NHS Digital Data Release Register - reformatted

The Boston Consulting Group Uk Llp projects

11 data files in total were disseminated unsafely (information about files used safely is missing for TRE/"system access" projects).

Boston Consulting Group UK - NHS England Data Extract — DARS-NIC-606839-V5X2P

Type of data: information not disclosed for TRE projects

Opt outs honoured: Anonymised - ICO Code Compliant, No (Does not include the flow of confidential data)

Legal basis: Health and Social Care Act 2012 – s261(2)(a)

Purposes: Yes (Consultancy)

Sensitive: Non-Sensitive, and Sensitive

When:DSA runs 2023-08-02 — 2024-11-01 2023.09 — 2024.06.

Access method: Ongoing


Sublicensing allowed: No


  1. Community Services Data Set (CSDS)
  2. Diagnostic Imaging Data Set (DID)
  3. Emergency Care Data Set (ECDS)
  4. Hospital Episode Statistics Accident and Emergency (HES A and E)
  5. Hospital Episode Statistics Admitted Patient Care (HES APC)
  6. Hospital Episode Statistics Critical Care (HES Critical Care)
  7. Hospital Episode Statistics Outpatients (HES OP)
  8. Mental Health Services Data Set (MHSDS)
  9. Patient Reported Outcome Measures (Linkable to HES)


Boston Consulting Group UK LLP (BCG UK), a UK subsidiary of the US based company The Boston Consulting Group, Inc., requires access to NHS England data for the purpose of providing consultancy services to clients in the health sector. BCG UK LLP is one of multiple worldwide subsidiaries that are legal entities under The Boston Consulting Group, Inc.. Boston Consulting Group UK LLP (BCG UK) have confirmed that they determine the purposes and the means of the NHSE data they receive under this agreement and that only BCG UK LLP will process the data under this agreement, no other subsidiaries of The Boston Consulting Group, Inc. will be involved in processing the data.

The data will be used to provide services to the following types of clients only:
• Department for Health and Social Care (DHSC)
• The Care Quality Commission (CQC)
• NHS Trusts
• Mental Health Trusts
• Community Provider Trusts
• Commissioning Support Units (CSUs)
• Integrated Care Systems (ICSs)
• Sustainability and Transformation Partnerships (STPs)
• Health and Wellbeing Boards

The data will be used to provide the following services only:
• Benchmarking
• Financial and operational performance analysis
• Demand and Capacity Modelling
• Service evaluation
• Service analysis
• Care pathway analysis
• Hospital feedback services
• Health economics and outcomes analysis

The following NHS England datasets will be accessed:
• Hospital Episode Statistics - Admitted Patient Care, Critical Care, Outpatients & Accident and Emergency
• Emergency Care Dataset (ECDS)
• Diagnostic Imaging Dataset (DID)
• Mental Health Services Dataset (MHSDS)
• Community Services Dataset (CSDS)
• Patient Reported Outcome Measures (PROMS)

The datasets listed above are necessary to provide information on patient journeys through NHS & supporting care services. The data will enable BCG to understand and benchmark service demands and capacity across its client’s jurisdiction or region, build a clear view of care pathways across clinical specialties and care provision settings and support identification of gaps in services, opportunities for development or efficiency improvements. The data will provide information on historic trends in use of care services for establishing accurate baselines and making robust projections.

The level of the data will be pseudonymised.

The data will be limited to data between 2018/19 financial year to latest available data available during the data sharing agreement period.

The data controller has reviewed the data items requested within this agreement and determined with the assistance of NHSE that they are necessary in order to help them achieve the intended outputs and benefits. The data controller has aligned their data request to similar requests from other commercial organisations in terms of the breadth of data being requested. The applicant will review the data disseminated throughout the term of the agreement and should it be determined that any data is not utilised as expected it would not be further requested and would be destroyed.

Boston Consulting Group UK LLP (BCG UK) is the data controller as the organisation responsible for ensuring that the data will only be processed for the purpose described above. The client types listed above commission to undertake the work. Clients do not specify what data are required to deliver the work nor how the data shall be processed to achieve that purpose. Such decisions are taken by BCG UK.

The lawful basis for processing personal data under the UK GDPR is:
Article 6(1)(f) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

BCG UK as part of their Legitimate Interests, will use the data to provide commercial services to improve healthcare for patients and provide support services to healthcare providers to enable those providers to deliver better healthcare to citizens. BCG UK has determined the processing is necessary for its legitimate interests in being able to conduct the following analyses to support production of advanced analytical tools and services that will benefit healthcare organisations:
• Demand & capacity modelling
• Financial & operational performance analysis and benchmarking
• Patient journey mapping

Without the processing of patient data, detailed analysis of the above areas to support improvements to patient care cannot take place. Models, forecasts, benchmarks and recommendations based on summary statistics cannot be as accurate as those built on detailed patient records. National data is necessary to enable accurate benchmarking of services against national standards including recognition of gaps or trends in service delivery.

The lawful basis for processing special category data under the UK GDPR is:
Article 9(2)(j) - processing is necessary for scientific research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Amazon Web Services provides IT support services to BCG UK through cloud storage and will store the data as contracted by BCG UK.

Any data to which BCG gains access via this agreement will be used for services commissioned by NHS and other public sector clients only which aim to benefit the health and social care system in the UK. The data will not be used for private sector organisations or for organisations outside of the UK. BCG UK LLP do charge clients for the work delivered using the requested data.

BCG UK maintains that there will be a persistent commercial aspect to the data processing included in this data sharing agreement. Through processing of NHS England data, BCG UK will seek to maximise the business effectiveness of services provided to NHS & UK Public Sector organisations. BCG UK provided services for patient pathway analyses for hospital clients in the UK using client & publicly available data, however has experienced limitations in the ability to perform comprehensive patient pathway analysis across multiple providers as well as benchmarking services against national standards.

BCG UK LLP may use insights from outcomes of processing the data on behalf of clients for commercial benefit by means of developing publishing articles and/or creating client engagement materials and analytical tools. All outputs of this form will contain aggregated data with small numbers suppressed only.

Whilst it is not possible to present full details of specific measurable benefits as they will depend on the project that BCG UK LLP is commissioned to deliver by each client, the aim of all BCG UK LLP’s projects with NHS and other public sector clients is to improve the provision of health and social care services for better public health outcomes in the UK. A few selected case studies are provided in the ‘Benefits’ section of the agreement to illustrate the way in which BCG UK LLP will deliver benefits using the data from NHS England. BCG UK LLP has delivered sizeable societal benefits via its work with NHS and UK public sector clients, by means of improved operational efficiency, quality of services and cost reduction to date. It is expected that the access to the requested data will increase the value in BCG UK LLP’s service offerings to these clients and the subsequent societal benefits resulting from the improved health and social care provision and effective health care planning delivered by the clients.


The expected outputs of the processing will be:
• A report of findings including graphs and tables based on outcomes of analysis submitted to clients.
• Presentations of aggregated data and findings distributed to clients.
• Publication of dashboards on [organisation’s] website
• web-based benchmarking tool with which the clients can use to view analysis outcomes under license with the client.
• Interactive workshops and working sessions with clients and stakeholders of the commissioned work to communicate findings of analysis undertaken.

BCG UK plan to publish the outcomes of analysis done using this data via publications in the forms of case studies and/or articles which may be published on BCG UK website and client engagement materials.

The outputs will not contain NHS England data and will only contain aggregated information with small numbers suppressed as appropriate in line with the relevant disclosure rules for the dataset(s) from which the information was derived.

The outputs will be communicated to relevant recipients through the following dissemination channels:
• Workshops & working sessions involving clients and associated stakeholders.
• Briefing documents provided to clients.
• Reports aimed at clients and associated stakeholders.
• Web-based portal access to benchmarking tools.

As BCG UK’s services and deliverables are tailored to the needs of individual clients, it is difficult to specify full details of expected outputs and their target dates. Each NHS or UK public sector client and the outputs will therefore vary depending on the commissioned work.


No data will flow to NHS England for the purposes of this Agreement.

NHS England data will provide the relevant records from the following datasets to Boston Consulting UK LLP (BCG UK):
• Hospital Episode Statistics
• Emergency Care Dataset
• Community Services Dataset
• Mental Health Services Dataset
• Patient Reported Outcome Measures
• Diagnostic Imaging Dataset

The data will contain no direct identifying data items. The data will be pseudonymised and individuals cannot be reidentified through linkage with other data in the possession of the recipient. There will be no requirement and no attempt to reidentify individuals when using the data.

The data will not be transferred to any other location. The data will be stored on servers at BCG UK. BCG UK stores data on the Cloud provided by Amazon Web Services. The data will not leave England/Wales at any time.

The data will be accessed by authorised personnel via remote access. The data will remain on the servers at BCG UK at all times. Personnel are prohibited from downloading or copying data to local devices.

Access is restricted to employees or agents of BCG UK who have authorisation from the Managing Director. All such individuals are substantive employees of BCG UK. BCG UK LLP is one of multiple worldwide subsidiaries that are legal entities under The Boston Consulting Group, Inc. For the processing outlined in this agreement, only BCG UK LLP will process the data under this agreement, no other subsidiaries of The Boston Consulting Group, Inc will be involved in processing the data.

All personnel accessing the data have been appropriately trained in data protection and confidentiality. Analysts from the BCG UK will analyse the data for the purposes described within the Objectives above.

Data will be deleted after 5 years on a rolling basis. i.e. the oldest year of data will be securely destroyed within 4 weeks when the next full year is received (rolling retention of 5 full years of data, plus current year-to-date). Data will be destroyed in line with NHS England's Data Destruction policy and a Data Destruction Certificate produced.