The problem that this report tries to address is that it is not clear to researchers, health care professionals or patients who can access identifiable confidential patient information to find potential participants.
There has historically been varied interpretation of the common law duty of confidentiality. The common law duty of confidentiality is the law that has been decided through the courts, to recognise that patients have expectations of privacy about their health and care information. In broad terms, people expect information about their health to be restricted to those who need to know that information to give their care.
This document explores this issue and makes recommendations for actions that aim to earn public trust and make it easier to offer people options to take part in research. The UKCRD Programme partners will prioritise the recommendations for action. This report also provides guidance to address some areas of confusion. In other areas, next steps by way of further work to agree consistent and detailed guidance are needed. These areas of further work are underway in parallel to this report.
This work focuses only on using patient information to find and contact potential participants about clinical research. It does not try to deal with wider uses of patient information for research or address matters of compliance with the UK GDPR and Data Protection Act 2018.
2.1 Structure of report
The structure of this report is as follows:
- the report starts with a set of principles about people-centred research that has informed this report. Most of the report focuses on aspects relating to finding potential participants
- the first section of the report explores how the principles that apply to access to confidential patient information for individual care apply to research. It clarifies the limited circumstances when research can form part of the patient care pathway. It also explains which people are allowed to access confidential patient information when research is part of the care pathway and in what ways, in compliance with the common law duty of confidentiality
- then the report explores issues around methods for patients to consent to be contacted about research where it is not feasible for those with access to find and contact patients or where the research is not part of the care pathway. There is a brief section on the complexities when patients lack capacity to consent to be contacted about research
- the next section explores methods that use electronic systems to search patient records (known as ‘digital intermediaries’) alongside registers for people to sign up to be contacted about research options (which we have termed ‘sign-up registers’), as both rely on the accuracy, completeness, and relevance of patient record information. This is followed by a section exploring issues around what is held in patients’ records and the relevance of information in patients’ records to eligibility for research - including how these considerations also apply when patient records are linked to information in sign-up registers
- the report then addresses some issues that relate to the small number of situations where identifiable confidential patient information can be accessed without consent
- there is a brief section towards the end on some of the factors to consider when contacting potential participants
- a summary of all the recommendations and proposals for next steps follows on from the conclusions
The report contains several distinct but connected outputs:
- Principles – overarching values that underpin everything in the report
- Key findings – conclusions from previous public engagement activities and insights derived in developing this report
- Recommendations – this report recommends that UKCRD Programme partners decide whether to take these forward and prioritise the recommendations
- Standards – consistent requirements for certain systems (such as sign-up registers and digital intermediaries) so researchers can use them effectively and the public can understand how their data is used by these systems
- Guidance – policy decisions that can be applied immediately to address uncertainty or inconsistency
- Next steps – actions that must follow but need further engagement or work before being implemented
2.2 Definitions
There are lots of different words used to describe patient information. Sometimes different people use one word to mean more than one thing, and sometimes different words are used for the same thing. This creates some of the confusion for people about confidentiality. Some have used the term ‘de-personalised’ data to explain the broad spectrum between ‘personally identifiable’ information that fully identifies an individual and ‘anonymous’ information that cannot be used to identify an individual. However, ‘de-personalised’ does not have a specific technical meaning. This report does not use the terms ‘personal’ or ‘de-personalised’, because of the risk of confusion with the term ‘personal data’ which has a specific legal definition under the Data Protection Act 2018. This report does not discuss personal data in relation to the Data Protection Act. Taking account of the suggestions about language from Understanding Patient Data, this document uses the following descriptive words with specific definitions that are relevant and useful when thinking about the use of patient information to find and contact people about research:
- ‘Identifiable confidential patient information’ means information held in or obtained from medical records, or given by patients, from which it is possible to find individuals. This includes health and care information accompanied by one or more identifiers including NHS or equivalent number, name, contact information or date of birth. It also includes contact information alone held or accessed in the context of health and care information, such as potential suitability for a study
- ‘De-identified patient information’ means information obtained from medical records, or given by patients, from which all the above identifiers have been removed. In this report, de-identified patient information means that such identifiers have been replaced by a unique code or mechanism that can be used to link the health and care information to the individual, so that they can be contacted about research options. Although this information should still be handled carefully because it is possible to re-identify people when the information is joined up with other information holding the same unique code, it should not be possible to identify an individual from the information on its own. This report does not explore when such de-identified patient information is personal data under the terms of UK GDPR
- ‘Implied consent’ is applicable where patients reasonably expect a person directly involved in providing, supporting, or advising on the provision of their care to have access to their identifiable confidential patient information because of the legitimate relationship between the patient and the person caring for them. It does not rely on a verbal or written confirmation
Although the principle of implied consent is understood in the NHS, there is no consistent understanding as to whether it provides a legal basis for access for finding and contacting people about research. Where it is accepted that implied consent may provide a legal basis for access in the context of research as care, there remains a diversity of opinion as to which research team members that legal basis covers. This report aims to clarify a more consistent approach, while also signposting to ongoing discussions with other stakeholders on options and opportunities for public engagement to inform next steps.
This report is presented to the UKCRD Programme partners for consideration. Researchers or sponsors should not adopt the recommendations proposed until they have been accepted, and the necessary actions taken by the relevant UKCRD Programme partners. We encourage alignment, wherever possible now, with the guidance and standards set out in this report, and we will take forward the next steps identified. Where these are linked to recommendations, their formal adoption depends on acceptance and action by the UKCRD Programme partners.