This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies.

Find out more here.

I’d like to use patient data

Last updated on 19 Feb 2019

It’s important that when using patient data to develop apps or software, developers and NHS organisations work together to build and maintain patient trust in their use of their data. Understanding the different laws and approvals surrounding access to patient data is crucial, as is working with patients and the public.

It is vital that you establish the purpose of processing the data before any data is transferred. Is the data being used for direct care or is it being used for research?

Direct care is defined in the Information Governance Review as:

A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. 

It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.

The Information Governance Review, March 2013

Use of patient data in research

If you’re using confidential patient information to develop a new technology or product which is not for direct care, this is classed as research and should conform to the UK Policy Framework for Health and Social Care Research. It must also meet the standards and criteria for research undertaken in the NHS, including information governance standards.

Joint guidance from the HRA, MHRA, Department of Health and Social Care and NHS Digital summarises the key data protection, data governance and medical device regulatory requirements for data driven technology in the NHS and adult social care.

Using patient data without consent

If it is not feasible to obtain patient consent to the use of their confidential data and your research is of public benefit, you need to apply to the Confidentiality Advisory Group (CAG) for support to access this data.

CAG has a tool to help you decide whether you need to make an application for support. Any research applications made to CAG also require approval from a Research Ethics Committee (REC).

Back to how we're supporting data-driven technology