At a national level, some key organisations hold patient data or have responsibility for oversight about the purposes for which it can be used. They work with others to make decisions about how to safeguard data and set the conditions under which it can be accessed.

When patient data is used for purposes beyond providing individual care, there are safeguards to ensure it is protected and used appropriately. Organisations follow set processes and criteria for the decisions they make about how patient data can be used, some of which are set out in law. There are also groups and committees who are often independent from these organisations involved in the process. It’s their job to give advice to these organisations on what would or would not be lawful and appropriate uses of patient data.

Who holds patient data?

There are a number of different types of organisations – sometimes called data controllers or data custodians -  that hold patient data, both at a national and regional or local level.

At a national level, the health service holds patient data that is collected during routine clinical care, including from hospitals, mental health, ambulance and community services. Across the UK, this includes NHS England, NHS National Services Scotland, NHS Wales and Health and Social Care Northern Ireland. They release a number of open, publicly available datasets and statistics created from aggregated patient data to provide information about the health of the population and how the health service is functioning. They also allow commissioners, researchers and commercial organisations to access more detailed data for specific purposes. To access this data, organisations will need to submit an application and demonstrate that it is being used for public benefit.

In addition to health service and government bodies, other organisations like charities, academic and research institutions may also hold data on patients who have consented to their data being collected.

At a regional and local level, GP surgeries, NHS Trusts and Integrated Care Systems (ICSs) all collect and hold data for individual care and service planning and evaluation. They have their own systems for managing how data is used. They have to follow the law and manage the patient data they hold responsibly. They can make their own agreements with other organisations, including researchers and private sector organisations.

Some organisations at a national level hold patient data that is collected during routine clinical care, including from hospitals and primary care settings. This includes organisations like the UK Health Security Agency, Public Health Scotland, Public Health Wales, and the Public Health Agency in Northern Ireland. They release a number of open, publicly available datasets and statistics to provide information about how the health service is functioning and how key public health threats are being monitored.

How are decisions made?

As part of the governance arrangements to ensure data is protected and used responsibly, applications are reviewed to determine whether the request to access patient data should be accepted. Any organisation that applies to access patient data has to satisfy several criteria. These usually include:

  • that patient data is only shared if there is a potential for public benefit 
  • that the data use must comply with the Data Protection Act (2018) UK General Data Protection Regulation (GDPR), and other laws such as the Common Law Duty of Confidentiality
  • that the guidance and codes of the Information Commissioner's Office (ICO) must be followed
  • that an application process for those requesting patient data justifies:
    • what data is being requested
    • why the data is needed
    • who will be accessing the data
    • ​​​and how the data will be protected (including through data security arrangements) 
  • that any data accessed will either not contain personally identifiable data, or contain the minimum amount needed for researchers and companies to do their work.

The decisions they make will take into account whether participants have given informed consent, for example through participating in a research study, and the degree of risk that individuals could be re-identified from the data. If a request is asking for access to confidential patient data without consent, and there is no legal exemption in place, the requester may need to go to groups like the Confidentiality Advisory Group (for England and Wales) to get this approval first.

Caldicott Guardians may also be involved in this decision-making process. This is a senior role for an organisation which processes health and social care personal data, which ensures that personal information is used legally, ethically and appropriately. The individual acts as a leader on complex matters involving confidentiality and information sharing.

Find out more about this in our guide to large datasets here.

People can opt out of confidential patient information about them being used for purposes beyond their individual care(except for where there is an exemption). Read more about the opt-out and your choices here.

What organisations are involved?

The below information relates specifically to England. Similar organisations and arrangements are in place across all four nations.

Who are they?

NHS England (NHSE) is a statutory public body sponsored by the Department of Health and Social Care that leads the health service in England and commissions services. Prior to 2023, a separate body called NHS Digital was responsible for collecting and holding data on NHS services in England. In 2023, the organisations merged and these powers were transferred to NHS England. It can only operate within the scope and limits set out for it in legislation, the Health and Social Care Act (2012), Care Act (2014), and Health and Care Act (2022) and cannot allow data it holds to be used for purposes beyond those set out by law.

What do they do?

NHS England has a number of legal duties regarding patient data including:

  • collecting, analysing and publishing health and care data 
  • providing national technology for health and care services. 

To learn more about this, visit NHS England’s page on how data is managed.

What do they do to safeguard access to patient data? 

Patient data held by NHS England can be accessed via:

The DSfC and SUS services are used by health professionals and NHS staff planning or commissioning  services. DARS is the service for researchers and commercial organisations applying for access to patient data held by NHS England. 

In the future, all external access to patient data in England will be managed via a network of Secure Data Environments (SDEs) that provide a single access point for all data held by NHSE. To learn more about this, visit our explainer on how data is kept safe.

Independent Group Advising on Release of Data

Prior to the merger of NHS Digital and NHS England, NHS Digital used an independent group called Independent Group Advising on the Release of Data (IGARD) who discussed data request applications and provided recommendations for whether or not they should be approved. NHSE is in the process of establishing a new advisory group. In the meantime, an interim group composed of members of the previous IGARD and other NHSE representatives are providing this advice in the interim.

NHS England also undertakes data sharing audits on how patient data is being used, stored and deleted by organisations it has released data to. They may stop the transfer of patient data if organisations are found to be in breach of agreements they have signed. They also keep a register of all the requests for access to patient data it has processed and approved. 


Learn more about the merger of NHS Digital and England here

Who are they?

The UK Health Security Agency (UKHSA) is an executive agency sponsored by the Department of Health and Social Care responsible for health protection and planning and executing the response to external health threats such as infectious disease capability. It follows the dissolution of Public Health England which previously held responsibilities for health protection.

What do they do? 

As part of its health protection remit, UKHSA generates, curates and integrates data on infectious diseases and other external public health threats to prepare for, prevent and respond to threats to health, and deliver research. UKHSA is responsible for ensuring the safe and effective data for individual and public benefit and mitigating any harm.

The Health Protection (Notification) Regulations 2010 places a duty on registered medical practitioners (e.g. doctors) to notify the local authority (which in turn notifies UKHSA) if they treat a patient they know or suspect to be infected or contaminated with specific infectious diseases. It also puts a duty on medical or clinical laboratories that test human samples for these diseases (e.g. nasal swabs, salvia tests, blood tests, etc) to report to UKHSA when they detect organisms that can lead to the development of these diseases. As these diseases can be serious and infectious, this includes sharing personal information about you like your name and address, and you cannot opt out of your data being shared in these instances.

The data collected by UKHSA includes:

  • Immunisation uptake
  • Healthcare associated infections
  • Infectious disease such as COVID-19, flu, norovirus and tuberculosis
  • Mortality surveillance data (deaths)
  • Sexually transmitted infections and HIV surveillance data

Some of the data curated by UKHSA is de-identified and aggregated, and provided in the form of dashboards, reports and data tables. This data – ‘open data’ – can be accessed by anyone. Read more about UKHSA’s publicly available statistics and reports here.

Data that is considered personal or special category data, or where there is a chance that data can be ‘re-identified’ is not publicly available – this is referred to as ‘protected data’ and this data is subject to additional safeguarding measures and governance protocols.

What do they do to safeguard access to patient data? 

It is sometimes important to share protected data with researchers, the NHS, local public health organisations and the third sector to strengthen health security. UKHSA will only share data in order to support efforts to protect the UK against external health threats.

Organisations wishing to access protected data held by UKHSA can apply via an online form. Applications will be assessed to ensure the data is processed appropriately for a legitimate purpose in the public interest. UKHSA sets a number of approval standards and takes into account:

  • the benefits and risks of how the data will be used
  • compliance with policy, regulatory and ethical obligations
  • data minimisation
  • how the confidentiality, integrity, and availability will be maintained
  • retention, archival, and disposal requirements
  • best practice for protecting data, including the application of ‘privacy by design and by default’, emerging privacy conserving technologies and contractual controls

UKHSA is currently developing a data access approvals register for publishing information about the type of data shared, with whom, and for what purpose. It is also developing its data platform, which will bring together its datasets.


Find out more about UKHSA.

More information about the process for requesting access to UKHSA data can be found here.

Who are they?

The Health Research Authority (HRA) regulates health and social care research in England. Its aim is to protect and promote patient and public interests in research. It ensures that all research projects go through an ethical review and promotes transparency and best practice in research. The HRA is an arms-length body sponsored by the Department for Health and Social Care and is accountable to it.  

What do they do?

The HRA manages the approval process for health and social care research projects. It does not hold any patient data itself, but it can permit the collection and use of data from patients and service users. For many projects, researchers will ask patients for their consent to take part. This might involve a patient with a condition agreeing to fill out questionnaires or allowing a research team to use data from test results for their research.

What do they do to safeguard access to patient data?

If a research project involves using confidential patient data without consent, such as patient data collected through routine visits to the GP or hospital, it is likely that the research team will need a recommendation from the Confidentiality Advisory Group.

Confidentiality Advisory Group (CAG)

CAG is an independent body that provides expert advice to the HRA and the Secretary of State for Health and Social Care on whether confidential patient information can, in specific instances, be used without consent. This is known as a ‘section 251 approval’, as the legal power to do this comes from section 251 of the NHS Act (2006). CAG’s remit is England and Wales.

In making these decisions, CAG considers both the need to protect public and patient interests, and to enable appropriate use of patient data for public benefit. CAG has both professional and lay members.

CAG has a list of questions that applicants must answer when seeking section 251 support. This includes:

  • would the research be in the public interest? (this is an essential part of what CAG considers)
  • is confidential data essential for the research?
  • would seeking consent be feasible in principle?
  • have other methods of answering the research question (that don’t require confidential data) been considered first?

CAG keeps a register of all applications that are approved.


Find out more about the HRA.

Find out more about CAG including detailed minutes from their meetings.

Who are they?

The National Data Guardian for Health and Care (NDG) advises and challenges the health and care system to ensure people’s confidential information is protected and used appropriately. The NDG is independent but is sponsored by and works with the Department of Health and Social Care. The current National Data Guardian is Dr Nicola Byrne, who was appointed in March 2021.

The NDG is advised by an independent panel of experts who meet six times a year. The Office of the NDG publishes information about the panel members and minutes from their meetings.

What does the NDG do?

The NDG aims to build trust in how patient data is used in health and social care by both supporting and scrutinising other bodies and organisations. The NDG role was placed on statutory footing by the Health and Social Care (National Data Guardian) Act 2018, which grants it the power to issue official guidance which health and care organisations must take note of. The NDG’s remit covers the processing of health and social care data in England.

The NDG is an advisory function, not a regulator, and as such does not have enforcement powers. However, the NDG works with regulators like the Information Commissioner’s Office (ICO).

What do they do to safeguard access to patient data?

The NDG works across the whole health and social care system. This includes working with the national bodies and organisations listed here. The NDG does not have a role in approving individual applications to use patient data but does provide advice on the principles which should be considered.

The NDG owns and maintains the Caldicott Principles, which set out eight principles for health and social care data to ensure people’s information is kept confidential and used appropriately. The principles are intended to guide organisations and staff and are intended to apply both for the use of identifiable, confidential information within health and care organisations as well as when such information is shared.

The role of Caldicott Guardian was established to uphold these principles.

Caldicott Guardians

A Caldicott Guardian is a senior person within an organisation responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly, in ways that are appropriate, ethical and follow the law.

They follow the eight Caldicott principles to ensure the right balance is struck between protecting patient data and ensuring it is used appropriately. They might be asked to advise on applications to access patient data held by their NHS organisation.

Following NHS England guidance in 1999, NHS Trusts and local authorities which provide social services have been required to appoint a Caldicott Guardian.

Scotland, Wales and Northern Ireland have all chosen to have Caldicott Guardians or equivalent roles, though there are some differences. The UK Caldicott Guardian Council is the national body for Caldicott Guardians.


Find out more about the NDG.

The eight Caldicott Principles ca be found here.

The manual for Caldicott Guardians can be found here

Who are they?

The Information Commissioner’s Office (ICO) is the data regulator for the UK, with a mission to uphold information rights in the public interest. It is responsible for ensuring peoples’ legal rights are upheld about how personal data is used. This includes the UK Data Protection Act (2018), Freedom of Information Act, GDPR regulations, and other data and privacy legislation.

The ICO is an independent, non-departmental public body which reports directly to the UK Parliament. Its remit is personal data across all sectors, across the UK.

What do they do?

The ICO has a range of functions. It offers guidance about information rights to bodies and organisations and handles complaints from the public about how information has been used.

The ICO can also prosecute those who are not complying with data protection law. Breaches or potential breaches of data security must be reported to the ICO, and the ICO publishes information and statistics about data protection breaches on their website.

Read more about data breaches and sanctions on our website.


Find out more about the ICO.