There are huge benefits when patient data is used responsibly to save lives and improve health and care. However, it is true that collecting and using patient data will never be totally risk-free. There must be robust measures in place to reduce the risks as much as possible. We look at the concerns people have and what’s being done to reduce the risks.

An introduction to health data security in the NHS

Check out this short animation explainer which introduces how data is collected and safely used within the NHS, as well as what can happen when things go wrong.

Health data breaches

Explore these interactive infographics which take a journey through characters' experiences with different types of data breaches, including prevention, responses, and consequences.

The four infographics are:

"What is an accidental internal data breach? Follow Amir's story to learn more."

"What is an accidental external data breach? Follow Hannah's story to learn more."

"What is a malicious internal data breach? Follow Gemma's story to learn more."

"What is a malicious external data breach? Follow Rezina's story to learn more."

You can find out more about how we co-created these resources with the public here.

Weighing up benefits and risks

We increasingly rely on digital technologies across all areas of our lives, benefiting from access to online services and tailored information when we need it, based on data about us or people like us. At the same time, reports of misuse of data, like Facebook and Cambridge Analytica and data breaches in the NHS, have highlighted the implications for privacy.

Some people may be willing to share personal data about themselves widely, for example through social media or brand loyalty cards, but others will be more cautious. Individuals are prepared to make different trade-offs, depending on the benefits they receive in return. It may also depend on the type of data, for example whether it relates to finances, health, travel or purchases.

When considering the use of patient data specifically, questions you might want to ask include:

There are huge benefits of using patient data: for individual care, for improving health and care services, and for supporting research. When patients are treated in the NHS, they benefit from insights based on the data of previous patients like them. Find out more about the benefits.

Sharing patient data will never be totally risk-free, but there must be robust measures in place to reduce any risks as much as possible, and to respond rapidly and effectively when things do go wrong. Surveys suggest that there are three main things people are concerned about:

The failure to collect or use data in the NHS can negatively impact patient care, and waste scarce resources. For example, capturing data on a patient's demographics or treatment history might be imperative for prescribing the right drugs, providing them with an appropriate clinician, and understanding their engagement with different parts of the interconnected health system. Without this, patient safety could be compromised, they might have a poor experience with a service, or fall through the net.

This will vary from person to person. People may accept greater risks for their individual care if they are more likely to benefit. They may not want to take the same risks for other uses of their data. On the other hand, someone with a rare disease may be most at risk of loss of privacy because they could be easily identifiable from data, but they will often be the most keen for data to be used. In the search for a diagnosis or treatment, they are often willing to take more risk of their data being used for research, but they might see a different acceptable balance between benefit and risk with data being used in services or over time.

Data use in the NHS is based on the concept of 'implied consent': patients do not have to explicitly consent to their data being accessed and used amongst staff directly involved in their care, as it is considered reasonable that those staff need to have information about the patient in order to deliver safe and appropriate care. Find out more about implied consent.

However, beyond direct care, the national data opt-out, introduced in May 2018, allows patients some choice about the use of their confidential patient information beyond their individual care, for example for research purposes.

At a national level, some key organisations hold patient data or have responsibility for oversight about the purposes for which it can be used. They work with others to make decisions about how to safeguard data and set the conditions under which it can be accessed.   

Find out more about how decisions are made on who can access and use patient data, and what choices you have. 

More information

Public participants who helped us co-create the resources above also identified further related topics that were of interest in relation to data security, access, and risks. We have set these out below. 

You can access your own GP records, including test results and treatment details, either online or in the NHS App.

You can also get guidance on accessing records for someone else to help them manage their health and care.

You can find a breakdown of the rules and regulations around the retention of health data in patient records across the UK and across services.

The use of data beyond direct care purposes is often referred to as ‘secondary use’ of health data - this typically includes things like service planning, monitoring population health, and research. 

For example, researchers use patient data to help us to understand more about disease, develop new treatments, monitor safety, plan and monitor services, and evaluate policy. This kind of research is vital to improve health and care for everyone.  

Researchers can apply to access data like GP or hospital records, or national registers. There are also tools and support available through organisations like the National Institute for Health and Care Research, who fund initiatives to help researchers access the health data they need, or Health Data Research UK. Before a researcher is granted access, their study is usually assessed by an independent review committee, who check that the reason for using the data is appropriate. Learn more here about the different organisations and approvals involved in this.   

As the NHS moves away from data ‘sharing’ towards a model of data ‘access’ by default, more and more researchers will be required to access data via approved environments, known as Trusted Research Environments or Secure Data Environments.

Find more examples of what data is used by researchers in our case studies.

Most people trust the NHS, but some are wary about third-party organisations outside the NHS, particularly in the private sector, accessing health data. Research shows that most people are comfortable with the private sector having access to patient data when it is used for public benefit, but some people are concerned that other organisations could potentially misuse data, or that the data could be shared onward.

There are strict controls on how third parties can use patient data. To protect your confidentiality, organisations are only allowed access to identifiable data if there is a legal basis. They should sign contracts setting out what they can and cannot do with the data, including restrictions on passing data to other third parties. 

Find out more about private sector organisations accessing patient data and how your data is protected here. 

Your health data is highly confidential and protected by law, and therefore generally cannot be seen by other services like the police or your employer without explicit informed consent.

There are times where it might be necessary for your health data to be shared with other services, such as if you are being cared for in hospital following an injury sustained due to someone committing a crime being investigated by police. Where possible, and appropriate, this would be done with your consent. Find out more about how this works here.

The Caldicott principles are a set of good practice guidelines for using and keeping safe people's health and care data. They are intended to apply to all data collected for the provision of health and social care services where patients and service users can be identified and where they would expect this to be kept private. All NHS organisations must have a Caldicott guardian, who works closely with other information and legal colleagues to help ensure health and care information is used ethically, legally and appropriately.

Find out more about Caldicott principles and guardians here.

The ICO gather and analyse data on data breaches, which you can explore here. It allows you to filter the data to just explore the health sector, and dissect the data by incident type. 

However, this just covers incidents that were discovered and reported to the ICO, so it is not a definitive source, but it gives a general overview of relative estimates. 

The infographics above mention that the likelihood and severity of the risk of harm to a patient(s) following a breach impacts decision-making around how to respond.  

The ICO advises organisations that, when deciding whether to take actions such as reporting an incident to them or notifying the affected patient(s), a judgement must be made about the potential for impact such as discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality, or any other significant economic or social disadvantage. This can help to make a pragmatic decision about what level of action is needed.  

Although it has been produced to support organisations rather than the general public, if you are interested you can explore the guidance given by the ICO, including on judging risk, here.

The ICO's approach to the public sector aims to improve data protection standards through guidance and proactive engagement, preventing harms before they occur and learning lessons when things have gone wrong.

This approach includes using discretion when fining public sector organisations, meaning they will use powers such as warnings, reprimands and enforcement notices, with fines only issued in the most serious cases.

Issuing fines would take money out of the health service, which would only put patients at further risk.

You can find out more about the ICO's approach to the public sector here.

In the past, patient records were only stored on paper. These may have been safer from cyber attacks but could easily be lost or mislaid. There are too many examples where appointments have been wasted, or even lives lost, because paper records have not been available to the right people at the right time. 

Digital records have the potential to be much safer, particularly if the whole care team can access up-to-date information using joined up electronic records. However, increasing use of digital records, and the fact that data may be stored in several places, does mean that the potential impact of a data breach could be greater. Many more people may be affected, for example if a whole database is hacked, or more information could be put at risk. 

On the other hand, digital technology can also be used to improve security and reduce the risks. Technology can be used to protect data, for example by restricting access (using passwords or swipe cards to control access to data), or using encryption so the data can only be read with a code. There can also be a robust audit trail showing who has accessed data and when. 

The Government’s Plan for Digital Health and Social Care set a target of all Trusts having electronic patient records by March 2025 (subsequently pushed back to 2026), which includes a requirement for all organisations to have increased cyber security capabilities, resilience, clinical safety and accessibility. This commitment was supported by £2bn in funding to help organisations meet digital standards.

The healthcare system and its data security systems and practices can vary across England, Scotland, Wales, and Northern Ireland.

We have tried to ensure that the resources above are applicable across the UK where possible, but it is important to also recognise the specific variations.

We are working on developing a resource which sets out these key differences, including in relation to health data security.