Intended for healthcare professionals

Rapid response to:


Hundreds of patient data breaches are left unpunished

BMJ 2022; 377 doi: (Published 11 May 2022) Cite this as: BMJ 2022;377:o1126

Linked Opinion

NHS data breaches: a further erosion of trust

Rapid Response:

Learn from lessons past to safely unlock the power of health data

Dear Editor,

Your recent article by Esther Oxford (11 May) shines a light on the data sharing processes within the NHS and the organisations accessing this data for research and innovation. As the national institute for health data science these challenges are at the heart of our mission to unlock the power of health data in a way that benefits society and improves people’s lives. Organisations need to act now and work together to support the use of sensitive data in a way that demonstrates trustworthiness and earns public confidence. This can only be done through partnerships with the public, involving people in decisions about data use and access, being open and transparent on how and why data are used, and on what terms, through consistent approaches to data governance and by harnessing privacy-enhancing technology.

These challenges are nothing new. They resonate with decades-long public concern and we must learn from past lessons and recommendations. In 2008, the then Information Commissioner Richard Thomas and Mark Walport Director of the Wellcome Trust published a report to the then Prime Minister on data sharing after the personal records of 25 million individuals, including their dates of birth, addresses, bank accounts and national insurance numbers had been lost in the post by HMRC. One of the 19 recommendations stated that “safe havens should be developed as an environment for population-based research and statistical analysis in which the risk of identifying individuals is minimised….” and went as far as to say “We think that implementation of this recommendation will require legislation, following the precedent of the Statistics and Registration Service Act 2007. This will ensure that researchers working in ‘safe havens’ are bound by a strict code, preventing disclosure of any personally identifying information, and providing criminal sanctions in case of breach of confidentiality.”

Data travel carries risk. There are longstanding examples in the UK where this risk has been attenuated through the adoption of safe havens or trusted research environments (TREs), for example by ONS, the SAIL Databank in Wales, eDRIS in Scotland and more recently from OpenSAFELY and the British Heart Foundation Data Science Centre in partnership with NHS Digital. Failure to learn from data infrastructures of this kind will not result in change or support future innovation.

At Health Data Research UK we are listening to the public and working with the UK’s leading healthcare providers including NHS England and research institutes to advocate for privacy-enhancing technology, including TREs that have robust and independent accreditation, monitoring, and auditing and promote good data governance. Clear guidance on Trusted Research Environments has been published and downloaded almost 4,000 times providing standards and approaches with our 60-plus partners in the UK Health Data Research Alliance. These standards are structured around the Office for National Statistics’ “Five Safes” framework for the access of health data – safe people, safe projects, safe settings, safe data, safe outputs. This approach was endorsed by the recent Government review, led by Ben Goldacre, which sets out principles for the federation of Trusted Research Environments – and how they can be linked, to substantially enhance the scale of secure and trustworthy data linkage and research.

As William Gibson said “The future is already here – it’s just not very evenly distributed.“ For such a matter of great public interest and concern, now is the time to invest in these technologies and support the organisations that are working in partnership to demonstrate trustworthiness in data use.

Yours sincerely,

Andrew Morris, Director of Health Data Research UK
Amanda White, Executive Director Engagement and Insights, Health Data Research UK

Competing interests: No competing interests

17 May 2022
Amanda J White
Executive Director, Engagement and Insights
Andrew Morris, Director, Health Data Research UK
Health Data Research UK