The Confidentiality Advisory Group (CAG) advises the HRA whether there is sufficient justification to process confidential patient information without consent in England and Wales. Support under the relevant regulations (Health Service (Control of Patient Information) Regulations 2002) sets aside the common law duty of confidentiality. It does not set aside the need to comply with other legislation or the principles of data protection.
This means that there also still needs to be a legal basis under the GDPR, as set out in previous sections above, and that appropriate transparency information should be provided and safeguards implemented. CAG sets certain additional expectations in relation to safeguards (eg the opportunity for patients to opt out) and transparency (eg patient notification arrangements), which are a condition of the approval for research. You need to ensure that any additional safeguards or transparency requirements to meet GDPR are also implemented.
Similarly, where agreement has been obtained for use of confidential patient information without consent by the Public Benefit and Privacy Panel in Scotland, or equivalent arrangements in Northern Ireland, there must still be a GDPR legal basis for the processing, and transparency information should be provided (where appropriate) and safeguards implemented.