The term secondary purposes encompasses uses of data which are separate from patient care. It includes, for example, medical research, health service planning or commissioning and national audits.
Requests for data for secondary uses may be presented in different formats, for example:
- a data sharing agreement between the GP practice and a third party
- a request from a CCG
- other third party access to GP practice records
- requests from researchers
- requests at a national level for data, for example, from NHS Digital.
Below are principles to consider when sharing patient information.
Could it be anonymised?
Disclosure of anonymous data will often satisfy a number of secondary uses and must be used in preference to confidential patient information. Consent is not required.
If you feel that anonymised data would suffice, the requestor should clarify why identifiable data are required, other than where disclosure is mandated by law, for example disclosures to NHS Digital under the Health and Social Care Act 2012.
When consent is needed
Explicit patient consent is needed for the use of confidential patient information for secondary purposes.
Patients can register a national data opt-out to prevent the use of their data for secondary purposes, i.e. medical research and health service planning.
The opt-out will apply unless:
- the information is required by law
- there is an overriding public interest in disclosure
- the disclosure is required for the monitoring and control of communicable diseases or other risks to public health.
When consent is not needed
Confidential patient information may be disclosed for secondary uses without explicit consent if:
- the disclosure of confidential patient information has been authorised by the Health Research Authority’s Confidentiality Advisory Group (CAG) under section 251 of the NHS Act 2006 (in England and Wales)
- it is a disclosure made under the ‘Confidentiality and Disclosure of Information Directions 2013’. This provides a limited statutory basis for some specific disclosures where it is not possible to obtain express consent and where it is not feasible to anonymise data. These specific disclosures include secondary uses relating to the financial and management arrangements of the NHS, eg QOF reviews or investigating complaints
- it is otherwise required by law.
Any disclosure of confidential patient information must also meet the requirements of GDPR:
- data must not be retained longer than is necessary
- the minimum amount of data required for the purpose should be disclosed
- data must be held securely
- information should also be obtained about whether the data will be stored in the UK, EU or outside the EU, and GP practices should seek assurances that appropriate security is in place; this is likely to include evidence that the receiving organisation has carried out a Data Protection Impact Assessment
- assurances should be sought (in writing) that information will not be transferred to a third party and it will only be used for the specific purpose for which it was disclosed.
A formal data sharing agreement or protocol may be advisable to ensure that both parties understand the limits and conditions of data sharing. Legal advice and advice from the LMC may be required, particularly when the data are being processed by a third party.
If there are doubts, further guidance can be sought from Caldicott Guardians, indemnifying or regulatory bodies.
What the public think
We did research into what the public think about sharing of healthcare data for secondary purposes. We contracted BritainThinks to run a workshop with the public.
We wanted to know more about public awareness and what concerns the public have. We also wanted to know what people thought about levels of consent.