The table below describes commonly-arising situations, which have been identified and discussed at meetings of the CAG. A broad range of members have applied their expertise to the establish precedent advice.

Category Description Submission advice
1. Participant identification applications (applications to identify a cohort of patients and subsequently seek their consent). This category can support the recruitment of participants to research studies or surveys, enabling applicants to access confidential patient information on potential participants in order to send them study invitations or surveys.

Section 251 support may be requested to screen patient records to check eligibility, as well as to access patient contact details to send invitation letters.

The preferred options for seeking consent are for a member of the care team (who is recognised by the patient as such) to directly ask the service user’s permission for the care team to pass on their details to the researcher, or for a member of the care team to pass on information about a study to the service user, who can then contact the researcher if they so wish. This allows the direct care team to determine whether it is appropriate to contact the patient, and engenders the trust of patients, both in the specific activity and in research activity in general.

Applications should only be made under this category where the above options are not feasible and the activity can be justified in terms of public interest.
You should explore ways to limit access to confidential patient information without consent. This could include limiting the length of time the confidential patient information is accessed, limiting the number of people accessing the confidential patient information, sending letters on premises.

There should be a local method of opt-out which is clearly described in the application in terms of how it will be applied. Given the breach of confidentiality occurs prior to receipt of the invitation the local opt out method should be clearly communicated to the patient cohort for a period prior to the screening of patient records (for example, through posters in waiting areas)

Where reminder letters are sent to potential participants, this should be limited to one letter only.


Exit Strategy
Once consent is obtained, Section 251 support under the Regulations is no longer required. The return of a completed survey or questionnaire may constitute implied consent. Where consent is not obtained deidentification of confidential patient information is the appropriate exit strategy. How deidentification will be achieved, and the time until this will be undertaken, should be clearly described in the application.
2. Access to deceased person’s confidential patient information This category applies where some or all the entire cohort is deceased.

It is clearly not feasible to obtain consent from a person who is deceased. The Next of Kin cannot give consent in this situation, unless they are the Legal Personal Representative.

In some cases where some of the cohort is deceased, finding out an individual’s mortality status (whether deceased or not) could lead to the further disclosure of identifiable information, and it has been therefore accepted that it is not practicable to do so.

You should consider all practicable alternatives. These could include asking the direct care team to access the confidential patient information and de-identify it before providing the information, or completing an application to NHS England to obtain pseudonymised data on the cohort.

If no alternative can be found, the focus should be upon minimising the disclosure of patient confidential information. You should ensure that only information which is necessary for the purpose of the activity is accessed, and for the minimum length of time.
A local opt out mechanism is not feasible where the entire cohort is deceased patients but is expected to be applied where some of the cohort may be living. It is expected that the National Data Opt-Out will be applied in all cases.

Whilst some or all of the patient population is deceased CAG expects general patient notification to be provided to the general public. This should provide a local opt out option where some of the cohort may be alive but is not necessary where the entire cohort is deceased.

Public involvement should be conducted with a cohort of living patients with a similar condition, around the use of confidential patient information without consent, and evidence of outcomes provided with the application.

Exit Strategy
Anonymisation or pseudonymisation of the confidential patient information is likely to form the exit strategy for an application in this category.
3. Where applicants are accessing confidential patient information on-site to extract deidentified data. The preferred method for access to confidential patient information is for the direct care team to extract and deidentify the information from medical records, avoiding any breach of patient confidence.

Applications under this category should only be made where this method is not practicable and there is justification for the applicant to access confidential patient information for a short period of time in order to anonymise it on-site.
You should clearly demonstrate that you have explored all possible practicable alternatives: in addition to asking the direct care team to extract and deidentify the information, applicants could sit in with care teams who provide only the required information from the medical records (limiting researcher access to confidential patient information).

Confidential patient information should not be removed from the site.

Exit Strategy
You should specify the exact length of time for which you require Section 251 support and explain why this time period is necessary.

Deidentification is the required exit strategy for this category. The time taken to extract deidentified confidential patient information is considered on a case by case basis; however an appropriate length of time for use of confidential patient information under this category would be around 6 months
4. Time limited access to undertake record linkage/validation and to anonymise the dataset This category allows applicants to collect follow-up or additional data on a particular cohort. The data may be added to a dataset that is already held, or the applicant may be asking for a combination of confidential patient information from two datasets held by a third party (in this case the linkage is carried out by the third party).

It may also be used to check that confidential patient information is correct, for example verifying names and addresses before contacting patients to seek consent for research.

Applications under this category most commonly involve NHS England, as the third party carrying out data linkage

Such applications typically involve sending confidential patient information to NHS England to obtain data on individuals within a particular cohort. Identifiers will usually include name, NHS number and date of birth to ensure accuracy. NHS England extracts the requested data and returns it to the applicant in anonymised form.

Section 251 support under this category covers the disclosure of identifiers to the third party for linkage or verification, and also covers the third party to use the data for the specific purpose outlined in the application.
In some cases, you may be instigating the flow of data without accessing any identifiable data. An example would be where you ask the direct care team, or an organisation holding confidential patient information on individuals with a particular health condition, to send identifiers to NHS England on your behalf so that NHS England can return an anonymised dataset to you. Section 251 support is still required to allow the third party to disclose identifiable information on your behalf, and to cover NHS England for the linkage.

You should liaise with the third party to ensure that you are providing them with the minimum number of identifiers necessary in order to link the datasets. The risk that a patient could be identified from any data returned should be minimal. If the resultant dataset contains identifiers (with the exception of date of death) this will exclude the application from the Precedent Set pathway.

The submission of a data flow diagram to illustrate the data flows is particularly important for applications in this category. This should explicitly detail the flows of confidential patient information.

You should provide evidence of correspondence from the organisation that holds the confidential patient information to ensure clarity regarding the scope of s251 support.

Exit Strategy
Anonymisation is the required exit strategy for this category.
5. Applications utilising the CAPSS (Children and Adolescent Psychiatry Surveillance System) methodology. The CAPSS methodology is a surveillance methodology designed to support the epidemiological study of rare mental health disorders or events amongst children and adolescents.

The methodology uses the reporting card system: every month an electronic reporting card with a list of conditions currently under surveillance is sent to consultants in child and adolescent psychiatry, who return the card notifying the CAPSS of any cases they have seen, or not seen of this condition. CAPSS pass the details of consultants who have reported cases of the relevant condition to the researcher, who will send the consultant questionnaire for each reported case, requesting pseudonymised, clinical data to be returned for analysis.

Some researchers may use an NHS-accredited data safe haven for consultants to send pseudonymised clinical data. Where follow-up questionnaires are required, researchers will hold the details of the patient in the data safe haven and access them at the appropriate time point. These will be shared with the consultant by the researchers.

These methodologies were devised in conjunction with the CAG, to reduce the risk of identifiability where information about small numbers of patients with rare diseases is transferred.
You should illustrate the data flows with a data flow diagram, which should explicitly detail the flows of confidential patient information. Although the method of data collection and the data flows should not vary between applications, the data items returned by the clinician to the applicant may differ in each project.

You should ensure that the data returned to you from the consultant contains the minimum level of information needed to achieve the aims of the application. In cases where a second questionnaire will be sent to the clinician for follow-up of the patient, it will be necessary to store pseudonymised information in order to link the resulting data – you should ensure that the risk of identifying the individual is minimal.

You should not keep identifiers such as date of birth or postcode, unless this can be justified in terms of the study aims. If you are retaining identifiers (except for date of death) the application would be excluded from the Precedent Set pathway.

Exit strategy
Anonymisation of the confidential patient information is an appropriate exit strategy for this category.
6. Applications utilising the BPSU (British Paediatric Surveillance Unit) methodology or the British Ophthalmological Surveillance Unit (BOSU) methodology The BPSU methodology is used to collect data nationally on rare childhood diseases, to enable research to be carried out where numbers in any one area would be too low due to the rarity of the disease.

The BOSU methodology is a surveillance methodology designed to support and enable data collection research for patients with rare eye conditions in the UK.

Both methodologies use a reporting card system: every month an electronic reporting card with a list of conditions currently under surveillance is sent to participating clinicians (including consultants, and their supervised trainees, and other specialists who provide direct care). When a case is seen, clinicians will click on a link to report cases through secure encrypted methods to a secure clinical area in a Data Safe Haven (currently at the Health Informatics Centre Data Safe Haven at University of Dundee). Reporting clinicians will also access a link to complete a questionnaire on the reported case within the clinician area. The study team will review the questionnaire (with identifiers) as part of a QA process, after which it will be accepted and data moved into the study database (held in a separate area within the Data Safe Haven) for analysis.

It is possible that follow-up questionnaires may be sent via the data safe haven and these should be detailed in the application.

These methodologies were devised in conjunction with the CAG, to reduce the risk of identifiability where information about small numbers of patients with rare diseases is transferred.

Note that BPSU are transitioning to this new methodology. It is possible that some BPSU applications may still be submitted using the CAPSS methodology described in category 5 until 31 December 2023. All future BOSU applications are expected to use the new methodology.
You should illustrate the data flows with a data flow diagram, which should explicitly detail the flows of confidential patient information. Although the method of data collection and the data flows should not vary between applications, the data items returned by the clinician to the applicant may differ in each project.

You should ensure that the data returned to you from the clinician contains the minimum level of information needed to achieve the aims of the application. In cases where a second questionnaire will be sent to the clinician for follow-up of the patient, it will be necessary to store pseudonymised information in order to link the resulting data – you should ensure that the risk of identifying the individual is minimal.

You should not keep identifiers such as date of birth or postcode outside of the clinician area of the data safe haven (not accessible to anyone other than the clinician), unless this can be justified in terms of the study aims. If you are retaining identifiers (except for date of death) the application would be excluded from the Precedent Set pathway.

Some applications may also link with additional data sources. These can be included in the precedent set application unless the linkages would meet the exclusion criteria below. If this is the case this should be explicitly detailed in the application, and the flows of confidential patient information for linkage should be included in the data flow diagram.

Exit strategy
Anonymisation of the confidential patient information is an appropriate exit strategy for this category.
7. Validity of consent This applies to situations where the legal entity responsible for releasing confidential patient information states that the wording of the original consent is insufficient to provide a common law legal basis to for them to allow access. Prior to submitting an application both parties should seek to resolve this locally, exploring other practical alternatives as necessary. An application should only be made if this cannot be resolved.

This category is also used where contact details of participants are held under consent but need to be validated by requesting up to date details from other sources such as NHS England .
You should provide copies of the original patient information sheets, template consent forms that were used to consent patients.

You should provide evidence of review of consent materials and assessment of validity by the legal entity from whom confidential patient information is being requested, and why it is not considered valid. The application cannot be processed without this information.

It is important that the information requested should be in the spirit of the original consent provided. This category cannot be used to significantly extend or vary the terms of the consent but is intended to resolve issues around the interpretation of the existing consent.

Materials to inform the patient population should include a short statement about why the original consent is not valid for the activity, why section 251 support has been given and provide the opportunity to opt out.

Patient and Public Involvement should be conducted with the patient group under study, or an organisation which represents them.

Exit strategy
An appropriate exit strategy for the activity should be described within the application.
8. Data cleansing of historical studies (discontinued) This category has been discontinued.
9. Access to mortality, cancer or GP data from NHS England (‘class support applications’) (discontinued) This category has been discontinued.
10. Exposure to confidential patient information when observing practices and procedures in a privileged area within a health and social care setting This category allows for situations where the individual is going into privileged environments where they know that they are likely to be exposed to confidential patient information without patient consent. This typically occurs with observations for ethnographic, qualitative and audit purposes.

Example of when this category would apply

Observation of a multi-disciplinary team meeting where health professionals discuss the care of patients, and where prior consent has not been given by the patients. Although the access to confidential patient information is incidental it still involves a breach of confidentiality in cases where that observer would not usually have access to that confidential patient information because they are not in the a multi-disciplinary team meeting as part of the direct care team but instead to observe for other purposes.

In this example, if the researcher observes only those the section of the a multi-disciplinary team meeting dealing with patients who have consented to the observation, or if the a multi-disciplinary team meeting is arranged such that confidential patient information is not disclosed then there is no breach and no application to CAG is necessary.

Examples of when this category would not apply (and no application to CAG is necessary)

Observation of staff meetings not directly related to patient care. For example, reception team meetings, management meetings. These meetings are not expected to discuss direct patient care and should therefore not involve the disclosure of confidential patient information. Nevertheless, meeting attendees should as good practice be reminded that an observer is present and to be mindful to not disclose identifiable patient information as part of the meeting.

Observation of patient care (both inpatient and outpatient care). It is expected where observing direct patient care interactions that consent is obtained from the patient receiving care. The form of consent should be appropriate to the situation and may include oral consent. Note that observers may potentially overhear other conversations related to other patients outside the research. However this is not over and above what other visitors on the ward/clinic may hear, given it is a public space, and does not necessitate an application to CAG on this basis.

Observation of health services in a publicly accessible area, for example a reception waiting area. NHS Staff are bound by the duty of confidentiality and should not be disclosing confidential patent information in a publicly accessible area. An observer therefore is not exposed to any information that any external visitor (such as. other patients) would not be exposed to and no breach in confidentiality occurs. However, it is good practice to display information, such as posters, in the area to be observed, to raise awareness to those attending this area.

Researcher operating within a clinical setting (with consent/approval for the research project at hand), cannot avoid overhearing patient information being overheard (such as names being called out in a waiting room).
You should demonstrate that it would be impracticable to seek consent from service users whose confidential patient information will be disclosed to observers during the course of the meeting and that it is not practicable or appropriate to modify the meeting such that patient identifiers will not be disclosed.

Audio/Video recording of the observation should be avoided, and written records of confidential patient information should be not made by observers.

Security assurances are required for the site where the observations take place. Support will be based on confirmation that the Data Protection and Security Toolkit at the site will be complied with and that no identifiable information will be recorded and kept onsite or removed from the site.

Where support under this category is requested patient notification materials should be displayed. The notification should confirm that no confidential patient information will be recorded and provide the opportunity for patients to opt out.

Exit strategy
The need for support under the Regulations should be time-limited, as no confidential patient information will be retained or removed from site – the analysis will not be concerned with service user information.
11. Applications to administer patient surveys made by organisations on behalf of Care Quality Commission (CQC) Organisations (for example the Picker Institute and IPSOS UK), are commissioned by the CQC to administer patient surveys on their behalf.

CQC is the data controller for the surveys, bearing overall responsibility for the data processing. Any breaches to the agreed methodology are the responsibility of CQC.

Participating NHS Trusts are provided the option to send out the surveys to their patients, however where it is not practicable for staff at the hospital to do this, approved contractors can complete this work on their behalf.

Section 251 support is applied on behalf of participating NHS Trusts to cover the provision of patient identifiable information (patient name, address and mobile telephone number for the purpose of sending reminders) to contractors, who then send the survey to the patient.

Section 251 support also covers the provision of demographic information on all patients who were sent the survey, so that organisations, on behalf of the CQC, can look at whether the survey responses are representative of the whole population.

Approved contractors process the confidential patient information for the purpose of mailing out surveys to patients.

The methodology remains the same for each survey, although minor changes are regularly made to improve data security and new approaches aimed at improving response rates are frequently piloted.
The methodology for the surveys is approved in principle by the CAG. Any changes to the methodology should be highlighted in the main body of the application and will be considered on a case by case basis by the Sub-Committee.

Any changes involving a significant change to data security or flows, or engaging any of the exclusion criteria listed here, will be referred to a full meeting of the CAG.

These activities have a policy level exemption the National Data Opt-Out, but a local opt-out procedure should be in place at participating NHS Trusts and this should be clearly described in the application.

Patient notification materials should clearly detail a local opt out mechanism as well as confirming the National Data Opt-Out will not apply due to policy exemption

Exit Strategy
The support requested is time limited in order to access names and addresses to send out patient surveys.

Anonymisation/destruction of confidential patient information or consent (implied by the return of a completed questionnaire) form the exit strategy for this category.
12. Use of the NHS England DigiTrials service to invite patients NHS England DigiTrials offers a range of services to researchers. This criterion specifically relates to the service to identify and invite patients to consent to a research study.

NHS England will use data sources under their control to identify potential participants. This activity is undertaken under Directions given by the Secretary of State for Health and Social Care. This activity therefore is outside the scope of support.

Section 251 support is required to transfer name, address and postcode to a third party mailing supplier. This supplier may vary but should be named in each application.

Identifiable information will not be shared with the research team prior to consent by the patient.
The methodology in principle remains unchanged, but third-party mailing suppliers may change. Where the research team will receive identifiers prior to consent this would be escalated to full CAG review.

Steps should be taken to inform the patient population of the activity for a period prior to any data release by NHS England, which should be proportionate to the scale of data release.

As part of the communication strategy prior to data release, participants should be provided the opportunity to opt out of their confidential patient information being used on a project specific basis. As well the National Data Opt Out should be applied. Any proposed deviation of approach should be considered at a full CAG meeting.

The invitation letter to patients, whilst after the breach in confidentiality, should clearly explain how their confidential patient information was used to invite them into the study. This should include a statement on the role of CAG.

Whilst it is recognised that NHS England have undertaken broad public involvement on the DigiTrials, it is expected that study specific public involvement is undertaken to demonstrate the acceptability on the use of confidential patient information for the specific research to support the public interest.

Exit Strategy

Consent is the exit strategy for those that agree to participate in the research.

For those that do not participate it is expected that the mailing supplier deletes all identifying information within a short timeframe after the mailout (two weeks is usually appropriate)
13. Establishing a legal basis for a historical dataset Some activities may have collected identifiable patient information many years ago, potentially before the introduction of the NHS (Control of Patient Information) Regulations 2002. Some may have established a common law legal basis at the time (e.g. consent), whilst others may not have had an established common law legal basis.

Where the common law legal basis is uncertain for the current retention of confidential patient information applicants should first liaise with their IG department/Data Protection Office to determine the most appropriate common law legal basis.

Where no common law legal basis for the continued retention of confidential patient information can be established, an application to CAG can be made. The application should include a statement from the IG department/Data Protection Officer to summarise the considerations that have been made and why there is no current common law legal basis.

These applications may be for the continued retention of confidential patient information only, or may include linkage with other datasets, provided they fall within the inclusion/exclusion criteria

Any support that is given will provide a common law legal basis prospectively only and would not provide any retrospective legal basis.
Applicants will need to provide clear justification as to why the historical dataset cannot be deidentified, and why identifiers need to be retained. This is particularly important where no linkage with other datasets is planned.

Where the confidential patient information is retained only it may not be possible to apply the national data opt out, particularly if retained in a non-NHS setting. However, the NDO would be expected to be applied if any further linkages are undertaken.

Exit Strategy

The application should detail a clear exit strategy, most likely to be deidentification, and provide a timeframe for this to be achieved.

Exclusion Criteria

Applications meeting any of the following criteria will be excluded from review by the precedent set sub-committee and considered at a full CAG meeting:

  1. Access to information about potential abuse, social care data and/or prison populations
  2. Applications involving access to free text, except for the following categories where an exception can be applied:
  • a) Applications submitted under precedent set category 3 (where applicants are accessing confidential patient information onsite to extract anonymised data), where the confidential patient information in question will be extracted from medical notes at a GP surgery or
  • b) Applications submitted under precedent set category 10 (‘exposure to identifiable information when observing practices and procedures in a privileged area within a health and social care setting')
  • These exceptions will only apply where access to free text is time-limited, and no free text will be removed from the site

3. The establishment of a national database or one with a higher risk due to the quantity of information to be held and/or the information security arrangements to be implemented

4. Prospective data collections where consent is not intended to be sought

5. Seeking access to, or linkage with, the Human Fertilisation and Embryology Authority research register, genetic information or non-health data

6. The transfer of confidential patient information outside of the European Economic Area (EEA), or to organisations who intend to use the information for commercial purposes

7. Projects where support is requested indefinitely without a specified exit strategy.

Back to what is the cag precedent set review pathway?