Most people trust the NHS to keep their health data secure, even amongst those who are less trusting of the NHS more broadly. However, many remain concerned about security threats such as cyber-attacks and there is little awareness or understanding of what is done to keep health data safe. Research by the University of Manchester Centre for Social Ethics and Policy and The Patients Association found that patients want to be told more about their data is kept safe due to concerns about leaks or misuse, and are keen to understand whether NHS systems are good enough to prevent this. The report recommends more accessible and understandable information about “how the NHS assures the technical quality of its data handling, plus details of its successful track record in minimising breaches” as part of future NHS public awareness and information campaigns on health data. Even in research exploring public attitudes towards other health data topics, such as data linkage, the importance of data security is frequently emphasised by public participants. Despite some attitude shifts towards health data sharing pre- and post-Covid-19, one sentiment that seems to have been consistent is a concern about the strength of the legislation in place to protect individuals from data misuse, with doubts over its enforcement and sufficiency.
With perceptions of health data security inevitably influencing attitudes towards the sharing and use of personal health data for research and planning, there is a risk that without exploring what people want to know, whether and how these needs can be met, and co-creating potential solutions, these concerns, well-founded or not, can undermine trust in the many uses of health data. Providing an opportunity for people to access transparent, accessible and understandable explanations about the genuine practices, risks, and successes or failures of health data security, can help inform better quality conversations and decisions.
NHS communications about data security, which understandably tend to promote positivity and reassurance, can be perceived particularly by those who are more ‘disengaged and health data protective’ as too emotive or pressuring, while media stories which tend to focus on breaches and cyber-attacks in an alarmist way can spark panic and misunderstandings of risks and consequences. Between these two approaches of reassure and alarm is one that instead seeks to help people to understand the basic facts of health data security, to support them to make more informed choices about their own data, and to take a more critical approach to information given by various organisations.
Many existing online explainers are directed at organisations, to support them to ensure data and cyber security and to conform to legislation. Explainers directed at the public tend to be resources for those who believe their data to have been leaked, shared, misused etc., or only offer basic explainers in an unengaging way. Progress continues to be made on the standards and measures for data security capabilities across health and social care organisations in line with other sectors, but this is not necessarily always well-communicated with the public. UPD has a written resource on our website on this topic, but this focuses more on broad concepts and may have gaps in what the public really want to know and how they want to see this information.
Therefore, UPD is commissioning a supplier to undertake desk research, and conduct deliberative engagement and co-creation workshops to develop specifications for resources on this topic. This will form part 1 of a two-part programme, where part 2 will involve producing the resources.
We anticipate that this project will run from mid-November 2024 to April 2025.
The deadline for submissions is 5pm on Friday 25th October 2024.
More information can be found in the invitation to tender below, and if you have any further questions please contact hello@understandingpatientdata.org.uk or emma.morgan@understandingpatientdata.org.uk