Updated February 2022
This notice is to tell you about why and how The Health Foundation processes data about patients.
The Health Foundation is an independent charity committed to bringing about better health and health care for people in the UK. As part of our work, we apply for and are granted access to data about patients and their experiences in the health service, to enable us to conduct in-depth analysis for specific, approved projects. Having access to patient data allows the Health Foundation to analyse the impact of new initiatives and to gain insights on trends in people’s health and care in order to drive learning and improvement.
Our activities extend across three key work streams:
- Improving health service delivery
- Making health policymaking more effective
- Promoting healthier lives for all
The data used as part of our projects comes from different data suppliers. These data suppliers include NHS Digital, NHS England and the Medicines and Healthcare Products Regulatory Agency, among others.
The data we access about patients tells us about:
- when they have visited hospitals and their GP practices
- any operations and treatments they have received
- experiences of health and social care services such as care homes and the 111 non-emergency phone number for medical help
When we apply to access data about patients from these organisations, we are required to make a formal application. In the application, we have to explain what data we would like to access, why we want to access them, how we will use the data (e.g. analysis techniques) and what our outputs will be (such as journal publications, official reports). We must:
- Demonstrate that we have a legal basis for accessing and using the data, under the UK General Data Protection Regulation (UK GDPR). See legal basis section.
- Describe our robust data protection systems to look after the data
- That at the end of the project, we can and will securely destroy the data; and that we can confirm and demonstrate this
All the information we hold on patients is de-personalised. This means that we can’t tell who the patients are, because we never receive names, addresses or patients’ NHS numbers. We only hold data about patients and their journey in the health service to do our analysis. Examples include data about how long patients stay in hospital, what they are diagnosed with, and some basic demographic information such as age, gender and ethnicity. More information about patient data and how they can be used for analysis can be found at the Understanding Patient Data website.
Maintaining data security
We are committed to keeping the data we analyse about patients safe and secure, therefore we will always use state-of-the-art infrastructure, which is properly assessed, to store and access any sensitive data. Our secure remote data centre, the Secure Data Environment (SDE), is the key part of this ensuring among others that the data we hold are never transferred outside the UK. The SDE is accredited to two standards: the NHS Digital Data Security and Protection Toolkit and the ISO27001 Information Security Management standard. Both of these standards are about ensuring we have the right controls in place for protecting data. They also list procedures and policies that we should have in place and follow. We are audited against both standards every 6 months.
All staff, contractors and other researchers that support our work by working on these data in our SDE must undergo Information Governance training and sign an appropriate Non-Disclosure Agreement promising to maintain the confidentiality of the data even when they are working from home. We check all of the work produced before it leaves our secure system to make sure that patients can’t be identified. At the end of each project the data will be securely destroyed in accordance with our contract with data owners.
We employ a number of data professionals to help manage the data we use. Their job is to receive the data, and make sure that the right analysts have access to data for the correct projects. They are also responsible for ensuring that the data is destroyed when projects have been completed, in line with the Data Sharing Agreements that are in place with the organisations we receive data from.
Who at the Health Foundation uses patient data?
Improvement Analytics Unit
The Improvement Analytics Unit is a partnership between NHS England and the Health Foundation, which provides rigorous data analysis to determine whether new ways of delivering care are having an impact.
The Improvement Analytics Unit analyses patient data through the Secure Data Environment. All staff with access to the environment, whether employed by The Health Foundation or NHS England, have to complete information governance training and are contractually bound to maintain patient confidentiality. View a list of publications where we have used data about patients
In-house analytics team
The In-house analytics team use data about patients for a variety of projects. Our work examines various aspects of health, health care, and social care, for example using data to investigate how well the health service cares for care home residents, patients with multiple health conditions, or those from deprived areas. We also design and create new data initiatives, such as the Networked Data Lab, to ensure that the UK has the data assets it needs to improve health. View a list of publications where we have used data about patients
REAL Centre
The REAL Centre (Research and Economic Analysis for the Long term) provides independent analysis and research to support better long-term decision making in health and social care. The team use data about patients to look at forecasting future demand caused by having a condition (for example diabetes) or a combination of conditions and the pressure this puts on the health service in terms of activity and costs, as well as looking at the cost of providing services in hospitals (e.g. routine operations). View our publications
We do not pass on any of the data we have received to any third-parties, including academic organisations, health care organisations (including public sector) or commercial companies. We simply do not pass on data to others.
| Name of data | Description | Purpose |
| Hospital Episode Statistics | Inpatient, outpatient and accident & emergency hospital records data for patients in England. | We use these data to analyse the quality of care delivered by the NHS, funding pressures, health inequalities and productivity. |
| Mental Health Services data | Data about children, young people and adults, who are in contact with mental health, learning disabilities or autism spectrum disorder services. The data does not include actual full care records, or narrative text. | We use these data to analyse the quality of care delivered by the NHS, funding pressures, health inequalities and productivity. |
| Patient episode database for Wales | Hospital records including inpatient, outpatient and accident & emergency data for Wales. | We use these data to analyse the quality of care delivered by the NHS, funding pressures, health inequalities and productivity. |
| Secondary Use Services hospital data |
Inpatient, outpatient and accident & emergency hospital records data for patients in England. For some local areas, the data is |
We use these data to analyse the quality of care delivered by the NHS, funding pressures, health inequalities and productivity. |
| Clinical Practice Research Datalink | This database contains records about patients and their visits to GP practices, including diagnoses made and treatments prescribed, as well as referrals to hospitals. | We use this data for a number of projects: - Understanding of the impact of COVID-19 on primary care and consequences for population health - Understanding how primary care has changed since 2000 - Examining whether the association between multiple long-term conditions and mortality risk varies across sociodemographic groups - Estimating the prevalence of common menstrual disorders - Forecasting future health service demand in primary care - International comparisons of high-need health service users - Trends in remote GP consultations and the impact of remote consultations on antibiotic prescribing |
| Linked primary and secondary care data for Tower Hamlets | General practice and hospital data about patients aged over 50 and at high risk of emergency admission. | We use these data to evaluate integrated care pathways in Tower Hamlets. |
| NHS 111 and out-of-hours GP services linked to A&E data | Data about patients who call NHS 111, and their activity in out-of-hours GP and emergency departments. | We use these data for our analysis into the effect of clinical input during a 111 call on emergency department attendance. |
| Minimum master patient index |
GP registration records of patients in UK, including month and date of birth, gender and local area of where the patient lives. For some local areas, the data is linked to information about new services and treatments available. |
We use the data in the Improvement Analytics Unit to provide rapid feedback on the progress being made by local health care projects in England to improve care and efficiency. |
| General Practice Extraction Service (GPES) Data for Pandemic Planning and Research (GDPPR) | This dataset comprises general practice data on patients registered in England including ethnicity, sex, GP practice and diagnoses and treatments. | We use a specific extract of the data in the Improvement Analytics Unit to evaluate the effectiveness of the Covid Oximetry @ Home initiative. |
| Second Generation Surveillance System (SGSS) | Data on COVID-positive tests, including the full date of first COVID-positive test. SGSS is the national laboratory reporting system used in England to capture routine laboratory data (mainly on infectious diseases and antimicrobial resistance). | We use a specific extract of the data in the Improvement Analytics Unit to evaluate the effectiveness of the Covid Oximetry @ Home initiative. |
| Covid Oximetry @ Home Onboarding Data | This dataset lists the dates of patients onboarding (enrolling) onto the Covid Oximetry @ Home intervention. | Used by the Improvement Analytics Unit to evaluate the effectiveness of the Covid Oximetry @ Home initiative. |
| Covid Oximetry @ Home Offboarding Data | This dataset lists the dates of patients offboarding (leaving) the Covid Oximetry @ Home intervention. | Used by the Improvement Analytics Unit to evaluate the effectiveness of the Covid Oximetry @ Home initiative. |
| Office for National Statistics (ONS) Mortality data | This data set includes the registered date of death of any patients eligible for the Covid Oximetry @ Home intervention. | We use a specific extract of the data in the Improvement Analytics Unit to evaluate the effectiveness of the Covid Oximetry @ Home initiative. |
The Health Foundation has restricted access to these data under a Control of Patient Information (COPI) notice. The Secretary of State for Health and Social Care has issued NHS Digital with a Notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require NHS Digital to share confidential patient information with organisations entitled to process this under COPI for COVID-19 purposes.
Because all patient information we hold is de-personalised, we cannot identify individuals from the data. For this reason, we cannot respond to subject access requests, or apply one's 'right to be forgotten'. To find out more about what we mean by depersonalisation, please visit this resource on Understanding Patient Data. For information about your rights concerning data, you can visit the Information Commissioners website.
The legal basis for processing the data we hold
In order to work with the data we hold, the Health Foundation is required to have a legal basis for accessing personal and special category data to comply with Article 6 and Article 9 of the General Data Protection Regulation (GDPR).
Our legal basis under Article 6 is ‘legitimate interest’. Our legitimate interest for using these data is grounded by the fact that as a health research institute, we are interested in using patient and other data to improve health, healthcare, and the health service. We do not think that anybody would be too surprised to find out that an institution such as ours, would apply to access such data for the purposes of improving the healthcare and health outcomes. The purposes stated in all of our applications to access patient data are, broadly, to lead to improved outcomes of health and better delivery of healthcare services.
Our legal basis under Article 9 is condition J, which allows us to work with special category data if it is necessary for scientific research purposes. As part of this condition, we must also have measures in place to protect the patient data; our secure data environment, accreditation, and security policies, are examples of how we meet this requirement.
Often, there may be ethical considerations about how we use patient and other data. This may depend on the subject of the analysis we are attempting to undertake, and therefore the data about the individuals used for these analyses. Some subjects may be topical, and may be in the news, and therefore there may be some nervousness about the subject we are analysing; however, we will only undertake analyses if they fall into our mission of improving health and healthcare and healthcare delivery. Often, we are trying to provide evidence to add to the debate about how the health service is managed, and therefore the topics we use personal and special category data to analyse may weigh heavily in the public conscious.
Acknowledgements
We would like to thank our patient partners for their help and advice putting the contents of this page together. We are committed to working with the public and patients wherever possible.
Contact us
If you believe that we have misused data or wish to complain about our policies or procedures, you are entitled to lodge a complaint with a supervisory authority. The ICO is the supervisory authority for the use of data in the UK. Please see their website for more information.
If you have any concerns about how your personal data is being collected and processed, or wish to exercise any of your rights detailed in our Privacy Notice please contact:
The Health Foundation Data Protection Officer (DPO)
The Health Foundation
8 Salisbury Square
London
EC4Y 8AP
Work with us
We look for talented and passionate individuals as everyone at the Health Foundation has an important role to play.
View current vacanciesThe Q community
Q is an initiative connecting people with improvement expertise across the UK.
Find out more
