Skip to main content
Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. More about the merger.

Protecting patient data

Patient data must be looked after carefully in line with the law. This guidance covers data protection legislation and other protections for patient data.

In the UK, the legal frameworks covering how patient data must be looked after and processed are the Data Protection Act (DPA) 2018, which brought the EU General Data Protection Regulation (GDPR) into law, and the Common Law Duty of Confidentiality (CLDC).

Data protection legislation requires that the collection and processing of personal data is fair, lawful and transparent.

This means there must always be a valid lawful basis for the collection and processing of data as defined under data protection legislation, and the requirements of the CLDC must also be met.

Data Protection Act 2018

Under GDPR, for recording and processing health and care data, both of the following must be satisfied:

You can read more about GDPR on the Information Commissioner’s Office (ICO) website.


Because of this, the ICO has advised that using consent as the lawful basis for the recording and processing of data under GDPR should be avoided by public authorities, such as health and care providers. This is because it is unlikely to be able to meet the strict requirements around consent. In particular it cannot be considered freely given if access to health and care services are dependent on it.  The ICO recommends that another lawful basis is used.

Common Law Duty of Confidentiality

To meet the requirements of the CLDC there must be one of the following conditions:

  • a mandatory legal requirement or power that enables the CLDC to be set aside, such as the Children Act 1989 which requires information to be shared in safeguarding cases, powers for Care Quality Commission inspections, reporting of food poisoning, reporting of infectious diseases such as measles, and the powers given to NHS Digital under section 259 of the Health and Social Care Act 2012
  • a court order, where a judge has ordered that specific and relevant information must be provided, and to whom 
  • an overriding public interest, where it is judged that the benefit of providing the information outweighs the rights to privacy for the patient concerned and the public good of maintaining trust in the confidentiality of the service
  • explicit or implied consent
  • legal support for the use of confidential patient information without consent under the Health Services (Control of Patient Information) Regulations 2002, under section 251 of the NHS Act 2006

You can read more about the CLDC on the Caldicott Guardian website.


It is still possible to use consent to satisfy the CLDC when recording or processing health and care data, and there is no need to change consent practices that already meet the CLDC requirements. Consent under CLDC does not need to meet the requirements for consent set out in the DPA.

Section 251 (NHS Act 2006) approval

The Confidentiality Advisory Group (CAG) is an independent body which provides expert advice on the use of confidential patient information without patient consent. It provides advice to the Health Research Authority (HRA) for research uses, and to the Secretary of State for Health and Social Care. 

Its main purpose is to protect and promote the interests of patients and the public, while also making sure that confidential patient information can be used when it is appropriate, for purposes beyond individual care.

CAG can give Section 251 approval (S251) for the use of confidential patient information without consent for a specific purpose by the HRA or the Secretary of State for Health and Social Care. This would usually only be granted when an organisation requesting the data makes the case that it would be very difficult or impractical to seek consent from every individual whose data they wish to use. 

For more information about CAG see:

The national data opt-out is a policy offering that exists alongside the DPA and CLDC. It only applies to data being used or disclosed where the CAG has granted section 251 approval, and no specific exemption to the national data opt-out policy has been granted.

What patients need to know about their data

As well as having a duty to be fair and a lawful basis for collection and processing of data, all organisations must also be transparent.

Transparency is an important element of data protection. You must make sure your patients know how their data is used and for what purposes it is shared. There should be ‘no surprises’ for a patient in terms of how their data is used.

The ‘transparency’ requirements are set out in full in Articles 12, 13 and 14 of the GDPR. They include making the following information publicly available:

  • who the data controller is and how to contact them
  • purpose of the data processing
  • the lawful basis for the data processing
  • information about the data subjects’ rights and how to exercise them
  • any third parties with whom the data is shared, including
  • any transfers to a country outside the European Economic Area (a ‘third country’) and the safeguards.

Organisations can use a ‘privacy notice’ or ‘fair processing’ information to inform their patients, or use other methods. By law, the information provided should be concise, easy to understand and easily accessible.

Other protections for patient data

As well as these specific legal requirements, patient data is protected in other ways.

Data sharing agreements

Where personal data is provided from one organisation to another for purposes beyond an individual’s care a data sharing agreement should be put in place. The agreement will confirm who maintains responsibility and control over the data, referred to as the data controller, and should comply with the relevant data protection legislation and the ICO guidance on data sharing agreements. See the ICO's Data sharing code of practice for more information.

The agreement will set out terms and conditions including, for example:

  • the purpose for which the data is being provided, which must support the provision of health and care services or the promotion of health
  • the security requirements for the organisation receiving the data
  • the retention period for the data

Organisational and professional standards and guidelines

Each organisation’s terms and conditions of employment include strict guidelines on how staff handle and protect patients’ information, with disciplinary procedures in place, including dismissal, for any member of staff who does not comply with those guidelines. Staff must also be regularly trained in information governance responsibilities.

The Data Security and Protection (DSP) Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

Professional bodies such as the General Medical Council and Health and Care Professionals Council also set out standards which their members must meet.

What happens if an organisation breaks the law?

The Information Commissioner regulates and enforces data protection laws. If the ICO identifies that an organisation has not complied with data protection legislation, it can impose fines of up to £17 million or 4% of global turnover (for the most serious data breaches).

Although the national data opt-out is a policy offering, rather than a specific legal requirement, any organisation that does not comply with the national data opt-out policy could be considered to be breaching the requirement to be fair and transparent. See 10.5 Compliance with the national data opt-out: ICO position in the operational policy guidance document.

Last edited: 14 November 2022 5:37 pm