Guidance for using patient data

Last updated on 30 Jun 2022

This guidance clarifies existing rules on use of confidential patient information and on anonymisation. It also explains new regulations that enable the use of health data in the context of COVID-19 research.

Research using anonymous health information

A member of a patient’s or service user’s care team may render confidential patient information anonymous without breaching the duty of confidentiality. The care team includes registered health and social care professionals and other staff that directly provide or support care to patients. 

Anonymised information can then be used in health and care research. There are two main scenarios that are likely to apply to health and care research: 

  • A member of the care team enters information about patients into a database (for example, using a secure web-based system) without any identifiers, where the primary purpose of the database is to support public health surveillance and wider clinical decision-making. That database would then hold information that would be anonymous to the researcher (where appropriate controls about linking that data to other data are put in place). The establishment of a database for public health or clinical purposes does not require review by a REC and should be managed under clinical governance arrangements. This anonymous data may then be used for research without REC approval 
  • A member of the care team enters information about patients into a study-specific database (for example, using a secure web-based system) without any identifiers, where the primary purpose of the database is to support an individual research project. Where the purpose of new data collection is for research, it requires review by a REC, even if the data analysed by researchers will be anonymous to the researcher. Where such research involves NHS Trusts, GP Practices or Health Boards in England and Wales, it requires HRA or HCRW approval.

In either scenario, a member of the care team does not need to have consent to enter de-identified data into the database.

Guidance for using patient data without consent

The general COPI notice expired on 30 June 2022. The notice, issued by the Secretary of State for Health and Social Care, provided a common law legal basis to process confidential patient information (CPI) without consent for COVID-19 public health, surveillance and research purposes, and required NHS Trusts, Local Authorities and others to process for such purposes.

We have been working with applicants who were relying on the COPI notice to seek an alternative permanent legal basis for processing of this data to continue, or to cease processing by 30 June 2022. Alternative legal bases could be obtaining patient consent, Regulation 3 support or applying to the Confidentiality Advisory Group (CAG) to transition to Regulation 5 (section 251) support. If an alternative legal basis is not in place, then all identifiable information should be deleted by 30 June 2022.

From 01 July 2022 if you are planning new COVID-19 related research or non-research activities where confidential patient information is being processed without consent you should submit an application to CAG.

Data protection legislation

In addition to the common law relating to confidential patient information, you also need to meet data protection requirements, even where data is anonymised.

Patient information is personal data under data protection legislation if it is identifiable, or has the potential to be identifiable, on the basis of the information held by the organisation holding the data. So, patient information may be de-identified to a researcher but still be classed as personal data as far as the organisation holding the data is concerned.

In order to process personal data, the GDPR and the Data Protection Act 2018 require that you have a legal basis. Our GDPR guidance recommends that research organisations that are public authorities rely on public interest and commercial research partners should use legitimate interests as their legal basis. Explicit consent under the GDPR is not necessary for health and care research.

Transparency about use of patient data

Where patient information is being used for research, there should be as much openness and transparency about that use as possible. This may be through a mix of leaflets, posters, verbal information or information on websites. This should be proportionate and appropriate to the circumstances.

Further guidance

NHSX has published information governance advice around COVID-19

Back to covid-19 research