Sharing GP data for research and development

GP practices that choose to share data for research and planning purposes can play a key role in driving medical breakthroughs, without the hassle of reviewing multiple data-sharing requests. By signing up, you will help advance health research, improve understanding of population needs, and support better care for our communities.

Why share data?
Currently, GP practices are asked on a project-by-project basis to share data. By establishing regular data flows to a regional research and development repository, practices can avoid repeated requests. Under a regional agreement, your data will be securely held alongside other datasets, ensuring it’s only used for research and development purposes.

How it works

• GP practices will have the opportunity to complete a data-sharing agreement
• The Data Access Committee and the ICB (Integrated Care Board) will review and approve all project requests, ensuring they meet strict protections and protocols
• The committee includes GPs, public representatives, and other experts to ensure compliance with the "5 Safes" framework, and whether the project is in the public interest.

This process allows GPs to contribute to research while reducing their workload.

Looking ahead
We are working with trusts and other data providers to make patient data accessible to research projects soon. A public information campaign will launch in early 2025 to raise awareness as data sharing expands.

Get involved
If your practice would like to start sharing data with the Secure Data Environment, please contact our team at: nencicb.sde@nhs.net

Some GP practices currently receive service support costs for research activities such as identifying eligible patients, providing datasets, and inviting patients to participate in studies. These activities are coordinated by the NIHR Clinical Research Network, now known as the Research Delivery Network, or directly by commercial organisations. Many GP practices also participate in the Clinical Practice Research Datalink (CPRD). These initiatives are separate from the work of the Secure Data Environment and will continue as before.

The Secure Data Environment offers an additional benefit by providing researchers with access to data collated from all GP practices, linked with secondary care datasets to deliver a comprehensive, system-wide overview. Achieving this level of integration and scale has historically been very challenging. By streamlining access to linked datasets, the Secure Data Environment will make our region a more attractive hub for research, facilitating greater use of existing data resources.

Importantly, participation in the Secure Data Environment is not expected to result in a decline in income for GP practices.

Flows of data from GP practices will be defined through a data sharing agreement between the North East and North Cumbria Secure Data Environment lead controller (which is the ICB) and each GP practice. Once the data is shared into the Secure Data Environment, it becomes the legal responsibility of the lead controller organisation, not the practice.

Liability for any data breach sits with the organisation(s) responsible for the breach in line with existing data protection legislation. As data controllers, GP practices will enter into data processing agreements with the data processor (who in this case is NECS) to ensure full compliance with data protection laws.

A Local Medical Committee (LMC)-appointed solicitor is also reviewing the contracts to confirm this, we will share the outputs from this once the review is complete.

We have engaged and worked with the LMC and representatives from the LMC over the last year or so. The LMC representatives have been supportive of the work we are doing and we will continue to work with them.

We are engaging with an LMC-appointed solicitor who is reviewing our data sharing contracts to provide independent advice to GP practices on liability and risks to you. Once this review is complete we will share the details.

GP practices would not need to manage opt outs - any patients who have already selected the National Data Opt Out will be excluded by the source organisation.

There will also be a Local Opt Out for the NENC Secure Data Environment which will be managed by NECS, so practices will not need to administer this. Contact details will be provided in the patient materials so GP practices can refer patients to this. An email and a helpline number will be available for patients to contact.

The ICB is leading the programme and in collaboration with Health Innovation North East and North Cumbria, North of England Commissioning Support (NECS) and Cumbria, Northumberland, Tyne and Wear NHS Foundation Trust (CNTW) to deliver the service. Work is underway with patient and public engagement, communications, data management, information governance and technical development.

By making health and care data more accessible, means that more research can happen. However for this to be done in a secure, robust way with standardised processes across the region to control who accesses the Secure Data Environment.

Accessing health and care data for research can be time-consuming and difficult process. The Goldacre Review and the Data Saves Lives strategy proposed the set up of Secure Data Environments as a more secure and efficient way to access data for research and development.

This is now reflected in NHS England policy. Over the coming years access to NHS data will move exclusively to Secure Data Environments.

This creates a simplified and robust route to access the data for research and development, reducing the burden on all NHS organisations including NHS trusts and GPs. Agreed datasets transfer from organisational IT systems to the Secure Data Environment for the purpose of research and development. Access is only granted for approved projects and accredited researchers through the North East and North Cumbria Data Access Committee.

The technical platform is up and running now and several test projects are using it. Currently the regional governance is not in place, but this is expected to be fully operational this year. Until the regional governance is fully established, data requests and approvals are currently managed on a case-by-case basis.

We are also developing our data request and enquiry processes and will be moving towards a structured approach this year.

We will support both research and development uses of data in the Secure Data Environment. We use the Health Research Authority guidance to determine whether projects fit into research or development. The types of projects the Secure Data Environment will use include:

• AI/algorithm development – testing, training and validation
• Clinical trial activities – feasibility, recruitment, efficacy through short and long term follow-up
• Real world studies – safety, effectiveness and cost effectiveness
• Translational research – academic discovery and implementation of discovery into practice
• Epidemiological studies – large cohorts for population health research
• Health systems research – evaluation of systems or processes, including operational and applied research
• Non-research – service planning, evaluation and improvement

Sharing data is optional.

The central, regional governance structure within the Data Access Committee means that GP practices will no longer need to review and assess individual data projects. There will be one central process with GP and patient representation to assess whether projects meet public interest and security standards. This will reduce the burden on GP practices and shift Data Controller liability to the Integrate Care Board. We will share updates on what projects are applying to access data on the Secure Data Environment and the outcome of their assessment.

A North East and North Cumbria Data Access Committee is being set up to assess and recommend to the ICB whether to approve or refuse  access to research and development projects and users. Our Data Access Committee includes data controller representatives from primary and secondary care, public members and data protection officers and information governance and research ethics specialists.

The process also includes a review by members of the public who will assess whether the project is in the public interest.

All projects will be mandated to complete an application form to use the Secure Data Environment that will be presented to the Data Access Committee. The application will cover the legal basis for the study, how data will be minimised and what benefit the project will provide.

Information on which projects apply to access Secure Data Environment will be published online and data contributors (GP practices) will be able to raise any concerns.

A Project Support Service will guide projects through the process to ensure they meet the required standards for safety and security. They will check that projects have relevant approvals from the Health Research Authority and Confidentiality Advisory Group where applicable.  

The programme is transitioning to a new governance model which is outlined below. The Data Access Committee is expected to be operational soon and will include:

• Public Members
• Senior Information Risk Officer
• Nursing representative (e.g. CNIO)
• Clinical representatives
• Academic/Research representatives
• Caldicott Guardian representatives
• Data Protection Officer representatives
• Research Governance representatives
• Data warehouse representative
• Data Science representative
• Commercial team representative
• Clinical audit team representative
• Chief Information Officer
• Chief Clinical Information Officer

At the heart of the North East and North Cumbria Secure Data Environment is a strong commitment to public and patient involvement. We have developed an extensive strategy that actively involves, listens to and engages with the population of the North East and North Cumbria.

Not only are our public panel of members involved in the programme governance, they have been involved in the design and development of our public information campaign.

Our approach builds upon the successful public engagement work as part of the Great North Care Record programme. We continue to work closely with the public, engaging them in discussions about how we manage and make information from their health and care records accessible to researchers and planners. Together, we are developing clear principles to ensure transparency and trust in how data is made accessible.

This is a core part of the programme to ensure transparency and co-design our approach. 14 public members have been recruited who are embedded in the governance structure.

The public members recognise the value and quality of the data held in the Secure Data Environment and embrace their role to ensure that patient health and care data is used appropriately, prioritising the best interest of the local population.

Together they share a broad knowledge-base and lived-experiences across a range of topics and expertise and the current demographic makeup of the group is diverse with a good split of male and female members, including people with lived experiences of disability and other medical conditions, and from other ethnic backgrounds and equality groups.

We are looking for more public members to ensure they are even more representative of our region.

Since being established the public members have:

·       Given 512 hours of their time

·       Taken part in 15 task and finish groups

·       Taken part in 13 workshops

·       Taken part in four focus groups

·       Reviewed eight key documents

·       Attended eight strategy boards

Co-produced plans including:

·       The involvement strategy

·       Public survey questions

·       Developed plain language about research and non research terminologies

·       Developed evaluation criteria for assessing research applications for the Secure Data Environment

·       Developed public messages for complex data topics

·       Developed branding and communications materials that will be shared with the public

·       Public involvement activities include street surveys of over 1500 people and impact assessments.

Other involvement activities

It is important to understand what local populations think about the use of their patient data, what concerns they have and how these may be addressed.

In January 2023, the programme spoke to a sample of the population in the North East and North Cumbria, with 375 people giving their views. From this survey and combined with patient feedback gained from the Great North Care Record, and using demographic data available from national statistics - the programme learned a lot about how different groups of people have different attitudes towards patient data for research.

Reviewing the findings with the public members group, the following populations were found to need further targeted support on their concerns and needs for information about the Secure Data Environment.

●      Remote residents – People living in larger communities outside major conurbations but without full access to key services

●      Affluent educated – People who are well educated and more affluent i.e., those with higher household incomes

●      Starting outers – Students, younger couples and singles in flats (i.e. aged 16-24 years)

●      Cautious women – Women aged 30 – 59 years identified in specific areas of the region and unwilling to share health data/keen to opt out

●      Diverse deciders - People on lower incomes with varied needs, who are struggling to make ends meet

●      Cultural collectives - Ethnic minority communities including established immigrant and the Jewish communities

In September 2024, further population level survey took place, increasing the number of people to 1050 to include more people in the groups identified above.

Focus groups

Focus groups will take place specifically of the priority groups to understand better their views and to consider questions about the use of identifiable data to create anonymised and pseudonymised data sets along with other issues that come out of the street survey report.

Young people’s on-line survey

A survey is being shared and targeting younger people (16 - 24) via social media and direct engagement with local colleges and universities.

Links to reports:

·       Summary PPIE report

·       Situational review – desk research to understand what insights are already available

·       Equality impact assessment–to help us understand which demographic have already opted out of sharing their healthcare information

·       Street survey of 400 people – to help us understand how people feel about their data being used in the Secure Data Environment

·       A further street survey of 1000 people took place in summer 2024 which explored attitudes further and targeted particular demographics in more detail.

Further work on focus groups and deliberative events are scheduled to take place over the coming months.

Under UK General Data Protection Regulation the following provides the legal basis for sharing data into the Secure Data Environment:

•  Article 6.1 e of UK GDPR (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• There is a requirement under the Health and Social Care Act to undertake research (paragraph 13(1) of Schedule 1 of the NHS Act 2006) which was updated in 2022 to include Integrated Care Boards.
• Article 9.2(j) of UK GDPR enables the processing of special category data where “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89 (1) based on domestic law which shall be proportionate to the aim pursued, respect the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

DPA 2018 enables the processing of special category data under Schedule 1 part 1 section 4

a)    For archiving purposes scientific or historical research purposes or statistical purposes,

b)    is carried out in accordance with article 89 one of the UK GDPR (as supplemented by section 19)

c)     is in the public interest

Common Law Duty of Confidentiality:

The ICB has an approved S251 application to set aside Common Law Duty of Confidentiality for the purpose of treating personal confidential data to pseudonymise, link and de-identify it for use in the NENC Secure Data Environment. The S251 also enables the generation of a research database (the NENC Secure Data Environment itself).

NENC Secure Data Environment also has separate Research Ethics Committee approval which covers both the use of the data flowing into the Secure Data Environment and the generation of the research database (the Secure Data Environment itself).

This means we have in place the legal basis under UK GDPR and Common Law to flow data into the Secure Data Environment.

A second S251 application is being developed for non-research purposes and is expected to be submitted by the end of 2024/25.

Secure Data Environments brings several opportunities to improve the health and wealth of our region. The Secure Data Environment covers both research and planning use cases which North East and North Cumbria can benefit from.

Research

We experience many of the worst healthcare outcomes, lowest levels of life expectancy, more time in poor health.

Our region features at the bottom of NIHR investment weighted against population need.

The Secure Data Environment will enable MORE research to happen – making the research pie bigger and improving healthcare outcomes for our population.

The Secure Data Environment will not replace patient consented clinical trials and research projects.

By creating a rich research and development data set we will increase our offering to researchers (commercial and non-commercial) and make the region an attractive place to carry out projects.

Our population is attractive to researchers as we have high health needs, with high instances of disease and a static population, although we are less ethnically diverse than other regions.

We also know from published literature that organisations who take part in research often perform better. Their patients benefit from the latest treatments and their staff are upskilled in new ways of working, also helping to make our regional organisations a great place to work.

The Secure Data Environment will enable us to carry out new research and development activities which is currently not possible, or very challenging. The ability to link datasets between primary and secondary care and between organisations for the purposes of research and development, will encourage collaborative working, unique project opportunities and answer important research questions.

These new opportunities will bring additional revenue to our region and participating organisations.

For example, AI projects using datasets to improve diagnostics and workflow improvements –ultimately benefiting patient care.

Development

It can take many years for the benefits of research projects to materialise. A key opportunity the Secure Data Environment presents is near real-time, data driven decisions around service improvement and planning. As we move towards group models of hospital care, and move care into communities, we need to understand these pathways and make the right decisions about how care is provided.

Being able to access data across different organisations will enable us to manage demand projection, capability requirements and workforce planning at both trust and regional level. The Secure Data Environment is additionally driving standardisation of data definitions, enabling and ensuring stakeholders are able to speak the same language.

Standardisation of data management

Having a single platform, agreed data definitions, a single access process and a single set of information governance protocols will greatly increase the pace and scale under which we can carry out research and development projects.

Yes, the Secure Data Environment can be accessed by a variety of researchers, including industry/commercial, NHS, academia, charities etc. However, all access requests will be subject to user validation in addition to a comprehensive project approval process. Our Data Access Committee will assess applications on an equal basis. In additional, all applications must pass a ‘public interest’ test with a panel of members of the public.

All applications will be treated the same, following the same governance and processes.

Contact the programme team and we will send you the paperwork.