protocols, and through a Trusted Research Environment, the service will enable analysts and researchers to access, link, analyse and disseminate a range of data to help inform policy decisions.

The Cabinet Office’s Algorithmic Transparency Standard recommendations will also help public sector organisations to provide clear information about the algorithmic tools they use to support decision-making. The Data Standards Authority will continue to work to improve how the public sector manages data, by establishing standards and making data-sharing across Government more effective.

Over 90% of senior civil servants will be upskilled on digital and data essentials, with learning embedded into performance and development standards.

Over 90% of DDaT professionals will undertake DDaT related training at least once a year and will record their skills, to support the prioritisation of DDaT learning interventions and associated investment.

Introduce a statutory power to enable health and adult social care public bodies to require anonymous information that relates to the provision of health and adult social care services in England – delivery date subject to Parliamentary processes

Put in place a system-wide target for the rationalisation of data collections to reduce the time spent by health and care staff inputting and processing data for national use – by end of 2022 and reviewed annually

We are developing an Open Analytics policy

We are beginning to make new source code that we produce or commission open and reusable by default (with clear exceptions).

We will encourage publishing code under appropriate licences to encourage further innovation (such as MIT and OGLv3, alongside suitable open datasets or dummy data). Subject to consultation, the relevant policies will also aim to be open and reusable.

We are building the profile of data and analysis as a profession, including consistent and appropriate competency frameworks, networks, training, career opportunities and status.

We are developing an online Analytics Hub, working with AnalystX, to share, promote and endorse training, events and other resources aimed at analysts and non-analysts across all career levels.

We will continue to encourage innovation and collaborative working through a data and analytics accelerator by promoting the use of open data, and working with a plurality of solutions and teams. The principles of the accelerator will be tested through hackathons and real business cases – by September 2022

We will develop and roll out a unified set of competency frameworks aligned to the government analysis function skills and the digital, data and technology profession – by December 2022

Co-create a national digital workforce strategy with the health and care system, setting out a framework for bridging the skills gap and making the NHS an attractive place to work (March 2023)

Enable recruitment, retention and growth of the Digital, Data and Technology (DDaT) workforce to meet challenging projected health and care demand by 2030, through graduates, apprentices and experienced hires, creating posts for an additional 10,500 full-time staff (March 2025)

Create a membership body for DDaT professionals in health and social care that will, over the years, bring cohesiveness between the disparate professions, to set and assure adherence to professional standards, and harmonise the DDaT profession (September 2022)

Establish new and continuation of existing digital learning offerings through the NHS Digital Academy, including the Digital Health Leadership Programme (via Imperial College and partners), Digital Futures Programme (cross-ICS), Topol Fellowships in Digital Healthcare and Health Innovation Placements, a programme that supports our change leaders to learn directly from exposure with industry (through 2022 and beyond)

Grow and nurture a pipeline of diverse future specialists and leaders through graduate and apprenticeship schemes, starting (June 2022)

Embed digital skills development into academic curricula to support our future and incoming workforce (from 2022)

Publish our Version 1 Open Source Policy through Github and a playbook on how to develop open source systems and products (summer 2022)

Build trust by taking concrete action on privacy and transparency: trust cannot be earned through communications and public engagement alone.

Ensure all NHS data policies actively acknowledge the shortcomings of ‘pseudonymisation’ and ‘trust’ as techniques to manage patient privacy: these outdated techniques cannot scale to support more users (academics, NHS analysts, and innovators) using ever more comprehensive patient data to save lives.

Build a small number of secure analytics platforms – shared ‘Trusted Research Environments’ – then make these the norm for all analysis of NHS patient records data by academics, NHS analysts and innovators, wherever there is any privacy risk to patients, unless those patients have consented to their data flowing elsewhere. Every new TRE brings a risk of duplicated effort, duplicated information governance, duplicated privacy risks, monopolies on access or task, and obstructive divergence around data curation and similar activity: there should be as few TREs as possible, with a strong culture of openness and re-use around all code and platforms.

Use the enhanced privacy protections of TREs to create new, faster access rules and processes for safe users of NHS data; ensure all TREs publish logs of all activity, to build public trust.

Map all current bulk flows of pseudonymised NHS GP data, and then shut these down, wherever possible, as soon as TREs for GP data meet all reasonable user needs.

Use TREs – where all analysts work in a standard environment – as a strategic opportunity to drive modern, efficient, open, collaborative approaches to data science.

Develop clear rules around the use of NHS patient records in performance management of NHS organisations, aiming to: ensure reasonable use in improving services; avoid distracting NHS organisations with unhelpful performance measures.

Write an ‘open analytics policy for the NHS: Bring together DHSC and the NHS Transformation Directorate to write a policy that makes it clear to all analyst teams across the NHS, and all general managers, that sharing code is not the same as sharing data and that open is the preferred and default method for all analysis conducted using public data and public funding. Note that ‘open code’ is different to ‘open data’: it is reasonable for the NHS and government to do some analyses discreetly without sharing all results in real time.

Reproducible Analytical Pipelines (RAP) will become the default way of conducting quantitative analysis. Analysis is then reproducible, transparent, trustworthy, efficient, and high quality.

Research software engineers will be embedded in analytical areas to deliver digital expertise, build products and develop capability. Research software engineers are software engineers who understand the process of analysis and research. They work with other analysts to develop digital analytics products for end users.

Analysts will have access to the tools they need to do analysis using the RAP principles

We will build analyst capability to do analysis using the RAP principles

Senior leaders and organisations will see the value of RAP and encourage analysts to use RAP principles

Analyst teams will be multidisciplinary and will work with digital teams so that they can deliver high quality and valuable analysis products through application programmable interfaces (APIs), interactive visualisations and regularly updating dashboards.

We are also running a call for views (Data Storage and Processing Infrastructure, Security & Resilience) to further our National Data Strategy commitment to develop a stronger risk management framework for the infrastructure upon which data use relies.

In line with our overarching ambition to keep our digital systems, platforms, devices and infrastructure secure, we are investing more than £2.6 billion over 3 years. This includes a £114 million increase in funding for the National Cyber Programme, accompanied by enhanced funding for critical cyber skills training, infrastructure, research and development, innovation, defence, and intelligence.

We expect to bring forward primary legislation to reform the UK’s data protection laws, by simplifying some parts of the UK General Data Protection Regulation (GDPR) ensuring high standards of data protection. This Government’s view is that our reform of UK legislation on personal data is compatible with maintaining the free flow of personal data from Europe.

We will adopt a more flexible, outcomes-based approach for compliance, ensuring the Information Commissioner’s Office (ICO) accounts for the increasing importance of its remit for competition, innovation and economic growth. This flexible approach will reduce burdens on business and innovation, which impede the responsible use of personal data. In addition, these changes will also provide scientists with the clarity and confidence they need to get on with life-enhancing and life-saving research

The Government also committed to legislating for Smart Data in the Queen’s Speech. These changes will provide consumers and small businesses with the power to enable trusted third parties to help them access, make sense of, and use their data. Recently, the Business Secretary set out a new programme of investments in Smart Data to drive industry and collaboration across sectors.

We will also resist unreasonable attempts at data localisation, and seek international trade agreements to facilitate the free flow of data with trust.

Secure data environments will be the standard way to access NHS Health and Social Care data for research and analysis.

Secure data environments providing access to NHS Health and Social Care data must meet, or demonstrate a credible roadmap to meeting, criteria set out within our accreditation framework.

Secure data environments must maintain the highest level of cyber security to prevent any unauthorised access to data.

Secure data environment owners must be transparent about the data within their environment, who is accessing it, and what it is being used for.

The secure data environment may only be accessed by appropriate, verified users.

Secure data environments must ensure that patients and the public are actively involved in the decision making processes to build trust in how their data is used.

Data made available for analysis in a secure data environment will be de-identified in a proportionate manner to protect patient confidentiality.

NHS Health and Social Care data should only be linked with other datasets within an accredited NHS secure data environment.

All accredited NHS secure data environments must adhere to a policy of open-working, support code-sharing and facilitate use of technology that supports this, such as reproducible analytical pipelines (RAP).

Secure data environments must be able to support flexible and high quality analysis for the diverse range of uses they will support Secure data environments must ensure that nothing is brought in, or removed from, the Environment without assessment and approval.

We are committing to simplifying the Information Governance Framework; creating fit-for-purpose rules around different types of data - including pseudonymised data; simplifying the national data opt-out; standardising approaches to PPIE; and tackling the ‘bigger’ issues through participatory engagement such as citizens juries. Specifically, the data strategy makes the following commitments:

We are embedding the Information Governance Portal as the one-stop shop for help and guidance

We are creating fit-for-purpose rules around different types of data (such as pseudonymised), so that staff can clearly understand them, addressing concerns around pseudonymised data as raised by the Goldacre Review

We are developing a national information governance transformation plan, focusing on practical data-sharing situations, creating professional standards and addressing training for frontline staff

We are co-designing a transparency statement, as part of a regularly updated online hub, setting out how publicly-held health and care data is used across the sector

We are developing a standard for public engagement, setting out best practice for health and care organisations, and any other body using NHS data, to engage appropriately with the public and staff across the system on data programmes and issues

We are undertaking in-depth engagement with the public and professionals, through forums such as focus groups with seldom heard groups, and large-scale public engagement on topics and questions that are high priority or particularly complex, including how we deliver secure data environments and the future of the national data opt-out, and working closely with regions to understand local needs.

We are working with the public, the expert advisory group, the National Data Guardian and other stakeholders to ensure that there is a simple opt-out system in place that provides clarity and choice, giving patients confidence and ensuring data continues to support the functioning of the health and care system

We are consulting with UK Research and Innovation (UKRI) and the National Institute for Health Research (NIHR) to consider how outputs from research they fund, involving health and care data, can follow open and reusable code principles

We are working to ensure all accredited NHS secure data environments adhere to a policy of open-working, support code-sharing and facilitate use of technology that supports this, such as reproducible analytical pipelines (RAP).

We will publish a digital playbook on how to open source your code for health and care organisations. Guidance on where to put the code, how to license and maintain it, and best practice for working with suppliers will be published in addition to case studies of teams who have done this – completed May 2022.

Data for research and development will be available through a federated network of trusted research environments (TREs) by March 2025

We will deliver the policy and requirements needed to implement secure data environments (SDEs) – TREs are a type of SDE – across the NHS (December 2022)

We will enable researchers to access linkage-enriched genomics data sets from linked sources (2025)

We will develop a network of sub-national or regional linked TREs (March 2025)

We will ensure the right assurance and commercial foundations are put in place by 2025 to stimulate a thriving innovation ecosystem that fosters collaboration between the health and social care sectors and the tech industry

We will publish a Value-Sharing Framework to ensure the NHS gets best value from these assets (March 2023)

We will develop a standard for public engagement that sets out best practice for engaging appropriately with the public and staff about data to be followed by any organisation using NHS data (December 2022)

We will co-develop a data pact setting out mutual expectations for the public and health and care system (December 2022)

Build trust by taking concrete action on privacy and transparency: trust cannot be earned through communications and public engagement alone.

Ensure all NHS data policies actively acknowledge the shortcomings of ‘pseudonymisation’ and ‘trust’ as techniques to manage patient privacy: these outdated techniques cannot scale to support more users (academics, NHS analysts, and innovators) using ever more comprehensive patient data to save lives.

Build a small number of secure analytics platforms – shared ‘Trusted Research Environments’ – then make these the norm for all analysis of NHS patient records data by academics, NHS analysts and innovators, wherever there is any privacy risk to patients, unless those patients have consented to their data flowing elsewhere. Every new TRE brings a risk of duplicated effort, duplicated information governance, duplicated privacy risks, monopolies on access or task, and obstructive divergence around data curation and similar activity: there should be as few TREs as possible, with a strong culture of openness and re-use around all code and platforms.

Use the enhanced privacy protections of TREs to create new, faster access rules and processes for safe users of NHS data; ensure all TREs publish logs of all activity, to build public trust.

Map all current bulk flows of pseudonymised NHS GP data, and then shut these down, wherever possible, as soon as TREs for GP data meet all reasonable user needs.

Use TREs – where all analysts work in a standard environment – as a strategic opportunity to drive modern, efficient, open, collaborative approaches to data science.

Rationalise approvals: create one map of all approval processes; require all relevant organisations to amend it until all agree it is accurate; de-duplicate work by creating a single common application form (or standard components) for all ethics, information governance, and other access permissions; coordinate shared meetings when approval requires multiple organisations; have researchers available to address misunderstandings of their project; build institutions to help users who are blocked; recognise and address the risk of data controllers asserting access monopolies to obstruct competitors; publish data on delays annually; ensure high quality patient and public involvement and engagement (PPIE) is done.

Address the problem of 160 trusts and 6,500 GPs all acting as separate data controllers. Do this either through one national organisation acting as Data Controller for a copy of all NHS patients’ records in a TRE, or an ‘approvals pool’ where trusts and GPs can nominate a single entity to review and approve requests on their behalf.

Review the National Data Opt Out Policy after TREs are established

Revise the definitions of ‘anonymous’, ‘identifiable’ and ‘linked’ data; add a new category of ‘pseudonymised but re-identifiable’

Provide researchers with easy access to practical guidance, and examples of best-practice PPIE

Have a frank public conversation about commercial use of NHS data for innovation, but only after privacy issues have been addressed through adoption of TREs; ensure the NHS gets appropriate financial return where marketable innovations are driven by NHS data, which has been collected at great cost over many decades; avoid exclusive commercial arrangements.

Promote and resource ‘Reproducible Analytical Pathways’ (RAP, a set of best practices and training created in ONS) as the minimum standard for academic and NHS data analysis: this will produce high quality, shared, reviewable, re-usable, well-documented code for data curation and analysis; minimise inefficient duplication; avoid unverifiable ‘black box’ analyses; and make each new analysis faster.

Ensure all code for data curation and analysis paid for by the state through academic funders and NHS procurement is shared openly, with appropriate technical documentation, to all data users. Data preparation, analysis and visualisation is complex technical work, requiring collaboration by many individuals, who may never meet, in a range of organisations, across the NHS and other sectors. The only way to manage this shared complexity is by sharing information, as in other technical fields.

Recognise software development as a central feature of all good work with data. UKRI/NIHR should provide open, competitive, high status, standalone funding for software projects and developers working on health data. Universities should embrace research software engineering (RSE) as an intellectually and academically creative collaborative discipline, especially in health, with realistic salaries and recognition.

Bridge the gap between health research and software development: train academic researchers and NHS analysts in contemporary computational data science techniques, using RAP where appropriate; offer ‘onboarding’ training for software developers and data scientists who are entering health services research and epidemiology; use in-person and online training; make online resources openly available where possible.

The government’s new data protection rules will be focused on outcomes to reduce unnecessary burdens on businesses.

This bill will remove the UK GDPR’s prescriptive requirements giving organisations little flexibility about how they manage data risks - including the need for certain organisations, such as small businesses, to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments. It means a small business such as an independent pharmacist won’t have to recruit an independent DPO to fulfil the requirements of UK GDPR, provided they can manage risks effectively themselves, and they will not have to fill out unnecessary forms where the risk is low.

The same high data protection standards will remain but organisations will have more flexibility to determine how they meet these standards.

The ICO will have new objectives which will give Parliament and the public better ability to hold the regulator to account. Currently, UK GDPR does not provide the ICO with a clear framework of objectives and duties. It is instead obliged to fulfil a long list of tasks. Clearer objectives to prioritise its activities against and a more modern governance framework will better equip the ICO to fulfil its role and bring it in line with the best practice of other regulators.

The ICO will be required to set up a panel of experts in relevant fields when developing each piece of statutory guidance. The Secretary of State will also need to approve ICO statutory codes and guidance before they are presented to Parliament. This will bring the ICO in line with other UK regulators, such as the Electoral Commission and strengthen the accountability of the privacy watchdog when it makes legal rules.

The reforms will further cement the UK’s position as a science superpower by simplifying the legal requirements around research so that scientists are not needlessly impeded from using data to innovate and make major breakthroughs. This removes the need for them to have the ultimate purpose of their research project finalised before collecting data. For example, scientists will be able to rely on the consent a person has given for their data to be used for ‘cancer research’ as opposed to a particular cancer study

Cyber security - our policy position is to include cyber security as an essential requirement (for Software as a Medical Device).

Data protection, privacy, or confidentiality - we will work closely with the Department for Digital, Culture, Media & Sport (DCMS), Information Commissioner’s Office, the National Data Guardian, and the Health Research Authority to ensure that patient data is protected (in Software as a Medical Device)