At a national level, some key organisations hold patient data or have responsibility for oversight about the purposes for which it can be used. They work with others to make decisions about how to safeguard data and set the conditions under which it can be accessed.
When patient data is used for purposes beyond providing individual care, there are safeguards to ensure it is protected and used appropriately. Organisations follow set processes and criteria for the decisions they make about how patient data can be used, some of which are set out in law. There are also groups and committees who are often independent from these organisations involved in the process. It’s their job to give advice to these organisations on what would or would not be lawful and appropriate uses of patient data.
Who holds patient data?
There are a number of different types of organisations – sometimes called data controllers or data custodians - that hold patient data, both at a national and regional or local level.
At a national level, the health service holds patient data that is collected during routine clinical care, including from hospitals, mental health, ambulance and community services. Across the UK, this includes NHS England, NHS National Services Scotland, NHS Wales and Health and Social Care Northern Ireland. They release a number of open, publicly available datasets and statistics created from aggregated patient data to provide information about the health of the population and how the health service is functioning. They also allow commissioners, researchers and commercial organisations to access more detailed data for specific purposes. To access this data, organisations will need to submit an application and demonstrate that it is being used for public benefit.
In addition to health service and government bodies, other organisations like charities, academic and research institutions may also hold data on patients who have consented to their data being collected.
At a regional and local level, GP surgeries, NHS Trusts and Integrated Care Systems (ICSs) all collect and hold data for individual care and service planning and evaluation. They have their own systems for managing how data is used. They have to follow the law and manage the patient data they hold responsibly. They can make their own agreements with other organisations, including researchers and private sector organisations.
Some organisations at a national level hold patient data that is collected during routine clinical care, including from hospitals and primary care settings. This includes organisations like the UK Health Security Agency, Public Health Scotland, Public Health Wales, and the Public Health Agency in Northern Ireland. They release a number of open, publicly available datasets and statistics to provide information about how the health service is functioning and how key public health threats are being monitored.
How are decisions made?
As part of the governance arrangements to ensure data is protected and used responsibly, applications are reviewed to determine whether the request to access patient data should be accepted. Any organisation that applies to access patient data has to satisfy several criteria. These usually include:
- that patient data is only shared if there is a potential for public benefit
- that the data use must comply with the Data Protection Act (2018) UK General Data Protection Regulation (GDPR), and other laws such as the Common Law Duty of Confidentiality
- that the guidance and codes of the Information Commissioner's Office (ICO) must be followed
- that an application process for those requesting patient data justifies:
- what data is being requested
- why the data is needed
- who will be accessing the data
- and how the data will be protected (including through data security arrangements)
- that any data accessed will either not contain personally identifiable data, or contain the minimum amount needed for researchers and companies to do their work.
The decisions they make will take into account whether participants have given informed consent, for example through participating in a research study, and the degree of risk that individuals could be re-identified from the data. If a request is asking for access to confidential patient data without consent, and there is no legal exemption in place, the requester may need to go to groups like the Confidentiality Advisory Group (for England and Wales) to get this approval first.
Caldicott Guardians may also be involved in this decision-making process. This is a senior role for an organisation which processes health and social care personal data, which ensures that personal information is used legally, ethically and appropriately. The individual acts as a leader on complex matters involving confidentiality and information sharing.
Find out more about this in our guide to large datasets here.
People can opt out of confidential patient information about them being used for purposes beyond their individual care(except for where there is an exemption). Read more about the opt-out and your choices here.
What organisations are involved?
The below information relates specifically to England. Similar organisations and arrangements are in place across all four nations.
Who are they?
NHS England (NHSE) is a statutory public body sponsored by the Department of Health and Social Care that leads the health service in England and commissions services. Prior to 2023, a separate body called NHS Digital was responsible for collecting and holding data on NHS services in England. In 2023, the organisations merged and these powers were transferred to NHS England. It can only operate within the scope and limits set out for it in legislation, the Health and Social Care Act (2012), Care Act (2014), and Health and Care Act (2022) and cannot allow data it holds to be used for purposes beyond those set out by law.
What do they do?
NHS England has a number of legal duties regarding patient data including:
- collecting, analysing and publishing health and care data
- providing national technology for health and care services.
To learn more about this, visit NHS England’s page on how data is managed.
What do they do to safeguard access to patient data?
Patient data held by NHS England can be accessed via:
- Data Services for Commissioners (DSfC)
- Secondary Uses Service (SUS)
- Data Access Request Service (DARS).
The DSfC and SUS services are used by health professionals and NHS staff planning or commissioning services. DARS is the service for researchers and commercial organisations applying for access to patient data held by NHS England.
In the future, all external access to patient data in England will be managed via a network of Secure Data Environments (SDEs) that provide a single access point for all data held by NHSE. To learn more about this, visit our explainer on how data is kept safe.
Independent Group Advising on Release of Data
Prior to the merger of NHS Digital and NHS England, NHS Digital used an independent group called Independent Group Advising on the Release of Data (IGARD) who discussed data request applications and provided recommendations for whether or not they should be approved. NHSE is in the process of establishing a new advisory group. In the meantime, an interim group composed of members of the previous IGARD and other NHSE representatives are providing this advice in the interim.
NHS England also undertakes data sharing audits on how patient data is being used, stored and deleted by organisations it has released data to. They may stop the transfer of patient data if organisations are found to be in breach of agreements they have signed. They also keep a register of all the requests for access to patient data it has processed and approved.
Learn more about the merger of NHS Digital and England here
National Data Guardian for Health and Care
Who are they?
The National Data Guardian for Health and Care (NDG) advises and challenges the health and care system to ensure people’s confidential information is protected and used appropriately. The NDG is independent but is sponsored by and works with the Department of Health and Social Care. The current National Data Guardian is Dr Nicola Byrne, who was appointed in March 2021.
What does the NDG do?
The NDG aims to build trust in how patient data is used in health and social care by both supporting and scrutinising other bodies and organisations. The NDG role was placed on statutory footing by the Health and Social Care (National Data Guardian) Act 2018, which grants it the power to issue official guidance which health and care organisations must take note of. The NDG’s remit covers the processing of health and social care data in England.
The NDG is an advisory function, not a regulator, and as such does not have enforcement powers. However, the NDG works with regulators like the Information Commissioner’s Office (ICO).
What do they do to safeguard access to patient data?
The NDG works across the whole health and social care system. This includes working with the national bodies and organisations listed here. The NDG does not have a role in approving individual applications to use patient data but does provide advice on the principles which should be considered.
The NDG owns and maintains the Caldicott Principles, which set out eight principles for health and social care data to ensure people’s information is kept confidential and used appropriately. The principles are intended to guide organisations and staff and are intended to apply both for the use of identifiable, confidential information within health and care organisations as well as when such information is shared.
The role of Caldicott Guardian was established to uphold these principles.
A Caldicott Guardian is a senior person within an organisation responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly, in ways that are appropriate, ethical and follow the law.
They follow the eight Caldicott principles to ensure the right balance is struck between protecting patient data and ensuring it is used appropriately. They might be asked to advise on applications to access patient data held by their NHS organisation.
Following NHS England guidance in 1999, NHS Trusts and local authorities which provide social services have been required to appoint a Caldicott Guardian.
Scotland, Wales and Northern Ireland have all chosen to have Caldicott Guardians or equivalent roles, though there are some differences. The UK Caldicott Guardian Council is the national body for Caldicott Guardians.
Find out more about the NDG.
The eight Caldicott Principles ca be found here.
The manual for Caldicott Guardians can be found here.
Information Commissioner’s Office
Who are they?
The Information Commissioner’s Office (ICO) is the data regulator for the UK, with a mission to uphold information rights in the public interest. It is responsible for ensuring peoples’ legal rights are upheld about how personal data is used. This includes the UK Data Protection Act (2018), Freedom of Information Act, GDPR regulations, and other data and privacy legislation.
The ICO is an independent, non-departmental public body which reports directly to the UK Parliament. Its remit is personal data across all sectors, across the UK.
What do they do?
The ICO has a range of functions. It offers guidance about information rights to bodies and organisations and handles complaints from the public about how information has been used.
The ICO can also prosecute those who are not complying with data protection law. Breaches or potential breaches of data security must be reported to the ICO, and the ICO publishes information and statistics about data protection breaches on their website.
Read more about data breaches and sanctions on our website.
Find out more about the ICO.