In December 2021 we signed a Strategic Research Agreement (SRA) with Arcturis (opens in a new tab) (formerly Sensyne Health) to provide de-identified data for health research. At the time, we were one of thirteen NHS trusts to enter into a SRA with Arcturis.
We took this step because we are committed to delivering the best care we can, both for the people of Cambridgeshire and Peterborough for whom we provide acute services, and for the wider population across the East of England for whom we are the regional specialist centre. We also want to play our part in broader medical research that has the potential to accelerate the discovery and development of new treatments and contribute towards digital health innovations in the future.
Our agreement with Arcturis includes safeguards to protect data privacy. Under the terms of our contract with Arcturis, data are de-identified prior to being made available to Arcturis. The costs of the de-identification process are covered as part of the agreement and the provision of data will operate under a Data Processing Protocol.
Our agreement with Arcturis involves the provision of de-identified data to support specific research queries from Arcturis. Each application for de-identified data will go through a defined process within our Trust to assess the appropriateness or otherwise of the request. For approved applications, the Trust will follow a set of protocols to compile the requested de-identified datasets.
What are the terms of your contract with Arcturis?
The terms of our contract with Arcturis (Sensyne Health) were set out in our press release, namely:
'CUH will receive 4,285,714 ordinary shares in Sensyne Health plc.
CUH will also receive from Sensyne an investment of up to £350,000 per year over the five-year term of the contract for specific ongoing investments in information technology to enable the ethical curation and analysis of de-identified data under the SRA. The Trust will receive a royalty on revenues that are generated by Sensyne from the research undertaken under the SRA. The financial return CUH receives from Sensyne will be reinvested back into the NHS to enhance patient care. The Trust has entered into a lock-up agreement whereby it has agreed not to dispose of any shares for a period of two years from the date the shares are issued.'
What is the process for de-identifying and sharing data with Arcturis?
In order to make a request for data, Arcturis submits a document to us containing specific information about the request.
A data processing request (“DPP”) outlines the data Arcturis is requesting and their intended purpose for analysing the de-identified patient data, the potential patient benefit they expect to arise from their analysis of the data and clear descriptions of the retention and deletion of the data. The data request is assessed and, if we are satisfied with the information that Arcturis has provided, the request for transfer of the de-identified patient data is approved.
Data analysts employed by the Trust then extract the requested data from our systems and remove information that could identify individual patients. This process is designed to create a de-identified dataset which contains no patient identifiable information.
After we have completed this de-identification process, we transfer the data to Arcturis using a secure process which follows all NHS approved security policies in place at the time of transfer. Arcturis then applies further anonymising techniques before undertaking any analysis.
Arcturis can also submit an Aggregate Information Request to us if they require information about a dataset that we have provided, for example requests for the number of patient records that contain a measurement of a specific vital sign, or requests for the number of patients with a specific condition. These requests do NOT require a signature from our Caldicott Guardian and Data Protection Officer as it is information that could otherwise be obtained via a Freedom of Information request. Arcturis formally logs these requests as part of their own process.
What data will you share with Arcturis?
We will not share data that can identify an individual, for example a full postcode or date of birth. Depending on the data request, and if it is agreed through our protocols, we may share the first part of a postcode and age groups.
The Trust have developed protocols, in line with best practice, to ensure that anonymity is not compromised through attempts to identify individuals using combinations of different data fields provided by the Trust.
What does Arcturis do with the de-identified data?
Arcturis does not receive information that can directly identify a patient. The data it receives is de-identified by the Trust before we send it to Arcturis.
Arcturis analyses the data to find ways to improve patient care and accelerate medical research. Arcturis does not share the data, it does not leave the company and it does not use the data for anything other than for the purposes for which it was supplied as set out in its data request to the Trust.
For more information on what Arcturis do with the data, see the Arcturis website (opens in a new tab).
How does GDPR apply?
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is used fairly, lawfully and transparently. Detailed information about GDPR is available on the Information Commissioners Office (opens in a new tab) website.
GDPR applies to personal data which is information that relates to an identified or identifiable living individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors, or a combination of datasets.
GDPR does not apply to the data that will be shared with Arcturis as the data are de-identified. We will never share any data with Arcturis that can directly identify an individual. Our process for assessing a request for data from Arcturis and our response is described above.
What is the National Data Opt Out?
The National Data Opt Out (opens in a new tab) is a service that allows patients to opt out of their confidential patient information being used for research and planning.
You can choose if data from your health record is shared for research and planning. Information is available on the nhs.uk website (opens in a new tab).
The nhs.uk (opens in a new tab) website also sets out when your choice does not apply. This includes when information that can identify you is removed. Information about your health care or treatment might still be used in research and planning if the information that can identify you is removed.
Does the National Data Opt Out apply to your agreement with Arcturis?
We have committed to omit the de-identified data from any individual who completes a National Data Opt Out.
Glossary of terms
De-identified data: The process of removal of identifiers to make it de-personalised or de-identified. It is a criminal offence to re-identify data without the data controller’s permission under S171 of the DPA.
Personal data: Data which relates to a living individual who can be identified from that data, or from data and other information which is in the possession of, or likely to come into the possession of, the data controller.
Confidential Patient Information: Confidential patient information is when two types of information from health records are joined together, i.e. something that can identify the patient and something about their healthcare or treatment.