Who are the ‘Data Guardians’?

Last updated on 22 Jun 2021

Data Guardians might sound like something from a comic book, but this collection of organisations, statutory bodies, charities, individuals and even laws are all working together to protect your interests and your data – even though you may never have heard of them.

The General Practice Data for Planning and Research (GPDPR) data collection would allow NHS Digital to gather patient data, but use of this is tightly regulated. There are many organisations, ‘data guardians’, that protect end-to-end use of the data. One of those is the Health Research Authority. We review every request for use of identifiable patient data without consent for research purposes.

The NHS holds and uses a wide range of patient data, and carefully controlled access to this information during the pandemic enabled researchers to quickly develop treatments and vaccines, and allowed primary healthcare to protect and support the most vulnerable.

While the response to the pandemic has made it more apparent how sharing data for research and healthcare planning can save lives, it is nothing new. In the 1990s a suggested link between the MMR vaccine and autism led to a mass boycott of childhood vaccines. By reviewing GP records of vaccinated children and following those children’s progress, researchers were able to disprove any link and rebuild confidence in lifesaving jabs.

But this type of research can only work if most people are included. Tracking disease through the whole community gives invaluable information for everyone’s benefit.

And we know that trust is the cornerstone of confidence not to opt out. NHS Digital has announced a delay in implementing GPDPR to help people better understand why sharing health data is important and how it will be kept safe. Today NHSX launches its new draft strategy to build understanding on how data is used, the potential for data-driven innovation and improving transparency so the public knows how their data is used.

So, we’ve brought together a list of organisations that act as the gatekeepers and champions of your data, along with details of where people can go for guidance and where data is held. This list is not exhaustive and there may be others not captured here.

‘The way patient data is collected and stored is of fundamental importance, but arguably as important is how and why it is used. Even after GPDPR has collected your data into a secure environment, other approvals must be gained for it to be used on a case-by-case basis. For example, if a pharmaceutical company wants to access GPDPR to develop a new treatment, permission from our Confidentiality Advisory Group and a Research Ethics Committee will have to be obtained. We will ensure that the use of the data is in your interests, and for patient or public good.’

Matt Westmore, Chief Executive at the Health Research Authority

Organisations that provide safeguards around the use of health data

Health Research Authority – an arm’s length body of the DHSC with the responsibility to protect and promote the interests of patients and the public in research. We protect your data through our:

Confidentiality Advisory Group - An independent committee of experts and lay people which provides advice on requests to use confidential patient information, advising the Health Research Authority (HRA) for research uses and the Secretary of State for Health for non-research uses.

Research Ethics Committees – Committees that review research applications and safeguard the rights, safety, dignity and well-being of research participants. Each committee consists of up to 15 members, a third of whom are 'lay' – meaning their main professional interest is not in a research area, nor are they a registered healthcare professional.

‘The Confidentiality Advisory Group reviews application requests to use identifiable patient data where it is not possible to get patient’s consent. We balance the benefit to the public and the NHS against any possible risk of re-identification and only support applications when there is no other option but to use identifiable data. We ensure that measures to inform the public are robust and always supported by evidence from working with patient groups. Protecting patient confidentiality is our primary task.’

Tony Calland, Chair of the Confidentiality Advisory Group

Data Controllers – individuals or organisations who are responsible for data and ensure that the data is protected appropriately by ensuring that collection, processing and disclosure are legally compliant and that individuals are treated fairly in relation to the use of their data. The Information Commissioner has the power to take action against them if they do not conduct their duties and individuals can bring claims for compensation and damages. This covers all personal data and is not limited to health and care data.

Independent Group Advising on the Release of Data (IGARD) – An independent committee that reviews requests for access to data through the NHS Digital Data Access Request Service, in accordance with its Terms of Reference.

Information Commissioner’s Office – An independent authority which upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. They cover all personal information, not just health and care data.

National Data Guardian - advises and challenges the health and care system to help ensure that citizens’ confidential information is safeguarded securely and used properly.

Public Health England Office for Data Release - The Office for Data Release provides a common governance framework for responding to requests to access PHE data for secondary purposes, including service improvement, surveillance and ethically approved research.

UK Council of Caldicott Guardians - A Caldicott Guardian is a senior person within an organisation who is responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. All NHS organisations and local authorities which provide social services must have a Caldicott Guardian. The UK Council of Caldicott Guardians provides support for Caldicott Guardians and others fulfilling the Caldicott function within their organisation.

Champions - public groups that advocate on health data

medConfidential - medConfidential is an independent organisation working with patients and medics, service users and care professionals, drawing advice from a network of experts in the fields of health informatics, computer security, law/ethics and privacy. It campaigns for confidentiality and consent in health and social care.

Understanding Patient Data – an organisation which is building a community through creating resources, conducting analysis and hosting dialogues with the public, patients and healthcare professionals to make uses of patient data more visible, understandable and trustworthy, for patients, the public and health professionals.

Use MY data - an independent group of patients, relatives and carers that educates on how health and care data is used, works with its members to understand their aspirations and concerns around the use of health data in healthcare, service improvement and research, and advocates to improve patient decision making, treatment and experience.

Guidance about health and care data

MRC Health Data Access Tool – guidance for researchers on how to access routinely collected health data, including the approvals required and the application processes.

NHSX IG Portal – a collection of guidance advising patients and service users, health and care organisations and IG professionals on the requirements around handling health and care data.

Research data environments - where health data is held

Clinical Practice Research Datalink – A data store of health and care data that contains anonymised patient data from a network of GP practices across the UK. This data is also linked to a range of other health related data to provide a longitudinal, representative UK population health dataset. The data encompass 60 million patients, including 16 million currently registered patients.

Health Data Research UK Innovation Gateway – A website that provides a searchable resource of available health and care datasets. The Gateway is mainly for researchers, innovators, and data custodians to learn about and apply to use health datasets safely and securely.

NHS Digital Data Access Request Service – A data store that provides access to the data held by NHS Digital once applications have been reviewed by IGARD (see above). NHS Digital holds a range of datasets which are used by researchers and those planning health and care services to improve health and care provision.
