Identify what you plan to achieve by accessing data and what it will mean for your project. Accessing data should be approached purposefully and with data privacy (the confidentiality and protection of personal information) as key. While it may not always be apparent what data will uncover, there are ways to mitigate against accessing more data than you require.
Consider whether you can achieve your research purposes using anonymous or synthetic data (that is, data without information relating to an identified or identifiable individual). Processing such data is not subject to the same regulatory requirements, such as under UK GDPR.
Anonymisation vs. Pseudonymisation
Anonymous data is data that is no longer identifiable of the person to whom it relates. This means that it cannot be reidentified on its own, or using reasonable means together with other data, by someone who accesses the data. Applying anonymisation techniques to personal data such that it is rendered anonymous can be distinguished from applying pseudonymisation.
Pseudonymisation is a privacy-enhancing process that replaces information in a data set that directly identifies an individual (such as name, address, or NHS number). While it removes the ability to attribute the information to a data subject without access to additional information kept separately, by itself it does not render personal data anonymous. ICO call for views: Anonymisation, pseudonymisation and privacy enhancing technologies guidance | ICO
Where identifiable data needs to be used, it should be minimised to the amount of data needed to carry out the project purpose and no more. Designing your project to minimise processing of identifiable data to what is needed is not only a legal requirement but will also help your project to get started quicker. Research that understands and justifies the data it needs therefore has a better chance of succeeding.
Where it is possible to conduct your research with pseudonymised data, you should do so. If the data you use has already been pseudonymised, and you do not have access to other information or reasonable means to make the information identifiable, then the data may not be personal data in your hands. However, if you are pseudonymising the data yourself or you have the potential to re-identify data, then the data would be classed as personal data. It is still worth pseudonymising the data in this situation in order to enhance privacy, and reduce the risk of a harmful data breach, in compliance with health and care sector-wide information governance rules (as set out in guidelines and the Caldicott Principles).
The UK GDPR defines pseudonymisation as:
'…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.' ICO: What is personal data?
Where processing identifiable data is integral to your study and it is not practical to obtain consent, there is statutory provision under Section 251 of the NHS Act 2006 that may be used under certain circumstances. It requires an application under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations) to the Confidentiality Advisory Group (CAG), commonly referred to as obtaining ‘section 251 support’.
Identifiable health and care data (both clinical and demographic, such as name and address, related to the context or, or in connection with, someone’s past or present use of NHS or adult social care services) is subject to the ‘Common Law Duty of Confidentiality’ (sometimes described as CLDC).
Section 251 support to lift the Common Law Duty of Confidentiality is obtained by making an application to CAG under the COPI Regulations (either Regulation 2 for non-research medical purposes, or Regulation 5 for medical research purposes). If approval is given by the Health Research Authority (HRA) under Regulation 5, it allows disclosure of confidential patient or service user information for medical research purposes without consent and without the data provider being in breach of the Common Law. This legal approval route requires additional governance checks, and use of identifiable data without consent must be justified against several criteria. There must also be transparency around the disclosure. For these reasons, using this approach can take longer than other approaches.
Common Law Duty of Confidentiality and Data Protection Law (the UK GDPR and the DPA 2018)
The Common Law Duty of Confidentiality applies to the sharing of confidential patient or service user information. The legal basis to justify disclosure for research is usually on the basis of consent. It can also be on the basis of legislation, such as where approval is obtained under Regulation 5 of the COPI Regulations. Less common, the Regulations permit direct reliance on a COPI Notice introduced temporarily to permit accessing confidential information in response to a public health emergency (under Regulation 3).
Data Protection Law requires a legal basis for processing personal data in addition to the legal basis required under the Common Law Duty of Confidentiality. Controllers must be able to state which lawful basis in Article 6 UK GDPR they will use, and also what Article 9 will be relied on to justify handling health and care data. In practice, personal data must not be processed for research unless it can first be demonstrated that it satisfies the requirements of being in performance of a Public Task, or passes a Legitimate Interests test.
Section 251 support is also only given when there are no practicable alternatives. Researchers using this approach should be mindful that a decision not to provide support could mean significant delays to starting your project.
Further guidance on obtaining section 251 support and the application process to CAG under Regulation 5 of the COPI Regulations is available from the HRA website (see Confidentiality Advisory Group - Health Research Authority hra.nhs.uk).
Section 251 support is also only given when there are no practicable alternatives. Researchers using this approach should be mindful that a decision not to provide support could mean significant delays to starting your project.
Further guidance on obtaining section 251 support and the application process to CAG under Regulation 5 of the COPI Regulations is available from the HRA website (see Confidentiality Advisory Group - Health Research Authority hra.nhs.uk).