Many people are uncomfortable with the idea of companies accessing health information. Find out why commercial organisations might need to use data, how the NHS works in partnership with companies, and the safeguards that are in place to protect your privacy.

  • Companies are involved in many ways in the delivery of care and research across the NHS, but there are strict controls on how companies can use patient data, to protect your privacy.
  • Personally identifiable patient data can only be used if there is a health benefit.
  • The NHS will never share your personally identifiable data for marketing or insurance purposes (unless you specifically say that it is OK).


Many different types of company may be allowed to use patient data, under strict conditions, for a range of purposes. These include:

  • Software providers
  • Pharmaceutical companies
  • Analytics services
  • Chemists / pharmacies
  • Digital developers and tech companies
  • Private healthcare providers
  • Insurance companies

To find out more about why these companies may access data, see the examples below.

The information from patient records can be used to help understand more about disease, to develop new treatments, to monitor safety, to plan services and to evaluate NHS policy. But the NHS can’t do all the data analysis on its own. It has to work in partnerships, with academic researchers, charities, regulators - and commercial companies. 

Companies are involved in many ways in the delivery of care and research across the NHS, but there are strict controls on how companies can use patient data, to protect your privacy.

Some examples of how companies use patient data, when you visit the GP, hospital or pharmacy, and in developing drugs are given below.

The NHS will never share your name or contact details with companies to use for marketing purposes, unless you give consent. Pharmaceutical companies have to follow strict rules about marketing, and they are not allowed to advertise prescription medicines to patients in the UK.

It’s worth noting that you may see adverts targeted to you online, for example for non-prescription treatment or devices like hearing aids. This would be possible because of your internet searches, not because your patient data has been shared with a company. With 1 in 20 Google searches now health-related, targeted advertising is increasingly common.

Only with your permission. All the evidence shows that people are particularly concerned about insurance companies using patient data, but there are strict controls on this use. There are two reasons insurance companies might want to use patient data:

  1. Individual applications for insurance

    If you are applying for life insurance cover, an insurance company will want to know information about your medical history. The insurer will usually ask you questions about your lifestyle and relevant family history, but may also want to see your medical records. This is only possible with your permission. Only if you agree, your GP will then provide the relevant information to the insurer. There is currently a ban on insurers using genetic information.

    You can find out more here:

  2. Setting insurance premiums

    Insurance companies may also want to use data about health and lifestyle to help understand and predict risk, in order to work out how much insurance cover will cost. Insurers are only allowed to use anonymous data about large groups of people, and they would not be able to identify any individuals from this information.

    Using anonymous patient data in this way may lead to higher or lower premiums, depending on an individual’s situation. In some cases, if insurers have access to accurate information it may actually lead to lower premiums – for example by helping them understand more about living with cystic fibrosis, or when setting travel insurance premiums for people with a cancer diagnosis. In other instances, insurers may link health data with other information, for example about different regions or age groups, to set risk calculations which could lead to some groups of people having higher premiums.

NHS Digital, the central repository of NHS information, is not allowed to sell data for profit but operates on a cost recovery basis. It is allowed to charge for the cost of processing and delivering the service, but not for data itself. The charge depends on the type of application, amount of data requested, and the amount of work that NHS Digital will need to do.

Individual NHS Trusts will enter into different arrangements when working in partnership with companies, depending on their requirements and the services that are offered.  

As new digital technologies develop, we are beginning to understand more about the value of data. While people may feel uncomfortable with the idea of the NHS ‘selling’ data, there would also be concerns if valuable data is given away to companies for free. There needs to be much more discussion about how the NHS and patients can benefit from the unique resource of NHS data. For example, if patient data is used to develop a new algorithm, should the NHS get access to that service at a reduced rate? Should the NHS be able to make a profit from commercial access to data? 

Companies are involved in the delivery of care and research across the NHS in many ways. The NHS does not have the expertise or resource to make sense of all the large and complex datasets, or to develop new drugs in-house, and so they need to partner with companies to provide these services. While companies may make a profit, for example from developing a new treatment, they should only be allowed access to data if there is a health benefit. There are strict controls on how companies can use patient data, to protect privacy. 

A lot of people worry about data going to companies that are going to use it for making drugs, but that’s good, because they’re making drugs to improve treatment.”
Nicole Larkin, patient advocate, useMYdata

Whoever the user, there are strict rules regarding access to patient data. Companies have to sign contracts setting out what they can and cannot do with the data, including limits on passing data to third parties. Data must be stored securely, with controlled access and robust IT systems to keep data safe, and there are strong sanctions if data is misused.

The NHS will never share your personally identifiable data to companies for marketing or insurance purposes, unless you specifically give permission.

Find out more about how privacy is protected and what is being done to reduce the risks and protect data here.

Any company accessing patient data must sign a legal contract before data can be transferred. This will usually state that data cannot be passed to any third parties, unless explicitly approved in the application. Some analytics companies work with a number of different clients and may want to use the same data with different organisations but they are only allowed to do this if it has been specifically agreed, and the purpose must be approved. 

Find out more about what is being done to reduce the risks and protect data here.


Companies are involved in many ways in the delivery of care and research across the NHS. Below are some examples and more can be found in our case studies


GP looking at screen

At the GP

When you visit your GP, you’ll have seen them typing information on a computer. Companies provide the software that GPs use to keep electronic patient records. The company stores the full records but the GP is the ‘data controller’ and decides who can access the information. Companies also provide the services that allow you to access your patient records, book appointments online and order repeat prescriptions. This may mean processing some identifiable data.

All GP software must include robust IT systems to keep data safe, including controls around who can access the data and audit trails to record who has viewed it.


Outside a hospital

At the hospital

NHS hospital trusts work with analysis companies to help them understand and interpret large and complex data. This can help identify differences in the treatment provided (for example after a heart attack or surgery success rates), giving the hospital the information it needs to deliver services more effectively – providing better care and saving NHS money.

Analysis companies can also help provide insights for commissioners who plan NHS services, to compare performance between different hospitals.

Companies will only be given access to the minimum amount of identifiable data. Usually data will be de-personalised, and coded so it looks something like this:

Example of coded de-personalised patient data. Not based on real people.
Example of coded de-personalised patient data. Not based on real people. 


At a pharmacy counter

At the pharmacy

Your local pharmacy (or chemist) is also a commercial company. Pharmacists have to meet strict standards of confidentiality as part of their professional registration.

A pharmacist may need information from your patient record to be able to provide you with the medicines that your doctor has prescribed and to check that there would not be any reaction with other medication you are taking. To do this effectively, they may need access to your Summary Care Record – they will ask for your consent first.

Pharmacies also use patient data to ensure an appropriate supply of medicines. For example, by looking at anonymous data about the numbers of people with a particular condition in an area, they can ensure they have enough medicine in stock to treat everyone.

Pharmacists may also want to target services to some patients, for example to encourage smoking cessation or to offer a review of medicines. You will only be contacted in this way if you say it’s OK.


Data analytics company

Developing new diagnostics and treatments

For diagnosis:  Technology companies are developing software tools that support clinical decision-making to help provide a diagnosis more quickly. For example, new software could be used to analyse a patient’s MRI scan, and identify any cancerous tissues more effectively than a person can.  

To develop new drugs:  Pharmaceutical companies need to use patient data at all stages of the drug development process – from understanding more about a disease to identifying potential drug targets, from recruiting people for clinical trials to demonstrating whether a new treatment is effective and monitoring the safety of drugs.  

To develop new smartphone apps and wearables:  Technology companies develop apps that help patients self-manage conditions, or that allow remote monitoring, for example tracking glucose levels in people with diabetes, or alerting a clinician if a patient’s condition changes. The apps may collect patient data to function effectively – each app should have a privacy policy that explains how data is used and protected. You can find more examples of new technologies using patient data for healthcare here.