4. Finding potential participants

4.1. Identification by those directly involved in providing, supporting or advising on care

In the NHS, staff understand that unless someone has been asked for and given consent for disclosure, the only people who can access confidential patient information are those directly involved in providing, supporting, or advising on the provision of individual care to that patient. However, there is often confusion about what activities are part of individual care. Clinicians and NHS organisations have not been clear about when individual care includes research, or which staff are part of the patient’s care pathway when research is part of individual care. This mirrors confusion that sometimes exists around other uses of confidential patient information that do not involve individual care, such as for risk stratification purposes.

Healthcare and medical research are in many respects regulated as distinct activities. One of the key reasons for the distinction is that individual care focuses on the best interests of the individual patient, while the primary purpose of research is to generate new knowledge. Healthcare research spans a very wide range of activities that involve patients in different ways. In many types of research there is no direct involvement of patients, or there is no change to patients’ care. This type of research does not involve giving care, even if the results of the research may inform the care of future patients. Staff have been less clear about whether other types of research involve giving individual care. This confusion has sometimes been because research can involve treatments or activities that are being tested to see if they work, and there is therefore uncertainty about whether the patient will benefit from the care. This report clarifies that uncertainty about whether a treatment will work does not affect whether it is part of individual care. After all, in many cases, individual care is done without certainty about the benefit to the patient. It is not the certainty of the benefit that makes an activity individual care, but the intention to act in the best interests of the patient. If the decision to offer the research choice is in the best interests of the patient, because there is a possibility that a treatment, preventive measure, or diagnostic procedure will help the patient, then the activity is both research and individual care.

Research that is also individual care can involve comparison between one or more care options, or comparison of a treatment with placebo. There does not need to be a known benefit of the research procedure for it to be a valid care option, as long as there is uncertainty about the best option for eligible patients. This uncertainty over which care choice will be best is called equipoise. Research Ethics Committees routinely consider whether there is equipoise when deciding whether they should approve a trial. Research Ethics Committees can therefore be asked to confirm when research is also individual care.

Outside research, patients generally expect that the staff involved in giving their individual care change over time depending on the care that they need. Giving care may include delivering care, supporting the care, or advising on suitable care. Care may be provided by a team of people, and patients may be referred to another person or team for new treatment or tests or activities. In the same way, patients may be referred to another person or team for care that is also research.

In this report we clarify that implied consent that is relied on by care teams in the use of identifiable confidential patient information for individual care, can also be relied on by those providing, supporting or advising on care when individual care is delivered through research. This reliance is possible because, although the individuals involved in delivering care through research may be different from those who would deliver care outside research, the same legitimate relationship between the patient and the people giving or supporting care still applies when the research forms part of individual care. The existence of this legitimate relationship, together with the patient’s reasonable expectations, is key to defining who can access confidential patient information to contact people about research as care options. In practice, this means the individual must be directly involved in providing, supporting or advising on the provision of the research as part of the patient’s care. It must also be within the patient’s reasonable expectations - for example, because it relates to their existing care, or to a condition they have, which would make them eligible for the research. This does not mean that such use will always be what everyone expects or wishes, and it is therefore important that uses of confidential patient information in line with the recommendations of this report are accompanied by transparent information about how confidential patient information is used. In addition, clear and accessible means for patients to object to such use of their information should be provided.

When research is individual care, it does not guarantee a benefit for people who take part. Even where research is part of the care pathway for a patient, it is important for patients to be informed about any possible risks of taking part so that they can make a choice about taking part.

Note that this concept of research as a care choice only applies where the intention is that all patients whose information is used are likely to be suitable for the care choice given by the research. This means that only the information of those who are broadly likely to be eligible would be accessible in principle on the basis of implied consent. This aligns with what patients can reasonably expect, and with who they would regard as having a legitimate relationship with them for their care. It will not be within the reasonable expectations of patients that their identifiable confidential patient information will be accessed when there is only a small chance that they would be eligible to be offered the individual choice through research.

The data protection principle of data minimisation is relevant here: the minimum data needed should be accessed from the minimum number of people to fulfil the task.

The authors of the report heard requests from the research community for access to identifiable confidential patient information in a variety of circumstances that the report did not accept. The project recognises that the research community want to make it easier to do research, because of the value of research in improving patient care in the future. The project also recognises that there is a wide diversity of views amongst patients and the public about the level of privacy that they expect to be applied to their identifiable confidential patient information. The report balances these positions to set out arrangements that can be applied now, and recommendations for actions that may in future allow this balance to be reviewed.

Recent public engagement work provides important nuance to this balance. The Welsh public dialogue Using health data to identify and approach people about health and care research (2024) examined how people view the use of their health information to find and contact potential research participants. This, together with the Accessing Patient Data for Research-as-Care Purposes: A Public Dialogue (2025) report, adds to the evidence on public views about the conditions under which access to identifiable confidential patient information for research recruitment may be considered within reasonable expectations. It suggests that support is contingent on strong safeguards, in-system processing, and alignment with established policy principles, rather than representing a blanket shift in those expectations.

A consistent finding from these dialogues is that public acceptability is not fixed – it is shaped by context. Participants often supported broader access to health data for research as care purposes than current practice allows, but only where robust safeguards, strong governance, transparency, and clear communication are in place. In both the Welsh dialogues and recent output from a ‘Creating Reasonable Expectations’ work programme by the National Data Guardian (as set out in the National Data Guardian Annual Report 2022–2023 and Annual Report 2023–2024), two factors were particularly influential: a clear and legitimate relationship between the data user and the patient, and alignment with the patient’s reasonable expectations of privacy. The National Data Guardian programme shows the potential to create reasonable expectations in people about the use of patient data through communication and engagement, using materials co-designed with members of the public. These factors could extend public support in situations directly connected to access of confidential patient information for research as care, but they demand careful explanation of why the access is necessary and how it will be safeguarded.

Findings from the Welsh report - Accessing Patient Data for Research-as-Care Purposes: A Public Dialogue (2025) - indicate that the public can be comfortable with their data being accessed to offer research as care opportunities in a variety of situations – such as within local GP clusters and wider national networks, by non-clinical administrative NHS staff, by reputable institutions outside the NHS, and in very narrow circumstances using AI tools to assist in identifying eligible patients. However, comfort levels varied: participants were most at ease when an NHS administrative staff member accessed data to offer options for a severe condition, and least at ease when sensitive data was accessed by a geographically distant GP identifying participants via national NHS networks. These findings reinforce the importance of involving relevant people in designing approaches to finding and contacting potential participants, and of applying existing research governance safeguards – including ethics and confidentiality oversight. Any adjustments must be grounded in clear criteria and safeguards, limited to the narrow situations discussed in this report, and applied within existing governance frameworks to make sure that protections for privacy and trust are preserved.

The HRA believes that, to maintain public trust, certain safeguards must be adhered to for identifying and contacting potential research participants. These criteria are set out below to clarify expectations. These focus on how researchers and their employers need to think and work in people-centred ways when designing how they will find and contact potential participants.

1. Employers should make sure that policies and rules relating to confidentiality apply to non-regulated staff as part of their contract of employment obligations. These should explicitly reference applicable NHS Codes of Conduct and related contractual standards, so that confidentiality duties are embedded in everyday practice. Registered health professionals are accountable to their regulators for protecting confidentiality.
2. Any health professionals or members of staff who are employed by a different organisation to the organisation giving care through research, but will be involved in delivering the care through research, should have proper arrangements in place, through use of honorary research contracts or letters of access. Honorary Research Contracts or Letters of Access cannot be used to create a mechanism for access to identifiable confidential patient information for people who are not involved in provision of care, or will not be involved in the delivery of care through research. These criteria mean that staff involved in digital intermediaries (see below) will never be able to rely on implied consent to access identifiable confidential patient information unless they meet the legitimate relationship and reasonable expectation conditions identified with strengthened safeguards and oversight.
3. Patients contacted following such disclosures should be given clear and accessible information that has been approved by the Research Ethics Committee about the referral or means of identification. This should explain not only the fact of access but also the context, such as whether access was local, within a broader network, or supported by a PET, reflecting factors that influence comfort levels identified in public engagement.
4. NHS organisations should give all patients transparent information about how options to receive care through research are offered. This information is part of the standard expectations on NHS organisations to explain how information about patients is used. Such transparency should be proactive and contextual, making clear who may access data and under what circumstances, in line with participants’ expectations from public dialogues.
5. A patient may proactively refuse any information about research options, in the same way that patients can refuse to receive information about screening tests. This sort of refusal is different to opt-outs such as the National Data Opt-Out (NDOO) or other systematic opt-out processes like the Summary Care Record (SCR), as it relates specifically to being approached about research rather than to the broader use of a patient’s data. Currently, there are no consistent methods for recording such refusals.
6. Research teams should set out their approach to meeting these criteria to the Research Ethics Committee. For any broader approaches informed by public dialogue findings, such as access by non-clinical administrative staff or via national networks, the Research Ethics Committee application should clearly set out how the approach was co-developed with relevant patients or members of the public, and how additional safeguards will be developed, maintained, and reviewed.
7. Where research is not delivering care to a patient, implied consent for access to that patient’s identifiable confidential patient information cannot be relied on by those who do not have a legitimate relationship with the patient. Honorary Research Contracts or Letters of Access do not create a mechanism for access to identifiable confidential patient information, and are therefore not an alternative to consent. This principle applies equally to PET-assisted identification methods: these must operate within the same legitimacy and reasonable-expectation boundaries as other recruitment approaches, make sure that any access is supported by an appropriate common law legal basis, and incorporate appropriate human oversight.

The work through this project underlines the role of reasonable expectations of patients in applying the common law duty of confidentiality. Reasonable expectations can be adjusted over time through public communication and engagement about how patient information supports research, greater transparency about the use of patient information, and clearer opportunities to register dissent.

This report concludes that further public engagement and involvement work is needed about the use of patient information to find and contact people about research. This should build on recent work, such as the Welsh public dialogues and recent output from the National Data Guardian. That would allow further recommendations to be actioned in this area, including the possible option of a change in legislation if that proves necessary.

4.2. Consent for others to access identifiable confidential patient information for contact purposes

The above section explained that people directly involved in providing, supporting or advising on care in research can access identifiable confidential patient information to find and contact a patient about research. When that is not feasible, or when the research is not part of the care pathway, then access to identifiable confidential patient information to contact people about research needs consent.

One option is for consent to be sought by someone who already has legitimate access to identifiable information, to ask a patient to consent to their identifiable confidential patient information being accessed by others for more detailed screening.

Alternatively, members of the public can be invited to sign up to a register to hear about research options. Such sign-up registers may invite people to express interest in particular therapy areas or types of research, or to self-declare patient information, or to consent to link their care record with their identifiable confidential patient information. In some sign-up registers, people can ask to hear about a wide range of research, without giving any medical information. Sign-up registers should give clear information to people about what identifiable confidential patient information may be accessed by research teams or by electronic screening, the legal basis for such access, and clear mechanisms and reminders for patients to review their consent at suitable intervals.

These sign-up registers rely on information entered by individuals. Where those signing up have agreed for additional information about themselves to be shared with researchers, and it is relevant and appropriate for the register to do so, it may be preferable for registers to seek consent to set up live links to national, regional or specialist sources of patient information, rather than receiving extracts of data that may become out of date. However, registers should assess whether asking for consent to access more identifiable confidential patient information upon registering to a service has the unintended consequence of reducing sign-up rates, because of privacy concerns. Behaviour of patients may vary for different therapy areas.

It is important for researchers to be aware that only a small proportion of eligible patients are likely to proactively sign up to hear about research. This may reduce the diversity of the people approached or create a biased sample.

It is not possible for sign-up registers to link to NHS ‘DigiTrials’ (a digital intermediary) service, as the service is designed to support individual projects. Instead, these registers need to access data directly from NHS organisations or through other routes, for example the NHS England Data Access Service. Feedback suggests that, even where patients give consent for researchers to access data held by NHS England, the process of requesting access, or renewing access, is regarded as burdensome and slow for researchers. This is often due to differing interpretations of consent standards.

Registers that seek consent to search medical records and contact people about research use different approaches. Some sign-up registers allow people to sign up to allow wide access to their medical records for a wide variety of research purposes. Others seek consent to search a small set of information for a particular purpose only, for example consent to use information collected in one research study to ask people about taking part in further research on the same topic. This results in debate about whether each new research study is covered by the consent previously given.

There is a risk that researchers seek patients meeting narrow eligibility criteria, which could exclude those whose care records do not hold sufficiently detailed, correct or up to date information. Sign-up registers, where patients have consented to have their data accessed and to be contacted about options to take part in research, could explore with patients when there may be greater take-up and a more diverse study population if an invitation to find out about research is sent to a wide population based on a small number of broad criteria. Invitations can allow people to choose whether the research is relevant to them based on self-declared health information, which can then be confirmed at enrolment. For example, researchers finding participants for a trial in a disease with a long diagnostic journey should search for patients with a broad range of relevant symptoms rather than a specific diagnosis, with further screening at the eligibility stage.

Sign-up registers should involve patients to understand any selection bias in their patient cohort, and to assess how to remove any barriers to signing up.

‘Join Dementia Research’ was the first national scale register for people to sign up to be contracted about research options. As part of the process of assuring its development it had a one-off review process by the HRA to assess its standards, and therefore individual research projects can add the use of Join Dementia Research to any previously approved mechanisms for identifying potential participants without making a substantial amendment.

Currently, in the absence of any national standards, individual research projects wishing to use a sign-up register need to include reference to the register in their application for Research Ethics Committee review, or make a substantial amendment to add in the use of the register. This is because changes to recruitment pathways, including related data flows and governance arrangements that affect how participants are identified or informed, require review.

These new national standards for registers for people to sign up to hear about options for taking part in research aim at consistency of compliance at a national level. This will allow registers to show only once, as part of a new Research Ethics Committee (research database) application or upon updating an existing approval, that they adhere to the standards. Approved registers can then be added to any study through a non-substantial amendment not requiring study-wide review.

The authors have found limited exploration, in the material reviewed for this project, of the motivations of the people who sign up to registers – whether broad in scope or therapy area-specific and what their expectations are, and how these are affected by protected characteristics. There is limited understanding about what people who sign up are looking for or expecting in terms of frequency of contact about studies, ongoing communication, or other opportunities. It is also important to explore how resources such as these registers could build public understanding and earn trust in research.

The UK-wide register ‘Be Part of Research’ is currently only available to NIHR funded or NIHR supported studies or an equivalent Devolved Nation counterpart (including studies on the NIHR Research Delivery Network Portfolio), whilst in public beta.

There is some work underway to explore the technical aspects of linking information across sign-up registers, in recognition that researchers who only search for potential participants using one register would miss those signed up elsewhere. However, there appears to be limited understanding of the needs and expectations of researchers for such an 'interlinked' resource (or network of resources) of potential research participants.

The NIHR is exploring the possibility for the NHS to set up a mechanism for patients to choose to hear about research options, like a subscription preference, for example through the NHS App. This method would need to give clear information to patients about what identifiable confidential patient information may be accessed by research teams, with clear mechanisms and reminders for patients to review any long-term consent to access at suitable intervals. Given the broad range of patient information that could be accessed through such a mechanism, patients should be able to choose to hide information that they regard as private from searches of their records (even if conducted using fully automated processes). Care providers would also need to confirm patients’ ongoing consent to access when new information is added to their medical records. These steps would help to build public confidence. Researchers would need to consider the implications of these safeguards for how they design their research.

The authors heard from GPs that uncertainty about the rules for access to patient records, and concerns about liability have led to GPs taking a risk-averse approach to supporting or taking part in research. Some GPs have called for an indemnity scheme that would indemnify against negligence in information governance matters. Although some of the liabilities of data protection issues are already transferred through the regulatory review process, this does not cover all the aspects that GPs would be concerned about that are outside the regulatory process. Study-wide checks are undertaken on behalf of NHS organisations as part of the research approval process, which shifts liability for matters checked through these reviews away from GPs. However, this cannot absolve GPs from fines by the Information Commissioner’s Office, or indemnify local checks such as cybersecurity matters. The project also heard that some GPs are concerned about patients raising concerns, whatever the technicalities of liability, because of the risks to patient relationships and reputation. We hope that the guidance resulting from this project will give clarity for GP practices, thus increasing compliance and reducing risks.

4.3. Managing consent to contact and mental capacity

There is a lack of consistent interpretation of mental capacity legislation in England of the impact of losing capacity on the ability of researchers to rely on a presumption of enduring consent to access identifiable confidential patient information. For all research that is part of care, this report clarifies that access to identifiable confidential patient information about people who lack capacity, or have lost capacity since giving consent, for the purpose of finding and contacting people about research can be given on the same basis as for anyone with capacity.

Similarly, for research that is a care choice, access to identifiable confidential patient information of children can be given on the same basis as for adults with capacity.

There is a need to undertake further public engagement, and seek wider legal opinion, on the use of identifiable confidential patient information of adults lacking capacity, or who have lost capacity since giving consent, and of children, for the purposes of contacting people about research that is not part of care.

4.4. Identification through use of digital intermediaries

Digital intermediaries are organisations (which can be commercial or non-commercial) offering services that can allow potential research participants to be found. Digital intermediaries rely on using electronic systems to search for people on behalf of researchers. The search methods may be manual or automated, including through use of AI-enabled matching systems.

This allows researchers to search for suitable people to contact, but without being able to identify or contact the individuals themselves. Some types of digital intermediary conduct the search and contact suitable individuals, so the researcher does not see any confidential patient information. Individuals who are contacted can then choose to contact the research team if they are interested. In other models, researchers can search de-identified patient information. Patients meeting the search criteria are given a unique code. Individuals with existing access to the patient information, within the organisation holding the contact details, can then use the codes to find and then contact the patients.

A digital intermediary may use existing electronic health records by giving the ability to search directly in the medical records, but in a way that prevents the researcher from being able to see individual records or identify individuals. Other types of digital intermediary take de-identified patient information from electronic health records and transfer it into a separate database. This sort of database can pull together information about people from different sources, for example GP and hospital records.

Many digital intermediaries employ staff who need access to identifiable confidential patient information in order to maintain their systems. For example, some access may be necessary to make sure that de-identification and linkage techniques are carried out accurately and with minimal risk of error. However, implied consent only applies where access is restricted to staff who are directly involved in providing, supporting or advising on care. Staff operating intermediary systems do not normally fall into this category, and the systems themselves are not providing care, even if they are used by researchers to identify potential participants for research that contributes to care. Where consent is not obtained, another lawful basis under the common law duty of confidentiality is required. [1]

This report clarifies that there is no breach of the common law duty of confidentiality in the research context where pseudonymisation or eligibility determination is carried out by a third party solely for the purpose of finding potential participants for research and all of the following apply:

1. the identities of potential participants are only revealed to someone with a legitimate relationship,
2. pseudonymisation or eligibility determination is undertaken using Privacy Enhancing Technologies (PETs) as set out in the Information Governance Review (2013)[2],
3. the process does not involve bulk extraction of data to the third party (such as to onto an external database),
4. in line with patients’ reasonable expectations, the processing must be carried out entirely within an existing clinical system whose primary purpose stays care, and
5. only the minimum necessary information should be accessed.[3]

In relation to PETs that pseudonymise information or determine potential research participants:

‘fully automated’ means that identifiable confidential patient information has identifiers removed by machine without the need for human checks that the de-identification has been successful. Unless the process has been tested on synthetic data, the method must have been initially tested on a small sample of identifiable confidential patient information, with human checks that the information does not allow individuals to be found (including when linked with other information that is intended to be used together). The early testing that involves human checks would need a legal basis for access under the common law duty of confidentiality on a temporary basis until successful fully automated processing was achieved.

‘Bulk extraction of data’ to an external database involves the transfer of identifiable confidential patient information to another organisation or company so that PETs can be used to remove identifiers or screen the data for eligibility purposes. A legal basis under the common law duty of confidentiality is needed for all such bulk transfers of identifiable confidential patient information.

There is no breach of the common law duty of confidentiality where identifiable confidential patient information has already been made anonymous at source prior to extraction to a third party.

Digital intermediaries working within NHS systems are more likely to be acceptable to patients where the intermediary already has access to identifiable confidential patient information for care purposes. This approach aligns with the narrow provisions described in section 6.8 of the Information Governance Review (2013), which anticipated the use of PETs within existing clinical systems to support the identification of potential research participants, provided strict safeguards are met. This encompasses use of AI-enabled systems - only for the purpose of identifying potential participants in research relevant to their health condition - provided they operate entirely within the electronic patient record (EPR) or other existing clinical systems whose primary purpose remains care. Moreover, they must be subject to robust NHS oversight, managed in-house, designed to avoid accessing more information than is necessary for matching participants, and be implemented in line with clear criteria agreed with Research Ethics Committees to prevent patients being surprised when invited to a study.

If the process of contacting patients uses a third party, then a separate and specific legal basis for access under the common law duty of confidentiality is also needed, even if the information being transferred is contact information, as confidential patient information about suitability for research will be included in the letter or message to patients.

Where these safeguards cannot be met, there is still the option to rely on an alternative legal basis, such as support under The Health Service (Control of Patient Information) Regulations 2002 (more commonly known as ‘section 251 support’) in England and Wales.

Currently, in the absence of these standards, individual research projects wishing to use a digital intermediary need to include reference to the service in their application for Research Ethics Committee review, or make a substantial amendment to add in the use of a digital intermediary.

Individuals found through such searches can only be contacted for research recruitment purposes if either:

a) the unique code for each suitable patient is returned to an individual within the organisation who already has access to identifiable information about the patients, so the individual can contact the suitable patients, or

b) the unique code for each suitable patient can be linked to contact information, and a message to the patient can be sent, using only fully automated means within the organisation holding the identifiable information, with no need for such information to be viewed by its staff, or

c) the unique code for each suitable patient is linked to contact information, and the identifiable information is given by the organisation to a third party to send a message to the patient about the research choice. Where consent is not obtained, an alternative legal basis to allow information access by the third party under the common law duty of confidentiality is needed in this case.[1]

In all cases (a-c), digital intermediaries must have processes in place to check that patients being contacted have not died, and that contact details are up to date.

For option a) where a unique code is returned to an individual who can then re-identify them as they already have access to the identifiable information about the patients, it is not necessary or appropriate for that individual to perform further checks on physical or mental health before contacting potential participants. Such checks add a gatekeeping function. The message should be appropriately worded to address any concerns that patients may have. This makes sure that research is made available to the full diversity of potential participants, whilst also reducing burden on clinical teams.

Option b) would apply where the organisation holding the identifiable confidential patient information (even if it is only contact details) uses an in-house electronic or postal mailing system, or an automated third-party system that it already routinely uses for contact with its patients.

Option c) would apply where a digital intermediary is engaged by an organisation solely for the purposes of running searches on patient records, or sending messages to people about research.

Patients who have signed up to registers to be offered the option to take part in research would expect to receive invitations about research through the register. There is an opportunity to explore whether there are mechanisms for digital intermediaries to extend their privacy-protective methods to search for potential research participants by setting up secure links to registers. This would give a route for contact via register channels that patients would be expecting, and would reduce burden on the clinical teams that digital intermediaries might otherwise rely on to contact participants.

There have been frequent calls from researchers for secondary care data in England to be enriched by primary care data. However, earlier attempts to do so have not been successful for a variety of reasons. The Clinical Practice Research Datalink (CPRD) is a UK-wide digital intermediary that is hosted by the regulator MHRA and uses de-identified data from GP practices for a variety of uses, including a specific service for finding potential participants for research. It already receives some secondary care data from some nations, which it further enriches. However, the authors understand that this secondary care data cannot be used when searching for potential participants. The project was informed that CPRD currently works with GP practices across the UK, but is limited in terms of expansion by the cost-recovery model it operates under. Evidence suggests that its model is widely trusted by GPs, and there is demand from GPs to be involved in finding potential participants for research as it offers an income stream as well as a low-burden way to support research. However, CPRD currently uses an opt-in approach for GPs, with expectations for GPs to actively take part in finding and contacting potential participants by undertaking checks on patients found through research searches. As noted above, the report concludes that such checks are not necessary or appropriate. A clinician within CPRD who can review search methodology might give useful reassurance to GPs.

CPRD is currently reliant on GPs to contact potential participants using the contact details that they hold, as CPRD only uses de-identified patient information to find potential participants. There is an opportunity for CPRD to explore the potential of offering a service to directly contact potential participants, using linkage to contact information. This would only be possible using legal options other than consent, such as section 251 support through the Confidentiality Advisory Group in England and Wales.

The authors have heard suggestions that in England, Secure Data Environments could be a suitable route for finding potential research participants. The report agrees that models that allow searching of medical records without use of identifiable confidential patient information should be the primary way of finding potential participants. Where data held in Secure Data Environments are used for this purpose, there are advantages to these being operated within the NHS rather than by commercial operators, following a model such as CPRD where any re-identification and contact is carried out separately by those directly involved in the patient’s care pathway. However, it is crucial to distinguish these two uses of de-identified information:

1. to find people to take part in research
2. to analyse health information for research.

The first use links the search of de-identified records with individuals so that they can be contacted. Even if the researcher does not see any identifiable confidential patient information during this process, from the patient’s perspective it involves being identified.

The second use does not involve identifying an individual, even if the Secure Data Environment host retains access to additional information enabling data linkage related to the same person. The term ‘Secure Data Environment’ was designed to describe the use of health and care information in ways that secure the identity of individuals and keep their privacy.

DHSC defines Secure Data Environments as:

“Secure data environments are data storage and access platforms, which uphold the highest standards of privacy and security of NHS health and social care data when used for research and analysis. They allow approved users to access and analyse data without the data leaving the environment.”[6]

The Secure Data Environment guidelines include the requirement that:

“outputs from a secure data environment must be assessed and approved and must not identify individuals”.

It is likely that the public would not expect infrastructure that is described as a Secure Data Environment to be used to contact them - unless it is made explicit that re-identification is carried out entirely by those providing, supporting or advising on the patient’s individual care, not by researchers or commercial operators. As Secure Data Environments are presented to the public as platforms where researchers handle anonymous data, it is therefore important to make clear not only whether re-identification forms part of the process, but also how it is done – for example, ensuring it can only be undertaken via a code issued to those in a legitimate care relationship with the patient.

4.5. Use of patient information when finding potential participants

In general, researchers want most of the potential participants they contact to be eligible for their research. This means that they try to search for people matching their eligibility criteria as closely as possible, so that the minimum number of people are excluded at final eligibility checks. Researchers often assume that they should check as much data as possible to match eligibility criteria, without necessarily considering the accuracy or relevance of the data available to them.

However, this starts from the wrong premise. If the search limits the people contacted to those who meet the maximum number of eligibility criteria, it is possible that people who are eligible are never invited, because their medical records do not show they are eligible. Information may be more likely to be missing or inaccurate across the diversity of eligible patients. Researchers should consider the original sources of data fields, the accuracy and relevance of data held in different data sources, and whether it is likely to be up to date. Although a data field may exist in the dataset being used, it may for example, be many months out of date when the search is done, or it may be poorly completed. The most disadvantaged patients are more likely to have missing test results or diagnoses. An integrated approach is therefore needed to extend options to take part in research, and to design research to best reflect the population that will benefit from the results of the research.

Researchers should balance the importance of reaching out to a diverse population against the risk of causing misunderstanding or raising false expectations by approaching people who are not actually eligible to take part.

It is important to note that maximising diversity through right use of search criteria is not about setting broad eligibility criteria for the research itself. Even where eligibility criteria need to be narrow for scientific or regulatory reasons, the search criteria can be set broader to make sure that eligible participants are not missed.