This guidance clarifies existing rules on use of confidential patient information and on anonymisation. It also explains new regulations that enable the use of health data in the context of COVID-19 research.
Research using anonymous health information
A member of a patient’s or service user’s care team may render confidential patient information anonymous without breaching the duty of confidentiality. The care team includes registered health and social care professionals and other staff that directly provide or support care to patients.
Anonymised information can then be used in health and care research. There are two main scenarios that are likely to apply to health and care research:
- A member of the care team enters information about patients into a database (for example, using a secure web-based system) without any identifiers, where the primary purpose of the database is to support public health surveillance and wider clinical decision-making. That database would then hold information that would be anonymous to the researcher (where appropriate controls about linking that data to other data are put in place). The establishment of a database for public health or clinical purposes does not require review by a REC and should be managed under clinical governance arrangements. This anonymous data may then be used for research without REC approval
- A member of the care team enters information about patients into a study-specific database (for example, using a secure web-based system) without any identifiers, where the primary purpose of the database is to support an individual research project. Where the purpose of new data collection is for research, it requires review by a REC, even if the data analysed by researchers will be anonymous to the researcher. Where such research involves NHS Trusts, GP Practices or Health Boards in England and Wales, it requires HRA or HCRW approval.
In either scenario, a member of the care team does not need to have consent to enter de-identified data into the database.
Guidance for using patient data without consent
Ordinarily, applications are made for ‘section 251 support’ from the Confidentiality Advisory Group (CAG) where confidential patient information is to be processed in England and Wales without consent for research and non-research activities. The Secretary of State for Health and Social Care has issued a general notice under the Health Service Control of Patient Information Regulations 2002 to support the response to COVID-19. This notice, which applies only in England and Wales, requires NHS Trusts, Local Authorities and others to process confidential patient information (CPI) without consent for COVID-19 public health, surveillance and research purposes.
The notice has been extended until 30 September 2021 in an official statement on gov.uk, and provides a temporary legal basis to avoid a breach of confidentiality for COVID-19 purposes. When this notice expires, all relevant information should be deleted. If you are relying on the COPI notice and need to process patient information for COVID-19 purposes after 30 September 2021, please notify the CAG via email@example.com by 30 June 2021. We will advise you on what you need to do next.
This means that research activities (and non-research activities) that normally require CAG support for processing CPI without consent do not require CAG support where they relate to a ‘COVID purpose’ and while the notice is in force.
A temporary arrangement has been made for research COVID-19 studies to go through the fast-track ethical review process, in which support from CAG is not required as the Notice provides a legal basis. However, to support research ethics committees the CAG is providing informal advice as part of that ethical review fast-track process.
How to use patient data without consent
If accessing centrally held data, such as that held by NHS Digital or Public Health England, NHSX has created a process for capturing and using COVID-19 data without consent under the terms of the Notice. If you plan to use such data without consent from these data sources contact firstname.lastname@example.org, instead of applying to the CAG.
If accessing relevant patient data from local sites, your research study will still need a research ethics review, so you should apply for fast-track ethical review in the same way as other COVID-19 studies. Though formal CAG support is not required it has been agreed that CAG will provide informal advice to the researcher about the use of confidential patient information in the study. CAG will receive information it needs on your study from NHSX or from your application for fast-track ethical review, so you do not need to contact CAG separately.
Data protection legislation
In addition to the common law relating to confidential patient information, you also need to meet data protection requirements, even where data is anonymised.
Patient information is personal data under data protection legislation if it is identifiable, or has the potential to be identifiable, on the basis of the information held by the organisation holding the data. So, patient information may be de-identified to a researcher but still be classed as personal data as far as the organisation holding the data is concerned.
In order to process personal data, the GDPR and the Data Protection Act 2018 require that you have a legal basis. Our GDPR guidance recommends that research organisations that are public authorities rely on public interest and commercial research partners should use legitimate interests as their legal basis. Explicit consent under the GDPR is not necessary for health and care research.
Transparency about use of patient data
Where patient information is being used for research, there should be as much openness and transparency about that use as possible. This may be through a mix of leaflets, posters, verbal information or information on websites. This should be proportionate and appropriate to the circumstances.
NHSX has published information governance advice around COVID-19.