Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what steps he is taking to ensure the adequacy of (a) vetting procedures for companies that apply to use medical records and (b) safeguards to prevent medical data being used for purposes other than those for which access was granted.
National Health Service patient data from medical records is only shared when it will benefit health and care and where it is subject to technical and organisational controls to maintain privacy and protect data. Where a research project requests access to patient data it must adhere to strict rules, including obtaining approval from a Health Research Authority (HRA) Research Ethics Committee (REC) where required and, where processing confidential patient information without consent, support from the Confidentiality Advisory Group (CAG) and approval from the HRA. These research approval processes ensure only legitimate organisations or individuals are able to use the data, for an appropriate purpose, and that safeguards are in place to protect people’s data.
NHS England provides organisations with access to patient data for secondary uses, including for health research, primarily through the Data Access Request Service (DARS). The access is considered according to the purpose, rather than the organisation type. This service considers applications against a set of standards, including one relating to the commercial use of data, with further information available at the following link:
https://digital.nhs.uk/services/data-access-request-service-dars/dars-guidance
Applicants must meet robust data security and governance standards, including completing the Data Security and Protection Toolkit, which is available at the following link:
https://www.dsptoolkit.nhs.uk/
Applicants must also demonstrate compliance with the UK General Data Protection Regulation, and must demonstrate that their application to access patient data is in line with the approvals they have received from an REC and, where processing confidential patient information without consent, the support from the CAG and approval from the HRA. Applications may also be considered by the Advisory Group of Data (AGD), which provides advice to NHS England. The minutes of the AGD are available at the following link:
Where access to data is agreed through the DARS process, the organisation must sign a data sharing framework contract and a data sharing agreement. NHS England carries out data sharing audits to check that organisations meet the obligations in their contract and agreement. Audit outcomes are published at the following link:
https://digital.nhs.uk/services/data-access-request-service-dars/data-sharing-audits
The Department and the NHS in England are currently moving to a system of ‘data access as default’ for secondary uses of NHS data, which is being supported by the implementation of Secure Data Environments (SDEs). SDEs are data storage and access platforms with features that enable NHS organisations to have greater control and oversight over their data, as they allow approved users to view and analyse data without it having to leave the environment.
NHS England operates a national SDE which is part of the wider NHS Research Secure Data Environment Network. The NHS Research SDE Network covers the whole of England and includes 11 regional, NHS-led SDEs. Further information is available at the following link:
https://digital.nhs.uk/services/secure-data-environment-service
On 7 April 2025 the Prime Minister announced that the Government and the Wellcome Trust will invest up to £600 million to create a new Health Data Research Service. This groundbreaking initiative will deliver significant health benefits to the public and patients. The Health Data Research Service will transform access to NHS data by providing a secure single United Kingdom-wide access point, which will ensure patient data continues to be protected and used appropriately.