• The UK Government has recognised that it has an extraordinary data resource in its NHS healthcare and patient records, which could be a significant competitive advantage in the global life sciences sector.

• Current data sharing practices, which involve data being transferred from the NHS to external organisations, have significant shortcomings and there is a need for a more secure and efficient mechanism of accessing NHS data for research.

• There will be a transition away from such data transfers and towards data access through NHS funded and controlled ‘secure data environments’ to enable more widespread access to NHS data for R&D.

The Department of Health and Social Care in the United Kingdom has published a proposed update to its policy regarding access to National Health Service (NHS) data for research purposes¹. The proposed update focuses on the creation of ‘secure data environments’ for accessing NHS data to achieve the UK Government’s target of ‘data access as default’. This policy seeks to transform the ways in which pharmaceutical and biotechnology companies can access NHS data for R&D.

The UK Government’s focus on unlocking NHS data

In recent years, the UK Government has shown both recognition of the importance of the life sciences industry to the UK economy and a desire to retain a competitive edge in the sector. A key part of this strategy is to leverage the unique resource that is the 75 years’ worth of patient records and data collected by the UK’s NHS, which remains largely untapped. The use of NHS data was a key part of the UK’s response to Covid-19 and, since the pandemic, the Government has shown a consistent focus on unlocking the full potential of NHS data, in a safe and efficient manner. An independent review commissioned by the UK Government and published in April 2022 stated: ‘NHS data represents an exceptional and globally important resource… The life sciences sector can use data to evaluate and refine medications, or develop whole new classes of medical technology.’²

In June 2022, the Department of Health and Social Care and the NHS made a commitment, by announcing a ‘data saves lives’ strategy³ to move away from a system of data sharing (involving the transfer of data to third party organisations) and towards a system of ‘data access as default’ for all secondary uses of NHS health and social care data through the creation of secure, virtual environments which would allow verified researchers to access health data. The new proposed policy focuses on implementing such ‘secure data environments’.

What is a Secure Data Environment?

Secure data environments (referred to as ‘SDEs’) are data storage and access platforms whereby approved users can both access and carry out analysis on data, without that data leaving the platform. This allows for greater certainty as to security levels and is a much more efficient way of data-sharing than current practices such as the entry into individual data sharing agreements with third party organisations. Crucially, the organisation providing the environment (in this case being the NHS) has control and oversight over who can access what data within the SDE.

As well as adhering to existing legal frameworks around data protection in the UK, in September 2022 the Department for Health and Social Care published 12 guidelines⁴ for the creation of SDEs, including cybersecurity requirements. The guidelines also reiterate the need for engagement with the public and state that all uses of data within SDEs must be ethical, for the public good and for health purposes.

Implementation of SDEs

The UK Government’s proposed policy update aims to provide further clarity on the development and use of SDEs.

1. SDEs as default: SDEs will be the default route for accessing NHS data for research uses. Access to NHS data outside of an SDE will be extremely limited.
2. Out of scope platforms: certain NHS platforms, which are exclusively operational, are outside of the scope of the data access policy as they do not give third parties access to data for research purposes.
3. SDE network: the primary source of access to NHS data will be the national NHS Research SDE Network, but there will be a small number of existing, local (e.g. NHS trust specific) SDEs.
4. NHS to have oversight: as mentioned above, the SDEs will allow the NHS to have oversight and control over data access. The policy update reiterates that the Government does not expect that existing commercial and/or academic controlled SDEs will be able to continue to host NHS data or make it available for research.
5. Data-sharing cut-off: by the end of 2023, an update will be provided on the timeframe for the transition from existing data sharing processes to SDEs. It is expected that there will be a period of dual operating between data sharing and data access while the change is rolled out.
6. Data Access Committees: initially each SDE will have as single Data Access Committee (which will include patient and public representatives) to which researchers must apply to be granted access. The application process will be harmonised across different SDEs.
7. Transparency: SDEs must uphold high levels of transparency over how data is used and who accesses it, with patient and public involvement.
8. Assurance mechanisms: A long-term model of accreditation for NHS SDEs is in the process of being developed and tested to ensure credibility and quality. However, the policy explains that existing legal frameworks and governance systems provide adequate reassurance in the interim period to enable further SDEs to be developed pending implementation of the accreditation system.
9. Exceptions: the policy update indicates that any exceptions to data access policy will be extremely limited. However, certain issues are not subject to the general policy and are to be considered on a case-by-case basis, such as the sharing of patient-level data between NHS SDEs and the inclusion of data from clinical trials in SDEs.

Comment

AI is changing the capacity of research organisations to analyse large volumes of data on an unprecedented scale - supporting innovation but also raising questions about the rights to such innovations (see our previous OnPoints Inventive AI: European Patent Office finds that only humans can be inventors⁵ and Embracing the AI Revolution: Navigating Intellectual Property Challenges and Opportunities⁶). However, enabling access to quality data is essential to harnessing the power of AI tools, as well as benefiting more traditional research.

The UK’s policy update makes it clear that enabling the effective re-use of NHS data is a project of huge scale and complexity, and one that will take time to implement. The Government is taking a ‘phased and incremental’ approach. That said, certain NHS SDEs have already been put in place and in March 2022, a joint funding package of £200 million was announced for the NHS Data for Research and Development programme⁷ with £100 million of this is expected to go specifically towards SDEs.

Through the European Health Data Space, the EU is also seeking to facilitate use of public sector data for life sciences research and is putting in place legal frameworks for the re-use of health data through the proposed Data Governance Act and the Data Act (see our previous OnPoints Harnessing Big Data – Draft EU Data Governance Regulation Aims to Increase Innovators’ Access to Data⁸ and EU Data and Digital Drive: an Overview of Forthcoming Legislation⁹).

¹Data access policy update: proposed draft published 26 May 2023.

²Goldacre Review published April 2022.

³Data saves lives policy paper: reshaping health and social care with data, published June 2022.

⁴Secure data environment for NHS health and social care data - policy guidelines published 23 December 2022.

⁵Dechert OnPoint: ‘Inventive AI: European Patent Office finds that only humans can be inventors’.

⁶Dechert OnPoint: https://www.dechert.com/knowledge/onpoint/2023/7/1-_introduction--artificial-intelligence--ai--has-become-one-of-.html.

⁷Press release: £260 million to boost healthcare research and manufacturing published 2 March 2022.

⁸Dechert OnPoint: Harnessing Big Data – Draft EU Data Governance Regulation aims to increase innovators’ access to data.

⁹Dechert OnPoint: EU Data and Digital Drive: an Overview of Forthcoming Legislation.