National engagement on data: Cohort 1 report
Published 29 January 2025
Important
This represents the recommendations of the public and is not official government policy.
This report was published on 26 March 2025; the publication date above refers to the date this page was created.
Executive summary
This publication was produced by:
- Thinks Insight & Strategy
- NHS England
- Department of Health and Social Care
Below you will find the executive summary. The sections in this executive summary mirror the chapters in the full report. You can download the full report at the bottom of this page.
The data deliberation: what we set out to cover
Thinks Insight & Strategy is a research and strategy agency. Early in 2024, we were commissioned by NHS England (NHSE) and the Department for Health and Social Care (DHSC) to conduct a large-scale public engagement programme, to build and maintain public trust in how data is used across health and social care.
Health data is defined by the Information Commissioner’s Office as “personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.” Public engagement is crucial to the success of digital and data transformation, as policy and services must be informed by a detailed understanding of public attitudes and shaped by public recommendations. Meaningful engagement can help to build trust and confidence in the decisions taken by government and the NHS.
This first phase of the programme – the data deliberation – had one overarching problem statement: What does the health and social care system need to do for people to feel confident in how their data is being used?

Image description
The national engagement on data programme consists of 3 cohorts:
- Cohort 1: Data use and access
- Cohort 2: Primary care data
- Cohort 3: The opt-out landscape
Each cohort contains the same 3 tiers of work. These are:
- Tier 1: Core deliberation
- Tier 2: Inclusive engagement
- Tier 3: Deliberative survey
Within this broad question, three areas were identified where the views of the public were most needed to inform and influence the cohort 1 policy deliberations:
- Secure Data Environments (SDEs) are being established by the NHS to store, manage and administer access to health and care data for research. We explored public expectations of how SDEs should make decisions, specifically looking at how governance and data access committees could work in a more joined-up manner.
- When health and care data is used for research, there is-often a potential value for the data user and costs for the NHS and social care providers. This data deliberation set out to define public expectations of how the NHS should also realise the value of data for research and appetite for the NHS to generate surplus value from data use and access.
- We tested one method of information provision, a Data Pact, developed by the NHSE/DHSC team to provide more information to individuals about data use.
We used a range of different methods, as shown in the diagram below, to ensure that the data deliberation generated a robust understanding of public attitudes. Our findings from all the three tiers have been consolidated into this report.

Image description
We first conducted an evidence review - a synthesis of existing research on public attitudes to data access and use.
Tier 1: Core deliberation
Who: 101 people, via a mix of sortition and purposive recruitment
What: 15 hours of deliberation over 3 full days
Where: Sheffield, Plymouth, Canterbury and North London
Why: To gain an in-depth understanding of attitudes
Tier 2: Inclusive engagement
Who: 88 people from seldom heard groups including those with health needs and in socially marginalised groups
What: Interviews and small groups, online and face to face
Why: To understand views of those missing from previous research
Tier 3: Deliberative survey
Who: 4,000 people, nationally representative sample
What: 10 minute survey
Where: Online
Why: To test findings with people who have not had the deliberative experience
Data from tiers 1 and 2 was captured via live note takers (tier 1) and audio recordings which were subsequently transcribed (tier 2). We then coded this raw data. This coding allowed us to compare responses across locations and identify key themes. We formed the recommendations once this analysis was complete, looking at the implications for national and regional policy makers, as well as for future engagement. Tier 3 then tested some of these recommendations and other themes from tiers 1 and 2 with a representative sample of respondents.
Where we started: baseline views on data use (chapters 2 and 3)
At the start of workshop 1, we found that the participants, whether in the main deliberation, inclusive engagement groups, or in the survey, shared many views that were consistent with the findings of the evidence review. When it comes to ‘data’, people tended to assume that it means personally identifiable data and were suspicious about who is accessing it and why. Spam emails, marketing phone calls and high-profile data breaches in the news were all front of mind.
On the other hand, when asked about health and social care data most participants across all tiers expressed trust in the NHS to use their data, because they expected the NHS to act with their interests at heart. Understanding more about potential benefits led to increased trust, mitigating some of the fears around unwelcome uses. Almost none of the participants had any awareness of the extent to which data is used currently. This lack of knowledge tended to mean these participants had a cautious outlook towards data use and access beyond the NHS. A few called out specific organisations, such as pharmaceutical companies or insurance companies, who are instinctively less trusted.
To build participants’ understanding of health and social care data use, ten case studies were explored, covering the four main use cases for health data use (individual patient care, improving the health of the nation more generally, optimising the way NHS England and DHSC operate, and researching advancements in health and social care) in different contexts. Responses to these case studies show how the same factors underpin trust in different contexts. Participants were most positive where they could see a clear benefit for themselves or the ‘greater good’, by improving treatment and diagnosis. Transparency, deidentification, consent, and clear opt-out mechanisms were key conditions which participants indicated built trust. However, concerns remained around data security, especially around data breaches, hacking and data sharing with third parties.
Governance and data access committees (chapter 4)
DHSC and NHSE are moving to a system where researchers who want to access NHS data in England must apply to one of 12 Secure Data Environments (SDEs). Each SDE holds data on around 5 million people, and they provide secure access only to the data needed for a particular research project. This means that only findings of any analysis can be withdrawn from the SDE, rather than any raw data. Each SDE has a data access committee (DAC) in place to assess applications from researchers and to decide whether or not to grant access to the data. We introduced SDEs to participants and explored their expectations of governance and DACs.
Participants were asked to explore the key challenge for policy makers in establishing the rules for DACs: the benefits and trade-offs of having a single, standardised process for all SDEs compared to each SDE having their own approach, the importance and extent of central oversight, and the impact all this can have on issues such as clarity of decision making and timeliness of access. Tier 1 participants were introduced to these topics in the second workshop, where we asked participants to weigh up the respective merits of three hypothetical approaches to managing a request for data from multiple SDEs, used as a device to get the public to discuss the tangible trade-offs.
Previous local engagement had led to findings that all SDEs involved in a project should be equally involved in decision-making, leading to a decentralised approach. However, the tier 1 participants were split on this issue. Roughly as many supported greater central coordination, consistency, and shared decision-making, as supported a model in which each SDE is involved in every decision. That is, the participants placed much greater emphasis on consistency and efficiency in the process than the previous local engagement indicated.
There were four clear priorities for policy makers to balance in deciding the rules that govern data access to an SDE:
Transparency of process: Participants in the data deliberation were shown principles for data management rooted in the Five Safes model. Openly demonstrating the principles that govern data use and access reassured participants, mitigating concerns that this might be kept hidden from the public. A lack of transparency about the principles would undermine trust in how data is used by raising fears about why these principles were not being shared.
Consistent application of principles: Ensuring that all organisations involved in decisions about data use and access are acting according to the principles was crucial for participants. They wanted principles to be enforced, with clear sanctions for any breaches. Participants also wanted decisions about who has access to data to be consistent and felt this would be a good test of whether principles are clear enough about appropriate use.
An inclusive process: Ensuring inclusion of a relevant diverse set of views in the decision-making process was also important, especially to those who felt at most risk of discrimination. More localised decision-making was seen as important to inclusion, balanced against the overall requirement for consistency. It was deemed essential that decision-making panels included lay people from diverse backgrounds, as well as specialists with the right expertise and knowledge.
Efficient decision-making: An efficient process, led by specialists and including public voices, which minimised bureaucracy and resulted in swift decision-making, instilled confidence. An overwhelming majority of participants opted against the most complex decision-making systems for researcher applications to more than one DAC.
Policy makers therefore need to consider how they deliver an efficient, consistent process for DACs; for instance, formalising the standards discussed and creating central oversight and escalation routes to drive consistency. They need to balance this with keeping enough local autonomy to reflect the diverse nature of the regions that are represented.
National policy recommendations
The quality and rigour of decision-making is the priority for the public, not a particular structure. Policymakers should utilise whatever structures meet this end.
Consistency and safeguarding of data, as expressed in the principles, were prioritised over all other considerations.
There should be some form of central oversight, including enforcement.
Policymakers should focus on fulfilling and balancing public expectations rather than be committed to any one set mechanism of oversight immediately.
Regional policy recommendations
DACs must reflect the diverse nature of regions.
Each SDE should conduct its own engagement on who sits on a DAC, as reflects the region.
The value of data for research (chapter 5)
Providing researchers with secure access to health and social care data costs the NHS money. This is offset by researchers via fees. However, there are further means by which the NHS could gain additional value from this data use which need to be balanced. It could make a financial surplus by charging researchers more money, it could negotiate deals with researchers for other benefits like early access to medicines or a share of profits, or it could keep costs low and attract more researchers to England. We introduced the concept of data for research to participants and then asked them about how important each of these options was to them.
We found that participants were broadly supportive of the NHS charging for access to data to cover its costs. They recognised the value of the health and social care data that is collected, and supported it being used for research that benefits individuals receiving care and the wider population. They wanted to see the value of data being shared fairly with the health and social care system.
However, it was important to participants that realising value from data should not detract from or conflict with the basic purpose of the health and social care system – to improve health and wellbeing outcomes. This principle then informed participants’ views on how to realise value from data. They told us that:
- Generating wider benefits (for example, early access to or discounts on treatments developed from health and social care data; more clinical trials for patients to participate in; ownership of intellectual property from new treatments) should be a high priority as this is most closely aligned with the mission of the NHS to improve health. Participants brought different values and assumptions to this part of the discussion and further exploration of 'wider benefits' will be required, as well as consideration as to which benefits should be prioritised.
- A surplus should be sought. Broadly, participants were keen that this happened, and that the surplus should be reinvested in the NHS. However, care must be taken to avoid perceived negative consequences like cuts in overall funding, or discouraging research that could lead to loss of wider benefits, particularly from charity and academic partners that may find high access charges a barrier. Importantly, participants did not feel that seeking a surplus from data accessed securely was the same as 'selling' their data.
- Encouraging research which uses NHS data in England is valued by participants. This was especially the case if there are clear benefits to patients and the public, either through surplus or wider benefits.
Importantly, all three of these ways of generating value from data were broadly supported by tier 1 participants. However, in this area we heard some important differences between the audiences:
- Our seldom heard tier 2 audiences were sometimes more cautious. Despite recognising the value of research in achieving health benefits, some had negative experiences of research benefits being promised but not arriving. Or, for transgender people and migrants, experiences of their data being used against them in the past. Therefore, these groups wanted reassurances that the wider benefits would, at the very least, not be actively harmful to people like them.
- In the tier 3 survey, where participants had only basic information about why and how the NHS shares data for research, there was greater reticence about the NHS making money by charging for access: around 1 in 3 in this tier told us that it is wrong for the NHS to make money from charging for access. They preferred a smaller surplus to a larger one and were more supportive when reassured that the surplus would be retained by the NHS. Thus, it seems clear that more information and time to discuss the implications of charging for access – as the tier 1 participants had – led to greater support for and trust in this concept.
National policy recommendations
Communicating clearly about what safeguards are in place to protect individuals’ data is essential for public trust in realising the value of health and care data.
Providing appropriate safeguards are in place, the public are happy for the NHS to generate value from data for research, whether that is value from wider benefits, generating a surplus, or encouraging research within the UK.
The purpose for access to be given to data must always be for public benefit. Arrangements for access should never be purely for the creation of value or benefit for third parties.
When generating value through encouraging research, all organisations involved must demonstrate that the benefits would be realised in England or the UK, not just that the research would take place using English health and care data.
All surplus must demonstrably be returned to the NHS and must not be used as a replacement for existing NHS funding.
Recommendations for future engagement
Support needs to be fostered through public engagement and information sharing.
Clear rules around enforcement of commercial principles must be communicated with the public.
Codesign of wider benefits and nuance of surplus charging to be further explored through deliberation.
A Data Pact (chapter 6)
DHSC and NHS England are drafting a ‘Data Pact’, a document aimed at giving people confidence in how the health and social care system uses their data. The pact will aim to do this by setting out clearly, in simple terms and in one place, commitments related to:
- keeping your data secure
- the steps involved in an organisation getting access to your data
- how you and the wider public will be involved in decision-making about how data is used
- what data you have access to
- how your data will be used
- the choices you have about how your data is used
The pact would not introduce any new laws but would set out existing laws and protections. We introduced a draft of the pact to tier 1 participants in the third workshop. This draft was created for the third workshop and intended to support discussion and deliberation. We asked participants about the impact they thought it might have, how likely they would be to read it, and how they felt about the language used in the draft.
Across the previous two days of discussions, tier 1 participants showed an appetite for more information to be shared with the public about how their health and social care data is used. They recognised that their own views had changed as they learned more, with most becoming more confident about how health and social care data is used. Those who were most reassured told us that the fact officials were taking the time to make this information widely available was in itself a sign that data security and public trust are being taken seriously and showed the good intentions of the health and social care system. Though there were those who felt that the Data Pact had little impact on their pre-existing views. And this was reflected in the survey data, where 62% of tier 3 respondents felt the pact would increase confidence, but close to a quarter (23%) said it would have no impact.
Participants felt that the pact as tested could be made more effective. For tier 1 participants, the word pact implied action, not just information. This meant that participants expected the document to be legally binding, rather than providing information about the legal framework that is currently in place. Participants were therefore confused about why the pact was not legally binding, and ultimately felt the draft data pact lacked authority. Some cited examples like the Post Office scandal to emphasise the importance of accountability in building trust. As well as binding conditions, they wanted the pact to have more information about recourse – that is to say, what would happen and what recourse is available if it has been broken.
National policy recommendations
A data pact needs to clearly outline what happens when data users break the rules.
The purpose of a data pact must be made clear to the public.
Recommendations for future engagement
The language used in a data pact needs to be refined and simplified further.
Policy makers should consider having multiple versions with different levels of detail for different audiences.
Where we ended up: the impact of the data deliberation on participants’ trust and confidence in the use of health and social care data (chapter 7)
At the outset of the deliberative workshops, tier 1 participants typically had misgivings about data use in general. While they were supportive and trusting of the NHS, they felt that they lacked sufficient information to feel confident. By the end, most tier 1 participants felt more confident about how their health and social care data is being used.
We identified three main factors driving this change:
- Understanding the benefits of data for research and seeing how these align with the goal of the NHS helped many participants have greater confidence in the purpose of data access. Sharing case studies and hearing from researchers and patients contributed to this understanding.
- Developing a greater understanding of the safeguards, principles, and processes in place was critical to building confidence. Secure Data Environments, data access committees, and a data pact were important parts of the infrastructure that participants wanted to know was in place to protect their data.
- For many participants the engagement process itself also contributed to greater confidence. The time and care invested in the data deliberation, along with the level of detailed information and scope for influence that were included, all contributed to a sense that the NHS and DHSC are taking public views seriously and that trust in good intentions is well founded.
However, we should not read outputs as providing blanket permission for use of health and social care data. First, there were participants across all tiers who remained critical throughout. These participants feared that safeguarding measures would not be sufficient to prevent the misuse of data and were sceptical of the intentions of actors like pharmaceutical and tech companies.
For domestic abuse survivors, unhoused people, and those with prior justice system involvement, this mistrust was grounded in previous negative experiences with public institutions and, therefore, that mistrust was also carried over to the NHS. They worried that their individual experiences would be replicated on a grand scale when it comes to data. Those who believed that the system remained too complex and opaque for them (or others) to have confidence in were a small but vocal cohort.
We also heard very clearly from participants about their expectations of a system of health and social care data use. They expected to see data used for public benefit, with no exceptions, and for this to be actively safeguarded by those granting access. They expected that the benefits of research should be shared among NHS patients and the public, not just private interests, and challenged the NHS to establish commercial arrangements to ensure this. And, above all, participants expect the security of this intensely personal data to be protected through appropriate safeguards for data, with meaningful and visible sanctions for infringement.