How the NHS handles your data

Health data and information are safeguarded not only by the duty of confidentiality of the medical profession, but also by data protection laws. These laws are changing and evolving so that your personal data can still be secure in the ever-advancing digital age in which we live. Most recently, the General Data Protection Regulation (GDPR) came into force in the UK in May 2018, as did the 2018 update to the Data Protection Act.

Data protection laws keeping data secure

The NHS holds data on everyone who uses the service. It is obliged to maintain confidentiality and keep the data safe. It is also obliged to share that information in certain circumstances – for example, with other health professionals looking after you. It is important that this information is stored and shared securely and according to law. A number of laws and regulations help to keep data secure, including:

  • General Data Protection Regulation (GDPR). This is a new EU directive which came into force in May 2018, to help keep data safe in the digital age. The basic principles of the way the NHS handles your data are unchanged by this new regulation. Information must be handled and processed in a way which is secure, accurate and lawful. GDPR adds that data breaches must be reported promptly and they lead to large penalties (fines).
  • The Data Protection Act. This is the law for data protection in the UK, which sets out how GDPR is applied to the UK specifically. The 1998 Act was updated in 2018 in order to be in line with the EU regulation.

Organisations and individuals who help to keep data secure

  • Data controllers. This applies to the health organisation as a whole and the GP practices, community services and hospitals, etc, who work within it. All have to handle and process data under strict guidelines.
  • NHS Digital. The organisation now known as NHS Digital calls itself the national information and technology partner to the health and care system. NHS Digital collects, publishes and processes data and information from across the health and social care system in England. It has systems in place for ensuring this to-and-fro of information is secure and appropriate. Similar organisations operate in Scotland (Information and Statistics Division of the NHS in Scotland), Northern Ireland (The Health & Social Care Board, N. Ireland) and Wales (NHS Wales Informatics Service).
  • The Caldicott Guardian. This is the name for the ‘National Data Guardian’ who works with the government and the NHS to provide advice to professionals on keeping healthcare information secure. In 2014, Dame Fiona Caldicott became the first such guardian. She provides guidance and challenge to the government on data issues such as patient confidentiality, information sharing and avoiding abuse of public trust in how health and care data are used. The latest guidance on how to achieve data standards is called The Data Security and Protection (DSP) Toolkit.

Accessing your own data and health information

You have the right to see the information the NHS holds on you personally. You can do this via GP online systems or by asking to see or have copies of part or all of your records. You will not be charged for this, within limits.

If your child is thought to be able to understand about sharing information then they will need to give consent before you can access any information about them. This varies but is usually thought to apply to children from the age of 12 years or so.

You have no right to access health information on your ‘next of kin’ unless they request this and consent to it.

Sharing your health data and information

Some of the information the NHS holds about you is administrative – your name, gender, date of birth, address, etc. Other information is highly sensitive personal health information about you. This includes medical conditions and medications. It can be shared in a way which is identifiable, anonymous, or somewhere in between, depending on the purpose. At times, the NHS may need to share your data or health information, sometimes for your personal benefit, other times in the public interest. Other than when there is a danger to others or yourself involved, you have the option to ‘opt out’ and not to allow sharing of this information.

Some of the situations where data or information is shared are briefly explained below.

  • Summary Care Record (SCR). The idea of the SCR is that basic health information about you personally is available electronically across health settings. So if you found yourself unconscious in an A&E department, for example, the doctors there would be able to see any medication, allergies or medical conditions which might be crucial to them looking after you. Only authorised staff who are directly involved in caring for you can see it. Your SCR is created automatically by your GP practice, unless you have chosen to opt out. If you choose to opt out, tell your GP or fill in an opt-out form and give it to your GP practice. (The forms are usually available on the practice website.)
  • Other sharing between other health professionals. Your GP will need to share basic health information about you when referring you to another NHS service – for example, a specialist hospital clinic, A&E, a district nurse, podiatrist, physiotherapist, etc. They are obliged to only share the relevant information within your records. Likewise, if you are seen in a hospital clinic, the doctor there will write back to your GP telling them the outcome.
  • NHS Digital. Health and administrative information (patient data) about you is used directly for your care but is also put to another ‘secondary’ use. This includes planning the way health service resources are allocated and organised, research into new and existing treatments, and improving the way in which conditions are diagnosed. Usually the way in which this information is used is non-identifiable or anonymous, but sometimes it is used in a way which can be traced to specific people. NHS Digital, which manages this flow of information, has undertaken not to pass any information on to firms trying to sell you products or services, or to insurance companies. It is also committed to keeping that information as securely as possible. You have the choice to allow this flow of information, to help with research and NHS planning, or to ‘opt out’ if you are concerned about the security or secondary use of information about you. In May 2018, along with GDPR, the ‘National Data Opt-out’ was introduced. Adults and teenagers from the age of 13 years have the right to opt out. To read more about what patient data are used for, and how to opt out, visit NHS Digital or the NHS page about your data.
  • Insurance company requests. When you apply for insurance (eg, for a mortgage or critical illness cover), the company will often want medical information from your GP. Your GP will only give this information if you have agreed (consented). However, unfortunately if you do not agree, you may not be able to get the insurance. The insurance company can only ask for relevant information, and you or your GP can object if they request your full records if this is not relevant.