Collecting and using health data

The UK Statistics Authority and its executive office, the Office for National Statistics (ONS), process a large quantity of personal data. This includes collecting, storing, using, and deleting data to produce aggregate National and official statistics and statistical research. All our staff will come across personal data in some way.

Our data come from a variety of sources, such as mandatory and compulsory surveys and administrative sources in the public and private sectors. The ONS has a policy specific to managing special category data, however health data require additional considerations beyond this policy. Specifically, we must have regard for patient confidential information. This is information where the patient sharing the information would expect it to be treated as confidential. It could include information that both identifies the patient and includes some detail about their medical condition or treatment, and other personal data such as demographic data.

This policy considers what users should be aware of when collecting and using health data, particularly patient confidential information, to produce statistics and statistical research. It supplements the special category data policy by focusing on the additional considerations that are unique to health data from a data protection perspective, and with regards to the common law duty of confidence.

This policy applies to all UK Statistics Authority and ONS employees including staff on fixed-term, temporary or permanent contracts, staff on secondment, students, and contractors. It applies to those who use our services (for example, the Secure Research Service and the Integrated Data Service (IDS)) who collect and use special category data to produce statistics and statistical research.

The UK Statistics Authority takes data protection seriously and adheres to the UK General Data Protection Regulation (GDPR) principles in all its business interactions that involve the processing of special category personal data, including health data. The UKGDPR principles state that personal data shall be:

• processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency)

• collected only for specified, explicit and legitimate purposes (Purpose Limitation)

• adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation)

• accurate and, where necessary, kept up to date (Accuracy)

• not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data are processed (Storage Limitation)

• processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage (Security, Integrity and Confidentiality)

We are also responsible for, and must be able to demonstrate compliance with, the data protection principles referenced (Accountability).

As part of the Office for National Statistics' (ONS's) statutory functions, we process special category data in accordance with the requirements of Article 9 and 10 of the General Data Protection Regulation (GDPR) and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

When the ONS is collecting and processing special category personal data, including health data, it does so under the lawful processing condition outlined in Article 9 (2) (j) of the UK GDPR: "Processing is necessary for archiving in the public interest, scientific or historical research purposes or statistical purposes based on UK law." This processing also complies with Article 89(1) of the DPA 2018.

In addition, we must satisfy the common law duty of confidence: common law confidentiality is not codified in an Act of Parliament but built up from case law through individual judgments. The main principle is that the information shared should not be used or disclosed further, except as originally understood by the confider, or with their subsequent permission. Although judgements have established that confidentiality can be breached "in the public interest", these have centred on case-by-case considerations of exceptional circumstances.

However, common law confidentiality can also be overridden or set aside by legislation. This is the case when applicable or relevant data are shared with the ONS for statistical purposes. In the ONS's case, this legislation is the relevant sections of the Statistics and Registration Service Act (SRSA) 2007, as amended by the Digital Economy Act 2017, which are used to enable applicable data to be shared with the ONS for its functions (primarily the production of official statistics). These sections state that "a disclosure does not breach any obligation of confidence owed by the public authority making the disclosure, or any other restriction on the disclosure of information (however imposed)".

Further, for any personal information processed by the ONS, including patient confidential information acquired under the SRSA, then section 39 of the SRSA provides a statutory confidentiality to such information:

"Personal information held by the Board in relation to the exercise of any of its functions must not be disclosed by any member or employee of the Board, member of any committee of the Board, or any other person who has received it directly or indirectly from the Board."

(The legislation refers to the UK Statistics Board, of which the ONS is part).

Examples of the ONS processing health data, and patient confidential information include the production of mortality and health statistics, such as those released as part of our response to the coronavirus (COVID-19) pandemic, and to support census transformation.

Wider frameworks exist in the UK, beyond the Office for Nationals Statistics (ONS), for the protection of health data. Some aspects of these are relevant to this policy.

Notably, the National Data Guardian for Health and Social Care in England (NDG) is an independent, advice-giving post established by the Department of Health and Social Care. They advise on the safe use of people's confidential health and care data. They consult and intervene on matters such as data confidentiality and security, the effective use of data, public engagement and dialogue, public benefit, and the importance of individual choice. By providing advice, guidance, and challenge on the use of people's data, the NDG encourages the building and maintenance of systems and practices that are transparent and trustworthy.

The NDG is a statutory post, and its powers and responsibilities are laid out in the Health and Social Care (National Data Guardian) Act 2018. The role's powers enable the NDG to give advice and issue official guidance to the health and adult social care system. But they can also give advice more generally to non-health and care system bodies, providing it is about health and adult social care data. The NDG is not a regulator and does not hold enforcement powers.

Related to this, the first NDG, Dame Fiona Caldicott, oversaw the creation of Caldicott Guardians. This is a role that all public bodies exercising functions that relate to the health service, adult social care or adult care support in England, and that process confidential information about patients and service users, should appoint. This includes other organisations providing services as part of the publicly funded health service, adult social care, or adult care support pursuant to arrangements with a public body.

Caldicott Guardians help their organisations to ensure that confidential information about health and social care service users is used ethically, legally, and appropriately. Caldicott Guardians should provide leadership and informed advice on complex matters involving the use and sharing of patient and service user confidential information, especially in situations where there may be areas of legal and/or ethical ambiguity. The NDG provides guidance to Caldicott Guardians to assist them in their role.

Finally, the Health Research Authority (HRA) leads on the appropriate use of health data for research (including patient confidential information in particular) in England and Wales, with equivalent systems operating in Scotland and Northern Ireland.

All the practices described in the wider Office for National Statistics' (ONS's) special category data policy apply to health data. They are not repeated here. In addition, the following apply.

Lawfulness and ethical considerations

The ONS has a statutory function to produce and publish statistics in relation to the UK (section 20 of the Statistics and Registration Service Act (SRSA) 2007), This is to support its statutory objective of promoting and safeguarding the production and publication of statistics that serve the public good (section 7 of the SRSA 2007). The ONS may collect health data directly from data subjects through voluntary surveys and studies (such as the Coronavirus (COVID-19) Infection Survey) or from organisations that already collect, hold, and use health data for their own purposes (such as NHS Digital and the Department of Health and Social Care).

Data are acquired from other organisations only where this is compliant with relevant legislation. Sections 45B and 45C of the SRSA 2007 provide a power for Crown bodies and other public authorities (respectively) to share the data they hold with the ONS to produce statistics, without requiring the consent of the individuals to whom the data relate. Although General Data Protection Regulation (GDPR) usually restricts the use of personal data to the purpose for which the data were originally collected, there is special provision within the UK GDPR that permits further use of data for statistical and research purposes (Article 6(1)(e) of the UK GDPR).

Use of health data in the production of statistics will in most cases be under the following lawful basis, and in accordance with the ONS privacy notice:

"Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject" as stated in Article 9, Subsection 2, point j. Where a different lawful basis may apply, this will be made clear to data subjects.

The processes followed when using the SRSA in this way are generally different to those followed by many other organisations seeking to access similar health data, using other legal bases. For example, they may obtain Health Research Authority (HRA) approval and undergo NHS Research Ethics Committee review.

However, ONS governance and procedures for using the SRSA powers are robust and provide equivalent scrutiny and assurance. For example, in terms of robust ethical scrutiny, rather than consulting a NHS Research Ethics Committee, the ONS consults the National Statistician's Data Ethics Advisory Committee on its uses of health data and patient confidential information. The committee is independent and provides challenge across a range of ethical principles; notably, by assessing the balance between the public good of producing any new official statistic proposed by the ONS versus the privacy risks that result from the processing required, and the public acceptability of such processing.

The ONS consulted the National Data Guardian (NDG) in 2018, before first using its powers under section 45 of the SRSA to acquire electronic health records to produce official statistics. In addition, the ONS:

• will continue to periodically consult the NDG

• is committed to considering any advice provided in response

• is committed to engaging with any wider initiatives rolled out by the NDG office

Transparency

In terms of health data that the ONS collects directly from subjects, the ONS will publish clear and accessible transparency materials. For example, the ONS publishes detailed information and protocols for its COVID-19 Infection Survey.

In addition, all processing associated with the secondary use of electronic health records by the ONS is in line with the wider ONS privacy notice. This includes the fact that there is statutory provision for the ONS to safeguard confidentiality because of section 39 of the SRSA 2007.

The ONS also compiles and makes available a register of all data sources that include personal information (458 KB, XLXS) and are used by the ONS for its functions. This includes what the data are, how they are used, and the legal basis under which they were acquired. All external health data sources are included in this register.

Most electronic health data that the ONS processes are shared with the ONS by NHS Digital under a series of Data Sharing Agreements. These agreements are public and appear on a register maintained by NHS Digital.

The use of patient confidential information for the production of official statistics is exempt from the National Data Opt-Out. The ONS sets this out and the reasons why on the ONS website.

Minutes from the National Statistician's Data Ethics Advisory Committee are publicly available.

Caldicott Guardian

While the ONS is not required to have a Caldicott Guardian, it has chosen to create this role given the processing of health data that it undertakes. The ONS's director for Health Analysis and Pandemic Insight takes on the role of ONS Caldicott Guardian. They fulfil their responsibilities as set out in the Caldicott Guardian guidelines by:

• ensuring that the confidentiality of patient confidential information is achieved through the ONS's wider processes for ensuring confidentiality, including commitments made in its data protection and special category policies

• advising on disclosures of confidential information, and whether they can be made in line with the common law duty of confidentiality

• working closely with the ONS Data Protection Officer, Head of Data Ethics, and the ONS Data Governance Committee to champion any health-specific data issues as required

Training

In addition to the standard ONS training on data protection, ONS health analysts are experienced users of health data. They receive specialist training on statistical disclosure control for health data when producing statistics. The ONS Health Analysis and Pandemic Insight directorate also has a small number of specialists with more detailed knowledge of health-specific data protection considerations, ethical issues and legislation. In conjunction with the ONS legal service and ethics teams, they provide an advisory service to all health analysts as required.

Compliance

All staff, contractors and others working on behalf of the UK Statistics Authority and its executive office, the ONS, are required to comply with this policy. Compliance with the policy will be monitored by the Data Protection Officer.

National Statistician and the Statistics Board

The National Statistician and the Statistics Board are responsible for the organisational compliance with data protection legislation and are ultimately accountable to Parliament.

Data Protection Officer (DPO)

The DPO monitors compliance and provides advice and guidance to the organisation on all matters relating to data protection. The DPO reports to the National Statistician.

Data Protection Compliance and Audit (DPCA)

The DPCA team within the Data Governance Legislation and Policy branch reports to the DPO and monitors and audits the organisation's compliance with data protection. The team will also provide advice and guidance to the organisation.

Legal Services

Legal Services provide advice and support to the organisation on all legal matters. They are accountable to the National Statistician.

Chief Security Officer (CSO)

The CSO and their team ensure organisational services using special category personal data are compliant. They are accountable to the National Statistician.

Security and Information Management Team

The Security team oversee and implement the Office for National Statistics' (ONS's) security procedures across the office. They provide oversight to all data management activities, including those specifically related to health data. The team are accountable to the Chief Security Officer.

Departmental Records Officer

The Departmental Records Officer is responsible for records management and document storage and provides advice. They are accountable to the Chief Security Officer.

Information Asset Owner and Data Steward

The Information Asset Owner (IAO) and Data Steward role holders are responsible and accountable for data governance activities assigned to them as part of their appointment to the role. Data governance responsibilities relating to this policy include:

• responsibility for decisions on use, transfer and access requests for data assets that contain special category data, and oversight around associated processing activities

• decision making in relation to project or user accreditation relating to access to special category data

• ensuring a data sensitivity assessment has been undertaken for assigned data assets that contain special category data, and that associated risks are managed accordingly

IAOs are accountable to the National Statistician.

Caldicott Guardian

Caldicott Guardians help their organisations to ensure that confidential information about health and social care service users is used ethically, legally, and appropriately. In the ONS, they do this in collaboration with the Data Protection Officer, and the assistance of specialist health data IAOs. They are accountable to the National Statistician.

National Statistician's Data Ethics Advisory Committee (NSDEC)

NSDEC consider project and policy proposals that make use of innovative and novel data from the ONS, the Government Statistical Service (GSS), and beyond. They advise the National Statistician on the ethical appropriateness of these. This is especially important for projects that use health data.