Secure data environments (SDEs) are data storage and access platforms that uphold the highest standards of privacy and security of NHS health and social care data when used for research and development. They allow only approved users to access and analyse data without the data leaving the environment.

More information is available on our research page and on the NHS Research Secure Data Environment Network page.

Only approved users, with approved projects, are allowed to access and analyse data, and only approved non-identifiable outputs can leave the environment. SDEs will allow the NHS to control:

• who can become a user to access the data
• the data that users can access
• what users can do with the data in the environment
• the information users can remove.

You can find more information on the research and your data pages.

In some cases, researchers may gain approval to access identifiable data within a secure data environment, where it is necessary to conduct research for patient and public benefit. Only approved aggregated outputs can leave the secure data environment. SDEs make it faster and more secure to gain access to life-saving data, while offering the highest levels of data privacy.

You can find more information on the your data page.

 

As set out in the strategy data saves lives, we will increasingly bring people closer to their data. We will harness data to improve patient safety and communicate openly and honestly to give people confidence. Currently, individuals can access data held about them through a subject access request or a freedom of information request. The data strategy sets out our plan to strengthen the ability for the public to see how their data is used through improving technology to enable everyone to have easy access to their own health and care data.

To analyse and make best use of all the data it holds, the NHS and care system needs to work in partnership with a wide range of organisations:

• academic researchers may be able to answer important questions using data
• commercial analytical companies may have the best expertise and technologies for making sense of large and complex information from hospitals and GP practices and can help the NHS redesign and improve patient services
• charities may use data to identify gaps in service provision for the groups they represent
• pharmaceutical companies use data to help develop drugs or test their effectiveness or safety.

You can find more information on the collaborators page.

 

NHS and care organisations are committed to keeping people’s information safe and being transparent about how it is used. There are strict rules around how data can, and cannot, be used and shared to protect privacy, security, and confidentiality. Providing access to data must have an explicit aim to benefit the public, the health and care system, or both. Data must never be shared for insurance or marketing purposes.

You can find more information on the your data page.

 

The West Midlands SDE, and its supporting technical team, comply with a range of best practice industry cybersecurity standards and ‘defence in depth’ design principles. These principles involve using multiple layers of independent security measures to strongly minimise potential security and data integrity risks when managing and looking after valuable data.

 

The West Midlands SDE

The West Midlands SDE stores and processes data on cloud-based remote servers and in physical buildings. Most data is held on cloud computing in a highly secure warehouse. Small amounts of data is moved to high-performance computers used in physical NHS data centres to support low-cost research. All the data is protected by automated threat-detection systems and is encrypted, whether it is in use or not. The structure of the overall system and its operation comply with the principles laid down by the National Cyber Security Centre, which is the UK government’s principal authority for securing computer systems against threats.

The West Midlands SDE team has also worked extensively with key suppliers to complete the NHS design. All areas of the West Midlands SDE are regularly penetration tested to ensure there are no technical vulnerabilities that could be exploited by malicious actors.

 

Technical team

Each member of the technical team will complete NHS-standard information governance training. They will also receive further training, including the benchmark international information security standard ISO27001, for which the West Midlands SDE has received independent accreditation. This process defines the risks and associated management controls for the secure operation of the West Midlands SDE by the technical team. Each member also receives extensive technical training, including on the UK Statistics Authority’s ‘Five Safes’ framework for data access, and foundational courses covering cloud, data, and cybersecurity best practice.

Secure data environments for research will be the primary way of accessing data, although there may be exemptions in very specific circumstances, such as consented clinical trials. In these cases, the highest standards of security and confidentiality will continue to apply. Any organisation that wants access to data must have a clear and legal reason to do so for health and care purposes (never for insurance or marketing). Only the minimum amount of data needed to meet the specific purpose will be made available.

When providing external partners (for example researchers and industry) access to data for legally valid reasons, they must meet very high standards around transparency and accountability. These are clearly set out in our five principles governing data-sharing arrangements entered into by NHS organisations, published in July 2019. These principles are in line with the Data Ethics Framework.

You can find more information on the research page.

There is no difference between what were previously called TREs and what are currently called SDEs for research. Based on public engagement, the term ‘secure data environment’ is now the recommended alternative term to ‘trusted research environment’.

The Federated Data Platform is not a data collection. It is software that will help connect disparate sets of data and allow them to be used more effectively for care.

It will sit across NHS trusts and integrated care systems allowing them to connect data they already hold in a secure and safe environment. GP data will not be part of the national platform.

The software will be ‘federated’ across the NHS. This means every hospital and integrated care board will have its own version of the platform that can connect and collaborate with other data platforms as a ‘federation’. This makes it easier for health and care organisations to work together, compare data, analyse it at different geographic, demographic and organisational levels and share and spread new effective digital solutions.

We need researchers to keep trying to find new, life-saving medicines and treatments, especially for our biggest health problems such as cancer and dementia.

We also need a better understanding of the health and care needs of people living in our region so we can support them to live healthier, longer lives by transforming the way we work.

What we can learn by analysing people’s health and care data is the key to making all this possible.

If you are happy for your health and care information to be used for research and care planning, you do not need to do anything.

However, it is entirely your decision. If you would like to opt out, you can find out how on our Local Data Opt-Out page and our National Data Opt-Out page.