Skip to main content

Part of National data opt-out operational policy guidance document

Appendix 6: Confidential Patient Information (CPI) definition

The national data opt-out applies when S. 251 support, which enables the processing of Confidential Patient Information (CPI) without consent, is the legal basis for using data.  This appendix provides guidance for health and care professionals in assessing what is CPI for the purposes of applying the national data opt-out.

Summary

The national data opt-out applies when S. 251 support, which enables the processing of Confidential Patient Information (CPI) without consent, is the legal basis for using data.  This appendix provides guidance for health and care professionals in assessing what is CPI for the purposes of applying the national data opt-out.


A6.1: What is Confidential Patient Information?

Confidential Patient Information is a legal term in use across the health and care system.  It is defined in section 251(10) and (11) of the National Health Service Act 2006 (see below). (Section 251 has been updated to ensure that the definitions used expressly include local authority social care, that is care provided for, or arranged by, a local authority). Broadly it is information about either a living or deceased person that meets the following 3 requirements: 

  1. identifiable or likely identifiable e.g. from other data likely to be in the possession of the data recipient; and
  2. given in circumstances where the individual is owed an obligation of confidence; and
  3. conveys some information about the physical or mental health or condition of an individual, a diagnosis of their condition; and/or their care or treatment.

The definition of "patient" specifically includes an individual who needs or receives local authority social care or whose need for such care is being assessed by a local authority.  Confidential Patient Information cannot be defined by a specific data item (e.g. name or postcode) alone, as it needs to be considered more broadly to take account the nature of the information and the circumstances of the record, including the reasonable expectations of a patient.

Prior to making a disclosure or using data for a purpose beyond individual care an assessment must be made that considers whether the information concerned is Confidential Patient Information; what the lawful basis is for the disclosure or change of purpose; and, if lawful, whether the national data opt-out needs to be applied in line with this operational policy guidance document. This guidance aims to provide information that will support this assessment and provide some illustrative scenarios that set out some of the relevant factors to consider in making this assessment.

It is important to remember that any personal data which is identifiable but is not deemed to be Confidential Patient Information (for example because it does not tell you anything about the health or care or treatment of the individual) still needs to be processed lawfully, fairly and transparently in line with wider data protection legislation.

Broadly there are 2 types of patient identifiable data held in the NHS:

  • patient registration data – this is personal data provided by the patient when they register for health services.  (Patient registration data is classified as personal data under GDPR/Data Protection legislation.) Most often through a GP (for example through completing a GMS 1 form and/or through other local processes).  Registration data comprises demographic data (for example name, address, NHS number etc) which uniquely identifies an individual but does not include any clinical or medical information.  This enables the Secretary of State to maintain a list of patients in order to fulfil his statutory duty to provide general medical services to the resident population of England.  This registration data is collected and held separately to records of health, care or treatment in various clinical or care records.  Registration data are used for a range of administrative purposes within the health and care system for example to facilitate transfer of medical records, to manage GP lists, enable payment of GPs, fraud prevention and to secure and allocate resources.  The separation from clinical care records can be illustrated by the fact that it is possible to be registered as a patient before any clinical record is created for example through the visa application processes for overseas visitors.
  • clinical/care records – this includes demographic information that identifies an individual alongside a range of information about their physical or mental health, their condition(s) and diagnoses, assessment of an individual’s needs for social care services, records of care or treatment given that are gathered in from a range of health and care settings.  Any identifiable information taken from your clinical/care records is always Confidential Patient Information.  An individual may have a number of clinical/care records in a number of different settings for example dental records, GP records, hospital records.  Registration data may be used to populate or update a clinical/care record.

The interactions of these two types of data are illustrated below:

infographic showing registration data flows summarised.

Figure 2: Registration dataflows

It is important that there is a complete list of patients for the NHS and care services and it is not possible to opt-out from the central patient register held on PDS.  There are strict controls in place for use and access to patient registration data as this remains personal data.

It should be noted that in some circumstances clinical systems may be used to provide updates to patient registration data, for example where a patient has provided an update to their address during a clinical interaction.  Such processes are for efficiency and convenience and in the future it is anticipated that patients will be provided with other mechanisms to enable them to provide such updates more directly (for example via an NHS app).  The fact that the patient has provided an update to their address via a clinical interaction does not mean that the information is owed a duty of confidence.  The information provided must have the necessary ‘quality’ of confidence to be confidential, i.e. more than just a name and address.  Separately there has to be a context (for example, confidential relationship, e.g. doctor/ patient) set by a patient's reasonable expectations that makes the information confidential.  Most often such updates are provided to a receptionist.


A6.2: Assessing what is Confidential Patient Information

As set out above Confidential Patient Information cannot simply be defined by a specific data item (for example name or postcode) alone, as it needs to be considered more broadly to take account of the circumstances of the record and disclosure.  There may be some other information provided at the time, or which can be inferred from the context of the disclosure, that means that it becomes Confidential Patient Information.  This assessment needs to take into account what patients might reasonably expect to happen to their data in the particular circumstances in question and whether they might reasonably expect the national data opt-out to apply based on the information provided to them.  The national data opt-out patient facing information and resources are found on the national data opt-out webpages – this, and other relevant patient information and communications, should be considered when making the assessment.

The national data opt-out public communication materials make it clear that the national data opt-out is limited to Confidential Patient Information and that patients cannot opt out of registration data.  In addition the privacy notice for the Personal Demographic Service (the nationally held patient register) is also clear in this regard.

The following examples illustrate the factors that need to be taken into account when making this assessment particularly when considering demographic information in different scenarios:

Type of data and context of disclosure

Is it CPI

Rationale

Name and date of birth on its own drawn from registration data

No

Anyone can register to receive medical services whatever their state of health.  This is identifiable, but it does not reveal anything about an individual’s health, care or treatment.

Sample of NHS numbers drawn from registration data

No

NHS number on its own is not Confidential Patient Information – it is an administrative number assigned by the NHS.  However, for someone with access to other NHS data it can act as the key to identify an individual. It is for that reason that it is protected by safeguards.  

Name and address drawn from registration data

No

As for NHS number, name and date of birth, this is not Confidential Patient Information. However, connecting this identifying data to other information may make it Confidential Patient Information.  For example for a very small number of patients who have no other correspondence address and where the address is an in-patient setting for people with severe learning disabilities or a specialist nursing home that cares for those with dementia then it may become Confidential Patient Information.  This would be the case where the address itself said something about the individual’s health, care or treatment.

Name and address – drawn from clinical records for example of those with a specific condition in order to write to them about a research study.

Yes

Although the disclosure is on the surface of it demographic only - the circumstances of the disclosure may reveal something about a person’s health, care or treatment if this is shared with a third party.  However, where a clinician involved in the patient’s care has written directly to the patient there is no disclosure of Confidential Patient Information and the opt-out would not apply. 

Name and address drawn for a Patient Administration System (PAS) in a Mental Health Trust

Yes

The information is disclosed by a mental health trust and would constitute Confidential Patient Information as it does give some information about a person’s health, care or treatment especially if it discloses that the person has either registered with the Mental Health Trust or has been treated.


A6.3: Further information and advice

The Information Governance Alliance has published a range of information and guidance on data protection and confidentiality for the health and care system.

The Confidentiality Advisory Group (CAG) is an independent body which provides expert advice on the use of confidential patient information.  This includes providing advice to the Health Research Authority (HRA) and Secretary of State for Health and Care on the appropriate use of confidential patient information for purposes beyond individual patient care.  As part of this CAG gives advice about what constitutes Confidential Patient Information.

The Department of Health and Social Care has published a Code of Practice on Confidentiality

NHS Digital has published a Code of Practice on Confidential Information. (This Code is being reviewed and is due to be updated.)


A6.4: Extract from NHS Act 2006 Sec 251

The following is an extract from the NHS Act 2006 Sec 251 defining Confidential Patient Information:

(10)    In this section “patient information” means—

(a)      information (however recorded) which relates to the physical or mental health or condition of an individual, to the diagnosis of his condition or to his care or treatment, and

(b)      information (however recorded) which is to any extent derived, directly or indirectly, from such information,

whether or not the identity of the individual in question is ascertainable from the information.

(11)    For the purposes of this section, patient information is “confidential patient information” where—

(a)      the identity of the individual in question is ascertainable—

(i)   from that information, or

(ii)  from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and

(b)      that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.

NB: It is worth noting that Section 251 has been updated to ensure that the definitions of ‘patient information’, ‘confidential patient information’ and ‘medical purposes’ expressly includes ‘local authority social care’.  The definition of "patient" now specifically includes an individual who needs or receives local authority social care or whose need for such care is being assessed by a local authority.  All references to “care” within this definition now includes “local authority social care” which is defined as:

  • social care provided or arranged for by a local authority, and
  • any other social care all or part of the cost of which is paid for with funds provided by a local authority;

Last edited: 25 February 2020 12:54 pm