Patient data must be looked after carefully in line with the law. This guidance covers data protection legislation and other protections for patient data.
In the UK, the legal frameworks covering how patient data must be looked after and processed are the Data Protection Act (DPA) 2018, which brought the EU General Data Protection Regulation (GDPR) into law, and the Common Law Duty of Confidentiality (CLDC).
Data protection legislation requires that the collection and processing of personal data is fair, lawful and transparent.
This means there must always be a valid lawful basis for the collection and processing of data as defined under data protection legislation, and the requirements of the CLDC must also be met.
Under GDPR, for recording and processing health and care data, both of the following must be satisfied:
Consent under the DPA must meet certain criteria to be valid. Consent must be:
If using consent as a lawful basis for processing, the individual must also be given certain rights, including the rights to erasure and portability, as defined in the DPA.
Because of this, the ICO has advised that public authorities, such as health and care providers, should avoid using consent as the lawful basis for recording and processing data under GDPR, because they are unlikely to be able to meet the strict requirements around consent. In particular, consent cannot be considered freely given if access to health and care services is dependent on it. The ICO recommends that another lawful basis is used.
To meet the requirements of the CLDC there must be one of the following conditions:
Consent under the CLDC falls under two categories:
It is still possible to use consent to satisfy the CLDC when recording or processing health and care data, and there is no need to change consent practices that already meet the CLDC requirements. Consent under CLDC does not need to meet the requirements for consent set out in the DPA.
The Confidentiality Advisory Group (CAG) is an independent body which provides expert advice on the use of confidential patient information without patient consent. It provides advice to the Health Research Authority (HRA) for research uses, and to the Secretary of State for Health and Social Care.
Its main purpose is to protect and promote the interests of patients and the public, while also making sure that confidential patient information can be used when it is appropriate, for purposes beyond individual care.
Section 251 approval (S251) for the use of confidential patient information without consent for a specific purpose is given by the HRA or the Secretary of State for Health and Social Care on the advice of CAG. It would usually only be granted when the organisation requesting the data makes the case that it would be very difficult or impractical to seek consent from every individual whose data it wishes to use.
The national data opt-out is a policy offering that exists alongside the DPA and CLDC. It only applies to data being used or disclosed where the CAG has granted Section 251 approval, and no specific exemption to the national data opt-out policy has been granted.
As well as having a duty to be fair and a lawful basis for collection and processing of data, all organisations must also be transparent.
Transparency is an important element of data protection. You must make sure your patients know how their data is used and for what purposes it is shared. There should be ‘no surprises’ for a patient in terms of how their data is used.
The ‘transparency’ requirements are set out in full in Articles 12, 13 and 14 of the GDPR. They include making the following information publicly available:
Organisations can use a ‘privacy notice’ or ‘fair processing’ information to inform their patients, or use other methods. By law, the information provided should be concise, easy to understand and easily accessible.
As well as these specific legal requirements, patient data is protected in other ways.
Where personal data is provided from one organisation to another for purposes beyond an individual’s care, a data sharing agreement should be put in place. The agreement will confirm who maintains responsibility and control over the data (referred to as the data controller), and should comply with the relevant data protection legislation and the ICO guidance on data sharing agreements. See the ICO's Data sharing code of practice for more information.
The agreement will set out terms and conditions including, for example:
Each organisation’s terms and conditions of employment include strict guidelines on how staff handle and protect patients’ information, with disciplinary procedures in place, including dismissal, for any member of staff who does not comply with those guidelines. Staff must also be regularly trained in information governance responsibilities.
The Data Security and Protection (DSP) Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
Professional bodies such as the General Medical Council and the Health and Care Professions Council also set out standards which their members must meet.
The Information Commissioner regulates and enforces data protection laws. If the ICO identifies that an organisation has not complied with data protection legislation, it can impose fines of up to £17 million or 4% of global turnover (for the most serious data breaches).
Although the national data opt-out is a policy offering, rather than a specific legal requirement, any organisation that does not comply with the national data opt-out policy could be considered to be breaching the requirement to be fair and transparent. See 10.5 Compliance with the national data opt-out: ICO position in the operational policy guidance document.
Last edited: 21 May 2024 2:26 pm