Your patient record is accessible to people providing you with individual medical care, but there are audit trails in place to discourage inappropriate access to data, and accessing someone’s records without reason is a criminal offence.

Your data may be accessed by researchers or planners, but only for public benefit, and the data is in the vast majority of cases de-identified, unless there is a lawful reason and need to use identifiable data. Read more on our web page about how data is used.

The use of identifiable data is subject to strong safeguards to protect data.

Private sector organisations in this context refers to organisations that are not part of the state or voluntary sector. 

It is important to note that there are some private sector organisations that work within the NHS. For instance, GP surgeries are owned by GPs, most often in partnership arrangements, and provide NHS services by contract, but they are bound by law to manage your data in an appropriate way.

Private sector companies also provide the IT systems used to store medical records. Other private sector organisations might work with the NHS in public-private partnerships and therefore access data to help deliver a service or a project.

Private companies can also apply to access data for research, for instance to be able to research and manufacture potential new treatments. The NHS will only grant access to data if there is a clear public benefit and they will never share identifiable data for marketing and insurance purposes.

In the vast majority of cases, private sector organisations can only access de-identified data. For more information on identifiable and de-identified data, see our guide to identifiability and guide to large datasets.

There are always contracts in place to protect data and strict controls on how organisations can use data.

Find out more about why private sector organisations access data, how the NHS works in partnership with them, and the safeguards that are in place to protect your privacy.

The NHS is not allowed to sell your data for profit, and will only share data when there is a strong and valid reason to do so. It publishes details of every organisation that uses NHS data. It is prohibited by law for NHS patient data to be shared for marketing, insurance or other solely commercial purposes.

However, it does operate on a cost recovery basis, so it is allowed to charge for the cost of processing and delivering the data, but not for the data itself. The charge depends on the type of application, the amount of data requested, and the amount of work that the NHS will need to do.

Individual NHS organisations (e.g. Trusts) will enter into different arrangements when working in partnership with private sector organisations.   

As new digital technologies develop, we are beginning to understand more about the value of data. While people may feel uncomfortable with the idea of the NHS receiving any sort of payment related to data, there would also be concerns if valuable data were given away to private sector organisations for free, as the NHS still needs to prepare the data and put in work to provide access to it.

There needs to be much more discussion about how the NHS and patients can benefit from the unique resource of NHS data. NHS England has published a Value Sharing Framework for NHS data partnerships that sets out the NHS’s thinking on these issues in more detail. According to the Framework, the NHS should seek a share of commercial value arising from the use of NHS data, proportional to the NHS’s contribution to the project. However, more detail is needed about how this will work in practice. We wrote a blog post about this in August 2023.