Whilst there are increasing opportunities for data-driven innovation and technology to support the management of healthcare services and the delivery of health-related research, public outcries in the recent years have demonstrated how certain members of the public are not comfortable with the idea that their personal health data, which was originally shared with doctors in confidence, being used and/or shared with third parties for purposes beyond the provision of direct care. A recent example of this was NHS’ large scale project entitled ‘GP Data for Planning and Research’ (GPDPR), which faced such resistance when originally proposed that it had to be suspended for further consideration.
Striking a balance between leveraging the power of health data for the mentioned purposes, preserving patient confidentiality and ensuring the security of data is therefore fundamental for healthcare organisations to effectively discharge their statutory obligations whilst maintaining public trust and confidence in the health services. And the use of Secure Data Environments (SDEs) is currently regarded as the gold standard for achieving that balance.
“Secure data environments are data storage and access platforms, which uphold the highest standards of privacy and security of NHS health and social care data when used for research and analysis. They allow approved users to access and analyse data without the data leaving the environment.”[1]
Where effectively implemented, SDEs present numerous advantages to the current practice of routine sharing of data for purposes beyond the provision of care, including the following:
For these reasons, the implementation of SDEs has received strong support from industry experts and is now recommended by the government in its policy paper. The Department of Health and Social Care, in its policy paper “Data saves lives: reshaping health and social care with data”[2], highlights the central role that SDEs will play in allowing analysis to take place within a secure online platform while also building public’s trust that their health and care data are kept safe. To this end, the paper states that the SDEs will be the default route for NHS and adult social care organisations to gain access to de-identified data for research and analysis without engaging in any data distribution.
The policy paper echoes the recommendations of Professor Ben Goldacre made in his independent report, ‘Better Broader, Safer: Using Health Data for Research and Analysis’ (also known as the ‘Goldacre Review’).[3] According to Professor Goldacre, SDEs also present an opportunity to modernise data analysis by removing the IT constraints arising from having multiple platforms which may not always support the use of modern data analysis tools.
[1] Department of Health and Social Care’s (DHSC) policy paper “Secure data environment for NHS health and social care data – policy guidelines”, updated 23 December 2022.
[2] ‘Policy Paper: Data saves lives: reshaping health and social care with data’ (GOV.UK, 15 June 2022) accessed 10/07/2023.
[3] ‘Better, Broader, Safer: Using Health Data for Research and Analysis (Secretary of State for Health and Social Care, April 2022) accessed 10/07/2023.
Statistically speaking, commercial data driven organisations are 23 times more likely to acquire customers, 6 more likely to retain customers, and 19 times more likely to boost profitability. In the public sector making sure decisions are evidence based can greatly improve patient outcomes, cut inefficiency and find cost savings. Therefore, developing a secure data environment where you can have all your data linked can allow you to make more data driven decisions.
Developing an SDE is not just about keeping the data locked away and safe. It is the whole suite of technology and organisational measures that you will need in order to not only keep the data safe but also to allow controlled access so they can be analysed to benefit society, or your organisational goals.
We have extensive experience in developing Trusted Research and Secure Data Environments. We are the “go to” organisation for these projects for a number of different prestigious organisations. One project we have been working on over the past 12 month has been to support the development of an SDE, from a data protection and data privacy standpoint, on behalf of circa 2000 public sector organisations across a number of different geographical boundaries. This project concerns 15 million people’s records and requires intricate knowledge of confidentiality, data protection laws and regulations as well as privacy enhancing technologies. Importantly, it requires us to apply our expert knowledge in a practical away, whilst always ensuring that all relevant stakeholders not only understand the model but are also onboard with it.
Implementing Secure Data Environments (SDEs) involves more than simply placing data in a cloud database with industry-standard accreditations would suffice to regard it as an SDE. However, the reality is that the effective implementation of SDEs is substantially more complex, as it requires considerations that extend far beyond the choice of a storage solution and involves putting in place an array of technical and organisational measures around it.
It requires integrating various technical and organisational measures that comply with the “Six Safes” framework, originally developed by the Office for National Statistics (ONS), which is a set of principles that determine the layers of protection that must be implemented for an environment to be considered an SDE. This framework ensures secure access to health and care data and involves safeguarding data security through Safe People, Safe Projects, Safe Setting, Safe Data, Safe Outputs, and Safe Return.
Safe People | Safe Projects | Safe Setting | Safe Data | Safe Outputs | Safe Return |
---|---|---|---|---|---|
Understanding all requirements around the “6 Safes” and tailoring their application to the needs of the project in a robust manner during the implementation of SDEs is undoubtedly a challenging task. Applying this framework in research projects is essential to maintain public confidence, protect patient information, and enable timely and secure access for approved researchers while following a data access policy for health and care research.
We provide a full data protection and information governance consultancy service to all our clients who engage with us. We provide flexible packages and services to make sure that you only pay for what you need, so you aren’t paying for unnecessary services. Whatever you and your organisation need, we are here to help.