Below is a list of the key concepts described in this document or that you may come across when planning access to health and care data.
Information governance guidance and training can be found on the Information Governance portal: Information governance - NHS Transformation Directorate (nhsx.nhs.uk). This includes guidelines on the circumstances in which health and care organisations may share confidential patient or service user information, on the rights individuals have to object to or opt out of data sharing, and on artificial intelligence (AI).
Contents
Common Law Duty of Confidentiality
Confidential Patient Information
Data Access Request Service (DARS)
Data Protection Act (DPA) 2018
Data Protection Impact Assessment (DPIA)
Patient or service user information
Anonymous data
Anonymous (otherwise known as effectively anonymised) data is data that is no longer personally identifiable. Anonymised data is not considered as personal data under the UK GDPR. This means it is not subject to the same restrictions as personal data.
Anonymous data may be presented as general trends or statistics, for example by removing direct identifiers such as NHS number and name, translating an exact age into an age range (such as 25-40) and grouping postcodes together. However, information about small groups or people with rare conditions could still allow someone to be identified, and so would not be considered anonymous.
On the other hand, reidentification risk does not have to be eliminated completely for data to be considered anonymous, provided that the risk is mitigated sufficiently so that in the hands of the recipient it meets anonymisation requirements. Any onward transfer of (or remote access to) the data may change its status to be personal data again, depending on any additional information and means available to the onward recipient. (Sources: ICO and Understanding Patient Data)
Anonymisation
Anonymisation is the process of applying one or more anonymisation techniques to render personal information anonymous. When done effectively, the recipient cannot use the anonymised information to identify the data subject either directly or indirectly, taking into account ‘all the means reasonably likely’ to be used by them. This is otherwise known as the information being rendered anonymous in the hands of the recipient. (Source: ICO)
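The Anonymous data and Anonymisation entries above describe removing direct identifiers, coarsening age and postcode, and the residual risk from small groups. The following is an added example, not part of this document or of any NHS or ICO tooling, showing one way to apply those steps to a constructed extract and then check for small groups with a k-anonymity count. The sample records, the 15-year age bands and the choice of quasi-identifiers (age band plus postcode district) are assumptions for illustration.

```python
from collections import Counter

# Constructed sample extract for this example (hypothetical people, not real data).
RAW_RECORDS = [
    {"nhs_number": "9434765919", "name": "A. Patel",  "age": 27, "postcode": "LS1 4AP", "condition": "asthma"},
    {"nhs_number": "9434765870", "name": "B. Okafor", "age": 31, "postcode": "LS1 5DL", "condition": "asthma"},
    {"nhs_number": "9434765986", "name": "C. Hughes", "age": 38, "postcode": "LS1 2HU", "condition": "asthma"},
    {"nhs_number": "9434766109", "name": "D. Nowak",  "age": 44, "postcode": "LS6 1AB", "condition": "diabetes"},
    {"nhs_number": "9434766141", "name": "E. Murphy", "age": 52, "postcode": "LS6 3EF", "condition": "diabetes"},
    {"nhs_number": "9434766214", "name": "F. Singh",  "age": 58, "postcode": "LS6 4GH", "condition": "diabetes"},
    {"nhs_number": "9434766265", "name": "G. Wright", "age": 63, "postcode": "LS6 2JK", "condition": "huntingtons"},
]

DIRECT_IDENTIFIERS = ("nhs_number", "name")
# Attributes that are not identifiers on their own but can be linked to other
# data to single someone out; which fields count is an assumption for this example.
QUASI_IDENTIFIERS = ("age_band", "postcode_district")


def age_band(age: int) -> str:
    """Generalise an exact age to a 15-year band, e.g. 27 -> '15-29'."""
    lo = (age // 15) * 15
    return f"{lo}-{lo + 14}"


def postcode_district(postcode: str) -> str:
    """Keep only the outward code ('LS6'); the inward code narrows a postcode
    to a handful of addresses."""
    return postcode.split()[0]


def generalise(records):
    """Drop direct identifiers and coarsen the quasi-identifiers."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        g["age_band"] = age_band(g.pop("age"))
        g["postcode_district"] = postcode_district(g.pop("postcode"))
        out.append(g)
    return out


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group of records that are indistinguishable on the
    quasi-identifiers; 1 means at least one person is unique in the release."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def suppress_small_groups(records, k, keys=QUASI_IDENTIFIERS):
    """Remove records whose quasi-identifier combination occurs fewer than k times."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[tuple(r[key] for key in keys)] >= k]


if __name__ == "__main__":
    released = generalise(RAW_RECORDS)
    print("k after generalisation:", k_anonymity(released))  # 1: the 63-year-old in LS6 is unique
    safe = suppress_small_groups(released, k=2)
    print("k after suppression:", k_anonymity(safe), "rows kept:", len(safe))  # 2, 4
```

Removing names and NHS numbers alone leaves the record with the rare condition unique on age band and district, which is the small-group problem the entry describes; suppressing groups below k=2 drops it. A k-anonymity count is a check, not a proof of anonymity: the two groups that survive are each uniform on condition, so anyone who knows a person falls into one of them still learns their diagnosis, and which fields count as quasi-identifiers depends on what the recipient can link to, which is why the status of the data can change on onward transfer.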
Caldicott Principles
Eight principles, originating in the 1997 Caldicott Report and most recently revised by the National Data Guardian in 2020, applied widely across the field of health and social care information governance to ensure patient information is kept confidential and used appropriately.
Common Law Duty of Confidentiality
In Common (judge made) Law, there is a duty of confidentiality which means that when a patient or service user shares information in confidence, it must not be disclosed without some form of legal authority or justification. A duty of confidence arises when one person discloses information to another (e.g. patient to clinician or service user to social care staff) in circumstances where it is reasonable to expect that the information will be held in confidence. It –
(Source: Confidentiality: NHS Code of Practice 2003).
Confidential Patient Information
The term 'confidential patient information' (also known as ‘confidential patient and service user’ information) is a legal term defined in section 251 (11) of the National Health Service Act 2006. Patient or service user information is “confidential patient information” where (1) the identity of the individual in question is ascertainable from that information, or from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information; and (2) that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual. It encompasses health and care information, both clinical and demographic (such as name and address), related to the context of, or in connection with, an identified or identifiable individual’s past or present use of services (NHS or adult social care).
Controller
A data protection legal term denoting a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (Source: Article 4(7) UK GDPR; Controllers and processors | ICO).
In health and care research, it is expected to be the research sponsor (Controllers and personal data in health and care research - Health Research Authority (hra.nhs.uk)).
Data Access Request Service (DARS)
The Data Access Request Service (DARS) is the application process for accessing data held by NHS Digital.
Data Flow Diagram
A data flow diagram is a tool that can be created by organisations to show and help describe the flows of data and controllership across different processing activity stages, including as part of data sharing collaborations.
Data Management Plan
A data management plan is a useful resource that can be created to describe the data processing and management activities throughout the lifecycle of a research study.
Data Processing Agreement
A legally binding agreement in writing between a controller and a processor appointing the processor to process personal data on behalf of the controller. It must contain the specific terms required under UK GDPR.
Data Protection Act (DPA) 2018
The DPA 2018 supplements the UK GDPR, which sets out the data protection framework in the UK.
Data Protection Impact Assessment (DPIA)
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. (Source: Article 35 UK GDPR; Data Protection Impact Assessments (DPIAs) | ICO.).
In health and care research, see Data Protection Impact Assessments - Health Research Authority (hra.nhs.uk).
Data Sharing Agreement (DSA)
A DSA is a written agreement put in place to govern the sharing of personal data between two or more independent data controllers.
Data Protection Law
The UK data protection regime is set out in the UK GDPR and supplemented by the DPA 2018.
National Data Opt-Out
The national data opt-out is a service that allows patients to opt out of their confidential patient and service user information being used for research and planning.
Patient or service user information
Any information (however recorded) that relates to the physical or mental health or condition of an individual, to the diagnosis of a condition, or to their care, or treatment. This definition applies to any information (however recorded) which is to any extent derived, directly or indirectly, from such information, whether or not the identity of the individual in question is ascertainable from the information. (Source: Section 251(10) of the National Health Service Act 2006). For the purposes of this document, ‘service users’ encompass users of either NHS or (adult) social care services in England.
Processor
A data protection legal term denoting a natural or legal person, public authority, agency, or other body which processes personal data on behalf of a controller. (Source: Article 4(8) UK GDPR; Controllers and processors | ICO).
In health and care research, see Controllers and personal data in health and care research - Health Research Authority (hra.nhs.uk).
Pseudonymisation
Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately, and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. (Source: Article 4 (5) and Recital 26 UK GDPR).
As a privacy-enhancing process, it is typically applied before information is shared with a third party (recipient) in circumstances where the link between individuals and the data that relates to them needs to be reduced but not removed entirely. For example, it could involve replacing an NHS number, a name, or an address, with a unique number or code (a pseudonym). This has the effect that the recipient cannot identify an individual directly from that data without access to this additional information held separately and securely elsewhere. Pseudonymisation on its own does not change the status of the data as personal data. However, if the pseudonymised data is held by a different organisation that has put in place relevant contractual arrangements and measures to prevent reidentification, then the data may not be personal data to the receiving organisation. (Source: ICO)
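The entry above turns on the "additional information" being kept separately from the pseudonymised data. The following is an added example, not part of this document or of any NHS tooling, showing a keyed pseudonym (HMAC-SHA256 under a key the controller keeps) beside the weak alternative of a plain hash, and why the distinction matters for a low-entropy identifier such as an NHS number: the hash can be reversed by enumerating candidate numbers, the keyed pseudonym cannot without the key. The sample records, the key value and the candidate number block are constructed for illustration; the Modulus 11 check digit rule is the real one used by NHS numbers.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample extract for this example (hypothetical people, not real data).
RECORDS = [
    {"nhs_number": "9434765919", "name": "A. Patel", "condition": "asthma"},
    {"nhs_number": "9434765870", "name": "B. Okafor", "condition": "diabetes"},
]

# Hypothetical controller key. In practice it is generated once with
# secrets.token_bytes(32) and held in a key store the recipient cannot reach;
# it is the 'additional information kept separately' in the definition.
PSEUDONYMISATION_KEY = bytes.fromhex(
    "4f9a1c0e7b2d6358a1e4c7f0b39d2e6a5c8b1d4f7e0a3c6b9d2f5e8a1b4c7d0e"
)


def nhs_number_valid(n: str) -> bool:
    """Modulus 11 check digit used by NHS numbers: weights 10..2 over the first
    nine digits, check = 11 - (sum mod 11); 11 becomes 0, 10 is invalid."""
    if len(n) != 10 or not n.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(n[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == int(n[9])


def pseudonymise(nhs_number: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key, a holder of the
    pseudonym cannot recompute it for candidate NHS numbers."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(nhs_number: str) -> str:
    """The weak variant: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()


def split_for_recipient(records, key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (recipient dataset, link table). The recipient gets the pseudonym
    plus clinical fields; the link table stays with the controller."""
    recipient, link = [], {}
    for r in records:
        p = pseudonymise(r["nhs_number"], key)
        link[p] = r["nhs_number"]
        recipient.append({"pseudonym": p, "condition": r["condition"]})
    return recipient, link


def valid_nhs_numbers_in(start: int, stop: int) -> List[str]:
    """Enumerate candidate NHS numbers in a block; only about 1 in 11 pass the check."""
    return [s for s in (f"{i:010d}" for i in range(start, stop)) if nhs_number_valid(s)]


def recover_by_enumeration(target: str, candidates: List[str],
                           digest: Callable[[str], str]) -> Optional[str]:
    """Attacker model: push every candidate identifier through the same digest
    the data holder used and compare against the released value."""
    for c in candidates:
        if hmac.compare_digest(digest(c), target):
            return c
    return None


if __name__ == "__main__":
    recipient, link = split_for_recipient(RECORDS, PSEUDONYMISATION_KEY)
    cands = valid_nhs_numbers_in(9434760000, 9434770000)
    print("unkeyed hash reversed:", recover_by_enumeration(unkeyed_hash("9434765919"), cands, unkeyed_hash))
    print("HMAC reversed without key:", recover_by_enumeration(recipient[0]["pseudonym"], cands, unkeyed_hash))
    print("controller re-identifies via link table:", link[recipient[0]["pseudonym"]])
```

The enumeration here covers one block of ten thousand numbers, but the whole NHS number space is only about a billion valid values, so a plain hash offers no meaningful protection and the data stays personal data in the recipient's hands regardless of contract terms. With the keyed pseudonym the recipient can still link records for the same person across the extract, which is the point of pseudonymisation, while re-identification requires either the link table or the key, both of which the controller holds.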
Section 251
Section 251 of the NHS Act 2006 is the statutory provision that allows for regulations to be made for the common law duty of confidentiality to be set aside in specific circumstances where obtaining consent to share confidential patient and service user information is not practicable. This allows such information to be disclosed for purposes beyond an individual’s own (direct) care without breaching the duty of confidentiality.
The Health Service (Control of Patient Information) Regulations 2002 (SI 2002/ 1438) (“COPI Regulations”) were made under Section 251 by the Secretary of State for Health and Social Care. The COPI Regulations enable the disclosure of confidential patient and service user information without consent, and without there being a breach of the common law duty of confidentiality, as long as the requirements of the Regulations are met.
In health and care research, Regulation 5 imposes specific requirements on those who apply under it (also known as an application to obtain section 251 support) to access confidential patient and service user information without consent for medical research purposes. The person responsible for the information and its recipient must still also comply with all other relevant legal obligations including data protection legislation.
Secure data environment
This is the term for data storage and access platforms which allow approved users to analyse data with the highest standards of privacy and security. Key existing examples include NHS Digital's Trusted Research Environment Service for England.
Secure Data Environments will be the default way to use NHS health and social care data for research and analysis, a core commitment in the Data Saves Lives strategy. Further guidance and advice to support the research community's transition to the use of Secure Data Environments will be published in due course, including guidance about exceptions (such as for consented research studies). (Source: Secure data environment for NHS health and social care data - policy guidelines - GOV.UK (www.gov.uk)).
Special categories of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. (Source: Article 9 UK GDPR)
Synthetic data
Synthetic data is information that is artificially created (algorithmically) rather than generated by real-world events. It can simulate synthetic populations that resemble the characteristics as well as diversity of actual people. It can also be generated to be statistically consistent with a real data set, which it may then replace or augment.
UK GDPR
The UK GDPR is the United Kingdom General Data Protection Regulation, which became effective on 1 January 2021. It is the UK enactment of the EU GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)), which had been in force in the UK from May 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The law covers the key principles along with rights and obligations when processing personal data in the UK and it is supplemented by the Data Protection Act 2018.
(Source: Regulation 2 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)
More information on the application of UK GDPR in a health and care research context can be found at: GDPR guidance - Health Research Authority (hra.nhs.uk).
The ICO has also published general guidance on the UK GDPR: Guide to the UK General Data Protection Regulation (UK GDPR) | ICO.