The Yorkshire and Humber Secure Data Environment (SDE) is committed to protecting your personal information and being transparent about how it is used.
This privacy notice explains:
- What data we use
- How and why we use it
- How we keep it safe
- Your rights
Who are we?
The Yorkshire and Humber SDE provides a secure platform where approved researchers can analyse health and related data safely, without the raw data ever leaving the platform.
The SDE is a partnership between NHS organisations and universities. These organisations act as Data Controllers for the SDE:
- Bradford Teaching Hospitals NHS Foundation Trust
- Humber and North Yorkshire Integrated Care Board
- South Yorkshire Integrated Care Board
- The University of Sheffield
- University of Hull
Data in the SDE is managed under strict technological and governance controls to ensure its security, and all the partner organisations meet national data security standards including ISO 27001 and the NHS Cyber Assessment Framework-aligned Data Security and Protection Toolkit.
Why we use your data
Health and care organisations collect information when they provide services to you. This data is a rich source of information about health and illness, and how health and social care services are delivered.
This data is used within the Yorkshire and Humber SDE to support research that benefits the public, such as:
- Improving diagnosis and treatment
- Changing clinical pathways and reducing waiting times
- Improving NHS services
- Understanding long-term health outcomes
Researchers only access data to answer specific, approved research questions that provide clear public benefit.
What does the data come from?
Data is provided by national and local organisations, including:
- NHS England
- GP practices
- Hospitals
- Social care services
- Local Authorities
What data we use
We collect data for everyone who has received care or services from our data providers, unless they have chosen otherwise.
Some of the data is already de-identified when it arrives at the SDE, for instance data from NHS England.
Other data is provided in identifiable form direct from providers. In these cases, we use limited identifying information to link records accurately, such as:
- Name and address
- Date of birth
- NHS number
- Hospital number
- Administrative information
- National data opt-out status
These identifiers are removed once the records are linked, so researchers do not have access to identifiable data or the codes used to de-identify it.
For all data, we process sensitive information, including:
- Health data (conditions, treatments, medical history)
- Care needs and disability information
- Test results (e.g. scans, blood tests, genetic data)
- Ethnic background
- Sexual orientation
Who can access the data?
Only researchers who are approved through the NHS Researcher Validation Service are able to access data in the SDE, and they must complete and maintain data security training.
Additionally, all research projects must be approved by one of the SDE’s Data Access Committees, which includes public representatives, before any data access is granted.
What is the Legal Basis for data processing in the SDE?
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
We use your data under the UK General Data Protection Regulation Article 6 (1)(e), and Article 9 (2)(j). This allows the processing of personal data for research purposes in the public interest.
We also meet our legal duty of confidentiality through approval under the NHS (Control of Patient Information) Regulations 2002.
We do not rely on consent to use data.
Data sharing outside the UK
In specific, limited cases, Yorkshire and Humber SDE may support international research collaborations where there is at least one UK based study site, and where the research provides demonstrable expected benefit to the health of the UK public.
International researchers must meet the same strict security and approval requirements as UK-based researchers.
Do we have any data processors we share information with?
We use trusted technology providers to host and manage the secure system, including:
- Amazon Web Services
- ARO IT Services and Solutions Company
- Catalyst IT Solutions Limited
- Microsoft
- NHS North of England Commissioning Support Unit
- RONIN Cloud
These organisations must follow strict security requirements to ensure data stored in the SDE is protected.
How long do we keep data?
Data is only kept as long as necessary for research purposes and while a valid legal basis exists.
Data in research workspaces is deleted when projects end. The data stored in the SDE is retained in accordance with the data sharing agreements with providers.
Your rights
You have rights under data protection law, including:
- Access– request a copy of your data
- Rectification– correct inaccurate data
- Erasure– request deletion
- Restriction– limit how your data is used
- Object– object to use of your data
In some cases, these rights may be better handled by the organisation that originally collected your data (for example, your GP or hospital). Where this applies, we will direct you to the relevant provider.
Opting out
You can choose not to have your confidential patient information used for research by registering a decision through the NHS National Data Opt-Out link to National Data Opt Out webpage.
You can also register to Opt-Out with your GP practice, in which case none of your GP records will be shared with us for research.
Please note, opt-outs cannot usually be applied to data that has already been de-identified before it reaches the SDE.
Choosing to opt out will not affect the care you receive.
Contact us
If you have any questions about the way we use your data in the Yorkshire and Humber SDE, please contact us at:
Complaints
If you are unhappy with how your data has been used, you can contact us at the above email address.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113