Transparency data

Minutes of the National Data Guardian Panel Meeting, 17 September 2024

Updated 27 February 2025

Applies to England

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/national-data-guardian-panel-meeting-minutes-2024/minutes-of-the-national-data-guardian-panel-meeting-17-september-2024--2

1. Attendees

1.1 Panel members

  • Dr Nicola Byrne (chair)
  • Dr Natalie Banner
  • John Carvel
  • Claire Delaney-Pope
  • Dr Arjun Dhillon
  • Professor Edward Dove
  • Dr Fiona Head
  • Mr Adrian Marchbank
  • Maisie McKenzie
  • Dr Jess Morley
  • Professor Daniel Ray
  • Rob Shaw
  • Jenny Westaway

1.2 Office of the National Data Guardian team

  • Ryan Avison
  • Dr Helen Bauckham
  • Dr Vicky Chico
  • Layla Heyes
  • Rachael Merrison
  • Karen Swift

2. Observers

  • Dr George Fernie – Vice-chair UKCGC
  • Eric Sutherland - Senior Health Economist OECD

3. 1. Welcome, apologies, and declarations of interest

National Data Guardian (NDG), Dr Nicola Byrne, chaired the meeting.

  • Apologies were received from Dame Moira Gibb and Professor James Wilson.
  • The NDG confirmed that this was Professor Edward Dove’s final panel meeting. The NDG thanked him for the invaluable support and guidance he provided during his time on the NDG’s panel.
  • Claire Delaney-Pope, Chief Privacy and Assurance Officer and Data Protection Officer at South London and Maudsley NHS Foundation Trust (SLaM) has joined the NDG’s Panel. Claire introduced herself and provided a brief background of her career.
  • Dr George Fernie, Vice-chair of the UK Caldicott Guadian Council and Eric Sutherland, Senior Health Economist, the Organisation for Economic Co-operation and Development (OECD) (previously Executive Director, pan-Canadian Health Data Strategy), attended as observers.
  • Panel member Dr Arjun Dhillon (an NHS England employee) declared a declaration of interest on Item 4 the Data Access Policy Team & Data for Research and Development Programme Team update. Arjun confirmed that he is not currently working with that programme. The chair and panel agreed that he could take part in discussions.
  • Claire Delaney-Pope also declared a declaration of interest on Item 4, the Data Access Policy Team & Data for Research and Development Programme Team update. Claire has a professional link to the London Regional Secure Data Environment (SDE). She is the Southeast London information governance (IG) Lead and is part of the OneLondon IG group, which is currently reviewing the governance for this programme. The chair and panel agreed that she could take part in discussions.
  • Professor Daniel Ray also declared that he is advising on the SAIL scientific advisory board. The SAIL databank is a repository of anonymised, person-based data for health and social care research in Wales. The chair and panel agreed that he could take part in discussions.
  • There were no other potential conflicts of interest declared.

4. 2. Minutes from previous meeting, actions, and decisions

Panel members accepted the minutes from its 09 July 2024 meeting.

All actions were agreed as having been completed prior to this meeting.

5. 3. Key updates

Ryan Avison led the key updates, summarising key ONDG activities since the last panel. Other ONDG members also contributed.

5.1 3.1 Changes to the NHS Data Security and Protection Toolkit: adopting the Cyber Assessment Framework as its new assessment mechanism

On the 3 October 2024, the NDG and NHS England published a joint statement regarding the NHS Data Security and Protection Toolkit (DSPT). The statement announced that the DSPT will adopt the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its new assessment mechanism, replacing the current NDG 10 Data Security Standards as the basis of the assessment. The NDG acknowledged the DSPT programme team’s thoughtful engagement with the ONDG throughout this process, noting their impressive responsiveness to feedback. As a result of the joint working the basic principles embodied in the three leadership obligations of ‘people, process and technology’ from the NDG’s standards remain fundamental and are built into the CAF’s requirements.

5.2 3.2 NDG annual report 2023 - 2024

The NDG annual report is currently in the stakeholder checking phase and once all approvals are in place it will be shared with the sponsor team at DHSC and published in 2024.

The NDG is also refining her strategic objectives, taking into consideration Lord Darzi’s report on the state of the National Health Service in England. The NDG is interested to consider how she can feed into the Secretary of State for Health and Social Care’s strategy to develop a 10-year NHS plan.

5.3 3.3 Large Scale Public Engagement work

The NDG provided an update on the Department of Health and Social Care’s large-scale public engagement programme, for which she chairs the steering group. The first phase (Cohort 1) report has been drafted and is planned to be published in October 2024.

Following the change of government, the programme team sought ministerial approval to restart their engagement efforts. The Secretary of State has now approved the resumption of the programme, albeit to a revised timeline. The team will proceed with Cohort 2, which will focus on primary care data and Cohort 3, which will look at addressing opt outs.

5.4 3.4 NDG policy position on reflective practice as integral to safe direct care

Dr Vicky Chico, Senior Privacy Specialist in the Office of the NDG, provided a further update on the development of the reflective practice position paper, which has been discussed at previous panel meetings. The paper has been discussed in detail with professional regulators and the Health Research Authority’s Confidentiality Advisory Group (CAG). CAG has fed back its ‘strong agreement’ with the position as outlined in the paper. The NDG has written to the DHSC Data Policy team and NHSE’s Privacy, Transparency and Trust team to review the paper. The ONDG intends to work with NHSE’s IG policy engagement team to create guidance for frontline staff, which will be available via the NHS IG Portal.

5.5 3.5 Legal scrutiny of the Federated Data Platform (FDP) Product Data Protection Impact Assessment (DPIA) – NHS Privacy Enhancing Technology (PET) National Data Opt Out (NDOO application)

The ONDG confirmed that they had raised the recent piece published in the Register at the FDP Information Governance (IG) meeting.

5.6 3.6 Reasonable Expectations project

Dr Helen Bauckham, Senior Project Manager in the Office of the NDG, provided a recap of the Reasonable Expectations project, outlining the new timelines and progress to date. She reported that the team recently concluded the qualitative phase, during which they tested the co-designed communication materials with the public in deliberative workshops and focus groups, and revised the materials based on participant feedback.

Helen also updated panel on the ongoing development and planning of the quantitative phase, which will involve further testing the communication materials with the public through a survey. Thinks Insight and Strategy, the research supplier, will conduct cognitive and usability interviews to refine the survey before they disseminate it to a wider audience. Helen noted that unforeseen delays in the project have resulted in a two-month zero-value contract extension, pushing the project’s conclusion to December 2024. She informed panel members that a dedicated panel session to discuss the project will now be scheduled for early 2025.

6. 4. Data Access Policy Team and Data for Research and Development Programme Team update

The Data Access Policy Team and Data for Research and Development Programme Team attended panel to provide a background to the Secure Data Environments (SDE) programme, including programme development and policy updates, the recent ‘transition to data access’ document and an update on upcoming SDE accreditation standards.

Panel members discussed the key themes from the presentations and highlighted some critical areas that needed further consideration.

Panel members discussed the importance of the SDE accreditation standards and the need for a balance between national consistency and regional autonomy in the governance of SDEs. The panel emphasised that a robust accreditation process would be key to building and maintaining public trust in SDEs. A discussion around the interaction between regional and national SDEs followed, with questions raised about accountability, oversight and the need for consistent governance structures.

The NDG and panel members highlighted the importance of embedding the systematic evaluation of public benefit (noting published NDG guidance) into criteria during the request for data access process. Panel members also discussed the need for a focus on transparency about the programme and its associated processes, given that transparency is the foundation for public trust. Panel members also questioned the implications of failing to reach the required standards to meet an SDE accreditation.

The NDG and panel members thanked the policy and programme teams for their presentations and contributions to the discussion. A follow-up roundtable meeting will be arranged in November 2024 to explore specific topics and address outstanding questions.

2024.09.17/4.1: The office will arrange a roundtable meeting with the Data Access Policy Team and the NDG office in November.

7. 5. Any other business

No further points were raised.

Back to top