Three years as National Data Guardian: what I have learnt
Following reappointment for a second term as National Data Guardian, Dr Nicola Byrne reflects on some of the most significant things she has learnt in the role to date.
Earlier this year, I was honoured to be reappointed as the National Data Guardian (NDG) for a second term. The maximum term is six years. As I stand at this midpoint, I have been reflecting on what I’ve learned and how it can inform my strategic objectives and priorities for the remainder of my term. Through my work and the part data can play, I also want to support our new government’s mission to build an NHS fit for the future.
Better data use (that the public trusts) is central to my mission. This is because data is critical to the long-term health of our NHS and to ensuring its principles and values are upheld in practice. My approach to the NDG role, meanwhile, is grounded in my vocation as a doctor. I’m determined to protect the relationship of trust between healthcare professionals and their patients. Those of us entrusted with people’s care are all familiar with the moment a patient hesitates, deciding how much they trust us and whether they feel comfortable sharing highly sensitive information that will be entered into their record. People making system-level decisions about healthcare data must always acknowledge and respect the human element behind that data. I urge decision-makers never to forget where it comes from and why people are concerned about how it is used and by whom.
After my first three years in the NDG role, I remain optimistic about the great potential for research and innovation to improve healthcare outcomes and experiences for everyone, locally and globally, when data is used to unlock vital insights. However, using our information beyond individual care relies on patients having a trustworthy relationship with the health and care system and the third-party organisations that depend on its data. We have witnessed well-intentioned data-driven endeavours fail when this trust was not adequately established amongst professionals and the public. I am here to ensure that we learn from these experiences.
My experience thus far as NDG has then only strengthened what I’ve experienced clinically: healthcare is fundamentally about relationships. The success of any endeavour, whether clinical, operational or technical, depends mostly on a culture of investing in and maintaining healthy relationships. This is true whether we consider relationships between staff and patients, within teams, or across organisations at every level.
Two recent examples.
In discussions about cybersecurity preparedness and response, I’ve been struck by technical experts’ comments about the importance of and greater need for non-defensive collaboration between organisations.
A broader example to consider is what constitutes a healthy relationship between NHS England and Integrated Care Systems. For example, how much central oversight should there be compared to local autonomy in areas such as software procurement or third-party data access decisions? What level of central control would the public expect or consider intrusive?
My NDG experience has most certainly deepened how I think about relationships when it comes to healthcare data, with specific reference to the three areas outlined below:
1. The prerequisites for establishing public trust
Firstly, it has furthered my understanding of how people relate to their own health and care data. It is clear to me that there is a ‘hierarchy of need’ regarding the steps organisations that use data must take to build trust and confidence in those uses.
Privacy is just one concern. Transparency, accountability and fairness are also crucial. Organisations need to demonstrate, rather than claim, that they are trustworthy. They need to be clear with people about who can access the data, for what purpose, who is making the decisions and on what terms, and how the public can have a say.
We shouldn’t only focus on the positive aspects of data use. It’s important to also discuss potential risks, safeguards, and plans for when things go wrong. Because despite everyone’s best efforts, mistakes and deliberate wrongdoing can occur. People have valid concerns about cyber-crime, data breaches, and disruption to critical services. Organisations must demonstrate they not only have strong data privacy protections in place but also well-thought-out and tested business continuity plans. These plans are crucial to ensure they can continue to deliver safe care even if their digital systems are unavailable.
In addition, the public needs to feel confident that effective measures, such as deterrents, are in place to prevent inappropriate access to people’s medical records by those who work in or alongside health and care organisations. Deterrents include technical, contractual, legal, and professional safeguards, including meaningful sanctions if breaches occur. Because it is not enough to have deterrents in principle, sanctions must be enforceable and impactful to uphold public trust in the integrity of the system itself.
Many people still have doubts about third-party involvement with their data. They may feel uneasy about private companies managing data on behalf of the NHS, or about commercial organisations accessing data for research or innovation. Concerns include whether companies’ values align with those of the NHS, the extent of commercial profit made from NHS data, and whether the NHS is getting fair value back, for example, in terms of financial or treatment benefits. However, I do think that these concerns can potentially be addressed provided there is demonstrably strong, transparent and trustworthy governance around decision-making, demonstrating public benefit, and implementing safeguards.
Therefore, to establish trust, organisations must be transparent and operate within the boundaries of public expectations. Respecting the duty of confidentiality owed to our most personal information requires more than just respecting our privacy. It also involves ensuring we can trust that our data will only be used in ways that we would expect and support.
2. The interconnectedness of our health
Secondly, I’ve become more aware of the extent to which our individual health interests are interconnected with each other’s through our data.
As a result, I believe that our personal rights and freedoms should not come at the expense of our obligations and responsibilities to each other. I’d argue this is particularly relevant in the context of our publicly funded healthcare system, where the quality and effectiveness of our care rely on insights gained from the care given to others before us. For example, data derived from others’ care may have led to the development of new medication or the opening of clinics from which we have benefited. Therefore, I actively support a ‘paying it forward’ mindset because while not everyone will personally benefit from every piece of data-driven research, collectively, it’s a win for all of us.
With this in mind, I’ve been encouraged by the growing evidence from research, including our own, which demonstrates that most people are open to having their data used for purposes beyond their care, as long as it benefits the public. However, it’s important to note that national data opt-out rates (opting out of one’s data being used for research and planning) continue to rise. I understand that individuals will have their reasons for exercising this choice. Nevertheless, given the strong indication that the majority of people are in favour of using their data for research and planning, and considering how crucial this is for the future of the NHS, I believe it is my duty to speak up for the public and advocate for the use of their data in ways that benefit everyone. I hope that, over time, as trust is strengthened, this rise won’t simply continue, and people who have opted out will consider opting back in.
3. The importance of being straight with people
Thirdly, I’ve been struck by how much an organisation’s values are often reflected in its communication, both internally with its employees and externally with its stakeholders and the public. This includes what it chooses to say and how it says it. I believe it’s important to be straight with people. Not only is it the right thing to do, but things can get complicated otherwise. However, being open and frank can be as challenging for organisations as it is for people. Organisations can naturally feel anxious to maintain a positive image, which can sometimes lead to a ‘corporate reality gap’: a disconnect between what an organisation says and the actual experiences of patients, the public, and staff.
For example, communications about cutting-edge technologies intended to be inspirational may not be well received if the initiatives are seen as a costly distraction by staff forced to waste precious time grappling with their basic IT. Likewise, by patients who’ve spent all morning on the phone battling to book a GP appointment. It’s essential that aspirational communications about exciting innovations go hand in hand with acknowledging and addressing the fundamental infrastructure issues that frustrate patients and staff.
I’d also stress the importance of using language accurately, whether in public communications or in policy and guidance for professionals. Trust cannot be built if words are used to confuse or distort reality. For instance, I’ve seen attempts to falsely describe some activities that rely on patient data, such as population health management, as ‘direct care’. This attempts to bypass bureaucratic yet essential safeguards that ensure the data processing for secondary uses has an appropriate legal basis. However, calling something ‘direct care’ does not make it so. Language that does not reflect reality corrodes truth and, thereby, trust, so we need to challenge it whenever we encounter it.
What next?
I’m looking forward to the rest of my time in this role. I am fully committed to applying what I’ve learnt so far and continuing to learn. In service to the public, I remain dedicated to promoting the values of transparency, accountability and fairness. I hope my upcoming annual report outlining specific pieces of work over the last year will prove that to you. The report will also contain my strategic objectives, which I’ve refreshed to prioritise what matters most at this point.
In all my work, I will continue to focus on establishing and maintaining a culture of healthy working relationships, including my own. Because here, as with all of health and care, healthy working relationships make ‘the bad stuff’ less likely to happen and ‘the good stuff’ more.