Although certain information is considered especially sensitive, all information about someone's health and the care they are given must be treated confidentially and in accordance with legislation and NHS Digital protocols at all times.
There are a limited number of people authorised to have access to the record level data, all of whom must adhere to the written protocol issued by NHS Digital on the dissemination of HES data. For example, guidance is given on handling the very small numbers that sometimes occur in tables to reduce the risk that local knowledge could enable the identification of either a patient or clinician.
HES is a record level data warehouse and it contains information that could (if it were made freely available) potentially identify patients or the consultant teams treating them. In some cases record level data may be provided for medical/health care research purposes. For example, data are likely to be required by the Care Quality Commission and other such bodies. The information may be given following a stringent application procedure, where the project can justify the need and where aggregated data will not suffice. Any request involving sensitive information, or where there may be potential for identification of an individual, is referred to the appropriate governance committee. NHS Digital publishes a quarterly register of data releases, which includes releases of HES data.
HES data are stored to strict standards: a system level security protocol is in place, detailing the security standards that ensure data are secure and accessed only by authorised users.