South West SDE privacy policy

This privacy policy sets out how the partners in the South West Secure Data Environment (South West SDE) process and store your information. There is a separate statement covering information you share with us while using this website.

What are Secure Data Environments?

Secure Data Environments, or SDEs, are online platforms for approved researchers to safely analyse sensitive data. SDEs are also sometimes known as Trusted Research Environments (TREs) or Secure Research Environments (SREs).

The South West Secure Data Environment (South West SDE) is a collaboration of health and care organisations from across the region. It includes Integrated Care Boards, local authorities (represented by South West Councils), National Institute for Health and Care Research (NIHR) Biomedical Research Centres (BRCs), NIHR Applied Research Collaborations (ARCs) and Health Innovation Networks.

Each partner organisation is responsible for the data they make available for access within the South West SDE.

Each partner organisation is bound by a duty of confidentiality and must follow the legal requirements set out in the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).

The South West SDE has a leadership board made up of representatives from our partners. They oversee the operation of the South West SDE, making sure it is developed to meet the needs of our region.

Public representatives, known as Digital Critical Friends, are part of our leadership. They help keep the public’s perspective at the heart of our decision-making.

The purposes of the processing

The NHS Secure Data Environments provide access to approved researchers to analyse routinely collected health and social care data from the NHS and local government, for approved projects.

This research must be for public benefit and meet the definition set out in the UK Policy Framework for Health and Social Care. A decision tool that provides a definitive answer about whether a project counts as research under this policy framework is available at www.hra-decisiontools.org.uk/research. This excludes audits of practice and service evaluations.

SDEs can securely host data from many different organisations across a region. This allows researchers to look at data from many different places. By linking this data, they can discover completely new insights about diseases and their treatments.

The lawful basis for the processing

Anyone who can view your personal data must comply with the law and ensure that your personal data is handled in a lawful way.

When we use your information for research, we do so with reference to:

  • Article 6(1)e (“processing is necessary for the performance of a task carried out in the public interest”); and
  • Article 9(2)j (“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”)

of the General Data Protection Regulation (GDPR), in combination with Schedule 1, Part 1, Article 4 of the Data Protection Act (DPA) 2018 (“processing for research purposes carried out in the public interest”).

In addition, patient information is governed by the common law duty of confidentiality.

The categories of personal data obtained

The South West SDE stores de-personalised ‘routinely collected’ data from NHS and local government organisations. This might include information about:

  • Illnesses and conditions
  • Treatment and care
  • Medical imaging such as X-rays
  • Test results
  • Medicines and allergies
  • Appointments and hospital admissions
  • Care and support outside hospital including social care

The recipients, or categories of recipients of the personal data

From improving clinical trials to enabling population studies, the South West SDE opens up new possibilities for the use of health and care data for research in the region.

Researchers and organisations that wish to use your information to conduct research within the South West SDE will only have access to depersonalised information.

These are some examples of who might access data within the South West SDE:

  • Academic researchers can answer important questions using data
  • Analytical companies can identify patterns in healthcare use and model different scenarios
  • Charities can identify gaps in service provision for groups with unmet health and care needs
  • Pharmaceutical companies use data to help develop drugs and medical devices or test their effectiveness or safety

These are some examples of the kinds of potential research projects that might use the South West SDE:

  • Artificial intelligence (AI) and algorithm development: testing, training, and validation
  • Clinical trials: feasibility, recruitment, and follow-up
  • Real-world studies: safety, effectiveness, and cost-effectiveness
  • Translational research: academic discovery and implementation of discovery into practice
  • Epidemiological studies: large cohorts for population health research
  • Health systems research: evaluation of systems or processes, including operation and applied research

How information is kept secure

South West SDE data is safeguarded using the UK Data Service 5 Safes Framework.

  • Safe people – Only trained and specifically accredited researchers can access the data
  • Safe projects – Data is only used for ethical, approved research for a medical purpose with the potential for clear public benefit
  • Safe settings – Access to data is only possible using the South West SDE
  • Safe data – Researchers only use data that has been depersonalised to protect privacy
  • Safe outputs – All research outputs are checked to ensure they cannot be used to identify subjects

Data held in the South West SDE is depersonalised. This means any personally identifiable information, such as names, addresses and NHS numbers, is removed before the researcher accesses it.

No automated decision-making or profiling activities are undertaken within the South West SDE.

Access to data within our SDE is controlled by the South West SDE Data Access Committee. They approve whether researchers can use the South West SDE for their proposed projects.

Retention periods for personal data

Following the expiry of the relevant retention period, your personal information will be fully anonymised and archived or destroyed. Where information is to be destroyed, this will be done in a confidential manner and in accordance with the NHS Records Management Code of Practice. Anonymised archived data may be re-used for scientific or historical research purposes.

Access to the South West SDE from other countries

We may approve access to data by researchers from selected countries outside the UK.

Anyone who accesses your data outside the UK must do what we tell them so that your data has a similar level of protection as it does under UK law. We will make sure your data is safe when being accessed from outside the UK by doing the following:

  • Some of the countries your data will be shared with have laws that offer a similar level of protection to data protection laws in the UK
  • We use specific contracts approved for use in the UK which give your data the same level of protection it has in the UK
  • We do not allow those who access your data outside the UK to use it for anything other than what our written contract with them says
  • We require other organisations to have appropriate security measures to protect your data which are consistent with the data security and confidentiality obligations we have. This includes having appropriate measures to protect your data against accidental loss and unauthorised access, use, changes or sharing
  • We have procedures in place to deal with any suspected data breach. We will tell you and applicable regulators when there has been a breach of your personal data

Your rights in respect of data processing

The South West SDE requests data from partner organisations when a research project is approved. The data held by the South West SDE about you is only part of your data. If you wish to access the full data held on you, you need to contact the organisations providing your care.

If you wish to exercise your rights regarding any data the South West SDE may hold on you, please contact the South West SDE with your request. We will assess and respond to your request as soon as we can, within the appropriate legal timescales.

The right to opt out

There are different options to withdraw your consent for your healthcare data to be used.

  • Type 1 or GP opt-out: This is done by contacting your GP practice and means your GP will not share your data for research. However, NHS information about you may still be collected and shared from other healthcare providers, such as hospitals
  • Type 2 or national opt-out: A national data opt-out service allows you to opt out of your NHS information being used for all research and service planning, unless required by law. Please read the national opt-out service website carefully to understand your options
  • South West SDE opt out: If you would like to opt out in the South West, but not nationally, you can opt out of the South West SDE or other SDEs individually. Please contact us to do so.

Opting out will not affect your care.

Contact details

The South West Secure Data Environment (South West SDE)

Email: bnssg.swsde@nhs.net

Telephone: 0800 073 0907

Address: South West Secure Data Environment, c/o Bristol, North Somerset and South Gloucestershire Integrated Care Board, Floor 2, North Wing, 100 Temple Street, Bristol, BS1 6AG

The Data Protection Officer for the South West SDE is Paul Anthony. He can be contacted on bnssg.data.protection@nhs.net.

The right to lodge a complaint with a supervisory authority

If you believe we are not processing your personal data in accordance with the law, you have the right to make a complaint to the Information Commissioner. The address is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Version 1 published August 2025.