At a national level, some key organisations hold patient data or have responsibility for oversight of the purposes for which it can be used. They work with others to make decisions about how to safeguard data and set the conditions under which it can be accessed.

When patient data is used for purposes beyond providing individual care, there are safeguards to ensure it is protected and used appropriately. Organisations follow set processes and criteria for the decisions they make about how patient data can be used, some of which are set out in law. Groups and committees, often independent of these organisations, are also involved in the process. It’s their job to give advice to these organisations on what would or would not be lawful and appropriate uses of patient data.

Who holds patient data?

GP surgeries, NHS Trusts, disease registries and charities that work with patients all collect and hold data. They have their own systems for managing how data is used. They have to follow the law and manage the patient data they hold responsibly. They can make their own agreements with other organisations, including researchers and companies.

Some organisations at a national level hold patient data that is collected during routine clinical care, including from hospitals and primary care settings. In England, this includes NHS Digital and Public Health England. Scotland, Wales and Northern Ireland have similar bodies. They release a number of open, publicly available datasets and statistics created from aggregated patient data to provide information about how the health service is functioning. They also allow health service commissioners, researchers and commercial organisations to access more detailed data for specific purposes.

How are decisions made?

As part of the governance arrangements to ensure data is protected and used responsibly, independent groups often advise on whether or not applications to access patient data should be accepted. Any organisation that applies to access patient data has to satisfy several criteria. These usually include:

  • that patient data is only shared if there is a potential for public benefit 
  • that the data use must comply with the Data Protection Act (2018), which is informed by the EU General Data Protection Regulation (GDPR), and other laws (such as the Common Law Duty of Confidentiality)
  • that the guidance and codes of the Information Commissioner's Office (ICO) must be followed
  • that an application process for those requesting patient data justifies:
    - what data is being requested
    - why the data is needed
    - who will be accessing the data
    - and how the data will be protected (including through data security arrangements)

  • that any data accessed will either not contain personally identifiable data, or contain the minimum amount needed for researchers and companies to do their work.

The decisions they make will take into account whether participants have given informed consent, for example through participating in a research study, and the degree of risk that individuals could be re-identified from the data.

Find out more about the differences between identifiable data and anonymous data here.

People can opt out of confidential patient information about them being used for purposes beyond their individual care. The opt-out currently applies to patient data held by NHS Digital and by Public Health England. By 2020 all health and care organisations must apply the national data opt-out to data that they hold.

What organisations are involved?

Who are they?

NHS Digital is a statutory public body sponsored by the Department of Health and Social Care. It can only operate within the scope and limits set out for it in legislation, the Health and Social Care Act (2012) and the Care Act (2014), and cannot allow data it holds to be used for purposes beyond those set out by law.

What do they do?

NHS Digital has a number of legal duties including:

  • collecting, analysing and publishing health and care data 
  • providing national technology for health and care services. 

What do they do to safeguard access to patient data? 

There are three ways that patient data held by NHS Digital can be accessed:

The DSfC and SUS services are used by health professionals and people planning or commissioning healthcare services. DARS is the service for researchers and commercial organisations applying for access to patient data held by NHS Digital. 

Independent Group Advising on the Release of Data

NHS Digital uses an independent group, the Independent Group Advising on the Release of Data (IGARD), which advises it on allowing bespoke, individual-level data or confidential data to be provided.

IGARD is a panel of independent specialist and lay members who meet on a weekly basis. They discuss data request applications and recommend whether they should be approved. They might request amendments to applications or give advice. You can find out more about what they take into account when considering requests to access patient data.

NHS Digital also undertakes audit checks on how patient data is being used, stored and deleted by organisations it has released data to. They may stop the transfer of patient data if organisations are found to be in breach of agreements they have signed. NHS Digital also holds a register of all the requests for access to patient data it has processed and approved. 


Find out more about NHS Digital.

Find out more about IGARD, including names and backgrounds of IGARD members and minutes from their meetings.


Who are they?

Public Health England (PHE) is an Executive Agency of the Department of Health and Social Care. PHE is responsible for protecting and improving the health of the population, through reducing health inequalities, supporting people to make healthier choices and responding to risks from infectious diseases and environmental hazards, as well as global threats to public health. This includes supporting local regions and the NHS to run immunisation and screening programmes.

PHE also holds data in registries, including the National Disease Registration Service (NDRS) and the National Cancer Registration and Analysis Service (NCRAS), which aims to collect data on all cases of cancer that occur in people living in England. Over 300,000 new registrations from individual cancer patients are added to the NCRAS register each year, via an approval from the Confidentiality Advisory Group (CAG) (see below). More information about this permission to collect and process cancer data is available here.

Patients can choose to opt out of having information about them added to the cancer registry.

What do they do?

PHE researchers analyse patient data and use their results as evidence for how to improve the health of the population. This could be anything from looking at health information to track how many people get the flu in the UK compared to other countries in Europe, through to assessing what policies are effective in reducing harms caused by alcohol.

Most of PHE’s data is anonymised and aggregated, and could not identify individuals. PHE publishes this data openly as summaries that show statistics and figures at national and regional levels. PHE is encouraging the availability and use of this data in accordance with The Re-use of Public Sector Information Regulations (2015).

What do they do to safeguard access to patient data? 

Office for Data Release (ODR)

Requests to access non-publicly available data held by PHE are made to the PHE Office for Data Release (ODR), including access to cancer registry data.

Before any data can be accessed, the ODR reviews all requests on a case-by-case basis. Most requests for PHE data are for data that has been anonymised. Requests for personally identifiable data require a clear lawful basis and are only released with the approval of a Caldicott Guardian. The role of Caldicott Guardians is explained below. The names and backgrounds of those in ODR who make decisions on data releases, and the minutes of ODR meetings, are not publicly available. The ODR decision-making process is explained here.

The ODR is accountable to the PHE Data Release Assurance Board (DRAB). DRAB publish minutes from their meetings.

One member of the DRAB is the Caldicott Guardian for PHE. The role of Caldicott Guardian is outlined below.

PHE holds a register of all the other organisations that have accessed patient data that it holds, including cancer registry data.


Find out more about PHE.

More information about the process for requesting access to PHE data through the ODR can be found here.

Find out more information about NDRS and NCRAS.

Who are they?

The Health Research Authority (HRA) regulates health and social care research in England. Its aim is to protect and promote patient and public interests in research. It ensures that all research projects go through an ethical review. It promotes transparency and best practice in research. It is an extension of the Department of Health and Social Care and is accountable to it.

What do they do?

The HRA manages the approval process for health and social care research projects. It does not hold any patient data itself, but it can permit the collection and use of data from patients and service users. In many projects, researchers will ask patients for their consent to take part in studies. This might involve a patient with a condition agreeing to fill out questionnaires or allowing a research team to use data from test results for their research.

What do they do to safeguard access to patient data?

If a research project involves using confidential patient data without consent, such as patient data collected through routine visits to the GP or hospital, it is likely that the research team will need a recommendation from the Confidentiality Advisory Group.

Confidentiality Advisory Group (CAG)

CAG provides expert advice to the HRA and Secretary of State for Health and Social Care on whether confidential patient information can be used in specific instances without consent. This is known as a ‘section 251 approval’, as the legal power to do this comes from s.251 of the NHS Act (2006).

In making these decisions, CAG considers both the need to protect public and patient interests, and to enable appropriate use of patient data for research. CAG has both professional and lay members.

CAG has a list of questions that applicants must answer when seeking s.251 support. These include:

  • would the research be in the public interest? (this is an essential part of what CAG considers)
  • is confidential data essential for the research?
  • would seeking consent be feasible in principle?
  • have other methods of answering the research question (that don’t require confidential data) been considered first?

CAG keeps a register of all applications that are approved.


Find out more about the HRA.

Find out more about CAG including detailed minutes from their meetings.

Who are they?

The National Data Guardian for Health and Care (NDG) advises and challenges the health and care system to ensure patient data is protected and used appropriately. The NDG is independent but is sponsored by and works with the Department of Health and Social Care. Dame Fiona Caldicott is the first NDG and was appointed in 2014. The NDG role has a basis in law, which strengthens its powers to advise the health and social care sector.

The NDG is advised by an independent panel of experts who meet six times a year. They publish information about their members and minutes from their meetings.

What does the NDG do?

The NDG aims to build trust in how patient data is used in health and social care by both supporting and scrutinising other bodies and organisations. The NDG is currently an advisory function, working with regulators like the Information Commissioner’s Office (ICO). There is more information about the ICO below.

What do they do to safeguard access to patient data?

The NDG works across the whole health and social care system. This includes working with the national bodies and organisations listed here. The NDG does not have a role in approving individual applications to use patient data but does provide advice on the principles which should be considered.

Dame Fiona Caldicott has also chaired three key reviews on health and care data, which were published in 2016 (leading to the creation of a new national data opt-out in 2018), 2013 (which emphasised the importance of sharing data to support improvements in health and care) and in 1997 (which recommended that organisations should appoint a senior person to be responsible for safeguarding confidential information). The 1997 review led to the role of Caldicott Guardians being set up in 1999.

Caldicott Guardians

A Caldicott Guardian is a senior person within an organisation responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly, in ways that are appropriate, ethical and follow the law.

They follow the seven Caldicott principles to ensure the right balance is struck between protecting patient data and ensuring it is used appropriately. They might be asked to advise on applications to access patient data held by their NHS organisation.

All NHS organisations and local authorities which provide social services must have a Caldicott Guardian. Scotland, Wales and Northern Ireland have all chosen to have Caldicott Guardians in NHS organisations too. The UK Caldicott Guardian Council is the national body for Caldicott Guardians.


Find out more about the NDG.

The manual for Caldicott Guardians, including the seven Caldicott principles, can be found here.

Who are they?

The Information Commissioner’s Office (ICO) is the data protection regulator for the UK. It is responsible for ensuring people’s legal rights about how personal data is used are upheld, across all sectors. This includes the UK Data Protection Act (2018), informed by the EU General Data Protection Regulation (GDPR).

What do they do?

The ICO has a range of functions. It offers guidance about information rights to bodies and organisations and handles complaints from the public about how information has been used. The ICO can also prosecute those who are not complying with data protection law.


Find out more about the ICO.