Transformation Directorate

A guide to effective NHS data partnerships

First published 12 July 2023

Updated 6 December 2023 – see updates.

A guide to effective NHS data partnerships

Interactive version

Open an interactive version of this guide in your browser


Data assets are fundamental to public sector activity and are a potential source of significant social and economic value. This is true of NHS data.

Giving trusted external academic, commercial or third-sector organisations access to specific NHS data through data partnerships can maximise the data’s potential social and economic value. Successful data partnerships speed up the development of innovations that benefit patients, health and care systems, and the general public and also increase economic activity.

However, the objectives of NHS organisations in a data partnership are different to those of commercial organisations. The focus of NHS organisations is not on maximising financial returns to their business partner but on maximising the wider benefits of the partnership to society.

NHS organisations should therefore seek to ensure that society receives a fair share of any benefits arising from a data partnership with an external organisation, including any financial returns. Society should also be fairly compensated for the value of the knowledge and other public sector assets that NHS organisations put into data partnerships.

By the end of this guide, you will:

  • know your organisation’s knowledge assets and how their value forms your background IP
  • know the types of data partnerships you are interested in entering and the types of data access currently available
  • consider having a written data asset management strategy with a clear governance structure and information governance in place
  • know how to obtain fair value for the public from data partnerships and incorporate NHS England’s commercial principles into this strategy
  • understand that the ownership of any eventual foreground IP needs to be negotiated at the start of the partnership and stated in the commercial terms of the partnership agreement
  • have established a cost strategy that splits services, data access and value of data but retains flexibility to change the exact value sharing approaches and amounts as SDEs and their customer bases develop to respond to market forces
  • know how to implement your approach and be able to find suitable organisations to partner with
  • know that help is available from the CIDC to any NHS organisation considering a data partnership

You may also wish to email us your completed templates at for further discussion.

Who is this guide for?

Data assets held or generated by publicly funded health and care organisations are a growing source of potential benefits for patients, the public and health and care systems. Increasingly, NHS organisations are forming partnerships with third parties to realise the benefits of the data assets they hold. The Data Saves Lives Policy recognises such data partnerships as critical to advancing innovation in health and care.

In today’s changing data landscape, forming data partnerships raises a number of strategic and operational risks for NHS organisations as well as opportunities. This guide, produced by the NHS Centre for Improving Data Collaboration (CIDC), aims to help NHS organisations design and manage successful data partnerships as part of their data asset management strategy. The CIDC was created to help NHS organisations enter data-sharing partnerships that benefit the NHS, patients, and the public. Readers are invited to contact the CIDC at for tailored advice.

The guide Is intended for any individual or team in an NHS organisation thinking of entering a partnership with a third party (non-commercial, academic or business) that involves any use of data at all. It is meant for people working in all parts of the NHS at any level. The guide draws heavily on the Rose book, published by HM Treasury in 2021 to support better management of publicly-owned knowledge assets. It is also in line with the current policies and papers relevant to managing NHS data asset management listed in the appendix.

1. Understanding key data partnership concepts

The world of data is full of jargon. This chapter explains the key terms and concepts for understanding data partnerships.

Knowledge assets and data assets


"It is easy to recognise the physical assets held by an organisation – they are the buildings, land, equipment and other physical infrastructure in which an organisation invests. However, knowledge assets can be more challenging to identify. They are the information an organisation holds, the skills and experience of its staff, even its reputation."

(From the Rose Book, HM Treasury, 2021).

NHS organisations have 2 knowledge assets that are key to data partnerships: their data assets and the skills and experience of their staff.

In some data partnerships, the staff knowledge assets are more important than data assets. Examples include the interpretation skills of data analysts, experience in understanding strategic interventions provided by operational staff, and the experience and knowledge of clinical staff.

This guide largely covers the management of data assets in data partnerships. How to approach the management of other knowledge assets will be covered in more detail in the upcoming Intellectual Property (IP) policy refresh.

Data partnerships

A data partnership is an agreement between an NHS organisation and an external organisation that allows the external partner to access health and care knowledge assets for a specific purpose.

There are four main types of data partnership:

  1. A third-party requests access to your organisation’s data assets for research and development purposes.
  2. A third-party requests access to your organisation’s data assets and assistance from your staff for research and development purposes.
  3. A third party approaches your organisation with a solution to a healthcare problem and requests access to your data and/or staff expertise to validate it. If they are successful, the partnership may develop further, including co-development, local testing and local adoption.
  4. Your organisation proactively reaches out to a third party to establish a partnership that uses your data to solve a particular challenge. Solutions developed through these partnerships may also be commercialised and sold by either party in national or international markets.

In future, individual organisations reacting to approaches of Type 1-3 may pass them on to a national or subnational secure data access platform known as a Secure Data Environment (SDE – see data access arrangements below).

Data access arrangements

NHS organisations can arrange data access for external partners in three ways:

1. Data stays within the NHS environment.

This option is considered low risk, as the data never leaves the NHS environment. Only NHS staff who have knowledge of the organisation’s clinical and organisational structures work on the data. The third party staff will only access aggregated results and won't be able to see or work on the patient level data itself. This option is best for direct care and operational purposes, such as when a tech company is ‘plugging in’ and configuring their tool to a hospitals software system.

2. Data is made accessible via secure data environments.

Secure data environments (SDEs) are data storage and access platforms, which uphold the highest standards of privacy and security of NHS health and social care data when used for research and analysis. They allow approved users to analyse data without leaving the secure environment or seeing patient-identifying data. This option is best for most research and development purposes and should be the default way for sharing data. In the future, all access to NHS data will take place through a network of accredited SDEs.

3. Data is shared with the third-party organisation.

NHS organisations can share pseudonymised data (that is, data that has undergone a process that replaces or removes information in a data set that identifies the individuals it comes from – from the ICO website) or anonymised data (meaning data from which it is not technically possible to identify the individuals it comes from), and the 3rd party holds the data securely. This option is still possible in a small number of cases, such as consented cohorts, but comes with risks.

Going forward, instances of analysing or disseminating data outside of an SDE will be extremely limited. Any exceptions will require significant justification, such as where explicit consent from clinical trial participants has been obtained.

Background and foreground intellectual property

The knowledge assets (data and staff) that an NHS organisation brings to a partnership are known as its background intellectual property (IP).

The partnership may lead to the development of new IP, known as foreground IP, to which the NHS organisation’s background IP has contributed.

Commercial terms

Ownership of any eventual foreground IP should be negotiated at the start of the partnership and clearly stated in the commercial terms of the partnership agreement. The commercial terms should specify what foreground IP you expect the partnership to generate, who will own it and who will have the rights to use it in the future. The owner of the foreground IP is responsible for protecting, maintaining, defending and enforcing their rights as owner, as well as bearing the associated costs.

Owning foreground IP may not be the most effective way for your organisation to maximise public benefit, especially financial benefit. Generally, it is best for marketable foreground IP to be held by the partner with a track record in taking products to market.

Ownership of foreground IP does not necessarily imply ownership of all the financial benefits it may generate. Your partner may own the foreground IP but you may be able to negotiate a share of the financial benefits that are generated when the IP is commercialised, for example, through a royalty agreement.

The Rose Book lists key questions to consider before entering contracts with third parties that will generate IP or other knowledge assets.

Commercial and non-commercial uses of data

NHS organisations need to distinguish between non-commercial and commercial uses of data.

Non-commercial use is when all partners agree that the foreground IP expected from a data partnership may be freely licensed on a non-exclusive basis to any third parties for a specific purpose. In some cases, these partnerships might lead to unforeseen commercial uses of data. Including ‘consent to commercialise’ clauses in the agreement will allow parties to negotiate fair value sharing in these cases before commercial use is permitted.

Commercial use is when the expected foreground IP is intended to be sold for commercial gain. The commercial arrangement should fairly allocate the commercial gains between the parties based on their contributions, roles, responsibilities, risks and investment.

Value sharing

When entering a data sharing agreement, NHS organisations must agree fair terms for the use of their data and consider what constitutes ‘fair value’ in each case. Value sharing is the process of compensating partners for their contributions to a data partnership in line with their value, and fairly sharing any commercial gains that arise from the data assets created by the partnership. To obtain fair value from a data partnership, NHS organisations need to assess the value of their contributions to the partnership, the potential financial value that could arise from it and their share of any eventual financial value, considering their inputs.

However, it is rare that a data partnership generates financial value. Often, an idea developed through a data partnership will not be widely adopted. This is not to say that there isn’t potential for the NHS to gain significant financial benefits from rare commercially successful innovations. But financial returns from these successes will take time to materialise.

In partnerships anticipating commercial uses of data, partners can agree how to share the resulting value up front using payments or revenue royalties as detailed in Chapter 4. Partnerships expecting non-commercial uses of data can include a ‘consent to commercialise’ clause in the contract enabling partners to negotiate fair value sharing in case of future commercialisation.

Here are some mechanisms to consider for sharing value:

Fixed payment

A fixed payment for access to your data or fixed payments determined at the outset. These can be spread over time and linked to deliverables.


A good way of compensating for costs

Easy to administer, contract for and value

Immediate source of income


No sharing in the future returns from product sales

Lump sum payment distorts income stream

Subscription payment

A regular payment for a licence to access your data. This is best suited for data partners that require regular access to your data for similar purposes.


Simple to administer and more predictable

Smooth income stream


No sharing in the future returns from product sales

Milestone payment

Fixed predetermined payments linked to the delivery of milestones, either jointly or by your partner, that result from the use of the data, rather than your direct actions in providing data or analysis.


The NHS can share in the future returns from product sales

It may be a more feasible and affordable way for small and medium enterprises to pay


The achievement of milestones will often be out of your organisation’s control; you will need to pick your partner carefully

Revenue royalty

The NHS receives a percentage of the revenue generated from the sale or licensing of commercial products developed by the partner using NHS data.


Can help to align partners’ incentives, ensuring that the NHS organisation helps its partner to develop a good product

Substantial upside for the NHS with potential for a long-lasting revenue stream


Opportunity for the product to be exploited by commercial partners by reducing its price or giving it away for free when selling another product

Generally reduces a commercial partner’s incentives to commercialise and market the product

Full and marginal costs

All products and services are made up of many components. To calculate the full cost of an item, all the inputs must be included:

  • raw materials
  • cost of employees creating the product or performing the service
  • employee benefits, if applicable
  • building costs, including rent, mortgage interest, depreciation and property taxes
  • income and sales taxes
  • overhead costs, including legal fees, personnel costs, management and accounting

All costs are then divided by the number of units produced to obtain an average full cost.

Marginal costs are the additional costs to create one more unit of a product or service. From the above list, raw materials and the cost of employees are usually included in both marginal and full cost. The other items are generally considered fixed and are not included in marginal cost.

Marginal cost + overhead costs = full or total cost

2. Successful data partnerships in a changing data landscape

NHS data assets and partnerships today

NHS organisations take a variety of approaches to managing their data assets. These range from collecting data for direct care purposes and storing it in data warehouses, to actively managing data assets to realise their potential public benefits.

External organisations seeking access to NHS data assets generally form bilateral agreements with individual NHS organisations in a wide variety of partnership agreements, each with different access arrangements and commercial terms.

For instance, an innovator seeking access to similar data assets held by different NHS organisations may need to sign 10 bilateral agreements with different access and commercial terms in each one.

The CIDC anticipates that bilateral arrangements between individual NHS organisations and external innovators will continue, and some new ones will be formed. However, we expect that the terms of these partnerships will be more consistent in the future, thanks to the adoption of standard commercial principles for NHS data partnerships and the IP Policy refresh.

We also expect more data partnerships for research and development between external partners and groups of NHS organisations at a regional or national level. These partnerships will make use of large-scale data assets available for research and development purposes. Watch Claire Bloomfield, Director, Centre for Improving Data Collaboration explain the research and development vision for 2025.

Successful data partnerships

The Department of Health and Social Care has set out 5 principles for data partnerships to follow in order to deliver their potential public benefits.

5 principles for data partnerships

  1. Use of NHS data must have an explicit aim to improve patient health and care or the operation of the NHS.
  2. Ensure ‘fair terms’ for the NHS and safeguard the value of the data
  3. NHS organisations should not enter exclusive arrangements, nor undermining the wider NHS digital architecture.
  4. Arrangements should be transparent and clearly communicated.
  5. Arrangements should adhere to all applicable legal, regulatory, privacy and security obligations.

These principles should be factored in by NHS organisations and partners when entering data agreements.

The principles are intended to cover data agreements that all NHS organisations at primary (general practice), secondary and tertiary care levels may enter. This includes relevant data from organisations that are contracted and funded to deliver NHS services.

The principles apply to agreements which include a commercial partner or where the outputs could be commercialised, regardless of the type of organisation the NHS is partnering with.

Examples of successful NHS data partnerships

Some of the most successful data partnerships the CIDC have seen are those where an NHS organisation uses its knowledge assets (data and staff expertise) to solve a particular clinical or operational challenge. These partnerships lead to direct patient benefits and can evolve into commercial opportunities where the solution is sold to other organisations in national or international markets.

Example 1: A collaboration between Alder Hey Innovation, Microsoft and Mindwave led to the development of a hybrid digital health platform, AlderHey@nywhere. This delivers patient and clinical care in a hybrid world, both physical and virtual, creating a ‘hospital without walls’.

Example 2: University Hospitals Birmingham partnered with Skin Analytics on an artificial intelligence powered skin cancer pathway. This has helped 40% of patients avoid the need for a hospital appointment.

Example 3: Great Ormond Street Hospital for Children partnered with Roche to work on four key areas:

  1. Improve research capability and clinical decision support systems.
  2. Use digital tools to improve how they collect data from research and in clinical trials.
  3. Use anonymised real-world data to improve paediatric personalised healthcare.
  4. Improve clinical and research data using sensors, devices and wearable technology.

3. Creating a strategy to manage your data assets

Why have a data asset management strategy?

NHS organisations should consider having a data assets management strategy that defines their approach to using their data assets. This should set out the organisation’s stance on data partnerships and whether they are approaching partnerships proactively, reactively or avoiding them.

NHS organisations who wish to enter data partnerships should define how they will create, maintain, track and deploy their data assets. Their strategy should be made clear to all of the NHS organisation’s staff to ensure that employees deal consistently with approaches from external parties seeking access to data.

NHS organisations should be able to distinguish between non-commercial and commercial uses of data. When entering into a data sharing agreement, NHS organisations have an obligation to ensure they agree fair terms for the use of their data, including a comprehensive consideration of what constitutes ‘fair value’. Value should be looked at holistically. Organisations should consider the value of assets contributed to the partnership and the potential financial value that may arise from the partnership.

Developing your data asset management strategy

We have produced a Data asset management strategy template to help NHS organisations work through the steps of strategy development, including clarifying the type of data partnerships, if any, that will be considered. You can edit the template or incorporate it as a section in your wider commercial strategy. Please email us to request the latest version of this template.

We have developed a second template to help you consider individual data partnerships and decide whether and how to pursue them. This template can be completed for each request or partnership you are considering. Please email us to request the latest version of this template.

If you would like advice from the CIDC on a particular data partnership, please complete this template and email it to us, attaching relevant information. Any documents you send us will be treated in strictest confidence and will only be viewed by relevant staff within the CIDC.

Strategic planning: preparing to decide whether data partnerships suit your organisation

1. Identifying and recording your unique data assets

Start by reviewing the data assets your organisation holds. Identifying data assets can be tricky. One good starting point is to carry out an IP Health Check using a tool created by the Intellectual Property Office. You will be asked questions and prompted to consider whether you have generated intellectual property and taken appropriate steps to protect it.

Another good source of information is to spend time with different teams within your organisation to find views on what the organisation‘s data assets are. The following questions may help you find assets:

  • What does your team deliver?
  • What systems do you use to digitally record your work?
  • What data is generated from these systems?
  • How do you use it?
  • Do you get internal or external requests for your data or expertise?
  • Have you recently invested in new capabilities to improve data collection? For example, to make it better, cheaper or quicker.

The answers to these questions may help you build a picture of what data assets you hold and whether and how they should be protected and used.

2. Defining the organisational challenges and objectives that your data assets can help you meet

Record the strategic or clinical challenges that could be addressed by using your data and other capabilities (such as staff expertise or infrastructure).

3. Reviewing your organisation’s capacity and capability to meet the demands of a data partnership

Different types of data partnerships demand different amounts of skill and resource from your managers and clinicians. It is important to ensure that you are able to meet the demands of the partnerships you enter. If you are planning to be involved in several partnerships, how would your organisation scale its contributions? Look at both capability and capacity.

Capability: You may require skills that are not commonly found in traditional NHS settings, including commercial, legal, regulatory and governance expertise. You may not need to employ individual specialists in some of these areas, but you will need to consider how to call on these skills when they are required. Does your data partner have expertise in these areas and will they be contributing this capability as part of the partnership? Can you stipulate in the contract that your staff will be trained by these experts, improving their capability in the future?

Capacity: Consider ring-fencing the time staff will spend on partnerships from spent on their usual roles. Consider limiting the number of partnerships you are initially involved in so that staff can meet their commitments. A trust with pressing quality and operational issues may not have the capacity to commit to large scale partnerships but could consider partnerships that are less resource intensive and easier to govern.

4. Understanding the risks of data partnerships and how to mitigate them

Entering a data partnership may carry risks for an NHS organisation, but these can be mitigated with careful planning. Organisations should consider the public benefits of a data partnership and balance these against the partnership’s potential risks and your ability to mitigate them.

Here are some common risks we have encountered when working with NHS organisations considering data partnerships.


Too much time or expertise required to make a partnership a success

Mitigation: Spend time at the beginning of a partnership looking at scenarios that may result in extra demands. Establish how you will recharge for this if the scope or complexity of work increases. Continuously assess the value of the partnership and make sure you are able to stop work if it is no longer making a positive contribution.


Patients, staff or members of the public feel the partnership is inappropriate or distracts from other objectives

Mitigation: Engaging with patients, public and staff at all stages of the data partnership will ensure their views are heard and feedback into the decision-making process. It is also worth being clear on why the partnership may lead to improvements (clinical and operational) and communicate this clearly to all staff involved. For recommendations on patient and public engagement email the CIDC.


Concerns around how data will be handled by the third party.

Mitigation: Following the correct information governance processes is crucial. It is also worth considering your organisation’s data access arrangements.


Lack of clarity on what type of data can be shared and what steps should be followed

Mitigation: Discuss any partnership early with your information governance (IG) team. They will be able to lead you through the appropriate steps.


Not agreeing a fair value or financial return from a partnership

Mitigation: Spend time considering the financial return options available to you. Chapter 4 discusses how to obtain fair value, and the CIDC can be contacted at to discuss any individual value returns that you are considering.


The possibility of major changes in the partner organisation (for example, a change in management or ceasing operation)

Mitigation: The contract you agree will need to protect you in a range of situations, including major changes in your partner organisation. In this situation, the data must be returned to the NHS or destroyed, in accordance with contractual terms. If the partnership is using a secure data environment, the data is controlled by your organisation.

You will be able to make it unavailable at any point. If data is shared, then you should consider this risk with your IG team. Please also contact the CIDC at We have experience of these situations and will be able to assist.

Organisations should also refer to the Orange Book. This sets out principles for assessing and managing opportunity and risk in government organisations connected to the use of tangible assets (usually physical objects like equipment) and intangible assets (nonphysical property like patents and trademarks).

Taking the decision: are data partnerships right for you?

The steps above will help you decide whether a data partnership is appropriate for your organisation.

Data partnerships are not right for every organisation. You may not have the necessary capability or capacity, or you may conclude that the risks are too high. Recognising this before proceeding with an inappropriate partnership is a good outcome.

Your organisation can still be involved in data partnerships by making your data available to your regional secure data environment (SDE). SDEs are set to become the default method for researchers to access NHS health and social care data for research and analysis.

If you decide a data partnership is appropriate, then you can move on to the next step of your strategy development.

Creating a clear governance structure to oversee data partnerships

You will need to form a data assets management committee or assign data assets management to an existing group. This body will make decisions about and provide oversight of your organisation’s data partnerships.

Who should form the committee?

The group should be led by a senior responsible owner (SRO) and contain a diverse group of individuals representing key interests and areas of expertise (patient voices, an array of clinical and operational backgrounds, financial and commercial professionals).

Your staff will often be the end users of solutions created by a partnership, so it is important to ensure good representation of relevant staff groups on the management committee.

What will the committee be responsible for?

The terms of reference of the committee should set out clearly what decisions it is responsible for. Initially, they will decide your organisation’s strategy on different types of data partnerships. Once your strategy has been decided, the group’s responsibilities will include deciding on the creation of new data assets and approving new data partnerships.

Who will run the committee?

Ideally, a dedicated member of staff will be responsible for the management of data assets. They will provide regular reports and take recommendations to the committee. They will work to ensure that data assets support additional uses beyond their primary purposes and give support to staff involved in the creation and use of data, including employees using data assets and those responsible for developing them. They may also be the main point of contact for third parties wishing to access your data or services.

The data asset management strategy, please email us to request the latest version of this template, provides an example governance structure for overseeing data partnerships.

Ensuring your organisation’s information governance arrangements are right for data partnerships

This section gives an overview of the law covering the use of data in data partnerships. Contact your information governance (IG) team to make sure any proposed data partnership is compliant.

Health data is sensitive and has the potential to identify individuals. Organisations must comply with the law governing personal data to avoid breaching public trust and to provide assurance that personal and sensitive data is treated safely, securely and ethically within appropriate governance frameworks.

Robust IG arrangements will ensure that any information collected, used and shared as part of a data partnership is appropriate. Working with IG colleagues will help you find ways to share information lawfully.

Different rules will apply depending on:

  • the type of data being shared
  • who it is being shared with
  • what the purpose of the sharing is

Successful data partnerships must consider the following IG questions:

Purpose – what is the purpose of the data use?

The specific purpose for using the data must be agreed at the outset of the project and before any data is shared. A clear explanation of why a proposed partnership needs to use data will help IG colleagues understand this purpose. The law allows information to be shared for different purposes.

Using information for purposes beyond individual care is essential to run a safe, efficient and equitable health service. These purposes include:

  • reviewing and improving the quality of care provided
  • researching what treatments work best
  • developing new treatments
  • commissioning clinical services
  • planning public health services

However, it is important that the purpose is agreed because the rules for sharing data for the purpose of individual care are different to those for sharing data for other purposes such as research.

Lawfulness – is the proposed use of data fair and lawful?

The UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 are the major sources of regulations and laws governing the use of personal data. Together, they provide a framework for sharing personal data rather than a barrier to sharing. Other important legislation, such as the Human Rights Act 1998, must also be considered when sharing information.

Common law also shapes the rules on privacy and sharing information. Common law is a form of law based on previous court cases decided by judges. The ‘common law’ duty of confidentiality says that health and care information about a person cannot be disclosed without that person’s consent.

Implied consent can be used when sharing relevant information with those who are directly involved in providing care to an individual. Implied consent can also be used for local clinical audit or local care audit by staff who were involved in providing health and social care services to an individual.

Explicit consent is normally required for purposes beyond individual care. If you don’t think that it is possible to obtain explicit consent, you should talk to your IG team. You may need to seek approval from the Health Research Authority or the Secretary of State for Health and Social Care to use the data.

Refer to NHS England, Transformation Directorate IG portal to understand more about consent and confidential patient information.

Minimum amount of data – what data is needed to achieve your aim?

Wherever possible, anonymous data must be used in a data partnership. Where this is not possible, the minimum amount of personal data necessary for the purpose must be used.

Pseudonymisation should be considered to reduce risk to confidentiality. IG colleagues will likely want to work with you to understand the rationale for the amount of data needed for the data partnership.

Refer to our IG portal to understand more about de-identifying information. The Health Research Authority has published guidance about accessing data for research that includes a glossary of terms.

Transparency – how are staff, patients and the public being informed?

You must be able to explain to patients and service users how you are using their information. You should have a communications plan to support the implementation of the data partnership and this should promote transparency. Patient information leaflets and social media posts, for example, can be used to explain how data is being used to key audiences.

Your organisation will have a privacy notice telling people how their data is collected and used. It will set out what happens to their personal data, who is responsible for it, who it is shared with, the purposes and legal justification of that sharing and what patients’ and service users’ rights are. This will need to be updated by your IG team if your data partnership involves a new use of data.

Privacy notices include:

  • what happens to personal data
  • who is responsible for what
  • who personal data is shared with
  • the purposes and legal justification
  • what their (patients/service users) rights are

Due diligence checks will have to be carried out on any supplier involved in the data partnership and the following processes and documents will also ensure that IG principles are being applied:

Data Protection Impact Assessment (DPIA) - a process that helps organisations identify and mitigate the risks associated with processing personal data. It is a requirement under GDPR

Due diligence checks - must be carried out on any supplier involved in the data partnership.

Data Processing Agreement (DPA) - a legally required agreement between a data controller (such as an NHS organisation) and a data processor (such as a third party involved in the data partnership)

Data Sharing Agreement (DSA) - documents and justifies data sharing between health and care organisations, and demonstrates that relevant compliance issues have been considered and addressed.

Transparency information - your organisation must provide information to people whose personal data they collect, hold and use. A privacy notice is one way of providing this information.

Understanding the rules surrounding access to health data can prove daunting but help is available. Contact your IG team, they will be able to help you work through the proposed use to find a way forward from an IG perspective.

Additional IG resources

This short, free module from Health Education England will help you to understand the key principles for sharing information and how to apply them at work. It covers the rules that apply when using data for different purposes.

The Understanding Health Data Access (UHDA) project offers a suite of resources introducing some of the key legal requirements for data sharing in England.

This animated film from the Understanding Health Data Access project is aimed at people with little previous experience of making data applications. It introduces the principles that organisations should work within to ensure that data is shared safely, legally and fairly.

This animated film on duty of confidentiality explains in more detail some key areas of data-sharing legislation. It focuses particularly on the duty of confidentiality and how it applies to health data applications.

Protecting your data assets

Knowledge and data assets are fundamental to delivering public services and they need to be protected. NHS organisations should be seeking to ensure that the UK society receives a fair share of the benefits in the knowledge asset that have been built up through public sector investment.

One way to protect them could be to close them off from external access and only use them internally. However, this can prevent others from building innovations using the assets and missing out on their potential social benefits including new economic activity. Another approach is to view data as ‘non-rivalled’ i.e one person's use of it does not diminish other’s ability to use it, so we maximise benefits by maximising users.

The concept of protection can feel counter to the culture of public service that exists across the UK public sector. There is a natural and understandable instinct among public servants to share ideas and resources so that others can benefit from them. However, doing so without proper consideration for protection may result in significant costs and lost opportunities.

The Rose Book approach proposes 3 levels of protection:

Level 1 – open access

Level 2 – access restriction or confidentiality

Level 3 – registered and unregistered rights

Further assistance on IP protection will be covered in the upcoming NHS IP policy refresh. It is worth remembering that if a public sector organisation doesn’t protect its assets, another organisation or third party may put in place protection themselves – which may restrict the public sector organisation’s ‘freedom to operate’.

4. How to obtain fair value for the public from data partnerships

Ensuring fair terms in a data agreement

Research from the National Data Guardian shows the public supports NHS policy that encourages R&D to improve patient care. At the same time, the public has concerns about how securely data partnerships use sensitive data. People also want the NHS to agree fair terms for the public resources used in data partnerships, including a fair share of earnings from outputs of data partnerships that are commercialised.

Until now, individual NHS organisations have applied the Guiding Principles for data partnerships to their own data partnerships in different ways. This has led to a degree of variation in the terms sought by NHS parties and, in some instances, has led to delays or even deterred some data partnerships of significant potential benefit to patient health taking place.

Negotiating a fair share for the NHS of any value arising from a data partnership can be challenging. Setting a specific monetary value for data is complex and depends on numerous factors, such as the use case, the type of data being asked for, who else is asking for the data, the work needed to collect and curate the data, and the ability of organisations to pay. There is no single solution to evaluating the worth of data. These challenges can lead to protracted negotiations that delay or block valuable innovation. In some cases, there is a risk of entering partnerships on terms that are not fair.

To ensure NHS parties agree fair terms, the CIDC has designed a simple set of commercial principles to simplify and accelerate negotiations between the NHS and external organisations for data partnerships. The objective of these principles is to promote innovation by aligning incentives and simplifying processes. They are based on extensive engagement by the CIDC with data partners and the public.

While the principles will remain constant, the details of the value-sharing arrangements they shape will evolve over time. They will reflect improvements in data, the expansion of the SDE network and changes in the numbers of users of NHS data and their needs. These principles will be mandated in certain national investment areas, such as the national SDE and sub-national SDEs. They are strongly recommended for use in all NHS bilateral partnerships.

Testing the commercial principles with patients and the public

In 2022, NHS England appointed Britain Thinks to run engagement activities with the public about the commercial principles. 2,000 people completed an online survey and three deliberative workshops were organised. The exercise showed that:

  • a majority strongly agree that NHS data has great potential to support innovation, bring benefits to patients and bring income to the NHS
  • at least 70% of participants from the online survey think the commercial principles are clear. A similar proportion think the commercial principles are acceptable
  • 70% of participants felt it was appropriate for the NHS to recoup the costs of data access, with 7% feeling it was not appropriate
  • qualitative feedback indicated that participants felt that charging for access based on commercial and non-commercial uses was acceptable, and having different prices for commercial and non-commercial use was right and fair
  • participants agreed that the NHS needs to increase its income, but they wanted to avoid high costs being prohibitively expensive for individuals or small organisations who were not selling their outputs
  • some participants felt that higher charges would not significantly impact commercial organisations with the potential to make large profits from selling the outputs and that they therefore could be charged a higher fee
  • 70% of participants thought it was appropriate for the NHS to share in the value of revenue generated from products or innovation that used NHS data
  • qualitatively, most people supported the NHS taking a value share of revenue, though struggled to articulate why they believed this was fair, beyond a feeling that the value share would be a small proportion of the commercial ventures’ revenue and could greatly benefit the NHS

The aims of the commercial principles

Our aim has been to think through the trade-offs of different commercial approaches and draw up principles for making commercial decisions that take these trade-offs into account. The commercial principles have been designed to ensure the NHS’s approach to achieving fair terms in data partnerships is consistent, easy to transact and simple for our external partners to respond to. Together, the commercial principles aim to:

  • align incentives by making sure the share of value available to industry, researchers and NHS partners from each data partnership is appropriate
  • support and encourage research and innovation that delivers patient benefit
  • speed up and simplify negotiations
  • ensure financial returns are shared appropriately across the NHS

The 4 commercial principles governing commercial terms for data partnerships

Principle 1: Cost of access should not prevent good use of data

Researchers and innovators should be encouraged to securely access NHS data, which has the potential to improve patient care. Protracted negotiations risk delaying or even preventing the NHS from delivering these benefits to the public. A consistent, efficient approach that aligns incentives for all parties is preferred to optimising each individual negotiation. The costs of access should not be prohibitive to good uses of data.

Principle 2: The NHS will always charge a fee for accessing health data

The NHS should seek to recover the costs of providing access to data. Failing to recover these costs, including a proportionate share of overheads, takes money away from frontline services.

Principle 3: The cost of access should depend on how data is being used

When deciding how much to charge for access to data, NHS organisations should consider how the data will be used, as well as the type of data being requested. The cost of access should not be dependent on the nature of the partner organisation. This means NHS parties should not routinely set a relatively high charge for commercial companies and a low or no charge for non-commercial academic institutions or charities – the charge should depend on the use case.

Principle 4: The NHS should share in the value created by its data

The NHS should seek a share of any commercial value arising from a data partnership proportionate to the NHS’s contribution to that value. The NHS contribution will vary by project and will factor in the source data and any clinical or analytical expertise.

For partnerships with non-commercial uses of data, ‘consent to commercialise’ clauses in initial agreements can allow for the negotiation of financial value sharing in the future. For partnerships with commercial uses, value shares can be agreed upfront using milestone payments or revenue royalties. The ability to command value shares, particularly from commercial uses of data, will depend on the maturity of the service offering compared to international comparators. To support a thriving innovation landscape, the NHS should focus on providing data within SDEs that meets user needs, rather than seeking value shares that stifle innovation. Value shares will follow and increase once NHS data can meet the needs of researchers and innovators.

5. Establishing your pricing strategy for data partnerships

This chapter looks at developing a pricing strategy for your organisation. While the commercial principles are expected to remain constant, your organisation’s pricing strategy may evolve over time. Factors influencing price might include changes in demand, improvements in your data offer, the expansion of secure data environments and changes in the needs of users.

For example, your organisation might develop a pricing strategy that uses fixed payments to share the value created by its data. As your organisation’s offer matures, you might change this to feature a more sophisticated approach to value sharing such as including milestone payments or revenue royalties.

Having a well-designed method to reflect all the costs of providing access to data for a partnership, along with an agreed value share, will enable you to capture a fair share of the partnership’s future commercial potential. Any pricing strategy that you create should be iterative and must be regularly updated to reflect changes, such as improvements to existing data assets, the creation of any new data assets, new staff capability and new software that improves your data assets.

Price isn’t always a driving factor for a good strategy; you can be competitive without being cheap. Innovators will pay a higher rate for good quality data, provided it is supported by robust, clear and transparent processes. Innovators may also be willing to pay for clinical and other expertise that comes with data. NHS organisations that take a strategic approach to investing in their data quality may find that they can increase prices over time.

We begin the pricing strategy by developing a method to capture all the fixed and variable costs of the partnerships.

Pricing strategy categories

Data partnerships incur a variety of costs. It is important that you anticipate them and are clear about how they are going to be paid. If costs are not reimbursed to the NHS, you will effectively be taking money from frontline services to cover them.

We separate costs into two categories: services and data access.

We charge these to external organisations based on how they are using data. We generally recommend charging in different ways depending on whether the use is commercial or non-commercial.

Cost category 1: Services

Your organisation should establish a way to identify the services associated with the partnership and charge for them appropriately. These will generally be applied to each use of the data and reflect the actual service required by each use.


For example:

  • data preparation – data in various locations and formats will need to be linked to create an actionable dataset
  • data transformation – quality assurance, control processes, de-identification, pseudonymisation and anonymisation
  • clinical and operational experts help to make sense of the data and work with the third party to improve the product, solution or service
  • bespoke software

Non-commercial pricing approach - Marginal cost

Commercial pricing approach - Full cost

Cost category 2: Data access

This can be split into variable, fixed and capital costs. It includes legal, data access and cloud hosting costs. It is important to note that this category should not factor in the cost of collecting the data in the first place as this has usually been done for the purpose of direct care.

Variable, people and fixed costs

Variable costs - these costs will not be consistent and will change for every data partnership. Examples include and other costs.

People costs include:

  • business, project management and IT support
  • commercial advice such as legal advice
  • review of purpose and the proposal to access data
  • stakeholder meetings such as board or patient and public engagement meetings

Other costs include:

  • costs of third party licences (for example, analytical tools)
  • data processing and storage charges

Non-commercial pricing approach - Marginal cost

Commercial pricing approach - Full cost

Fixed costs

These costs will be consistent and will need to be paid whether you enter 1 data partnership or many. Examples include:

  • managerial staff costs
  • platform operating costs
  • building and utility costs for these staff

Non-commercial pricing approach - % of the overall marginal cost

Commercial pricing approach - % of the overall full cost

Capital costs

Any infrastructure directly related to the data partnership. Examples include:

  • costs of building a secure data environment (SDE)
  • costs of acquiring and processing new data to enter the SDE
  • costs of improving the platform and service and any new or upgraded facilities needed

Non-commercial pricing approach - % of the overall marginal cost

Commercial pricing approach - % of the overall full cost

Pricing your data

It is important to value your data appropriately. This will allow you to capture a fair share of any future commercial gain. One method for valuing data is to look at its contribution to the ‘foreground IP’ being generated. This can be done by reviewing the characteristics of the data being provided and the intended use.

  • Low-value characteristics

    • Common data easily available
    • Low quantity or quality
    • Unlinked data
    • Low volume of features, variables or complexity
    • Low diversity of population
    • Low coverage (for example, episodic)
  • High-value characteristics

    • Rare data (such as a unique patient cohort)
    • High quantity or quality
    • Well linked to other data
    • High volume of features, variables or complexity
    • High diversity or population
    • High coverage (for example, cradle to grave)

The use of the data should also be treated in different ways, example data uses:

  • early exploration of data (for example, to test a theory or hypothesis)
  • training and validating a machine learning (ML) or artificial intelligence (AI) model (for example, an algorithm built on a test dataset requiring further training on hospital data prior to validation)
  • deployment and integration of a ML or AI model (for example, an algorithm is developed and requires deployment to prove it can be integrated into hospital processes)
  • clinical trials recruitment and monitoring (for example, to identify individuals or groups of people who may be suitable for a clinical trial or long-term monitoring)
  • real-world studies (for example, investigating the potential benefits and risks of a medical product using hospital data)

Once you have identified the characteristics of your data and you know how the data will be used you can apply a costing approach based upon the intended outcome, ie whether the data is being used for commercial or non-commercial use. The CIDC recommendation for valuing data for non-commercial and commercial is:

Commercial uses: If any data asset arising from a data partnership is going to be used commercially, then the commercial arrangement governing the partnership should fairly allocate the commercial gains between parties based on their respective contributions, roles, responsibilities, risks and investment. Suggested value sharing options include fixed payments, subscription payments, milestone payments and revenue royalties.

Non-commercial uses: The price of data should not be factored into the cost. Outputs will be open source. Consent to commercial clauses will apply stipulating that, if there is a move to commercialisation, the distribution of benefits will have to be agreed between the parties before commercial use is permitted.

If you would like advice from CIDC on pricing your data, please email us with relevant information. Any documents you send us will be treated in the strictest confidence and will only be viewed by relevant staff within the CIDC.

6. Implementing your approach

In this chapter we look at methods to implement the approach you have created. At this stage you will:

  • know your organisation’s knowledge assets and how their value forms your background IP
  • know the types of data partnerships you are interested in entering and the types of data access currently available
  • have an idea what should be in your data asset management strategy with a clear governance structure and information governance in place
  • know how to obtain fair value for the public from data partnerships and incorporate NHS England’s commercial principles into this strategy
  • understand that the ownership of any eventual foreground IP needs to be negotiated at the start of the partnership and stated in the commercial terms of the partnership agreement
  • have established a pricing strategy that splits costs into various categories but retains flexibility to change the exact value sharing approaches and amounts as SDEs and their customer bases develop to respond to market forces
  • know that help is available from the CIDC to any NHS organisation considering a data partnership - you may also wish to email us your completed templates for further discussion at

This chapter covers some additional factors to help you implement your data asset management strategy successfully.

How to find suitable organisations to partner with

A successful data partnership requires a partner who is a good strategic and cultural fit with your organisation and has complementary resources.

Potential partners can vary widely in their culture (sector, management style, values, reputation), the kind of data they are looking to access from the NHS and the resources they can bring to a partnership (scale, experience, finance, people, knowledge, skills and capabilities, geographic reach).

To ensure a potential partner aligns strategically with your organisation, consider the following questions during your due diligence process:

  • What is their vision and who is responsible for delivering this?
  • Is the company new or established?
  • Have the people responsible for the company been involved in other companies before?
  • What strategic actions have they made in the past that can help inform your assessment of them?
  • What is the company’s footprint in the UK?
  • Do they have enough funding to cover the partnership’s duration?
  • Is the company’s typical user from healthcare or from another sector?
  • Is the company/product unique in the market and what is their strategy to grow?
  • Do they need to show a return on investment in an unrealistic timescale that is incompatible with your aims or capacity?
  • Is their strategy realistic in the current market and within the timeframes they have suggested?
  • What are the strategic advantages/disadvantages of partnering with them instead of another organisation?
  • Are their strengths and weaknesses apparent? And will these hinder a partnership?

To ensure the partner aligns culturally and ethically with your organisation, consider the following questions during your due diligence process:

  • What are their staff like and how have they interacted with you?
  • If the company approached you, how did they go about this?
  • What is their leadership style? Are they led in an open and agile manner?
  • In your interactions so far, have their staff set realistic and clear expectations that they have been able to meet?
  • Can you work with their management and delivery style?
  • Do you share common values in overall outcome, attention to detail and innovation?
  • Do you know other hospitals using the partner and do they speak positively about their experiences?
  • Do they listen to your staff and are conversations two-way discussions?
  • Are they responsive and transparent, or do they avoid issues and difficult questions?
  • Have they acted in a way that raises doubts about their ethics?

To ensure the partner’s skills align with your organisation, consider the following questions during your due diligence process:

  • What skills does the company have?
  • Are these skills in-house and available to use now?
  • Does the company have the right skills to deliver the project?
  • Do they have enough staff and backup resources as contingency? If not, how quickly can you get these resources?
  • Will their staff be assigned exclusively to work with you or will they be working on multiple projects?
  • Does your staff have similar skills to their staff?
  • Is it necessary to have duplicate skills?
  • How will you be able to verify the quality of their work?
  • Do they have examples of previous projects where their skills have been used in an NHS environment?

Further guidance on finding suitable partners is available

The Accelerated Access Collaborative (AAC) brings together industry, government, regulators, patients and the NHS to remove barriers and accelerate the introduction of ground-breaking new treatments and diagnostics which can transform care.

The NHS England Transformation Directorate’s digital playbooks support clinical teams to reimagine and redesign care pathways by showcasing tried and tested technologies to solve real-world problems.

Academic Health Science Networks (AHSNs) were set up by NHS England in 2013 to operate as the key innovation arm of the NHS, covering every area of England.

The NHS England Transformation Directorate have created an AI buyer's guide and assessment template. Although not exclusively for data partnerships, it sets out important questions to consider when making decisions about buying AI products. The assessment template will help you answer the questions above.

The Digital and data-driven health and care technology guide contains a set of principles on what the NHS expects from suppliers and users of data-driven technologies. It is designed to support innovators in understanding what the NHS is looking for when it buys digital and data-driven technology for use in health and care. These good practice principles can be built into the strategy and product development ‘by design’.

Communicating your intentions externally

Data partnership enquiries will inevitably come to your organisation in a variety of ways. Having a section on your website that outlines your stance on data requests is the clearest way to communicate your intentions externally. This section of your website can also support internal staff dealing with data enquires.

For an example of an organisation that takes this approach, see Alder Hey Children’s Innovation Centre, which showcases the priority challenges they are looking to solve, along with projects and solutions they have devised.

Discuss your approach internally

Often, the most successful partnerships are discussed internally from an early stage and involve clinical staff from the start. This could include asking for interested clinical staff to join your data assets management committee.

Alternatively, you could outline your team’s work in the organisation’s newsletters or bulletins. This is a good way to showcase publicly announced partnerships, highlight the due diligence work to understand any potential partners and partnerships, and encourage clinical innovators to contact you for support with their ideas. In some organisations, it may be helpful to introduce incentive schemes to recognise, reward and support clinical innovators.

Devise clear processes and systems to track partnerships

You will need to devise a systematic method for recording information about potential or current data partnerships. This should be created in collaboration with your data assets management committee and should be designed in a way that allows the committee to easily track the progress of all partnerships. There are many free and paid for task management tools that can help with this, for example Microsoft Teams Tasks and Trello.

Evaluation and review of strategy

Your data asset management strategy should be regularly evaluated and reviewed to ensure priorities identified remain relevant and that the approach is effective in achieving these strategic objectives.

Identifying new data assets that arise from partnerships early on helps to manage them in the future. For example, your organisation will be better placed to make strategic decisions about their ownership, protection and potential wider uses. Making these decisions early will maximise the value of new data assets over the long term. A strategy review is also an opportunity to consider whether your organisation already holds or has access to existing data assets that could be repurposed to deliver greater value for money than creating a new data asset.

CIDC support and further resources

Support is available from the CIDC for any NHS organisation considering a data partnership. We are available to talk about the topics covered in this guide to your board or other interested individuals in your organisation.

We are also able to review organisations completed Data asset management strategy template or data enquiry template, please email us at to request the latest version of these templates. Please send feedback on this guide and suggestions for improvement to the same email.

Further reading

Better, Broader, Safer: Using Health Data for Research and Analysis ‘The Goldacre Review’ (April 2022)

Data saves lives: reshaping health and social care with data ‘The Data Strategy’ (June 2022)

Transforming for a digital future: 2022 to 2025 roadmap for digital and data (June 2022)

The Reproducible Analytical Pipelines (RAP) Strategy (June 2022)

Data: a new direction - government response to consultation (June 2022)

Consultation on the future regulation of medical devices in the United Kingdom (June 2022)

A plan for digital health and social care (June 2022)

The UK Digital Strategy (July 2022)

The Data Protection and Digital Information Bill (July 2022)

Secure data environment for NHS health and social care data - policy guidelines (September 2022)

What do we mean by public benefit? Evaluating public benefit when health and adult social care data is used for purposes beyond individual care (December 2022)


Email us to request the latest version of the:

  • Data asset management strategy
  • Data enquiry template


6 December 2023: Team email address updated throughout document