MIL-OSI United Kingdom: The data strategy: a blueprint for the evolution of a trustworthy data system?

1

Source: UK Government

I believe that our ability to successfully achieve better things through data and digital hinges on the strength of the relationships that will deliver this change. And whether it’s ICSs working together to innovate well, or organisations looking at how best to engage the public on data matters, understanding, trust and respect are central to these relationships. It is with this belief in mind that I read and considered the government’s new data strategy, Data Saves Lives – asking to what degree the commitments it makes provide a blueprint for the evolution of a trustworthy data ecosystem, and whether it provides for all of the conditions that must be met in order to create an environment in which innovation can flourish.
I had advised on an earlier draft that the importance of public trust needed a greater emphasis, and so was pleased by the strong focus it was given in the published version, alongside the recognition that “The data we talk about is not an abstract thing: there is an individual, a person, a name behind each piece of data.” This is important. People need to know that the government understands just how unique this highly private information is – and that as such, commitments will be needed to demonstrate how confidentiality will be protected and respected. The data pact (or ‘charter’) it is proposing to co-author with the public will be a good start.
Also important was the government’s admission that it made mistakes with the General Practice Data for Research and Planning (GPDPR) programme by taking people’s trust for granted, and that it needed to do better to rebuild and strengthen that trust. The strategy outlines that to tackle this, it will:
keep data safe and secure
be open about how data is used
ensure fair terms from data partnerships
give the public a bigger say in how data is used
improve the public’s access to their own data
Maslow’s ‘hierarchy of need’ is useful here. It is a concept from developmental psychology that describes the conditions needed for humans to reach their full potential. It is visualised as a layered pyramid: at the bottom are our most basic requirements (food and shelter) with successive layers incorporating more complex emotional and social needs. I found it helpful to think about the data landscape in these terms. What are the conditions that must be satisfied before our health and care data ecosystem can reach full maturity in terms of its trustworthiness to patients and professionals alike? And does what the strategy is proposing sufficiently meet them?
I would suggest that in this parallel, those conditions are:
legal compliance
strong privacy protections
a commitment to transparency
establishing and demonstrating public benefit
ensuring appropriate mechanisms for choice
sharing power with the public
Legal compliance
At the most basic level, a data system must demonstrate legal compliance. However, whilst lawful data use is a necessary foundation, it is insufficient alone. Previous failed national data initiatives have been lawful. To earn trust, organisations need to do more than not break the law, as the final version of the data strategy implicitly recognises.
Strong privacy protections
All health and care data is collected within a relationship of trust. Maintaining confidentiality is essential for people to feel able to share information with those caring for them; the consequences of not doing so are great. Given this, the strategy’s commitment to privacy enhancing technology is reassuring.
In particular, the shift towards data access in secure data environments (SDEs) – of which trusted research environments (TREs) are a subset – and away from routine disseminations is a significant development and a move that I strongly support. The ethical framework that underpins the use of the SDEs through the use of the ONS’s ‘5 safes’ is also key. For those who haven’t read it, what Professor Ben Goldacre says about TREs in his recent review is very informative. It is important that the government gets the governance wrapper and accreditation framework right for SDEs so that standards and safeguards are consistent, and what is in place as the ‘gold standard’ in the national SDE is scalable and achievable elsewhere.
A commitment to transparency
We know that whilst privacy remains a key concern, it is not the only concern that people have. There is good evidence, including from empirical research during the pandemic, that how data is being used and why, and who is making decisions about it – and what motivates those decisions – are also questions that matter. I’d therefore place transparency as the next condition to be met. This includes good public engagement and dialogue – providing people with clear, accessible information about who will be accessing their data and why, the safeguards that are in place and what choices they have about it. There should also be a commitment to working out in the open as all of these changes are implemented.
The strategy makes strong commitments in these areas. I was pleased to see pledges to make it clearer to people how and why data is being used, including the provision of information about the benefits and risks of use, the safeguards in place, and how people can opt out of sharing for purposes beyond than their own care if they choose. The plan for rebuilding public trust will be a pivotal deliverable that I am keen to get into the detail of. I have also been asked to feed into work on the data pact, which the strategy says will “set out how we will use health and care data and what the public has the right to expect”. As a product that will set the scene for the public in terms of their data, we need to get this right.
Establishing and demonstrating public benefit
Taking us to the next level is how a system ensures, evaluates, and demonstrates, the public benefit from data use. Society’s familiarity with the beneficial uses of data has improved thanks to its prevalence in conversations around the pandemic. However, this does not mean that an enduring trust can be presumed which grants a social licence for all future uses of data collected in providing care for other purposes that may benefit the public. Trust is context and use-case specific. The likely public benefit of any new data use needs to be established. This must include demonstrating credible, authentic engagement with potential risks and their mitigations, as well as the exciting opportunities from data use.
When it comes to public benefit, transparency remains key. There must be clarity about the role of third-party data access, including by profit-making commercial companies. The strategy speaks simply of ‘innovators’ which masks the complexity; it is important to be clear about who may benefit from any data use in addition to the public, whether that is a commercial company or an academic institution – and also why that may be necessary and justifiable. The system must be straight about the ‘who’ if it is to develop the maturity for more complex discussions about ‘how, when, what and why’ of fair data partnerships.
Also of note here is the reference in the strategy to the Centre for Improving Data Collaboration’s work on a value-sharing framework to support good data partnerships. I hope to see this framework evolve in a way that will support better conversations with the public about the value of data and what ‘fair’ terms for the NHS might look like in practice.
Ensuring appropriate mechanisms for choice
As public sector organisations and systems evolve and become more complex, with increasing ambitions to deliver public good, the rights, agency, and experiences of individuals – both the professionals within it and the public it serves – can get lost as the system strives to ‘deliver’. In this context, actively maintaining individual choice regarding how data about them is used is an important ethical safeguard.
It was reassuring, therefore, to see opt-out, which was absent from the draft strategy, now included in it. I am looking forward to hearing more about, and getting involved in, the plans for ensuring that the opt-out landscape is simplified. Opt-out choices need to be clear, coherent, simple to action and – perhaps most importantly – authentic: we need to ensure that they are doing what people expect them to do. There is work to be done with the public to navigate the tension between providing for the common good (through more efficient and safe individual care, planning, research, and innovation) and establishing what people should have a right to determine for themselves regarding when and how their confidential data is used.
Sharing power with the public
Finally, I’d propose for any organisation or system to reach full maturity it needs to develop the capacity to be self-reflective about how power is exercised and experienced, both by those working within it and receiving its services. I was very struck by the repeated use of the word power in the data strategy. But what does a mature exercise of power look like? It is demonstrated by a system confident enough to genuinely engage, listen and respond to what it hears, and strong enough to think how power can be meaningfully shared. This has to involve independent scrutiny and challenge, and public involvement in decision-making.
I was therefore pleased to see the strategy commit to undertaking in-depth public engagement, including working with seldom-heard groups, to consider policy questions such as the delivery of SDEs and the future of opt-outs. I was also delighted to see the commitment to a statutory safe haven for health and care data in NHS England, where data access decisions will be subject to independent scrutiny, as well as the commitment to the sharing of decision-making power with the public in the strategy’s draft guidelines for SDEs: ”secure data environments must ensure that patients and the public are actively involved in the decision-making processes to build trust in how their data is used”.
These are good examples of how systems can improve and strengthen trust by being open to challenge. There is much that can be learned here from the experience and expertise within existing independent bodies such as the Independent Group Advising on the Release of Data (IGARD) and the Confidentiality Advisory Group (CAG). If delivered well, these commitments will demonstrate system maturity in action: transforming words around power to meaningful deeds.
Some final thoughts
Some of the strategy’s commitments have very ambitious delivery timescales, which I hope are achievable. As the strategy now transitions into delivery, much detail still needs to be worked through around many of the commitments. This includes the sizeable pledge to engage with the public to build trust. It is important to move at pace where this is practical and achievable, but some things will take time to get right, and I think working with the public, and working out how best to involve and engage them, is one of those things. Equally, determining the nature and intent of any legislative changes concerning identifiable data will also be critical.
This is an exciting time to be NDG. My panel and I are hopeful for the future as outlined in the strategy, and we look forward to supporting all those working hard to improve health, care and treatment experience and outcomes through better use of one of our most valuable national assets: our health and care data.

MIL OSI United Kingdom