Skip to main content
Data sharing standard 7b – Duty of Confidentiality

This standard is part of a series of guidance documents to support the various stages of a DARS application.

Standard description

This standard relates to the duty of confidentiality in the context of NHS Digital’s receipt and subsequent dissemination of record-level data. The key points covered include:

  • ways to address the duty of confidentiality
  • considering the scope and adequacy of consent
  • section 251 support

The law relating to the duty of confidentiality is developed by decided cases. This standard does not constitute legal advice nor does it aim to comprehensively reference all relevant caselaw.

Disclosure of confidential information without consent in the public interest is outside the scope of this standard and DARS should seek the advice of NHS Digital Caldicott Guardian before bringing an application to IGARD.


Background

The scope of the duty of confidentiality

A duty of confidentiality arises when information is obtained in circumstances where it is reasonable for a person confiding personal information to expect that it will be held in confidence by the recipient of the information.

Section 263 of the Health and Social Care Act 2012 defines confidential information as "information in a form which identifies any individual, to whom the information relates or enables the identity of such an individual to be ascertained or any other information in respect of which the person who holds it owes a duty of confidence".

The NHS Act 2006 section 251 defines the term “confidential patient information” which is used in that section to define when the duty of confidentiality can be set aside in connection with processing that information for medical purposes.

In the NHS Act 2006 section 251 point 10, “patient information” means:

  • information (however recorded) which relates to the physical or mental health or condition of an individual, to the diagnosis of his condition or to his care or treatment, and
  • information (however recorded) which is to any extent derived, directly or indirectly, from such information, whether or not the identity of the individual in question is ascertainable from the information

In the NHS Act 2006 section 251 point 11, patient information is “confidential patient information” where:

  • the identity of the individual in question is ascertainable from that information, or from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and
  • that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual

In the context of NHS Digital applications and this standard, confidential information includes the demographic information the patient or service user supplied when they registered for care or as a research participant, their NHS number, information about their health condition, information about the care and treatment they received including when and where it was delivered, and outcome information.

In line with the Court of Appeal in WXY&Z v SSH [2015] EWCA Civ 1034 at para 39. The Health and Social Care Select Committee also consider that “patients’ addresses collected for the purposes of health and social care, should continue to be regarded as confidential” in the Fifth Report of Session 2017–19.

The duty of confidentiality extends beyond death and is distinct from the obligations under the GDPR and DPA 2018. For the avoidance of doubt, in addition to the duty of confidentiality the requirements under GDPR and the DPA 2018 (which address data protection as opposed to confidentiality) as well as any other legislation will also need to be met.

The duty of confidentiality may not apply to information that is held in the public domain, specifically civil registration data such as dates of death. For the avoidance of doubt, postcode and address information are owed a duty of confidentiality and cannot be treated as being universally in the public domain for example publication via the Electoral Register is optional. Also note that address itself may be confidential patient information if information about the individual could be ascertained (for example, specialist care home or refuge). Care should be taken to consider whether mortality data may in fact be confidential patient information in the context of the application, for example by virtue of being a member of a cohort (for example dates of death of a cohort of patients with prostate cancer) or through linkage with other information held by an organisation.

When is disclosure of confidential information permitted?

There should be no use or disclosure of any confidential patient information for any purpose other than the direct clinical care of the patient to whom it relates, however there are some broad exceptions.

  1. The patient explicitly consents to the use or disclosure.
  2. The disclosure is required by law, or the disclosure is permitted under a statutory process that sets aside the duty of confidentiality.
  3. The disclosure can be justified in the public interest.

Any application which includes a flow of confidential patient information needs to include evidence of how the duty of confidentiality has been met, and further information is given below for each of the above routes.

For applications that include consent or assent for the flow of confidential patient information about people without capacity refer to the Mental Capacity Act 2005 Code of Practice for guidance, in particular chapter 11, which states, for example, that the research must not affect a person’s privacy in a significant way.

The primary concern is whether the consent materials (consent form, participant information sheet (PIS) and supporting materials including those provided over the duration of the project) provide adequate information to enable the individual to understand the nature and purpose of the activities for which consent is sought. The materials should support the consent process by helping to ensure that all those who are invited to take part in a research study have been adequately informed. All the consent materials relevant to the application must have received a positive ethical opinion from an NHS Research Ethics Committee.

Children and young people

It is acknowledged that this is a complex area and early guidance should be sought from NHS Digital Caldicott Guardian or IG. As a starting point, consent for research involving children under 16 is generally given by those with parental responsibility taking into consideration the child’s best interests. Case law suggests that if a child has sufficient maturity and intelligence to understand what is proposed, and use and weigh this information in reaching a decision (that is they are 'Gillick competent'), he or she can give consent to treatment. In common law it is unclear whether a researcher can rely on the consent of a 'Gillick competent’ child, particularly in the context of clinical research that will not benefit the child. Professional guidance is more relaxed and suggests the Gillick principles might reasonably be used here. See the NHS Health Research Authority Consent and Participant Information Guidance and MRC Ethics Guide: Medical research involving children. Children under 16 cannot give consent to participate in clinical trials of medicines.

The Clinical Trials Directive (2001/20/EC) regulates clinical trials of medicines, including medicines under development, and was implemented in the UK by the Medicines for Human Use (Clinical Trials) Regulations 2004. Article 4(a) of the Directive contains the general requirement that a minor cannot be included in a clinical trial without the consent of his or her parent or legal representative. The Clinical Trials Regulations at Reg 28, and Sched 1, prohibit a minor being included in a trial without prior consent of a person with parental responsibility or a legal representative. Sched 1 part 4 states that researchers should consider the objections of a minor who is capable of assessing the information about the research.

Young people aged 16 or 17 are presumed to be competent to consent for treatment on their own behalf. The Family Law Reform Act 1969, section 8(1), states that a child aged 16 or 17 can consent to treatment and such consent shall be as effective as that of an adult. Again, this could be presumed in the case of therapeutic research, however the common law is unclear, particularly in the context of research that will not benefit the young person.

Are the consent materials sufficient?

For the avoidance of doubt, this standard deals with consent in the context of meeting the duty of confidentiality, which is separate and in addition to the need for a lawful basis in GDPR. Usually an application for NHS Digital data will not utilise consent under GDPR (i.e. Art 6(1)(a) &/or Art 9(2)(a)) but if it does so then the consent should be reviewed in line with published detailed guidance from the ICO.

Where the applicant is relying on consent as the basis in data protection legislation for processing and has met the requirements for consent, it will be taken that the consent material also meets the standard required in respect of the duty of confidentiality.

Many longitudinal studies are based on a consent standard which has now been superseded by modern best practice. It must be recognised that consent is an ongoing process and the law is developed by decided cases, with the consequence that even if a particular consent statement is deemed adequate today, it may later be found to be insufficient due to changes in the fact of what is being done with the data, or in light of subsequent legal decisions including:

  • Supreme Court case in 2015 moved the test for consent for treatment from the so-called Bolam test. The Justices said that the doctor has a duty to “take reasonable care that the patient is aware of any material risks … The test of materiality is whether, in the circumstances of the particular case, a reasonable person in the patient’s position would be likely to attach significance to it” Montgomery v Lanarkshire Health Board [2015] SC 11 [2015] 1 AC 1430. The focus on “this particular patient” is key; a material risk to one person may not be to another
  • the Court of Appeal in WXY&Z v SSH [2015] EWCA Civ 1034 at para 26 stated the test as to whether the disclosure breached the common law rights to privacy and confidentiality involves the question as to whether the reasonable person of ordinary sensibilities had a reasonable expectation of privacy in relation to the information

Applications with amended or additional data flows or substantive changes to the purposes of a study that could not have been foreseen by the data subject at the time of original consent will need to consider the duty of confidentiality. When considering whether the consent materials provide adequate information about the nature and purpose of the proposed use of their data, a good approach is to adopt the Caldicott concept that there should be ‘no surprises’ for the individual.

For example, in a consented research study there is, generally, the opportunity to inform participants about the research activities and data uses, which may lead to the expectation that there should be a relatively narrow interpretation of what activities might be inferred to be included within any consent given, that is the consent should be relatively specific and explicit about the processing activities. Medicines for Human Use (Clinical Trials) Regulations 2004 Schedule 1 para 3(1) describes the requirements for consent for clinical trials, which must be freely given after that person is informed of the nature, significance, implications and risks of the trial. It is recognised that in some cases, consent is relatively broad, and this is potentially acceptable, as long as the research participants have been adequately informed of the nature and purposes of the processing, and in particular the associated risks. See Appendix 1 which describes some of the questions that the Health Research Authority (HRA) advises researchers should ask themselves about the risk to confidentiality when developing their consent materials.

Appendix 2 lays out a (non-exhaustive) list of matters that might be considered in forming an opinion about whether consent is sufficient to allow the confidential patient information to be used as laid in the application. The following references may also be helpful:

Having considered the adequacy of the consent materials in relation to the application, a position should be taken as to whether the materials are likely sufficient to consider that the data subjects have given informed consent to the use of confidential patient information as laid out in the application. Appendix 2 describes the three positions that could be taken.

  1. Data flow is compatible with the consent.
  2. Data flow that is incompatible with the consent.
  3. Consent that is insufficient but data flow is compatible with the consent.

NHS Digital will record its decision and the reasons why the consent materials are assessed as being or not being sufficient.

Consequences of incompatible or insufficient consent

If an application uses confidential patient information (2 & 3), there are certain consequences.

Where the position is that the consent is considered to be incompatible with the proposed use of confidential patient information, the application cannot be approved until the duty of confidentiality is met. Occasionally it may be reasonable for individuals to be reconsented but this may not be feasible and would be a decision for the applicant.

Where the position is that the consent is considered to be insufficient but compatible, the applicant may take appropriate measures to make information available about the intended use of data that might otherwise be a surprise (that is improving transparency) and giving individuals the option to withdraw from this activity. If this is not practicable, and in particular if further contact is prohibited (for example by formal ethics opinion or perhaps by the fact of death), then it may be that the flow should be considered to be incompatible with the consent.

Alternatives to consent may include modifying the processing for example changing the data flow or pseudonymising or anonymising the data or an application for section 251 support. Note that under the relevant Regulations, CAG cannot recommend section 251 support when there is a practical alternative.


Disclosures required or permitted by law

Disclosures by NHS Digital that are required by law override the duty of confidentiality, for example compliance with a court order or a statutory requirement. There may also be a common law duty to disclose in a given case, for example safeguarding.

Disclosures that are permitted by a statutory gateway may or may not set aside the duty of confidentiality. For example, see s261(6) of the Health and Social Care Act 2012 which identifies those powers of NHS Digital which override the duty of confidentiality.

  1. The Information Centre may also disclose information which it obtains by complying with a direction under section 254 or a request under section 255 (whether or not it falls within subsection (2)) if—
    1. the information has previously been lawfully disclosed to the public,
    2. the disclosure is made in accordance with any court order,
    3. the disclosure is necessary or expedient for the purposes of protecting the welfare of any individual,
    4. the disclosure is made to any person in circumstances where it is necessary or expedient for the person to have the information for the purpose of exercising functions of that person conferred under or by virtue of any provision of this or any other Act,
    5. the disclosure is made in connection with the investigation of a criminal offence (whether or not in the United Kingdom), or
    6. the disclosure is made for the purpose of criminal proceedings (whether or not in the United Kingdom).
  2. Paragraphs (a), (b) and (f) of subsection (5) have effect notwithstanding any rule of common law which would otherwise prohibit or restrict the disclosure.

The exact basis on which the duty is set aside must be made clear in the application.

The Health Service (Control of Patient Information) Regulations 2002 – also known as ‘Section 251 support’

Regulations laid under NHS Act 2006 section 251 serve to set aside the duty of confidentiality. The regulations (as amended by Schedule 7 of the Care Act 2014) require CAG to advise the decision-makers (the HRA for research applications or the Secretary of State for non-research applications) whether applications to process confidential patient information without consent should be approved or not. The CAG website notes that NHS Digital is the final decision-maker in relation to data disseminations.

  1. Any application for NHS Digital data that relies on section 251 support should include the following documents and information:
    • a copy of the application for section 251 support (and any amendments made such that the scope of section 251 support can be clearly identified)
    • a copy of the section 251 support approval letters
    • copies of documents reviewed by CAG, as listed in section 252 support approval letters
    • a statement in the application as to the legislative basis under which the s251 support is granted.  This will be a named regulation under the Health Service (Control of Patient Information) Regulations 2002. This information most likely will be stated in the s251 support approval letter. Note that Regulation 3 of the COPI Regs is administered by Public Health England, not HRA CAG
    • confirmation of current section 251 support (for example presence on CAG register, the applicant’s latest annual review submission)
    • evidence of how any conditions of the section 251 support have been met
    • evidence of ethical approval. See separate standard on what documents are required to evidence ethical approval
  2. The above documents will be assessed to ensure the scope of the section 251 Support approval is aligned as follows:
    • to the receipt, linkage, and/or dissemination of confidential patient information by NHS Digital
    • to the purpose set out in the application
    • to any amendment to the purpose or data receipt, linkage or dissemination of a DARS application, in order to ensure continued alignment

Appendix 1

The HRA consent decision tool advises that researchers should ask themselves about their planned uses of confidential patient information when developing their consent materials. The content of the tool is updated from time to time but currently covers areas including patient participation leaflet content, details of what’s involved as well as the possible disadvantages and risks to taking part. Examples relevant to the potential risks to confidentiality for NHS Digital applications could include:

  • who is going to have access to this identifiable information (for example within the research team, auditors, inspectors)?
  • will you be passing identifiable information on to participants' GP?
  • are you intending to access information from other sources (e.g. the Office for National Statistics (ONS) / National Records of Scotland (NRS) or NHS central register etc)?
  • are you working with collaborators elsewhere who will access information about participants?
  • how will you ensure participant confidentiality is maintained despite wider information sharing?
  • what are your long term plans with respect to the data you collect?
  • will you be keeping research data beyond the life of this project: reusing it and/or sharing it with others, ensuring that it is optimally used?
  • how will you manage the risks to participant confidentiality?

Appendix 2

  1. A (non-exhaustive) list of matters that might be considered in forming an opinion about whether consent is sufficient to allow the confidential patient information to be used as laid in the application. It may be helpful to bear in mind the aim of “no surprises” for the individual.
    1. scope of the original consent:
      • do the consent materials identify the organisations that will hold, access or use the confidential patient information? 
        • do they mention that the confidential patient information may be sent to or disclosed by NHS Digital (or a predecessor organisation)?
      • do the materials explain the nature of all the organisations that the information will be shared with?
      • does the proposed data flow and any linkage fall within the scope of the description set out in the consent materials?
      • do the consent materials describe the data that is collected and will be shared?
      • do the consent materials explain that the patient may dissent, and withdraw consent and how to do so? Withdrawing consent will not affect the patients future care or care they received
    2. length of time since original consent:
      • what ongoing communication has there been with the individual to keep them informed of the use of their confidential patient information and any opportunity to modify or withdraw consent?
      • substantive changes to the scope of use (purpose) or processing (including new datasets)
      • are any changes reasonably within the scope of the consent?
      • what ongoing communication has there been with the individual to inform them of any changes to the use of their confidential patient information and any opportunity to modify or withdraw consent?
      • where the consent materials gave details of an study website, has the website been kept up to date with information about the progress and/or outcomes of the study and any changes to the purpose or data processing? Does the website contain a link to an accessible privacy notice?
  2. Having considered the adequacy of the consent materials in meeting the duty of confidentiality in relation to the application, one of the following positions should be taken as to whether they are likely sufficient to consider that the data subjects have given informed consent to the use of confidential patient information as laid out in the application:
    1. data flow is compatible with the consent
    2. data flow that is incompatible with the consent
      1. explicit exclusions, e.g. “we will keep your info confidential and not share with anyone”
      2. consent that is coercive – i.e. linked to delivery of care
      3. there are changes to the scope of the purpose or processing that are substantive and further information cannot be provided to the data subjects because further contact is prohibited or impracticable, or perhaps because they are deceased
    3. consent that is insufficient on consideration of (a)-(c) above but data flow is compatible with the consent

Issues leading to Class (2) or (3) must be resolved prior to dissemination of confidential patient information.

Last edited: 1 September 2020 4:54 pm