By Marcus Grazette, Europe Policy Lead at Privitar


Privitar has released a new report that showcases best practices for organizations sharing health data for research purposes. It includes two case studies, providing a detailed account of the decision-making process at two leading organizations: Cambridge University Hospitals Trust and the Centre for Epidemiology Versus Arthritis at the University of Manchester.


Becoming ‘data ready’

Medical research and innovation rely on safe, timely access to health data. However, organizations holding health data can lack experience in data sharing, and may be nervous about public opinion or about legal and regulatory compliance. Recent public debate about NHS Digital’s rollout of the GP Data for Planning and Research (GPDPR) project shows that collecting and using health data can be complex and emotive.

Our report focuses on health data, but is relevant to any organization collecting and using personal and sensitive data. It describes the roles, processes and technology underpinning effective data sharing: in other words, the decisions an organization makes about who can use data, subject to what controls and for what purposes. Creating and maintaining these roles, processes and technology contributes to ‘data readiness,’ meaning that an organization is poised to reap the benefits of data.

We launched the health data sharing case studies project to help organizations to overcome uncertainty around data sharing and to improve their data readiness. The project report is based on numerous conversations with data stakeholders. It includes the two case studies and extensive analysis and commentary. We worked with a panel of four reviewers, including the Office of the National Data Guardian and the Medical Research Council, to make sure that the practices we document align with regulators’ and standard setters’ expectations.


Key findings

Organizations need to balance several competing priorities when responding to requests for access to data. The list of issues to consider includes scientific value, ethics, data protection and privacy risk, public and patient perceptions, and resource constraints. Organizations also wanted to be able to take decisions consistently and quickly, to avoid delaying research.

We found that a safe, efficient data sharing process requires:

  • A clear, well-defined process for making decisions about whether to share data and under what conditions. The process includes a set of roles and responsibilities to be allocated to different stakeholders.
  • Streamlined workflows. The stakeholders in the decision-making process (including the researcher requesting data, legal, compliance and risk teams, or data protection officer) should all be able to understand who needs to take what decision at each stage.
  • An agreed set of criteria for triaging requests, working alongside precedent-based decision-making. Triage allows the organization to subject high risk requests to more intense scrutiny, without delaying low risk requests. Using precedent, in other words repeating decisions made on previous, similar requests, can lead to quicker decisions.
  • A nuanced approach to de-identification. De-identification means applying controls to the data itself (e.g. reducing precision) or to the environment in which it is processed (e.g. access in a secure location) to reduce the risk of harm to the individual to whom the data relates.

Learn more by downloading the executive summary or the full report. You can also request a briefing for advice on data readiness and making the most of the data you hold.