In this section, we cover three types of health and care information and the legal frameworks governing them:
- health and care information that relates to identified or identifiable individuals
- health and care information that no longer relates to identified or identifiable individuals, which some refer to as anonymous data (also known as effectively anonymised data)
- synthetic data
2.1 Health and care information that relates to identified or identifiable individuals
There are two main legal frameworks governing the use of health and care information that relates to identified or identifiable individuals:
- data protection legislation (the UK General Data Protection Regulation (UK GDPR) within the Data Protection Act (DPA) 2018)
- the common law duty of confidentiality
If you want to use information about an individual relating to, or in connection with, their past or present use of NHS or adult social care services, you need a lawful basis to do so under both legal frameworks.
This guidance sets out legal basis requirements under the UK GDPR and the common law duty of confidentiality. As there is significant existing guidance on the UK GDPR, this guidance provides key information on legal bases and links to relevant existing guidance for greater detail.
In this guidance, we use the terms used in each legal framework. When referring to data protection legislation we use the term ‘personal data’ and when referring to the common law duty of confidentiality we use the term ‘confidential patient information’.
However, it is important to bear in mind that information about both the living and the deceased can be confidential patient information. By contrast, the UK GDPR only applies to information that relates to an identifiable living individual. Therefore, information relating to a deceased (identifiable) person does not constitute personal data and is not subject to the UK GDPR, although it is subject to the common law duty of confidentiality. Conversely, it is useful to remember that data protection law applies to all types of information that relate to identifiable living individuals, not just health and care information.
2.1.1 Data protection legislation
Personal data
Health and care information that allows a living individual to be identified or is about an identifiable individual is personal data. Data protection legislation requires that personal data is processed lawfully, fairly, and transparently. The Information Commissioner’s Office (ICO) is the UK body that upholds these information rights.
Article 6 of the UK GDPR sets out the legal bases for processing personal data. Health and care data is classed as a ‘special category’ of personal data, the processing of which also requires a condition under Article 9 of the UK GDPR.
This guidance only covers the UK GDPR requirement for a legal basis for processing personal data. It does not set out how to comply with other relevant obligations under data protection legislation. For comprehensive general guidance on the UK GDPR, see the ICO’s Guide to the General Data Protection Regulation. For health and care sector-specific guidance on the UK GDPR, see the NHS Transformation Directorate IG Portal. For health and care research sector-specific guidance on the UK GDPR, see Health Research Authority.
Personal data that has undergone pseudonymisation
Pseudonymisation is a security-enhancing process that replaces or removes information in a data set that directly identifies an individual. It is typically applied before information is shared with a third party (recipient). For example, it could involve replacing an NHS number, a name, or an address with a unique number or code (a pseudonym), with the effect that the recipient cannot identify an individual directly from that data without additional information (e.g. the ‘key’ that would enable matching the pseudonym to direct identifiers in the data set) or other means to re-identify the data.
Personal data that has undergone pseudonymisation but could still be attributed to an identifiable individual by the use of the data alone or in combination with other data likely to be available, is legally presumed to remain personal data under UK GDPR. Personal data that has undergone pseudonymisation but that is no longer attributable to an identifiable individual is not personal data. If an organisation pseudonymises data and holds the key, that data remains personal data to that organisation. If the same organisation shares the pseudonymised data with another organisation but does not share the key, it should not be assumed that the data is personal data to the recipient. The determining factor is not whether or not the data is pseudonymised but whether or not it can be used (whether on its own, or in conjunction with other available data using reasonable means) to identify an individual.
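The split described above, with the originating organisation holding the key and the recipient holding only the pseudonymised extract, as an added illustration that is not part of this guidance. Field names, NHS numbers and the keyed-hash scheme are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample extract (illustrative values, not real patients).
SAMPLE_RECORDS = [
    {"nhs_number": "1111111111", "name": "A. Example", "postcode": "AB12 3CD", "diagnosis": "asthma"},
    {"nhs_number": "2222222222", "name": "B. Example", "postcode": "AB12 3CD", "diagnosis": "diabetes"},
    {"nhs_number": "1111111111", "name": "A. Example", "postcode": "AB12 3CD", "diagnosis": "eczema"},
]
DIRECT_IDENTIFIERS = ("nhs_number", "name")  # assumed: fields removed before sharing


def pseudonym_for(nhs_number: str, key: bytes) -> str:
    # Keyed hash: the same NHS number maps to the same pseudonym under one key, so
    # one person's records stay linkable, but the pseudonym cannot be turned back
    # into the NHS number without the key (a plain unkeyed hash would be guessable).
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised records for the recipient, key table kept by the originator).

    The key table maps pseudonym -> NHS number. While the originator holds it,
    the data remains personal data to the originator.
    """
    key_table, shared_records = {}, []
    for rec in records:
        pid = pseudonym_for(rec["nhs_number"], key)
        key_table[pid] = rec["nhs_number"]
        shared = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        shared["pseudonym"] = pid
        shared_records.append(shared)
    # Note: indirect identifiers such as postcode remain in the shared records; whether the
    # recipient can combine them with other available data is what decides identifiability.
    return shared_records, key_table


def reidentify(pseudonymised, key_table):
    """What the key holder can do and a recipient without the table cannot."""
    return [dict(r, nhs_number=key_table[r["pseudonym"]]) for r in pseudonymised]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and retained by the originating organisation
    shared, table = pseudonymise(SAMPLE_RECORDS, key)
    print(shared)
    print(reidentify(shared, table))
```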
Personal data that has undergone effective anonymisation
Personal data that has undergone effective anonymisation (also known as rendered anonymous) is not, however, regarded as personal data (and therefore not subject to the UK GDPR). This is because the data has been modified, and transferred or otherwise made available to another organisation, such that it no longer relates to an identified or identifiable individual. In particular, the recipient should be assessed not to have means reasonably likely to be used to identify the individual directly or indirectly, e.g. where appropriate safeguards that prevent the use of means reasonably likely to identify the individual are put in place. (See Recital 26 UK GDPR).
Data can be rendered effectively anonymised even in circumstances where the modified data retains a pseudonym. It depends on whether additional processes and safeguards are put in place, the cumulative effects of which are assessed to mitigate the risk of the individual being reidentified to a sufficiently remote level so that, in the hands of the recipient, it meets anonymisation requirements. Therefore, reidentification risk does not have to be eliminated completely for data to be considered anonymous in the context. However, any onward transfer of the data may change its status to be personal data again, depending on any additional information and means available to the onward recipient.
Those designing research should consider with their organisation whether the anonymisation process is one that has previously been used, or whether it needs assessment of its effectiveness for this project. More guidance can be obtained from the ICO’s new guidance on anonymisation, pseudonymisation, and privacy enhancing technology. See Section 2.2 below.
2.1.2 The common law duty of confidentiality
Confidential patient information
Health and care information, both clinical and demographic (such as name and address), relating to, or in connection with, an identified or identifiable individual’s past or present use of services (NHS or adult social care) is confidential patient information. This broad definition is in recognition of the importance of maintaining trust in health and care services, so that all individuals can be reassured in fully engaging with these services.
The common law duty of confidentiality requires one of the following legal bases for the disclosure of confidential patient information:
● Consent, which may be implicit or explicit as follows:
Implied consent for direct care - also called individual care. Implied consent can be assumed where people would have a reasonable expectation of their data being used, and is thus relied upon as the legal basis for the provision of care and services to individuals, usually referred to as direct care. For detailed guidance on implied consent for direct care, see: Consent and confidential patient information - NHS Transformation Directorate (nhsx.nhs.uk); Information: To share or not to share? The Information Governance Review; and, National Data Guardian (NDG) Report on Barriers to Information Sharing for Direct Care (published in August 2020) including a draft decision support algorithm to help provide additional clarity about what falls within direct care and what does not (indirect care, sometimes called secondary use, which can include research). The General Medical Council (GMC) also have a confidentiality decision tool to help health and care professionals, as well as guidance on confidentiality: good practice in handling patient information. More guidance relating to the use of data for direct care can be found on the NHS Transformation Directorate IG Portal.
Explicit consent to share data for purposes other than direct care - note that explicit consent as a legal basis for setting aside the common law duty of confidentiality is not the same as explicit consent under the UK GDPR. See NHS Transformation Directorate guidance on explicit consent under the UK GDPR.
● A statutory authority or gateway (legal power) that expressly sets aside the common law duty of confidentiality for any particular processing - for example, support under The Health Service (Control of Patient Information) Regulations 2002 (more commonly known as ‘section 251 support’). Applications to process confidential patient information for medical purposes under regulation 5 will be considered by the Confidentiality Advisory Group (CAG). As well as the advice it provides to the HRA for research uses, CAG also provides advice to the Secretary of State for Health for non-research uses. See CAG application guidance.
● In the public interest - this is a narrow basis that applies where use or disclosure of the information is justifiable in the public interest. The GMC, the British Medical Association (BMA) and the Department of Health and Social Care (DHSC) have each produced guidance on public interest as the legal basis for lifting the obligation of confidence.
● Pursuant to a legal obligation (such as a court order) to disclose the information.
Confidential patient information that has undergone pseudonymisation
Where confidential patient information has undergone pseudonymisation, but the identity of the individual is ascertainable indirectly from information in the possession of, or likely to come into the possession of, the person processing that information, it remains confidential patient information. You will therefore require a legal basis to lift the common law duty of confidentiality before it can be disclosed to a potential recipient.
Confidential patient information that has undergone effective anonymisation
Where confidential patient information has been anonymised so that it cannot be used to identify someone, it can be disclosed without a legal basis. This means that the information has been modified such that it cannot be used by the recipient to identify the patients or service users to which it relates (either directly or indirectly using separate information to which the recipient has access), and where appropriate safeguards that prevent the use of means reasonably likely to identify the natural person are in place. Data can be rendered anonymous in this context even if it retains a pseudonym.
The effectiveness of the anonymisation process should be assessed on a case-by-case basis. In general, data anonymised through aggregation (with small numbers suppressed) are rarely subject to the duty of confidentiality (or data protection requirements). More guidance can be obtained from the ICO’s new guidance on anonymisation, pseudonymisation, and privacy enhancing technology. See Section 2.2 below.
The National data opt-out
The national data opt-out allows patients and service users in England to say if they do not want their confidential patient information to be used beyond their direct care in specified circumstances. The opt-out does not apply to the use of confidential patient information that has undergone effective anonymisation. The national data opt-out does apply where the legal basis for processing confidential patient information is section 251 support obtained under regulation 2 or 5 of the Health Service (Control of Patient Information) (COPI) Regulations 2002.
Where someone has registered an opt-out, they can choose to consent to take part in specific research projects, and they can be asked about research opportunities as part of care consultations.
It is important to remember that just because someone has not registered an opt-out, this does not mean they have consented to the use of their confidential patient information beyond their direct care.
NHS Digital has published detailed information about the opt-out and compliance requirements.
2.2 Health and care information that cannot be used to identify an individual or no longer identifies individuals
Data protection legislation
As above, personal data that is rendered effectively anonymised (anonymous) is no longer personal data and its processing is not subject to the UK GDPR. There are several anonymisation techniques that can be used, for example:
- aggregating
- suppression
- rounding
- barnardisation
- reduction in detail
- addition of noise
More guidance can be obtained from the ICO’s new guidance on anonymisation, pseudonymisation, and privacy enhancing technology. That guidance describes how each of these techniques can be used in more detail and sets out controls around the process of anonymising or pseudonymising personal data and its subsequent use. It will also provide case studies for health and care.
The process of anonymising personal data requires a legal basis under the UK GDPR: see ICO guidance.
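Several of the techniques listed above (aggregation, small-number suppression, rounding and barnardisation), applied to a constructed record-level extract, as an added example that is not part of this guidance or the ICO's. The threshold of 5, the rounding base of 5 and the barnardisation probability are assumed policy values, not figures from this guidance.

```python
import random
from collections import Counter

# Constructed record-level input: one (area, condition) row per patient event.
SAMPLE_ROWS = ([("Area-1", "asthma")] * 6 + [("Area-1", "diabetes")] * 2
               + [("Area-2", "asthma")] * 12 + [("Area-2", "diabetes")] * 1)

SMALL_NUMBER_THRESHOLD = 5  # assumed policy: non-zero counts below 5 are suppressed
ROUNDING_BASE = 5           # assumed policy: published counts rounded to nearest 5


def aggregate(rows):
    """Aggregation: replace record-level rows with a count per (area, condition) cell."""
    return dict(Counter(rows))


def suppress_small_numbers(counts, threshold=SMALL_NUMBER_THRESHOLD):
    """Suppression: hide cells whose count is non-zero but below the threshold (None = suppressed)."""
    return {cell: (None if 0 < n < threshold else n) for cell, n in counts.items()}


def round_counts(counts, base=ROUNDING_BASE):
    """Rounding: report each unsuppressed count to the nearest multiple of base (half rounds up)."""
    return {cell: (None if n is None else base * ((n + base // 2) // base))
            for cell, n in counts.items()}


def barnardise(counts, seed=0, p=0.1):
    """Barnardisation: add -1, 0 or +1 to each non-zero, unsuppressed cell with
    probabilities p/2, 1-p, p/2, so no published cell can be read as exact."""
    rng = random.Random(seed)  # seeded here only so the example is reproducible
    out = {}
    for cell, n in counts.items():
        if n is None or n == 0:
            out[cell] = n
            continue
        u = rng.random()
        out[cell] = n + (1 if u < p / 2 else -1 if u < p else 0)
    return out


def publish(rows):
    """Assumed release pipeline: aggregate, suppress small numbers, then round."""
    return round_counts(suppress_small_numbers(aggregate(rows)))


if __name__ == "__main__":
    print(aggregate(SAMPLE_ROWS))
    print(publish(SAMPLE_ROWS))
    print(barnardise(suppress_small_numbers(aggregate(SAMPLE_ROWS)), seed=1))
```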
The duty of confidentiality
While confidential patient information that is rendered anonymous is no longer confidential patient information, the process of accessing confidential patient information in order to render it anonymous is subject to the duty of confidentiality.
A member of a patient’s or service user’s care team may render confidential patient information anonymous without breaching the duty of confidentiality. The care team are health and care staff who the individual would reasonably expect to have access to their record for individual care, specifically:
● Registered health and/or social care professionals and staff who directly provide or support direct care to an individual;
● Staff who are not registered with a regulatory authority and yet undertake direct care; and,
● Trusted third party data processors who are already contracted to process confidential patient information on behalf of health and care organisations to support individual care (for example, IT systems suppliers).
The most important point is that the individuals anonymising the data must have a legitimate relationship with the patient or service user that relates to their care, and it should not be a surprise to the patient or service user that those individuals are anonymising their data. More advice on how to lawfully de-identify information to protect confidentiality will be contained in new guidance to be published on the NHS Transformation Directorate IG Portal.
The National Data Guardian provides further commentary on the scope of the care team, the importance of a legitimate relationship to the patient or service user, and of informing patients or service-users about how their confidential information is used and who has access to it, in Information: To share or not to share? The Information Governance Review.
Where the anonymisation is to be performed by anyone else who does not have a legitimate relationship, there will be a disclosure of confidential patient information, albeit solely for the purposes of anonymising it, and a legal basis to lift the common law duty of confidentiality is required. See the list of legal bases for the disclosure of confidential patient information under Section 2.1.2 above. Some organisations have a legal power to require and process data; for example, NHS Digital has powers to require and process confidential data under the Health and Social Care Act 2012. Otherwise, such processing of the data will remain subject to the common law duty of confidentiality.
It should be noted that an assurance (however binding) of maintaining confidentiality by someone receiving confidential patient information / personal data (who does not have a legitimate relationship with the person to whom the information relates), does not provide a legal basis for access/processing under the common law duty of confidentiality.
Such processing will also remain subject to data protection law while the information remains identifiable. In particular, research sponsors must be able to establish a condition under Article 9 UK GDPR for de-identifying confidential patient information as necessary for achieving a legitimate secondary purpose. They also need to be able to demonstrate that the benefits achieved by sharing this data for that purpose outweigh the risk of undermining public trust in the health and care system’s ability to provide confidential services.
The purpose must also be consistent with the information that has been given to patients and service users about the purposes for which confidential patient information might be anonymised. Where this is not the case, additional information must be included in privacy notices and other information materials (i.e. to ensure that there are “no surprises” for individuals). The HRA provides template text that health and care organisations should use to ensure their privacy notices and other information are consistent with the use of confidential patient information for research - Templates - Health Research Authority (hra.nhs.uk).
2.3 Synthetic data
Synthetic data is neither personal data nor confidential patient information. It is not subject to data protection legislation or the common law duty of confidentiality.
Where data is created artificially from confidential patient information or personal data, however, the act of creating it through a process of information synthesis is subject to the common law duty of confidentiality and data protection legislation - in the same way that the process of anonymisation is covered by these legal frameworks. See section 2.2 above.
Where synthetic data is generated to be statistically consistent with a real data set that it replaces, moreover, an assessment should be carried out regarding the likelihood of individuals being re-identified from the synthesised data. If necessary, additional safeguards may be needed to ensure that any reidentification risks (or other privacy risks) are sufficiently remote.