Anonymous data

Anonymous (otherwise known as effectively anonymised) data is data that is no longer personally identifiable. Anonymous data is not considered as personal data under UK GDPR, nor as confidential patient information under the common law duty of confidentiality. This means it is not subject to the same restrictions as data to which these regimes apply.

Anonymous data may be presented as general trends or statistics. For example, by removing direct identifiers such as NHS number and name, and translating e.g. age into an age range (25-40) and grouping postcodes together. However, information about small groups or people with rare conditions could potentially allow someone to be identified and so would not be considered anonymous. (Sources: ICO and Understanding Patient Data)

On the other hand, reidentification risk does not have to be eliminated completely for data to be considered anonymous, provided that the risk is mitigated sufficiently so that in the hands of the recipient it meets anonymisation requirements. Any onward transfer of (or remote access to) the data may change its status to be personal data again, depending on any additional information and means available to the onward recipient.


Anonymisation involves the application of one or more anonymisation techniques to personal information. When done effectively, the anonymised information cannot be used by the recipient to identify the data subject either directly or indirectly, taking into account all the means reasonably likely to be used by them. This is otherwise known as a state of being rendered anonymous in the hands of the recipient. (Source: ICO)

Care Team

Care teams may include doctors, nurses, and a wide range of staff on regulated professional registers, including social care professionals. Relevant information should be shared with them when they have a legitimate relationship with the patient or service user. Care teams may also contain members of staff, who are not registered with a regulatory authority. (Source: Information: To share or not to share? The Information Governance Review, National Data Guardian).

Common law duty of confidentiality

A duty of confidentiality arises when one person discloses information to another (e.g. patient to clinician or service user to social care staff) in circumstances where it is reasonable to expect that the information will be held in confidence. It –

(Source: Confidentiality: NHS Code of Practice 2003).

Confidential patient information

The term 'confidential patient information' (also known as ‘confidential patient and service user’ information) is a legal term defined in section 251 (11) of the National Health Service Act 2006. Patient or service user information is “confidential patient information” where (1) the identity of the individual in question is ascertainable from that information, or from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information; and (2) that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.

It encompasses health and care information, both clinical and demographic (such as name and address), relating to, or in connection with, an identified or identifiable individual’s past or present use of services (NHS or adult social care).

Data-driven technologies

Technologies that work by collecting, using, and analysing patient and service user data to support the care of individuals, NHS services, public health, or medical research and innovation. (Source: Our data-driven future in healthcare, Academy of Medical Sciences.)

Data protection legislation

This is an overarching term that encompasses the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018. See section 3(9) DPA 2018.


To put into therapeutic use.

Direct care

A clinical, social, or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high-quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care. (Source: Information: To share or not to share? The Information Governance Review, National Data Guardian).

Health Research Authority (HRA) approval

HRA approval is the approval needed prior to the conduct of health or social care research in the NHS (including in independent providers of NHS commissioned primary care services) in England.

Implied consent

Implied consent is applicable only within the context of direct care of individuals (and local clinical audit undertaken by members of the care team). It refers to instances where the consent of the individual patient or service user is implied without having to make any positive action, such as giving their verbal agreement for a specific aspect of sharing information to proceed. Examples of the use of implied consent include doctors and nurses or social care professionals sharing personal confidential data during handovers without asking for the patient’s or service user’s consent. Alternatively, a physiotherapist may access the record of a patient who has already accepted a referral before a face-to-face consultation on the basis of implied consent. Implied consent should only be used if it is reasonable to expect the patient understands how the information will be used (Source: Information: To share or not to share? The Information Governance Review, National Data Guardian).

Indirect care

Activities that contribute to the overall provision of services to a population as a whole or a group of patients or service users with a particular condition, but which fall outside the scope of direct care. It covers health and/or care services management, preventative medicine, and medical research. Examples of activities would be risk prediction and stratification, service evaluation, needs assessment, financial audit. (Source: Information: To share or not to share? The Information Governance Review, National Data Guardian).

Legitimate relationship

The legal relationship that exists between an individual and the health and social care professionals and staff providing or supporting their care. (Source: Information: To share or not to share? The Information Governance Review, National Data Guardian. For further information on the appropriate criteria for determining whether the health or social care professional has a legitimate relationship with the patient or client, see section 3.6 of this report.)

Medical Device

According to the Medical Devices Regulations 2002 (SI 2002 No 618, as amended) (UK MDR 2002), a medical device is described as any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnosis or therapeutic purposes or both and necessary for its proper application, which is intended by the manufacturer to be used for human beings for the purpose of:

diagnosis, prevention, monitoring, treatment or alleviation of disease

diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap

investigation, replacement or modification of the anatomy or of a physiological process, or

control of conception

A medical device does not achieve its main intended action by pharmacological, immunological or metabolic means although it can be assisted by these.

A medical device includes devices intended to administer a medicinal product or which incorporate as an integral part a substance which, if used separately, would be a medicinal product and which is liable to act upon the body with action ancillary to that of the device.

(Source: Medical devices: how to comply with the legal requirements in Great Britain - GOV.UK (

National Data Opt-Out

The national data opt-out is a service that allows patients to opt out of their confidential patient and service user information being used for research and planning in specified circumstances.

Personal data

Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. (Source: Article 4 (1) UK GDPR)


Pseudonymisation can be defined by considering Article 4 (5) and Recital 26 of the UK GDPR, whereas the assessment of identifiability may be considered from the perspective of the recipient of the data that has undergone pseudonymisation:

● Article 4 (5) UK GDPR - The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

● Recital 26 UK GDPR – The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

As a privacy-enhancing process, pseudonymisation is typically applied before information is shared with a third party (recipient) in circumstances where the link between individuals and the data that relates to them needs to be reduced – to offer protection against accidental disclosure - but not removed entirely. For example, it could involve replacing an NHS number, a name, or an address, with a unique number or code (a pseudonym). This has the effect that the recipient cannot identify an individual directly from that data without access to this additional information held separately and securely elsewhere using appropriate technical and organisation measures. (Source: ICO)

Post-market surveillance

Once a medical device has been placed on the UK market, the manufacturer is required to submit vigilance reports to the MHRA when certain incidents occur in the UK that involve their device. They must also take appropriate safety action when required. The manufacturer must ensure their device meets appropriate standards of safety and performance for as long as it is in use.


Research is defined as the attempt to derive generalisable or transferable new knowledge to answer or refine relevant questions with scientifically sound methods. This excludes audits of practice and service evaluations. It includes activities that are carried out in preparation for or as a consequence of the interventional part of the research, such as screening potential participants for eligibility, obtaining participants’ consent and publishing results. It also includes non-interventional health and social care research (i.e. projects that do not involve any change in standard treatment, care, or other services), projects that aim to generate hypotheses, methodological research, and descriptive research. Projects whose primary purpose is educational to the researcher, either in obtaining an educational qualification or in otherwise acquiring research skills, but which also fall into the definition of research, are included in this definition. (Source: UK Policy framework for Health and Social Care Research).

Service evaluation

Service evaluation is designed and conducted solely to define or judge current care and should answer the question: "What standard does this service achieve?" It should measure current service without reference to a standard and involve an intervention in use only. The choice of treatment is that of the clinician and patient or social care professional and service user according to guidance, professional standards, and/or patient or service user preference, and this should happen before service evaluation. Service evaluation usually involves analysis of existing data but may include administration of interview or questionnaire. There should be no randomisation. (Source: HRA decision tool).

Special categories of personal data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. (Source: Article 9 UK GDPR).

Synthetic data

Synthetic data is information that is artificially created (algorithmically) rather than generated by real-world events. It can simulate synthetic populations that resemble the characteristics as well as diversity of actual people. It can also be generated to be statistically consistent with a real data set, which it may then replace or augment.


The United Kingdom General Data Protection Regulation (UK GDPR) became effective on 1 January 2021. The law covers the key principles along with rights and obligations when processing personal data in the UK and is a regulation under the Data Protection Act 2018. More information on the application of UK GDPR in a healthcare research context can be found at: GDPR guidance - Health Research Authority ( The ICO has also published general guidance: Guide to the UK General Data Protection Regulation (UK GDPR) | ICO.

Back to legal requirements for using health and care data