Access to confidential patient information without consent
The HRA’s responsibilities for the regulation and governance of health and social care research are defined in the Care Act 2014. To carry out these responsibilities in relation to data, the HRA appoints the Confidentiality Advisory Group (CAG) to provide advice on uses of data as set out in the legislation.
The CAG function provides independent expert advice in this area, including providing advice to the HRA itself. It advises under two separate legal frameworks:
- The Health Service (Control of Patient Information) Regulations 2002 (also known as ‘section 251 support’). Under this legislation, the CAG advises the decision-makers, the Health Research Authority and the Secretary of State for Health, whether applications to process confidential patient information without consent should or should not be approved.
- The Care Act 2014. This is a new function where, broadly, the CAG will advise the Health and Social Care Information Centre (HSCIC) on aspects relating to their dissemination function.
The key purpose of the CAG is to protect and promote the interests of patients and the public whilst at the same time facilitating appropriate use of confidential patient information for purposes beyond direct patient care.
Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information but it is not always practical to obtain consent. More information is available from our ‘What is Section 251?’ page.
The following bodies take the final decisions; their decision is informed by the advice provided by CAG:
- The Health Research Authority (HRA) – for research applications
- The Secretary of State for Health (SofS for Health) – for non-research applications
- The Health and Social Care Information Centre (HSCIC) – in relation to data dissemination
Research and non-research applications
The role of CAG for research and non-research applications is to review applications and advise whether there is sufficient justification to access the requested confidential patient information. Using CAG advice as a basis for their consideration, the HRA or SofS for Health will take the final approval decision. Approval is provided within the framework of the Health Service (Control of Patient Information) Regulations 2002.
We have developed a series of FAQ sheets to help you to understand:
- The law itself – Section 251
- The role and remit of CAG
- How CAG considers applications and who makes the final decision on applications
A paper has been published that sets out how CAG approaches key considerations when providing advice.
A position paper which aims to provide guidance to ‘Section 251’ applicants is available below. This paper outlines the ICO and CAG position on what to take into account when considering making an application if the applicant thinks seeking consent would result in a significant amount of non-response. It is important that applicants take note of this guidance prior to starting data collection as it is not intended that this option would be available once a study has started and response is poor.
The Health and Social Care Act 2012 (as amended), sets out that the HSCIC must have regard to advice from the CAG in connection with data dissemination. The CAG will consider advice requests from the HSCIC that relate to the HSCIC’s Dissemination Framework and responses they have proposed to specific issues which they think test or challenge the boundaries of this Framework (known as ‘edge cases’). In this respect, the CAG will provide a form of peer review service to the HSCIC. The HSCIC will take the final decision, taking into account the advice provided by CAG. The CAG will make its advice publicly available in its minutes.
- This FAQ document explains more about the CAG role in relation to data dissemination.