This guidance clarifies existing rules on use of confidential patient information and on anonymisation. It also explains new regulations that enable the use of health data in the context of COVID-19 research.
Research using anonymous health information
A member of a patient’s or service user’s care team may render confidential patient information anonymous without breaching the duty of confidentiality. The care team includes registered health and social care professionals and other staff that directly provide or support care to patients.
Anonymised information can then be used in health and care research. There are two main scenarios that are likely to apply to health and care research:
- A member of the care team enters information about patients into a database (for example, using a secure web-based system) without any identifiers, where the primary purpose of the database is to support public health surveillance and wider clinical decision-making. That database would then hold information that would be anonymous to the researcher (where appropriate controls about linking that data to other data are put in place). The establishment of a database for public health or clinical purposes does not require review by a REC and should be managed under clinical governance arrangements. This anonymous data may then be used for research without REC approval.
- A member of the care team enters information about patients into a study-specific database (for example, using a secure web-based system) without any identifiers, where the primary purpose of the database is to support an individual research project. Where the purpose of new data collection is for research, it requires review by a REC, even if the data analysed by researchers will be anonymous to the researcher. Where such research involves NHS Trusts, GP Practices or Health Boards in England and Wales, it requires HRA or HCRW approval.
In either scenario, a member of the care team does not need to have consent to enter de-identified data into the database.
Guidance for using patient data without consent
Ordinarily, applications are made for ‘section 251 support’ from the Confidentiality Advisory Group (CAG) where confidential patient information is to be processed in England and Wales without consent for research and non-research activities. The Secretary of State for Health and Social Care has issued a general notice under the Health Service Control of Patient Information Regulations 2002 to support the response to COVID-19. This notice, which applies only in England and Wales, requires NHS Trusts, Local Authorities and others to process confidential patient information (CPI) without consent for COVID-19 public health, surveillance and research purposes.
The notice has been extended until 31 March 2022 in an official statement on gov.uk, and provides a temporary legal basis to avoid a breach of confidentiality for COVID-19 purposes. This means that research activities (and non-research activities) that normally require CAG support for processing CPI without consent do not require CAG support where they relate to a ‘COVID purpose’ and while the notice is in force.
When this notice expires, all relevant information should be deleted, or an alternative lawful basis put in place. If you are currently relying on the COPI notice and need to process patient information for COVID-19 purposes after 31 March 2022, we strongly advise you to submit an application to CAG as soon as possible to transition to section 251 support. Please read our COPI notice transition page for further information.
Data protection legislation
In addition to the common law relating to confidential patient information, you also need to meet data protection requirements, even where data is anonymised.
Patient information is personal data under data protection legislation if it is identifiable, or has the potential to be identifiable, on the basis of the information held by the organisation holding the data. So, patient information may be de-identified to a researcher but still be classed as personal data as far as the organisation holding the data is concerned.
In order to process personal data, the GDPR and the Data Protection Act 2018 require that you have a legal basis. Our GDPR guidance recommends that research organisations that are public authorities rely on public interest, and that commercial research partners use legitimate interests, as their legal basis. Explicit consent under the GDPR is not necessary for health and care research.
Transparency about use of patient data
Where patient information is being used for research, there should be as much openness and transparency about that use as possible. This may be through a mix of leaflets, posters, verbal information or information on websites. This should be proportionate and appropriate to the circumstances.
NHSX has published information governance advice around COVID-19.