Each participating organisation will be required to sign a Data Centre Agreement (DCA) and Data Sharing Agreement (DSA). the agreement is between the individual NHS data partner, Health Innovation East as the delivery arm of the SDE and Cambridge University Hospitals NHS Foundation Trust as the SDE host. These contracts set out the basis for processing and describe the legal roles and responsibilities of the organisations involved and form an important part of the SDE governance framework.   

The Eastern England SDE has received approval from an NHS Research Ethics Committee (REC) to operate as a Research Database and has Section 251 approval from the NHS Health Research Authority Confidentiality Advisory Group (CAG) to enable data to be linked across organisations.  All data has identifying information removed before controlled access is given to researchers.     

Under UK General Data Protection Regulation (GDPR), Cambridge University Hospitals NHS Foundation Trust (CUH) is usually the data controller for NHS data held in the Eastern England SDE (although we are working towards other organisations or regional SDE teams being able to make use of this platform too).     

The Eastern England SDE is owned and run by the NHS. The technical infrastructure is hosted by CUH on behalf of the East of England and East Midlands NHS Regions.  The SDE programme team reports regularly to the members of the CUH Executive team and is accountable to the CUH Board as well as the National SDE team at NHS England and the Department of Health and Social Care.  

Delivery of the Eastern England SDE is facilitated by collaboration agreements between CUH, Cambridge University Health Partners, and Health Innovation East.  

In addition, the Eastern England SDE has completed the NHS Secure Data Environment (SDE) self-accreditation process, demonstrating alignment with nationally defined standards for data security, privacy, and governance. This self-assessment provides assurance that the platform operates in line with NHS requirements for safeguarding patient information and supporting trusted research. 

The data platform has been built to the Standard Architecture for Trusted Research Environments (SATRE) specification, a DARE UK funded initiative which has incorporated knowledge and best practices from multiple institutions and sectors across the UK to define the standard for implementing Trusted Research Environments (TREs).

The Eastern England SDE is also ISO27001 certified and is subjected to penetration testing on a yearly cycle to test the security infrastructure. The Eastern England SDE is reviewed as part of the Cambridge University Hospital’s Data Sharing and Protection Toolkit (DSPT) which demonstrates the SDE meets the National Data Guardian’s ten data security standards. 

To enable the SDE to access de-identified patient data a node is deployed into the NHS data partner organisation that will be connected to the Eastern SDE and the HDR Gateway (National Portal for health data research). The node is designed to safely and securely provide: 

• access to the data provider patient data 

• harmonisation of that data into a common data model (CDM)  

• querying of the data 

• de-identification (reversible pseudonymisation or irreversible anonymisation) 

• computation of statistical attributes (e.g. record counts)  

• release of aggregated counts for cohort discovery 
• release of record-level data if approved by the data provider for research purposes (either via HDR Gateway or the Eastern England SDE). 

Data from NHS organisations is access on a federated basis and is not stored in a data lake. Only approved de-identified data enters the SDE platform and is removed after a fixed period of the research being completed.

A Data Protection Impact Assessment (DPIA) will be required between the NHS data partner organisation and the SDE node supplier (FITFILE). The DPIA is required because the intended nature, scope, purpose and context of the project potentially involves:  

• Large-scale processing of information. 

• Special category information. By law, special categories of personal data are considered sensitive and merit enhanced protection and safeguards. 

• Processing that may impact on the rights and freedoms of individuals. right to healthcare and rights in healthcare. 

• The use of new innovative technology.  

In addition to a DPIA the data partner will also need to give IT approvals for firewall changes as well as to establish a subscription, and the provision of IP addresses. Coordination between the provider IT/ Network team, FITFILE and the SDE engineering team will ensure secure network setup and management of the required changes in line with the providers governance and approvals processes. 

Yes, funding is available for data partners to cover the costs of installation, maintenance costs for connection to the SDE as well as funding for the provision of data for research. Details of funding can be discussed and agreed with potential data partners. 

The SDE team will work with data partners to agree what de-identified NHS datasets will be available and from which hospital/primary care system. The types of data requested will include: 

• Demographic information, such as age and ethnicity. 
• Medication history and dosage. 
• Diagnoses. 
• Procedures. 
• Investigations. 

Data is typically accessed from hospital electronic patient records (EPR), however other systems may be utilised to capture the required information. Specific data subsets may also be pulled through from data partner organisations on a per-approved-project basis. 

Healthcare data can vary greatly from one organisation to the next. The SDE national network utilises the Observational Medical Outcomes Partnership (OMOP) Common Data Model (CDM) which is an open community data standard, designed to standardise the structure and content of observational data and to enable efficient analyses that can produce reliable evidence. Hospital data is mapped to the OMOP data model ahead of being extracted, transformed and loaded (ETL) into the SDE. 

Timelines vary based on individual organisations’ resources and governance requirements. However, the SDE team supports data partners throughout the process to ensure local resource requirements are minimised. We aim to onboard sites within 2 to 3 months of signing the Data Centre Agreement (DCA). 

Email our team with your enquiry and they will be happy to help.

Email: cuh.eastern.sde@nhs.net