Patient Data Privacy Notice

Who Flatiron Health UK is and what we do

Flatiron Health UK is a healthcare technology company dedicated to accelerating cancer research and improving lives by learning from the journey of every cancer patient. Flatiron does not directly provide cancer care; we support and work with researchers across the cancer community in finding treatments for those living with cancer. This privacy notice explains the personal data that Flatiron Health UK Ltd. (“Flatiron Health UK”, “we”, or “us”) processes in order to support cancer-related research.

Flatiron Health Inc is a global company, with offices in the United States, Germany, and Japan. Flatiron Health UK Ltd operates separately from other Flatiron companies, with local operations, employees, and processes. 

Flatiron Health UK is registered with the Information Commissioner’s Office: ZA610200

This privacy notice was developed with Flatiron Health UK’s Patient Voices Panel. Our sincere thanks to them for their time and thoughtful feedback in the development of this policy.

When does Flatiron Health UK hold personal health data?

We always make sure that:

  • We only hold data relevant to improving cancer care
  • We only collect data with agreement from our hospital partners and other ethics review
  • You know how to stop sharing your data by “opting-out”

High level: Flatiron Health UK partners with hospitals who treat patients with cancer (referred to in this document as our “Partners”) in order to create datasets that are used for research to improve cancer care. We do not collect personal data from any source other than our Partners. These hospitals will include NHS Trusts, Health Boards in Scotland, and other UK hospitals.

Before sharing any personal data with Flatiron Health UK, Partners provide their patients with the opportunity to opt-out of this partnership if they wish to do so. Partners also apply the National Data Opt-Out, so if patients have already opted-out, they do not need to do so again. Information about the National Data Opt-Out, and how to use it, can be found at https://www.nhs.uk/using-the-nhs/about-the-nhs/opt-out-of-sharing-your-health-records/

Flatiron Health UK and Partners also undertake communication campaigns to ensure that patients whose personal data is shared with Flatiron are aware of the partnership, how their personal data will be used, and how to opt out. This will be done in a number of ways, including sending letters to patients, making information available online, and creating physical and digital posters within the hospital. 

Flatiron Health UK will not process any personal data until an NHS Ethics group has agreed that processing can go ahead. 

More Information: Flatiron Health UK acts as a Data Processor and as Joint Controllers with our Partners, for different stages of the data preparation and processing. This relationship is managed under appropriate Data Agreements, which outline the roles and responsibilities of the Partners and Flatiron Health UK in relation to the processing of personal data. No transfer of personal data would ever occur without these legally binding contracts in place. Flatiron Health UK will not use personal data for purposes outside of these legally binding contracts. 

Flatiron Health UK is also undergoing the necessary reviews by the Health Research Authority (HRA) which will include ethics approval.  These reviews are required by all organisations who wish to use patient data to help improve research. Flatiron will not process any personal data until all required approvals from the HRA are received. 

What personal data is processed by Flatiron Health UK?

We always make sure that:

  • Data is hosted in the UK, and worked on by UK-based employees
  • No directly identifiable data is made available to researchers
  • Data is only accessed by researchers through a secure method

High level: Partners make a dataset of cancer patients who have not opted out available to Flatiron Health UK. This data is securely uploaded to a shared NHS and Flatiron platform, where it is anonymised.  This anonymised data (i.e., data which can no longer identify an individual patient) is then securely transferred to Flatiron Health UK’s platform in the UK. All of the people who work on the data are based in the UK, and subject to strict confidentiality provisions which have been reviewed by the NHS.

Flatiron Health UK then further processes the anonymised data and transfers it to a Trusted Research Environment (TRE), where it is accessible to researchers in industry and academia for cancer research. A Trusted Research Environment is a secure environment for research and analysis. Flatiron follows the “Five Safes” model promoted by HDRUK; you can learn more about the model here.

More Detail: Lots of data about cancer care is not readily structured or easy to analyse today. This means that in order to create a complete picture of a single patient which can be used by NHS care teams, academics, and industry researchers, Flatiron Health UK needs to combine and then organise different types of data from the same hospital. We call this data “structured” (e.g., treatment codes, date of birth), and “unstructured” data (e.g., notes written by a doctor after seeing a patient). Personal data could be in either format, but personal data is harder to remove from unstructured data. Flatiron Health UK takes a number of steps to protect personal information at every stage: 

  • Before data is uploaded to the shared Flatiron Health UK and NHS secure platform, structured data is stripped of direct identifiers like name or address, using both manual and automated processes. 
  • In the secure shared platform, Flatiron Health UK staff then transform the unstructured data using a process called “abstraction” to extract clinically relevant information – for example, the progression of cancer – from unstructured data like clinician notes or referral letters. Abstractors do not extract any direct identifiers – like name, or address – from unstructured data.
  • Staff working with personal data are UK-based, and are contractually bound to a duty of confidentiality in handling any personal data. 
  • Within the secure shared platform, the data then undergoes further minimisation and an anonymisation process before it is transferred to Flatiron Health UK’s own secure platform.
  • In Flatiron Health UK’s platform, data is further processed and made ready for research. 
  • Researchers are provided access to anonymised data in a Trusted Research Environment, in line with the 5 Safes and HDRUK’s guidance for TREs. The “five safes” is a framework for safeguarding the use of data, developed by the Office for National Statistics. You can learn more about the “five safes” here or here.

What does Flatiron Health UK do with data?

Flatiron Health UK processes personal data in order to create datasets that can be used by the NHS and researchers to accelerate cancer research. As we do so, we always make sure that: 

  • Data is secured at every step of the process
  • Data is only made available to health researchers, for cancer research
  • Patients are involved in decisions as to how data is used

High level: Flatiron Health UK processes data about cancer patients treated at Partner hospitals, who have not opted out. The processed, research-ready data is returned to Flatiron’s Partners to support research, planning and clinical decision-making. 

In collaboration with Partners, Flatiron Health UK also undertakes a process to anonymise the data, and combine it with anonymised data from other hospitals. This creates a detailed but anonymised dataset about cancer treatments and outcomes in the UK. “Anonymised” means that the data has been stripped of personal identifiers in such a way that individuals are no longer identifiable. Those anonymised datasets will be made available to researchers through a Trusted Research Environment (TRE), to be used for cancer research. All researchers must sign a contract agreeing to specific privacy requirements before accessing the datasets. 

This approach means that researchers cannot identify any individual patient in the datasets, and that Flatiron Health UK will maintain control over the data in a secure environment. Researchers will be able to view detailed but anonymised data in the TRE, and researchers will not be able to extract this data from the TRE. Researchers will only be able to extract aggregated data (e.g., statistics), not patient-level data, from the TRE. 

Flatiron is dedicated to accelerating cancer research and improving lives by learning from the journey of every cancer patient. Data will only be made available to health researchers in industry and academia. We do not make data available to insurers, marketing companies or cigarette manufacturers, just to name a few. Applications to use the anonymised Flatiron Health UK data will be reviewed by a panel of both patients and Flatiron Health UK staff. This panel will also create simple summaries of the proposed research, which will be made publicly available. If you are interested in becoming a patient representative or getting involved in our work, we would love to hear from you. Please contact us at learn-more-flatiron-uk@flatiron.com 

More Detail: Flatiron Health UK has reviewed this process with UK anonymisation experts to ensure that this process will protect individuals’ identities and that the anonymisation process meets the standards set out by UK law and regulators.

We will continually review our approach and the status of the data in line with any new change in law or regulatory guidance.

Personal data is only ever processed for the following purposes:

| Purpose | Article 6 Lawful Basis | Article 9 Exemption |
|---|---|---|
| Undertaking anonymisation to enable cancer research | Article 6(1)(f) – legitimate interests | Article 9(2)(j) – research purposes |
| Undertaking abstraction to remove identifiers from the NHS data | Article 6(1)(f) – legitimate interests | Article 9(2)(j) – research purposes |

You can learn more about the GDPR definitions of lawful bases for accessing data here.

The legitimate interests pursued by Flatiron Health UK for these purposes are to improve both the delivery and outcome of cancer care and prevention. A legitimate interest test has been completed for these purposes. 

Who does Flatiron Health UK share personal data with?

We always make sure that:

  • Data is stored in the UK, and worked on by UK-based staff
  • Data is secured at every stage
  • The data made available to researchers is anonymised

All of Flatiron Health UK’s data centres are in the UK, and no personal data about UK patients is transferred outside of the UK. All of the people who work on the data are based in the UK. 

Flatiron Health UK uses Amazon Web Services (AWS) to store our data in the UK, which is the same cloud provider that many NHS organisations use to store their own data. Flatiron employees from our Japanese and German affiliates sometimes assist in the management of the data centres. Whilst they have no access to the personal data, safeguards are nonetheless put in place to prevent any inadvertent access. The UK Information Commissioner’s Office (ICO) has recognised both these countries as having an adequate level of protection in regard to data protection.

No personal data will be transferred or made available to our US affiliate, Flatiron Health Inc.  

Once data is made available to researchers in the Trusted Research Environment (TRE), the data is fully anonymised and is no longer personal data. The use of anonymised data is described in more detail in the section “What does Flatiron Health UK do with data?” above.

Individual rights

High level: Data protection law provides you with a number of rights in relation to your personal data, including:

  • Right of Access
  • Right to Rectification 
  • Right to Erasure
  • Right to Object

These rights are free to exercise and Flatiron will provide you with this information free of charge. The ICO does allow organisations like Flatiron to charge for information in very limited circumstances, for example if requests are “repetitive and excessive.” You can read more about the ICO’s guidance here.

As Flatiron Health UK does not hold any direct identifiers to identify you, nor do we want to know your identity, we will be unable to answer questions about any individual patient. If you are a cancer patient at one of our Partners and you have questions about your rights, we therefore recommend that you first contact your local hospital. If you have questions about how Flatiron Health UK uses data, you may contact our Data Protection Officer (DPO) at dpo.flatiron@kdpc.uk, who can assist with any data protection queries you may have.

Detailed: In some instances, such as if your anonymised data has been submitted to a regulator like NICE or MHRA to approve a new cancer medicine, your rights may not apply or an exemption may apply. Individual right requests will be treated on a case-by-case basis. Where it is not possible to comply with your request, you will be informed and provided with details of your right to make a complaint.

Retention

We will securely store data in the UK during the term of our collaborations with Partners and afterwards to the extent required by law.

Security

Data is stored on Amazon Web Services (AWS) servers within the UK region. AWS is the same secure Cloud platform that NHS England and NHS Digital use to store patient data. AWS provides physical infrastructure and software services to Flatiron Health UK and other organisations, but we have a set of strict contractual and technical controls in place that prevent AWS from accessing the actual data that is stored and processed using AWS services. For example, all data is encrypted using a secret key, to which AWS does not have access.

Flatiron Health Inc uses AWS to store data in each country in which it operates, but UK patient data is stored in separate AWS accounts with strict separation and access controls between the accounts, which prevent Flatiron Health employees from other areas of the organisation from accessing UK data.

Staff who have access to data undergo annual training on data protection and security and are committed to a duty of confidentiality. Annual penetration testing of systems is carried out using an external accredited supplier. Flatiron Health UK is Cyber Essentials Plus certified and completes the annual NHS Data Security & Protection Toolkit (DSPT). Flatiron Health UK has met or exceeded the DSPT requirements each time. 

Contact

We have appointed a Data Protection Officer to monitor our compliance against UK data protection law. You may contact them directly at dpo.flatiron@kdpc.uk

Complaints

If we are unable to resolve any complaints, you may also contact the UK regulator for data protection, the Information Commissioner’s Office. They can be contacted at icocasework@ico.org.uk