Transparency data

Minutes of the National Data Guardian Panel Meeting, 12 March 2024

Updated 14 October 2024

Applies to England

Attendees

Panel members

  • Dr Nicola Byrne (chair)
  • Dr Joanne Bailey
  • Dr Natalie Banner
  • John Carvel
  • Dr Edward Dove
  • Dame Moira Gibb
  • Sam Bergin Goncalves
  • Dr Fiona Head
  • Mr Adrian Marchbank
  • Maisie McKenzie
  • Eileen Phillips
  • Rob Shaw
  • Jenny Westaway
  • Professor James Wilson

Office of the National Data Guardian team

  • Ryan Avison
  • Dr Helen Bauckham
  • Dr Vicky Chico
  • Layla Heyes
  • Karen Swift

Guests

  • Timir Goswami - NHSE
  • Louise Greenrod - DHSC
  • Mark Gubby - NHSE
  • John Hodson - NHSE
  • Shaid Hussain - NHSE
  • Gareth James - DHSC
  • Katy Lindfield - NHSE
  • Tom Lymn - DHSC

1. Welcome, apologies, and declarations of interest

National Data Guardian (NDG), Dr Nicola Byrne, chaired the meeting.

  • Apologies were received from Professor Ian Craddock and Dr Arjun Dhillon.
  • Dr George Fernie, Vice-chair of the UK Caldicott Guardian Council, attended as an observer.
  • This was the final panel meeting for members Dr Joanne Bailey, Eileen Phillips, and Sam Bergin Goncalves, and the NDG thanked them for their support. The NDG also confirmed that panel member Dr Edward Dove will be leaving panel in September 2024.
  • Dr Nicola Byrne confirmed she has been re-appointed for a second term as National Data Guardian. The term lasts three years, from 17 March 2024 to 16 March 2027.
  • There were no conflicts declared.

2. Minutes from previous meeting, actions, and decisions

Panel members accepted the minutes from its 16 January 2024 meeting as an accurate record. One minor amendment was highlighted under item 4 to be corrected before publication.

Head of the Office of the National Data Guardian (ONDG), Ryan Avison, confirmed that there are no open actions. They were all completed prior to this meeting.

3. Key updates

Ryan Avison led the key updates, providing a summary of key ONDG activities since the last panel. Other ONDG members also contributed.

3.1 New member of staff in the ONDG

Following their appointment, a new privacy specialist will join the ONDG team in April.

3.2 Federated Data Platform information governance arrangements

The NDG met with NHS England to discuss the information governance (IG) documentation for both the Federated Data Platform (FDP) and its associated privacy enhancing technologies (PET). The FDP programme has committed to engaging closely with the Information Commissioner's Office (ICO) and NDG as it develops its overarching information governance documentation for the programmes. The NDG appreciates the commitment to engage the NDG and the ICO on the development of these documents and recognises that the FDP team is working at pace to meet demanding timelines.

3.3 Reasonable Expectations project update

Helen Bauckham, Project Manager in the Office of the National Data Guardian (ONDG), provided a recap of the Reasonable Expectations project, outlining the timeline, key personnel involved, and anticipated project outputs.

Helen updated panel on the recently completed co-design phase of the project. She explained that the co-design phase had exceeded the initial timeline expectations. However, she emphasised that this extension was essential to ensure the accuracy of the materials with the partner programmes before advancing to the public deliberation phases. The communication materials are currently being developed by the research supplier design team at Thinks Insight and Strategy to transform the content into leaflets for each partner programme, focusing on formatting and design aspects.

Helen explained that the research supplier is currently developing the first draft of the workshop materials, designed to guide constructive, meaningful discussions capable of delivering the required outputs. These materials will be shared with the wider project team for review and feedback.

A panel member, and expert member of the project’s working group, expressed concerns about not having had the opportunity to review any materials for the deliberative workshops and focus group stages. They emphasised the importance of having a detailed plan for these phases, and allowing sufficient time for review, deliberation and development with the wider project team. Helen and Vicky Chico explained that the primary focus to date had been on ensuring the accuracy of communication materials for testing with partner programmes. In the future, the office project team will work closely with the research supplier to develop strategies for running the deliberative workshops and focus groups and gathering feedback on the workshop materials.

4. Data Security and Protection Toolkit and Cyber Assessment Framework

Mark Gubby, Timir Goswami, John Hodson, and Shaid Hussain from NHS England (NHSE) and Katy Lindfield from the Department of Health and Social Care (DHSC) joined the panel meeting as guests. They were invited to discuss NHSE and the DHSC’s plan to implement the Cyber Assessment Framework (CAF) within the Data Security and Protection Toolkit (DSPT).

Their discussion paper outlined:

  • How the health and care CAF presented in the DSPT will build on the success of the National Data Guardian’s 10 data security standards (NDG standards).
  • A proposal for a phased withdrawal of the NDG standards, supported by the adoption of minimum expectations that the CAF sets standards which are more robust or at least as stringent as those currently set through the DSPT, thereby maintaining and strengthening the underlying objectives of the NDG standards.

The NDG reiterated that the introduction of the 10 data security standards across the NHS was an outcome of the Review of Data Security, Consent and Opt-Outs. The standards were not published as official guidance, although the review’s recommendations were accepted by the government in 2016.

Panel members discussed the key themes from the presentation and made several observations. They thought that moving to an outcomes-based model could be a more meaningful tool to help measure and mitigate risks, where the emphasis would be on good decision-making and not what ticks a compliance box. Panellists appreciated that what people are required to do under the CAF framework will remain constant and stable for many years, with only the minimum achievement level varying from year to year. This stability is important as it will enable organisations to plan better to meet their responsibilities.

Panel members were reassured that a health and care CAF overlay would be embedded within the DSPT, adding further outcomes in a custom section on ‘using and sharing information appropriately’. This will ensure that the data protection, confidentiality, and other information governance issues will continue to be fully covered in the DSPT. Panel members were reassured that NDG standards had been considered and mapped to this new overlay. However, the panel noted that during the review process that led to the 10 NDG security standards, it was found that data breaches were caused by people, processes and technology, and strong leadership was essential to address these issues. As a result, the standards were clustered into leadership obligations. The panel members raised concerns about how the leadership element of the NDG standards would be maintained and whether it would be given less importance by embedding the standards in a CAF overlay.

The panel members believed that stakeholder communication would be essential and recommended that the NDG should issue a joint public statement with colleagues from NHSE and DHSC. The statement should explain why the NDG is supporting the adoption of the new CAF-aligned information standard. The panel also suggested it would be crucial for the NDG to make it clear that the change is an ‘evolution’ of the existing standards and not a ‘withdrawal’ of the NDG standards.

The NDG and her panel thanked the NHSE and DHSC representatives for attending the meeting.

24.03.12/4.1: The ONDG to consider with NHSE/DHSC how the leadership elements of the NDG standards will be maintained through the proposal and to look at drafting a joint statement on the evolution of the NDG standards.

5. National Data Opt-Out (NDOO) reform paper

Louise Greenrod and members of the DHSC/NHSE Joint Digital Policy Unit’s Data Policy Team attended the NDG’s Panel meeting to update on current plans for the reform of the National Data Opt-Out (NDOO).

They confirmed that they will use the large-scale public engagement exercise they are running later this year to engage members of the public on the subject. They explained that the public engagement exercise is intended to cover a wider range of topics than just opt-out – and in particular to meet the public engagement commitments made in the 2022 Data Saves Lives Strategy. The DHSC and NHS England are jointly leading the engagement work and will establish a steering group to advise on it.

A discussion about the complexity and constraints of the existing NDOO model followed. With a specific reference to opt-out, panel members expressed a concern that the objectives of the public engagement exercise, as currently drafted, may not be clear or well-defined enough to prompt useful ‘actionable’ feedback from participants. They suggested that the scope should be narrowed, or that more clearly defined options for opt-out reform should be presented to the public for discussion. The DHSC Data Policy Team acknowledged these points, noting that this was an early opportunity for input ahead of the design phase of the public engagement work and that they are keen to engage further as the work progresses.

The NDG and her panel thanked the DHSC representatives for attending. The ONDG will continue to engage with the DHSC and NHS England representatives and report back to panel as plans for the public engagement exercise progress.

6. Any other business

No further points were raised.