Protecting patient data - NHS Digital (2024)

In the UK, the legal frameworks covering how patient data must be looked after and processed are the Data Protection Act (DPA) 2018, which brought the EU General Data Protection Regulation (GDPR) into law, and the Common Law Duty of Confidentiality (CLDC).

Data protection legislation requires that the collection and processing of personal data is fair, lawful and transparent.

This means there must always be a valid lawful basis for the collection and processing of data as defined under data protection legislation, and the requirements of the CLDC must also be met.

Under GDPR, for recording and processing health and care data, both of the following must be satisfied:

• an Article 6 condition - for personal data
• an Article 9 condition – for health data, as a special category of data

You can read more about GDPR on the Information Commissioner’s Office (ICO) website.

Consent under the DPA must meet certain criteria to be valid. Consent must be:

• freely given without any unfair pressure
• specific - for a limited and clearly defined purpose
• informed
• unambiguous
• withdrawable - as easy to withdraw as it was to give it

If using consent as a lawful basis for processing, the individual must also be given certain rights, including the rights to erasure and portability, as defined in the DPA.

To meet the requirements of the CLDC there must be one of the following conditions:

• a mandatory legal requirement or power that enables the CLDC to be set aside, such as the Children Act 1989 which requires information to be shared in safeguarding cases, powers for Care Quality Commission inspections, reporting of food poisoning,reporting of infectious diseases such as measles, and the powers given to NHS Digital under section 259 of the Health and Social Care Act 2012
• a court order, where a judge has ordered that specific and relevant information must be provided, and to whom
• an overriding public interest, where it is judged that the benefit of providing the information outweighs the rights to privacy for the patient concerned and the public good of maintaining trust in the confidentiality of the service
• explicit or implied consent
• legal support for the use of confidential patient information without consent under the Health Services (Control of Patient Information) Regulations 2002, under section 251 of the NHS Act 2006

You can read more about the CLDC on the Caldicott Guardian website.

Consent under the CLDC falls under two categories:

• implied consent – this will normally apply where data is being used to support individual care and treatment and the patient would reasonably expect data about them to be used in this way, for example when they are referred to another clinician
• explicit consent – this applies where a patient has agreed to the use of data for a specific purpose, after they have been fully informed, for example for their data to be included in a research project

The Confidentiality Advisory Group (CAG) is an independent body which provides expert advice on the use of confidential patient information without patient consent. It provides advice to the Health Research Authority (HRA) for research uses, and to the Secretary of State for Health and Social Care.

Its main purpose is to protect and promote the interests of patients and the public, while also making sure that confidential patient information can be used when it is appropriate, for purposes beyond individual care.

CAG can give Section 251 approval (S251) for the use of confidential patient information without consent for a specific purpose by the HRA or the Secretary of State for Health and Social Care. This would usually only be granted when an organisation requesting the data makes the case that it would be very difficult or impractical to seek consent from every individual whose data they wish to use.

For more information about CAG see: www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/

As well as having a duty to be fair and a lawful basis for collection and processing of data, all organisations must also be transparent.

Transparency is an important element of data protection. You must make sure your patients know how their data is used and for what purposes it is shared. There should be ‘no surprises’ for a patient in terms of how their data is used.

The ‘transparency’ requirements are set out in full in Articles 12, 13 and 14 of the GDPR. They include making the following information publicly available:

• who the data controller is and how to contact them
• purpose of the data processing
• the lawful basis for the data processing
• information about the data subjects’ rights and how to exercise them
• any third parties with whom the data is shared, including
• any transfers to a country outside the European Economic Area (a ‘third country’) and the safeguards.

Organisations can use a ‘privacy notice’ or ‘fair processing’ information to inform their patients, or use other methods. By law, the information provided should be concise, easy to understand and easily accessible.

Where personal data is provided from one organisation to another for purposes beyond an individual’s care a data sharing agreement should be put in place. The agreement will confirm who maintains responsibility and control over the data, referred to as the data controller, and should comply with the relevant data protection legislation and the ICO guidance on data sharing agreements. See the ICO's Data sharing code of practice for more information.

The agreement will set out terms and conditions including, for example:

• the purpose for which the data is being provided, which must support the provision of health and care services or the promotion of health
• the security requirements for the organisation receiving the data
• the retention period for the data

Each organisation’s terms and conditions of employment include strict guidelines on how staff handle and protect patients’ information, with disciplinary procedures in place, including dismissal, for any member of staff who does not comply with those guidelines. Staff must also be regularly trained in information governance responsibilities.

The Data Security and Protection (DSP) Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Professional bodies such as the General Medical Council and Health and Care Professionals Council also set out standards which their members must meet.