Your data

Every time you use the NHS, information about your care is recorded and used to support your treatment. Together, this creates one of the largest and longest-running health datasets in the world. With strict safeguards, this data can also power research through the Wessex Secure Data Environment, helping to develop life-saving treatments, improve care, and support new health technologies. This page explains what NHS patient data is, how it is kept safe, and what choices you have about its use for research.

Understanding NHS patient data

Health data is any recorded information about a person’s physical or mental health in the past, present, or future.

This means that health data may come from any interaction with the healthcare system, for example during an appointment with a GP, or with a nurse or doctor in a hospital. Health data may also be gathered from medical devices and from diagnostic tests (for example, blood tests or genetic tests).

Each NHS or social care service that you use stores its own record about you electronically. This data is stored in many ways and in lots of different places, using many different types of computer systems.

Health data records include personal information. This includes things like your name, NHS number, or your address. These can be used to identify you and to link records from different places together.

Some health data are simple numbers (like your height or weight) or are picked from standardised lists (like information about prescriptions, test results, or vaccinations). Other data are free-text notes (like the comments your GP writes during a visit).

Since patient data is stored in different ways, and scattered across different services, linking data together is the key for improving care and advancing medical research.

Keeping your data safe

Health and care information is sensitive and needs to be kept safe. The Wessex SDE is designed to meet the Five Safes framework developed by the Office for National Statistics. The ‘Five Safes’ are widely regarded as being best practice in data protection.

The SDE is working with patients, the public, and healthcare professionals in the Wessex region on the design of the SDE, and how we meet the Five Safes framework. Minimum requirements will be set by the government and there will be an accreditation scheme to ensure we meet them. Our approach is explained below.

Governance

Safe data

Health and care organisations from Wessex will send patient data to the SDE.

We will also use data from other public bodies and organisations. Data is encrypted during transfer to the SDE and de-identified before researchers can access it. Researchers only get to see the least amount of data they need for their project. We explain how we do all this in the ‘Protecting your privacy’ section below.

Safe people

The NHS decides which researchers are allowed access to the SDE.

They can only come from approved organisations and must have had appropriate training to use data safely. We control, monitor, and report publicly on who is using the SDE and what they are doing.

Safe projects

All research projects that want to use the SDE need to get approval.

Wessex will have an independent ‘Data Access Committee’ that will take these decisions. This committee will include public representation. While this is being developed we are using University Hospital Southampton’s Data Access Committee.

To provide access to data, research projects must have an explicit aim to benefit patients or the NHS. After a research project is approved, a legal contract is signed to use the data. This contract protects our strict rules.

Safe settings

Data is stored in a highly secure ‘digital lab’ environment with controlled access and robust IT systems to keep it safe.

Only approved users, with approved projects, are allowed into the digital lab to access and analyse data. The NHS controls what researchers can see, any new data they want to bring into the SDE, and the software and tools they can use to analyse the data.

Safe outputs

Once the research is complete, researchers will want to take their results out of the SDE.

Before this can happen, the data they want to take out is reviewed and approved by the NHS to ensure that it is not detailed enough to allow re-identification and further protect privacy. An audit trail is maintained to record all access to patient data and use of the secure data environment.

Protecting your privacy

The Wessex Secure Data Environment (SDE) safeguards your privacy using strict controls. Researchers can only see data where personal identifiers like names, NHS numbers, birth dates, and addresses are removed or disguised. This ensures you cannot be easily identified in a dataset.

The process we use to de-identify data in this way is called pseudonymisation. Personal identifiers in the datasets we hold are replaced with a ‘pseudonym’. This is a unique marker or reference number that does not reveal the patient’s ‘real world’ identity.

A key for linking pseudonyms back to actual patients is also created. These keys are stored separately and securely in the SDE. They are never shared with researchers and even our own team cannot access them without permission.

The SDE’s strength lies in its ability to link together lots of datasets from different organisations to create new, large datasets, while protecting privacy. Our team does this work in a secure and restricted part of the SDE that researchers cannot enter.

Checks are made before any dataset is made available to researchers. Similarly, our team reviews and approves any data that researchers want to take out of the SDE before that is allowed to happen.

Illustration showing a female inside a shield representing protecting privacy

Your choices

You have the right to choose whether your NHS patient data can be used for research nationally or just through the Wessex SDE. In some cases, you can also make a choice for someone else, like your children (under 13) or someone you care for.

Your choice will not affect your care.

Donating your patient data ensures that researchers have more complete and representative information for research into new treatments and technologies. If you are happy with your information being used, you do not need to do anything.

We understand that giving access to your data for research is not right for everybody. If you want to opt-out you can do this using either the National Data Opt-Out or the Wessex Local Data Opt-Out. More information about your choices can be found on our opt-out page.

Opt-out page

Any questions?

Our Frequently Asked Questions page provides key information about the SDE. If you would like to know more, you can submit questions and make enquiries using our Contact form.

Check out our FAQ