This was discussed in detail at VWV's 2022 PING Conference by Andrew Roddam, CEO of Our Future Health, a charity compiling a database of health data of five million adults and linking this with genetic and other data, for use in research and development.
One partner involved with Our Future Health is the NHS, and the Department for Health and Social Care (DHSC) has now released guidelines on what organisations must do to be able to host the data used for research and analysis (secure data environments), which is also relevant to those wishing to access it. The guidelines provide 12 key criteria, summarised below:
1. NHS data must be accessed through secure data environments and the organisation must meet the requirements prior to the organisation hosting data.
2. Secure data environments must meet defined criteria in order to become an 'NHS accredited secure environment'.
3. All aspects of cybersecurity must be integrated into the design and implementation of the environment (security by design).
4. Secure data environment owners must be transparent about how the data is used. There are no mandated actions in the guidelines, but an example of clear and accessible reporting is given and so would achieve this criterion.
5. Those accessing the data must be trained, authorised and suitably verified before access is permitted. Once permitted the access should be limited to that which is necessary and within the consent given.
6. Owners of secure data environments must make sure that patients and the public are involved in the decision making through Patient and Public Involvement and Engagement (PPIE) activities.
7. Data made available for analysis must protect patient confidentiality through techniques such as data minimisation, aggregation and pseudonymisation.
8. Inputs to the secure data environment must be assessed. The external inputs and datasets must be checked before being permitted to enter the secure data environment and linked to NHS data.
9. Secure data environments must follow a policy of open working (so that code developed can be reused), unless an exception to this applies.
10. Environments must be flexible and be able to support a range of functionality and tools used for analysis.
11. All uses of data within environments must be ethical, for the public good and comply with all existing laws.
12. Outputs from environments must be checked before it leaves to ensure confidentiality is maintained and the output aligns with the aims of the given project.
More details are to follow on the above criteria, but these guidelines give a flavour of what secure data environments will look like. This in turn provides companies with an exciting insight into how they may be able to tap into this invaluable resource in the not-so-distant future.