The UK’s new Health Data Research Service: Balancing Innovation and Privacy

Last week, the UK government announced the establishment of a new Health Data Research Service (the “Service”); a significant initiative aimed at revolutionising medical research. The Service intends to streamline research by providing a safe and centralised access point to national health datasets, improving patient care and accelerating medical advances.

This initiative, backed by a substantial £600 million investment from the UK Government and the Wellcome Trust, will be based at the Wellcome Genome Campus in Cambridgeshire.

It is notable that this announcement is set in the context of the ongoing government focus on Life Sciences as a key growth area. It builds on other initiatives aimed at boosting UK clinical trials, such as the recent creation of Commercial Research Delivery Centres (“CRDCs”) intended to enhance the speed and efficiency of commercial clinical research delivery, backed by a £72 million investment from the National Institute for Health and Care Research. Additionally, the government is undertaking a major overhaul of clinical trials regulations which are intended to bring the UK broadly in line with EU standards. These new regulations, which we posted about previously in 2023, will come into force in early 2026 following a 12-month implementation period.

Key Details of the Service

The government’s announcement of the Service follows the recommendations of the Sudlow Review; an independent review of the UK’s health data, published in November 2024. We previously commented on this review in the following article. In short, the Sudlow Review emphasised the need for a more efficient and accessible health data infrastructure to unlock the potential of the UK's health data, which aligns with the intention of the new Service.

The Sudlow Review emphasises that throughout the COVID-19 pandemic national programs were able to link and analyse health data in a secure way. This made it possible for practitioners and policymakers to share knowledge regarding successful treatments and make informed policy decisions. However, such access is no longer the norm.

The Service will also streamline the process of accessing various datasets, which are currently scattered across different parts of the NHS. By consolidating these datasets into a single, secure platform, the Service aims to eliminate the need for multiple time-consuming applications, thereby accelerating the pace of medical research.

A notable target outlined in the government’s announcement is the intention to reduce the time required to set up clinical trials from over 250 days to just 150 days by March 2026. The Service is also expected to reposition the UK as an attractive destination for clinical trials, thereby driving growth in the life sciences sector and contributing to the government's broader economic strategy.

Implications

The government has stated that it intends to ‘transform the access to NHS data’ and ‘slash red tape for researchers’ through the Service. However, this raises the critical question of how health data will be adequately protected within the utilisation of the Service.

Health data is a particularly complex area within the UK’s data protection regime. Health data is classified as ‘special category data’ under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”) and requires additional safeguards to protect such data (such as seeking express consent). The Sudlow Review notes that although most participants in clinical trials will give their express consent to participate in a trial, “consent is rarely – if ever – the lawful basis for access to health data for research”. This is because consent must be specific to the intended processing and seeking updated patient consent for each strand of research can be challenging. Alternatively, it is worth noting that health data can be lawfully processed and shared for public health purposes or conducting research without requiring express consent from the data subject, provided that ‘suitable and specific measures’ are in place. 

Some of the protective methods broadly referenced in the government’s announcement include ensuring that all personally identifiable information is removed from the datasets before they are made accessible to researchers through the centralised national access point, as well as implementing rigorous security protocols to protect the data from unauthorised access and breaches. A measure mentioned in the announcement is establishing virtual locked rooms, which would facilitate online access to groups of documents containing health data. Common security features of virtual locked data rooms include encryption, the possibility of using watermarks, and modifying document functionalities to control whether documents can be downloaded and printed. However, it should be noted that locked rooms are not infallible, and it should be expected that the integrity of such security measures will be subject to increased scrutiny, in particular following the ICO’s strong response to breaches involving health and genetic data. This includes the £3.07 million fine recently imposed on Advanced Computer Software Group for failing to provide the necessary Multi Factor Authentication security steps to protect NHS medical data), as well as incidents involving 23andMe and various HIV charities.

Furthermore, the centralisation of health data triggers concerns about data ownership and the use of proprietary data. While patients ultimately retain ownership of their health data, the NHS is the legal custodian of such data; once anonymised however, institutions and researchers may have to navigate complicated licence agreements before acquiring access to the proposed virtual rooms. Clear guidelines on licensing terms, including the scope of permissible use and any restrictions on data sharing, will be essential. The potential commercialisation of research findings derived from NHS data leads to further complexities and ethical considerations. 

Takeaways

The announcement of the new Health Data Research Service marks a significant step forward in the UK's efforts to enhance medical research and improve patient care. A huge barrier to medical research can potentially be overcome through the Service; researchers who previously needed to present numerous time-consuming applications to access the numerous datasets now dispersed around NHS systems, will be able to access a single, secure platform that compiles available datasets.

By providing a secure and streamlined platform for accessing NHS data, the Service is expected to accelerate the development of new treatments and therapies, ultimately benefiting patients and the broader healthcare system. However, it is crucial that the implementation of this Service is accompanied by robust data protection measures to ensure the confidentiality and security of health data.

If you have any questions or would otherwise like to discuss how the recommendations may impact you or any other issue raised in this article, please contact Rory Trust, Patrick Parkin, Madelin Sinclair McAusland, Amanda Leiu  or a member of Burges Salmon's data team. 

This article was written by Victoria McCarron.