Section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002 allows the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes. In practice, this means the person responsible for the information can disclose confidential patient information without consent to an applicant without being in breach of the common law duty of confidence, if the requirements of the regulations are met. The person responsible for the information must still comply with all other relevant legal obligations such as the Data Protection Act 2018 and the Human Rights Act 1998
Regulation 2 permits confidential patient information relating to patients referred for the diagnosis or treatment of cancer to be processed for the medical purposes set out in the regulation.
Regulation 3 provides specific support for identifiable patient information to be processed to diagnose, control or prevent, or recognise trends in, communicable diseases and other risks to public health. Regulation 3 applications are managed by Public Health England.
Regulation 5 can be used to permit processing for a range of medical purposes, broadly defined to include ‘preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health and adult social care services.