Whenever we go to a GP, a hospital or a pharmacy, information will be collected about us and our medical history. Only healthcare professionals who are directly involved in your care will be able to access your full patient record. But some of the information from your record may also be useful for specific purposes beyond your individual care, to improve health, care and services across the NHS. People need to be able to find out what’s allowed and what’s not, and how data is kept safe.

How is data kept safe?

It is essential that patient data is kept safe and secure, to protect your confidential information. There are four ways that privacy is protected:

  • Removing details that identify a person and taking further steps to anonymise information. 
  • Using an independent review process to make sure the reason for using patient data is appropriate.
  • Ensuring strict legal contracts are in place before data is transferred or accessed.
  • Implementing robust IT security.

Find out more about the safeguards.

Who can access patient data?

Your full patient record will only be seen by healthcare professionals who are directly involved in your care.

There are strict controls on how anyone else can access patient information. The purpose must be approved before anyone can use data, and they are only given access to the minimum amount of data necessary. The types of organisations that can use patient data include:

  • NHS providers and commissioners: use data to monitor trends and patterns in hospital activity, to assess how care is provided, and to support local service planning.

  • University researchers: use data to understand more about the causes of disease, to develop new ways of diagnosing illness or to identify ways to develop new treatments. Explore our case studies for some examples. 

  • Charities: use data to evaluate services and identify ways to improve care.

  • Companies: use data if they are partnering with the NHS to provide care and research. The NHS can’t do all of the analysis on its own, and companies may have the best expertise and technologies for making sense of large and complex data from hospitals, or for developing new treatments. People often have lots of questions about how and why companies can access data. Find out more about companies using patient data.

Find out more about how decisions are made on who can access and use patient data.

How are decisions made about who can access patient data?

At a national level, some key organisations hold patient data or have responsibility for oversight about the purposes for which it can be used. They work with others to make decisions about how to safeguard data and set the conditions under which it can be accessed. 

Find out more about how decisions are made on who can access and use patient data.

Can I be identified from the data?

People want to know whether they could be identified when data about them is used. Often, it is only a row of numbers and codes that can be seen. But what does this really mean in practice, is it ever possible to re-identify someone?

Take a look at the section on 'How my privacy is protected' in our guide to health datasets, to learn more

Some data will be used to produce statistics that are published monthly by the NHS, for example A&E waiting times or vaccination coverage. The information can only be openly published if the data is anonymous, so it is not possible to identify any individual.

What are the risks?

Do the benefits of using patient data outweigh the risks? Could something go wrong, and what would be the impact? What are the consequences of not using data? 

Sharing patient data will never be totally risk-free, but there must be appropriate measures in place to make any risks as low as reasonably possible. Data is anonymised wherever possible. There are audit processes to check who is accessing data, and robust penalties can be issued where data is misused.

Find out more about what is being done to reduce the risks and protect data here.

What choices do I have?

In England, a national data opt-out was introduced in May 2018, following recommendations from the National Data Guardian. People can opt out of having their confidential patient information shared for reasons beyond their individual care, for example for research and planning.

Find out more about the national data opt-out.


View all FAQs