Guidance

Approval standards and guidelines: confidential patient information

Updated 2 August 2024

Approval standard: confidential patient information

When must this standard be met

This standard must be met when the application includes the processing of confidential patient information.

For the purpose of this Standard, confidential patient information is defined in Section 251(10) and 251(11) of the National Health Service Act 2006 as information about a living or deceased person that meets all 3 of the following requirements:

  • the individual is identifiable, or likely to be identifiable, from the information
  • the information was given in circumstances where the individual is owed an obligation of confidence
  • the information conveys something about the physical or mental health or condition of the individual, a diagnosis of their condition, and/or their care or treatment

Standard

1. All applications requesting to process confidential patient information must evidence how the duty of confidentiality has been set aside to allow confidential patient information to be lawfully processed for the specific purpose(s) in the scientific protocol.

2. Where the processing of confidential patient information is for ‘Direct Care’, the data application form must name the organisation’s Caldicott Guardian and be accompanied by a signed letter of support that:

  • specifies the nature of the direct care activity and necessity of processing confidential patient information

  • is dated no more than 3 months before the submission of the application

  • is signed by the Caldicott Guardian, as named on the UK Caldicott Guardian Council’s register

3. Where the processing of confidential patient information will rely on the explicit, informed consent of the individual (the data subject), the application must:

  • include blank versions of the consent form, participant information or other materials used to obtain consent – each version must be clearly labelled, and where changes to these documents have been made over time, the application must include the complete version history

  • where consent is obtained for research, demonstrate that the consent materials have received a favourable ethical opinion; for further information, see the Approval standard and guidelines: ethical assessment

4. Where the processing of confidential patient information will rely on a statutory exemption obtained under Section 251 of the National Health Service Act 2006 and The Health Service (Control of Patient Information) Regulations 2002 made under it, the application must:

a) demonstrate that all reasonable alternatives to processing confidential patient information have been discussed with UKHSA’s Data Release and Acquisition Team and ruled out

b) include the reference assigned by the Secretary of State, Confidentiality Advisory Group or other approval body (where applicable)

c) include the date of next review or renewal (as required under Regulation 7 of The Health Service (Control of Patient Information) Regulations 2002)

d) include all correspondence from the approving body to demonstrate support is current and the scope of such approval agrees with the processing operations described in the application (including any amendments made)

e) ensure that the processing activities within the scope of the support are consistent with the application, including the population or sampling frame, the data to be requested and the timeline for the retention of confidential patient information

f) include, as part of the ethical assessment, the exit strategy for processing confidential patient information – see Approval standards and guidelines: ethical assessment

g) demonstrate how the requirements of the National Data Opt-Out are met or are not applicable – for further information, see Approval standards and guidelines: upholding objections under the national data opt-out

5. Where the processing of confidential patient information will rely on any other legal provision, the data application form must state and justify the specific:

  • express statutory powers
  • implied statutory powers
  • prerogative and common law powers

Guidelines

This standard focuses on processing confidential patient information.

A duty of confidentiality arises when information is obtained in circumstances where it is reasonable for the person providing the information to expect that it will be held in confidence by the recipient. Not all information is confidential, however. To be confidential, the information must have a ‘quality of confidence’, meaning that it must not be public property or public knowledge, and it must be capable of identifying the individual it relates to. This matters because data that has been effectively anonymised is no longer confidential information.

The common law duty of confidentiality is distinct from the responsibilities placed on data controllers for lawful processing under UK GDPR and does not remove or replace the need for applications to comply with UK GDPR. For more information, see Approval standards and guidelines: lawful basis (UK GDPR).

Common law duty of confidentiality

When information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the individual’s consent. This duty of confidentiality extends beyond death and is distinct from obligations under data protection legislation. However, it is not absolute and confidential information can be lawfully disclosed when there are appropriate grounds to set this duty aside.

If your application includes the processing of confidential patient information (for example, health data held against identifiers such as NHS number, name, hospital identifier or date of birth), you must show how the duty of confidentiality will be set aside.

Valid exemptions include but are not limited to:

Direct care

The individual care of patients by one or more registered and regulated health or social care professionals and their team, with whom there is a legitimate relationship for the care of the patient through implied consent. This includes the conduct of local clinical audit or service evaluation by the healthcare provider but excludes audit or evaluation across organisations for which the use of personal confidential data is permissible where there is approval under Regulation 5 of The Health Service (Control of Patient Information) Regulations 2002.

Consent

The individual has capacity and has explicitly consented to the processing described in the protocol. This means the individual knows and understands how their data is to be used and shared. There must be ‘no surprises’ about how any data will be processed, and the person giving their consent should fully understand the implications of their decision to consent.

Statutory basis

The disclosure is:

  • required by law, such as the requirement for laboratories in England to report specific notifiable infectious diseases to UKHSA under the Health Protection (Notification) Regulations 2010, or

  • permitted under a statutory process that sets aside the duty of confidentiality for a limited purpose; for example, support granted under Regulation 5 of The Health Service (Control of Patient Information) Regulations 2002

In addition, there may be other situations which mean sharing confidential patient information is necessary to safeguard the individual, where there is an overriding public benefit, or because of a contractual relationship with the individual. These exemptions are outside the scope of this Standard and application process.

Direct care

Direct care has been defined by the National Data Guardian as:

A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

Purposes beyond direct care include:

  • health services management
  • research
  • risk prediction or stratification
  • health needs assessment
  • financial audit

These purposes are not directly associated with the healthcare that patients receive, and it cannot be assumed that patients who seek healthcare are content for their information to be used in these ways.

Where data is requested from UKHSA for direct care, the application must demonstrate oversight by the applicant’s Caldicott Guardian and that they are satisfied that:

  • the processing of confidential patient data will be lawful, ethical and strictly for a direct care purpose only
  • the data will be processed on a ‘need to know’ basis
  • the applicant is a registered and regulated health or social care professional who has a legitimate relationship for the care of the patient through implied consent.

To demonstrate this oversight, the data application form must name the Caldicott Guardian who has been consulted, and the application must include a signed letter of support.

The letter must:

  • specify the nature of the direct care activity and necessity of processing confidential patient information – for example, the letter may state the title of the clinical audit and that personal data is necessary to enable a case-note review using locally held records
  • be dated no more than 3 months before the submission of the application
  • be signed by the Caldicott Guardian, as named on the UK Caldicott Guardian Council’s register

Applicants who are unclear about whether their project is direct care should seek assistance from their information governance team or Caldicott Guardian.

The National Data Opt-Out does not need to be applied to any data releases for direct care.

Consent

The duty of confidentiality can be satisfied with the consent of the individual.

Consent is the approval or agreement for something to happen after consideration. For consent to be valid, the individual must be informed, must have the capacity to make the decision in question and must give consent voluntarily. This means individuals should know and understand how their information is to be used and shared (there should be ‘no surprises’) and they should understand the implications of their decision, so they can provide an unambiguous indication of their agreement.

When UKHSA considers informed consent as the basis to set aside the common law duty of confidentiality, the consent materials (consent form, participant information sheet (PIS) and supporting materials) are reviewed to consider whether they:

  • give adequate information to enable the individual to understand the nature and purpose of the activities for which consent is sought
  • are compatible with the proposed processing described in the scientific protocol

It should be noted that, as case law has developed over time, the standard of consent once considered sufficient has been superseded by current expectations. The practice of obtaining consent is therefore an evolving process, and the law changes as cases are decided. This means that even if a particular consent statement is deemed sufficient today, it may not be sufficient in the future if what is being done with the data changes or if the law changes.

UKHSA recognises that in some cases, consent will be broad, and this can be acceptable if the individual has been adequately informed about the purposes for which their data will be processed and any associated risks. Where the processing described in the scientific protocol is not compatible with the consent obtained, it may be reasonable for individuals to be reconsented. However, in situations where this is not feasible, a statutory exemption may need to be sought.

There may also be circumstances where consent cannot be obtained. In such cases, the common law duty of confidentiality may need to be set aside through a statutory basis or legal duty to disclose.

For research using NHS data, all the consent materials must receive a favourable ethical opinion from a Health Research Authority (HRA) NHS Research Ethics Committee. For further information, see Approval Standards and guidelines: ethical assessment.

It is important to keep in mind that UK GDPR consent is separate from the duty of confidentiality. But in cases where consent is determined to meet the UK GDPR standard for consent set out in Article 7 and Recital 32, Recital 42 and Recital 43 of UK GDPR, it will also be judged to have satisfied the standard for setting aside the common law duty of confidentiality. See Approval standards and guidelines: lawful basis (UK GDPR).

The National Data Opt-Out does not need to be applied when informed consent is in place, unless this is promised to individuals. Please note the right to object must still be respected and that it is the responsibility of the organisation which obtains consent to manage this locally.

Statutory basis

There is no universal statutory power to disclose confidential patient information, just as there is no general power to obtain, hold or process it. This reflects the fact that legal gateways are created in response to the specific requirements of the public bodies that rely on them and the scope of discretion conferred on the authority.

The list below shows some examples, but is not exhaustive:

  • the Children Act 1989 allows certain organisations to obtain confidential patient data to safeguard and promote the wellbeing of children
  • the Civil Contingencies Act 2004 allows certain organisations to obtain data as part of their statutory duty to plan and prepare for, advise about, respond to and recover from emergencies

Some legislation compels data sharing to occur for a specific reason and other legislation creates discretionary powers to share confidential information where it is necessary and proportionate to do so.

For example, where it is impossible or impracticable to gain the consent of individuals for medical research and the use of anonymised information would not achieve the desired outcome, researchers can apply for the duty of confidentiality to be temporarily lifted. This is achieved through Section 251 of the National Health Service Act 2006 and its current Regulations, The Health Service (Control of Patient Information) Regulations 2002.

The ‘gateways’ through which information can be shared must be detailed in the application, with due reference to the:

  • express statutory powers – these are powers expressly conferred by specific legislation (such as an Act of Parliament)
  • implied statutory powers – these are powers that are not necessarily explicitly set out in the legislation but are properly and reasonably regarded as incidental to the express power
  • prerogative and common law powers – these are powers that can be exercised by government ministers to do things which are ancillary or incidental to the ordinary business of central government but are limited by the restraints of public law and constitutional principle

Health Service (Control of Patient Information) Regulations 2002

In England and Wales, Section 251 of the NHS Act 2006 (originally section 60 of the Health and Social Care Act 2001) provides a temporary gateway to permit the use of patients’ medical information without their consent. Such disclosures are permissive, not mandatory.

Where support has been obtained under the Regulations and will operate as the gateway to set aside the common law duty of confidentiality, the application must include:

  • a copy of the section 251 support approval letters, including amendments
  • copies of documents reviewed by the approving body
  • confirmation of current support (for example presence on the Confidentiality Advisory Group (CAG) register and/or the applicant’s latest annual review submission)

Processing of anonymised data does not fall within the scope of the Regulations as access to anonymised information would not involve a breach of confidentiality.

It is expected that before completing an application for support under the Regulations, all reasonable alternatives to the processing of confidential patient information are considered. These must be discussed with UKHSA prior to submitting an application for any approvals. Where UKHSA is supportive of the project, the Data Release and Acquisition team will provide a letter of support that can accompany the application.

Guidance on the application process to the CAG is available from the HRA.

All processing of confidential patient information that relies on Regulation 5, unless specifically exempted by the Secretary of State, will require the National Data Opt-Out to be upheld. For further information, see Approval standards and guidelines: national data opt-out.