Brilliant question Matthew, I am also waiting for the answer to this question, because it would be very interesting to know how this data was used and how guidelines and procedures were followed to ensure that correct organizational and technical controls are in place, i.e. follow privileges, GDPR and other relevant laws The end date should not be longer than any fixed end date, indicated in one of your supports.. For example, if you rely on s251 support for the common law confidentiality obligation and your approval has a specific end date, the end date of your agreement should be filed – If you plan to renew your s.251 authorization, we assume that you would submit your extension each year and so you can choose the corresponding end date as described above. Perhaps a coordinated NHSX/Center GDPR-FOI request can draw attention to individuals` needs as a speed if patient data collection gains momentum? As a patient, I still can`t have online access to my own data, data that is undoubtedly accessible to endless data mining and research/academic community. This includes providing legal and technical guidance to NHS organisations, developing model contracts and assessing the value of proposed data sharing agreements. . . .