
GOVERNANCE FAQ

What approvals are in place?

Every use of personal data must be lawful, must comply with the Data Protection Act (2018)/GDPR, and must satisfy the common law duty of confidentiality.

 

Data Protection Act (2018)/General Data Protection Regulation (GDPR)

Under UK GDPR the following provides the legal basis for sharing data into the Secure Data Environment:

  • Article 6.1(e) of UK GDPR (public task): the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Article 9.2(j) of UK GDPR enables the processing of special category data where “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89 (1) based on domestic law which shall be proportionate to the aim pursued, respect the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

 

Common Law Duty of Confidentiality:

The Health Research Authority (HRA) has given Section 251 support, following advice from their Confidentiality Advisory Group (CAG), for the development of the Thames Valley and Surrey Secure Data Environment (CAG reference: 23/CAG/0046). This provides the legal basis to allow access to the specified confidential patient information without asking for consent.

 

Research Ethics Committee

TVS SDE also has ethical approval from South Central – Oxford C Research Ethics Committees (REC) for a research database (REC reference: 22/SC/0330).

 

 

What is a Section 251/s251?           

This is a shorthand term and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002 (Section 251). Section 251 was established because it was recognised that the NHS’s essential activities and important medical research required the use of patient-identifiable information where anonymised information was not possible and obtaining consent was not practical.

Section 251 allows the Common Law Duty of Confidentiality to be lifted temporarily to enable the use and disclosure of Patient Identifiable Information for medical purposes without breaching the principles of confidentiality.

The Confidentiality Advisory Group (CAG) reviews research and non-research applications under Section 251 and advises under the framework of Regulations 2002 whether there is sufficient public interest to temporarily lift the common law duty of confidentiality in the context of the application made.

 

What data sharing/processing documents for the TVS SDE is my practice being asked to sign and why?

There are two documents that the practice needs to review and sign in order to share data with the TVS SDE:

 

Provider Terms

The Provider Terms are the legal agreement that a GP practice signs to take part in the Thames Valley & Surrey Secure Data Environment (TVS SDE).

They confirm that Oxford University Hospitals NHS Foundation Trust hosts the SDE on behalf of the region, that all participating providers are joint controllers of the data, that data can only be accessed for agreed use cases following approval by an independent committee with strong public representation, and that practices must ensure patients are appropriately informed.

The Terms also explain the legal basis for data use, how intellectual property and any income are handled, how risks and liabilities are managed, and how a provider can withdraw if they choose.

 

Data Protection Impact Assessment

A DPIA is a formal assessment that looks at how personal data will be used, what the privacy and data‑protection risks are, and how those risks are managed and reduced. For the TVS Secure Data Environment, each participating GP practice must agree a DPIA to confirm that the flow of data into the SDE is lawful, necessary and proportionate, that appropriate safeguards are in place, and that patient rights and confidentiality are protected. A standard DPIA for General Practices has been written for practices to review.

 

Can a patient opt out of (object to) their data flowing into the TVS SDE?      

The TVS SDE will comply with the national data opt-out and our local TVS SDE data opt-out. GP practices would not need to manage opt-outs; we apply the opt-outs to the data in the TVS SDE.

Patients will be informed through transparency and communications materials, such as privacy notices, posters, leaflets and website wording.

 

How does the data access approval process work?     

Researchers fill out a templated data access form for their project. Access requests are reviewed in stages, with different groups focusing on different aspects of the decision.

The TVS SDE Management Team reviews requests first. Their role is to assess whether a request is feasible and achievable, for example whether the SDE has the data, capacity, and capability to support it safely and lawfully. Requests that pass this stage may be provisionally approved and move forward for further review.

 

Provisionally approved requests are reviewed by the Services and Data Access Review Committee (SARC). The SARC focuses on desirability: whether a request represents an appropriate and valuable use of data from a public perspective. This includes considering potential benefits, risks, and alignment with the purpose of the TVS SDE, the Five Safes Framework, and the SDE Network principles.

If a request is approved, access is provided once the appropriate Data Access Agreement and user terms are in place and any required controls have been agreed. Data can only be used for the approved purpose and within the secure TVS SDE environment.

 

Do I still have control over my patients’ data?

A request for data for any project will be assessed by the TVS SDE Management Team and then by the Services and Data Access Review Committee (SARC). As a data controller, you will be represented on SARC by GP members on the committee.

The SARC also has over 30% public members. Only research applications from approved researchers that have been approved by the SDE Management Team and the SARC would be given access to the data. Only de-identified data will be made accessible for research.

Data providers are notified when their data is involved in a data access request, after the request is provisionally approved by the Management Team and prior to SARC review. This is an opportunity to raise any concerns with the Management Team.

 

Is there a Privacy Notice available for patients that a GP can link to from their practice website?

We have developed a Privacy Notice which GP Practices can take wording from. Additionally, the Privacy Notice will be made available on the TVS SDE website, to which patients can be referred.

The privacy notices were drafted in line with the legal requirements under the UK General Data Protection Regulation and Information Commissioner’s Office guidance. As such, they provide the reader with all necessary information on the programme, the purposes, their rights and how to exercise them.

The notices will enable patients to understand what is going to happen to their data and to make informed decisions.