Health data security: report’s implications for pharma

Following the recent publication of the Department of Health’s response document on data security issues, Adam Marsh and Hassan Chaudhury highlight and assess the points that could have an impact on the pharma industry.

Adam Marsh (left) & Hassan Chaudhury

On 12 July England’s Department of Health (DH) published its response to the National Data Guardian’s (NDG) Review of Data Security, Consent and Opt-Outs, and the Care Quality Commission’s Review Safe Data, Safe Care.

At over 80 pages, Your Data: Better Security, Better Choice, Better Care is a hefty document and, while much of it is of marginal interest to the pharma industry, some parts could have a major bearing on how it works with the NHS in future.

The document has four sections: Data Security Standards; Data Sharing and Opt-Outs; Equality Issues; and Patient Empowerment.

Here are the key points from each section, followed by commentary on how they may impact the industry.

Data Security Standards

  • The Government accepts the NDG’s 10 Data Security Standards (listed in Appendix D of the report).
  • The Government will make increased funding available to improve data security and IT systems in the NHS.
  • It will actively promote CareCERT, the new advisory body for healthcare data security.
  • It will redesign the Information Governance Tool Kit by April 2018.

The majority of this will only impact the NHS and how it operates, but there are a few things to bear in mind, particularly in relation to the NDG’s Data Security Standards:

  • All staff accessing patient data will need to be suitably trained (Information Governance Training). This will impact on the staff you can use when interacting directly with patients.
  • All access to data has to be attributable to an individual. Presuming this is implemented along the current lines, this will be done via smartcards [1]. This is an additional cost to consider for clinical trials, where you want to access patient medical records, or ‘beyond-the-pill’ schemes.
  • All software should be updated to actively supported systems and software. This should prevent the NHS using outdated systems that are difficult to interact with (either digitally or in person).
  • IT suppliers to be held accountable for their systems, and making sure that they are compliant with all Data Security Guidelines. Generally speaking, this already happens, but it is worth checking when talking to these companies to avoid negative repercussions later.

Data sharing and opt-outs

This section will have the most impact on the pharmaceutical industry.

  • A national Opt-Out of having your data shared will be developed which will simplify and standardise current options. (This is to be implemented by March 2018, with full transition to the new opt-out by 2020).
  • Legislation to put NDG on a statutory footing
  • More severe penalties for data breaches (May 2018)
  • Better communication, both with patients and across stakeholders
  • NHS Digital to implement a tool to allow patients to access and understand how their data is being used (by March 2020)
  • A continued commitment to explicit consent of the patient being the gold standard
  • Secretary of State for Health can give an exemption of a patient’s Opt-Out for invoice validation purposes
  • The Opt-Out does not apply to anonymised data as long as the ICO Guidelines and Caldicott Principles are applied.
  • New Anonymisation Guidelines to be devised by 2018.

A new national Opt-Out will create a standardised form (code?) to look for, simplifying how to identify patients whose data you are not allowed to use. It will also provide a good indicator of whether a patient is likely to want to take part in a clinical trial, which is useful for patient recruitment.

Putting the NDG on a statutory footing and allowing more severe penalties for data breaches adds a greater imperative for you and your subcontractors to get it right.

Communication and transparency are running themes throughout the report. If these are implemented, it should clarify what you can and can’t do, rather than having to send up test balloons each time you want to try something new.

Depending on how the NHS Digital Tool is implemented, this could be one of the few negative points for pharma in the report. Aggregating information into practice summaries with broad categories could work quite well, and would have a limited effect on you. However, if implemented down to the individual patient and project level, this could be a huge administrative burden for both companies and the NHS, quite possibly stifling the current growing interest in research and cooperation.

A lot of the report is rewriting the rules on how data sharing consent works, so an explicit statement is welcome confirming that written consent from the patient still trumps everything else.

The continuation of the current rules allowing the Secretary of State for Health to override an Opt-Out for invoice validation might be yet another signal from the DH that it is keeping the door open for Innovative Pricing Schemes (in particular, outcomes-based schemes).

And, the big point: the Opt-Out does not apply to anonymised data. This finally answers the question of consent for Electronic Health Record (EHR) retrospective studies and prospective patient tracking. If you don’t have any patient identifiable data, the data can be shared freely, providing you meet the relevant guidelines. This should make the UK a paragon of research, lowering the barrier to entry and allowing greater insight to support the development of new treatments, and improve patient outcomes.

Equality issues

It is a well-known problem that there is a great amount of heterogeneity in the NHS, in terms of population and also standard of care. It is hoped that through better data sharing, some of these inequalities can be removed. What this means, in simple terms, is that data quality and the baseline standard of care should increase generally over the whole NHS. Increasing the baselines of care will make treatments more effective in real terms (patient outcomes) and should improve the calibre of coding for research.

Patient empowerment

  • Patients to have greater control of their own care
  • New Digital Health Tools to be created and implemented (apps etc)
  • uk to replace NHS Choices (September 2017)
  • Book appointments online
  • Technology to be implemented to improve diagnosis and record keeping
  • Link apps (and their data) to patients’ Summary Care Record.

The key point in this final section is the encouragement of apps and wearables, and (more importantly in some ways) linking that data to the patient’s EHR (even if it is just the Summary Care Record at this point). In theory, this starts the process of bringing huge amounts of potential data into a space where it can be utilised, for both the patient’s care and research.


The key points for the pharma industry are largely in the Data Sharing and Opt-Outs section. This supports the government’s aim to make the UK a research-friendly territory, exemplified by the Prime Minister’s ‘Ten strategic pillars’ for modernising Britain’s industry, as outlined back in January: that the UK ‘… must become a more innovative economy and do more to commercialise our world-leading science base to drive growth across the UK.’

This comes at an interesting time for the industry. Recent statements from the Association of the British Pharmaceutical Industry (ABPI) hinted that if the UK didn’t start prescribing its new treatments, companies would stop running clinical trials in the UK (a scary thought for anyone who works in the research sector). This suggests that both Whitehall and pharma see the solution to the increasing pricing stalemate to be promotion of pharma research in the UK: making the UK a paragon of research will encourage pharma to run more studies, which, in turn, will encourage the NHS to be more invested in prescribing the treatments after launch. The problem is that the first move sits with an already overstretched NHS.

As with all reports, the real detail will be in the implementation – how these changes are acted upon, regulated and perceived by the NHS on the ground. However, it does signal a renewed DH commitment to the same broad vision it has been articulating through documents like the ‘Five Year Forward View’, to modernise and digitise the NHS.


  1. Smartcards are issued to each member of the NHS when they join and allow a relatively quick login process to NHS computer systems. Each smartcard has a unique identifier added to the system the member of staff needs to access. Any activities on the system are linked to a smartcard login and, in turn, to a specific member of staff. This is how the NHS currently gives access to its computer systems and tracks which staff have changed or added information.


About the authors:

Adam Marsh is Research Business Development Associate at CK Aspire. Prior to this, he worked at Optimum Patient Care, focused on their EHR database, research support and NHS-facing respiratory review service.

Hassan Chaudhury is chief commercial officer and a co-founder at Health iQ, developing real-world data solutions for industry. His background is in NHS informatics, public health, commissioning and commissioning support.

He is also an Honorary Research Officer at Imperial College, London, teaching data science, a lay advisor at the Royal College of Ophthalmologists and a committee member of the PM Society.
