SVMPharma Ltd,Landmark House

Station Road, Hook, Hampshire, UK,

RG27 9HA

CONTACT US enquiry@svmpharma.com

+44(0) 1256 962 220www.svmpharma.com

Patient level data access in the NHS: Generating positive outcomes through RWE

Patient level data access in the

NHS: Generating positive outcomes

through Real World Evidence

The existence of the NHS provides a hugeadvantage to medical studies in the UK. As auniversal service free at the point of access,the NHS has a vast volume of data coveringalmost all of the population, across a variety ofmedical conditions. Sharing of data isinvaluable to providing improved healthcareservices, however there is a necessity toensure information is handled legally,efficiently, and securely. These objectives arestraightforward and, for the most part,uncontroversial. However, the practicalarrangements for delivering them are complexand sometimes confusing. This obligation toprevent information from being improperlyhandled should not stop it being sharedappropriately with organisations in theinterest of improving patient healthcare, so weexamine the how and why of data access inthe NHS.

1. Why do you need access to

NHS data?Patient information is an exceptionally valuableresource, with great potential to improvepatients’ healthcare. Studies use data tounderstand more about diseases, assessingclinical tests, treatments and interventions, andtest the safety and effectiveness of drugs andmedical devices.

Collecting and connecting data nationally willhelp the NHS and pharmaceutical industry to:

• Better understand diseases and developdrugs and treatments that can change lives

• Understand patterns and trends in publichealth and disease, ensuring better qualitycare is available to everyone

• Plan services that make the best of limitedNHS budgets

• Monitor the safety of drugs and treatments• Compare the quality of care provided across

the country.

2. The purpose defines the riskAccessing NHS data means that potentiallyconfidential patient information may beinvolved. The intent of the study will define theexposure risk of confidential data: [1]

Researchers looking to conduct trials andinterventional studies involving allocation oftreatment means identification of individualpatients is unavoidable. Research requires aclear legal basis for data access, as well asethical approval. Many studies employed byReal World Evidence are non-interventional,meaning the risk to disclose confidentialinformation is lower. In these studies, patientconsent is not required, but approval is stillneeded to access patient data.

2

Research Service EvaluationDesigned to find out what

you should be doing, by

conducting studies to test a

hypothesis, including

allocation of treatment.

Designed to answer: “What

standard does the current

service achieve?”

No allocation of treatment.

Clinical Audit SurveillanceDesigned to answer: “Does

this service reach a

predetermined standard?”

No allocation of treatment.

Designed to answer: “What

is the cause of this incident

or outbreak?”

No allocation of treatment.

Many studies employed by Real World Evidence are non-

interventional, and whilst still requiring approval to access patient data, the risk of the need to disclose

confidential information is lower.

Patient level data access in the

NHS: Generating positive outcomes

through Real World Evidence

www.svmpharma.com

©2016 SVMPharma Ltd. All rights reserved

3. How do you access NHS data?

Every organisation accessing data needs anInformation Governance policy in place. Youcan learn more about IG in SVMPharma’s “DataGovernance For UK RWE: What Do You Need ToKnow?” found in our Resource Centre. Thisincludes use of secure networks to send andreceive data, and encrypted UK servers to holdconfidential information.

Those who determine the purposes for, and themanner in which any personal confidential dataare or will be processed (whether they areindividuals or an organisation) are termed DataControllers. Data controllers must ensure thatprocessing of personal data for which they areresponsible complies with the Data ProtectionAct, 1998. Any person or organisation (e.g.SVMPharma) who manages this information onbehalf of the data controller are known as DataProcessors. [1]

Who approves your access to NHS data?When working with the NHS to access data,involvement of healthcare professionals isadvised, particularly when deciding on whatinformation will be useful to the study. Clinicalleads can inform on data and help to refinecollection parameters, assumptions and datagaps. In addition, their consent to access dataregarding patients under their care data isuseful in gaining IG approval.

A team of Information Governance officersmay review your proposed study in order toascertain whether confidential data is beingaccessed, and confirm whether or not patientconsent needs to be sought. Approval for yourstudy lies with the Caldicott Guardian. [2]

The Caldicott Principles were devised toadministrate information governance that couldbe used by all organisations with access topatient information: [1,2]

1. Justify the purpose2. Don’t use personal confidential data unless

it is absolutely necessary3. Use the minimum necessary personal

confidential data4. Access to personal confidential data should

be on a strict need-to-know basis5. Everyone with access to personal

confidential data should be aware of theirresponsibilities

6. Comply with the law7. The duty to share information can be as

important as the duty to protect patientconfidentiality

A Data Access Agreement may be drawn upbetween the data controller(s) and dataprocessor(s) to outline how the caldicottprinciples will be upheld throughout the study.

3

Caldicott Guardian: “A senior person,preferably a health professional, [who]should be nominated in each healthorganisation to act as a guardian,responsible for safeguarding theconfidentiality of patient information andenabling appropriate information sharingby providing advice to professionals and

staff.”Recommended by the ‘Review of the Uses ofPatient-Identifiable Information’, chaired byDame Fiona Caldicott (1997). [2]

www.svmpharma.com

©2016 SVMPharma Ltd. All rights reserved

4. Knowing your data requirementsThe increasing use of electronic records revealsa wealth of available healthcare informationand is a boon to studies looking to link differentdata sets to learn more about diseases orcurrent clinical practice. This data abundancemeans that study collection parameters must bewell defined and limited to extracting only themost salient information and reducing patientidentifiable data.

What are Patient Identifiable data?Despite establishing that data access in the NHScan and should have positive outcomes, dataaccess will be denied if the risk of identifying apatient without consent is too great. The mostdirect way to identify a patient would bethrough extraction of data fields deemed to be‘patient identifiable data’. These fields include:NHS number or any other unique identifyingcode, date of birth/admission/discharge/death,name, or age, to name a few. [1] Whether anysingular identifier actually identifies anindividual depends on the context andpotential linkage with other information. It willbe the job of the Caldicott Guardian to decidewhether the information requested could beclassified as ‘identifiable’.

What are de-identified/pseudonymised data?De-identifying data can be achieved byremoving patient identifiers (effectiveanonymisation), the use of identifier ranges(range instead of age), or pseudonymisation(replacement of identifiers with a uniquecode).[1] Information can be distinguished but isanonymous to the people who receive it (e.g.processors such as SVMPharma), while allowingthose responsible for the individual’s care toidentify them.

Can extracted data be further protected?Information is often accessed via patient leveldata, i.e. information is collected relating to asingle patient. Aggregated data is theconsolidation of data relating to multiplepatients. Typically aggregated data is used forthe generation of routine reports and strategicplanning within the pharmaceutical industryand the NHS. For this reason, it is suggestedthat only aggregate data be shared with otherorganisations requiring the data for modellingor health technology assessment (HTA)purposes. Security concerns for aggregated dataare not as crucial as for patient data, as it isusually impossible to identify a particularperson to an aggregate statistic. However, datacan still be misused and misinterpreted byothers, and should not be distributed withoutadequate data dissemination policies in place.

Data entry Data processing

AnonymisationPseudonymisation

Anonymous data is entered by HCPs to the database,where a unique code is generated to pseudonymise thedata before processing by SVMPharma.

4

“Personal data means data whichrelate to a living individual who canbe identified –(a) From those data, or(b) From those data and other

information which is in thepossession of, or is likely tocome into the possession of, thedata controller”

-The Data Protection Act, 1998 [3]

©2016 SVMPharma Ltd. All rights reserved

www.svmpharma.com

5

1. Williams Lea Information: To share or not to share? The Information Governance Review. Department of Health 2013. Available from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf Accessed May 2016

2. Caldicott et al. Report on the Review of Patient-Identifiable Information. Department of Health 1997. Available from http://webarchive.nationalarchives.gov.uk/20130107105354/http:/www.dh.gov.uk/prod_consum_dh/groups/dh_digitalassets/@dh/@en/documents/digitalasset/dh_4068404.pdfAccessed May 2016

3. Legislation.gov.uk Data Protection Act. 1998. Available from www.legislation.gov.uk/ukpga/1998/29 Accessed May 2016

4. Information Commissioner’s Office Determining what is personal data. 2012. Available from https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf Accessed May 2016

NHS data needs to be shared to enable the health and social care system to plan, develop,

innovate, and conduct research in order to improve patient care and clinical practice. Rigorous

safeguarding the confidentiality of personal information is vital to ensuring data is shared

lawfully, ethically and appropriately.

SVMPharma’s history of working with over 50 NHS Trusts and 100+ healthcare professionals

across various disease areas mean we are practiced in identifying which data fields are

meaningful for your study to provide efficient and confidential extraction of data with minimal

risk to patients’ privacy.

SVMPharma have a tested methodology for accessing your patients’ NHS data

with the care and privacy needed

SVMPharma is an innovative strategic consultancy, specialising in Real World Evidence (RWE) forthe pharmaceutical industry. SVMPharma generates RWE within UK and Europe through bespokeonline Real World Treatment Evaluators, leading to successful health technology appraisal (HTA)submissions. Clinical trial programmes do not reflect real-world clinical practice and outcomes,RWE supplements and enhances clinical datasets. SVMPharma’s specialist teams focus ondelivering the outcomes that matter to your brand. SVMPharma also provides Global RWE, PatientReal World Outcomes, and Big Data Analytics.

To find out more call +44 (0) 1256 962 220

www.svmpharma.com

Written by Dr Harrison Davis

©2016 SVMPharma Ltd. All rights reserved

CONTACT SVMPHARMA

Vaneet NayarDirector SVMPharma

enquiry@svmpharma.com

Tel: +44 (0) 1256 962 220

SVMPharma LtdLandmark HouseStation RoadHook, HampshireRG27 9HA

Visit svmpharma.com

Follow @svmpharma

Follow on Google+

Connect via LinkedIn

Get In Touch