The NHS collects information about us every time we make use of one of their services. They use this information to help provide the best clinical care for us. The information from patient records is also very valuable to help researchers understand more about disease, to develop new treatments, to monitor safety, and to answer other questions that can improve care.

It is essential that everyone who has access to information about NHS patients understands and meets appropriate information security standards. If public confidence in how their data is used is lost, there can be serious consequences for research.

It is also very important that patients and members of the public understand how their personal data is protected and used, and what their rights and responsibilities are.

This page provides some general information on the regulations, definitions, processes and organisations involved in the use of health data for research. Click on the links for more detail.


The use of ALL personal data in the UK is regulated by the Data Protection Act 1998 (DPA). Under the DPA, personal data, whether in written or electronic form, must be collected, held, processed and transferred in very specific ways and with appropriate safeguards.

Click for more details on the DPA, including how data should be handled and the rights of those whose personal data is being stored.

Under the Common Law duty of confidentiality, the general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

Click for more details on the Common Law duty of confidentiality

The UK Policy Framework for Health and Social Care Research regulates the use of personal health data for research. This document lays out the 19 principles of good practice in research for those who manage and conduct health and social research in the UK.

Click for more details on the UK Policy Framework


When discussing this topic, there are a number of terms that have quite specific legal meanings that might be slightly different to the meanings we give them in everyday speech. It is important to understand and use them correctly.

Confidential information, in the context of healthcare, is personal information given on the understanding that it will not be disclosed to others without consent.

Personal data has a narrower definition than personal information. It is information about a living person which may lead to the identification of the person.

Data subject is an individual who is the subject of personal data.

Data controller is a person, company or organisation who determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Processing means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including: organisation, adaptation or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; alignment, combination, blocking, erasure or destruction of the information or data.

Personal information is all information about individuals, living or dead.

Sensitive information is information about individuals which could cause some sort of harm if it is disclosed inappropriately. It includes all information about physical or mental health or condition, or sexual life, as well as information about race or ethnicity, political opinions, religious or similar beliefs, Trade Union membership, and Criminal Offences.


The best way to make use of data without causing harm or infringing the rights of the data subject is to ensure that the person cannot be identified. There are a number of types of “de-identification”, some of which are stronger than others.

Identifiable data is information that allows a specific individual to be identified without any other steps being required.

De-identified or pseudo-anonymised data still refers to a specific individual, but that person cannot be immediately identified because the identifiers have been removed or coded/encrypted in some way.

  • Coded data uses a code to disguise identifiers, but this can easily be broken by whoever controls the data.
  • Linked Anonymised data uses a code to replace identifiable information such as a name. It is anonymous to the people who receive and hold it (e.g. a research team), but contains information or codes that would allow others (e.g. those responsible for the individual’s care) to identify people from it.

Unlinked Anonymised data describes the situation where the link between the data and the person to whom it refers has been irreversibly broken. No one could use this data to identify a specific individual.


General principles

It is paramount that all information about an individual is treated as confidential and held with strict security and access measures in place, especially when this information can identify an individual. It is a requirement of the Data Protection Act that the level of security, and the cost and effort involved, should reflect the nature of the information and the harm that might result from a breach of confidentiality through unauthorised disclosure or loss. Where identifiable data is required from the NHS (e.g. for data linking purposes) confidentiality should be maintained through the use of Safe Havens (see ORGANISATIONS-data repositories and services below).

It is also necessary in some circumstances (i.e. when using data and/or tissue samples without consent) that these samples are anonymised in order to comply with legislation (i.e. transfer of data under the Data Protection Act, Human Tissue Act consent exemptions).

When patients seek health care they are informed through a Privacy Notice made publicly available by the NHS that when they consent to treatment their data will be processed for the purpose of their health care, including research.  The Data Protection Act also permits the use of “sensitive personal data” for medical purposes (including medical research) without consent, provided the user is subject to the same duty of confidentiality as a healthcare professional.

Despite these provisions, it is generally held that explicit consent should be obtained to use identifiable personal data for medical research, particularly for multicentre or secondary research when people who are not part of the original clinical team need access to the data. However, explicit consent cannot always be gained for new research uses of pre-existing data.

Study design

When you are designing a study, remember that access to identifiable data must be restricted to the smallest number of researchers that will allow the study to be done effectively. Members of the research team who have access to identifiable data should be placed under a duty of confidentiality equivalent to that of a health professional.

Some data may not be obviously identifiable; however there may be the potential to deduce individuals’ identities through combinations of information, either by the people handling the data or by those who see published results.

The most important potential identifiers are:

  • Rare disease or treatment, especially if an easily noticed illness or disability is involved
  • Partial postcode or partial address 
  • Place of treatment or health professional responsible for care 
  • Rare occupation or place of work 
  • Combinations of birth date, ethnicity, place of birth and date of death.

Researchers should always consider whether data contain combinations of information which might lead to the identification of individuals or very small groups when designing studies; before passing information to others; and before publishing. Exactly how much of this potentially identifiable information can be included in a dataset that is presumed to be “unidentifiable” can only be judged on a case-by-case basis. Of course, with the appropriate consent these activities are possible.

Researchers who do not need to access identifiable information should work either with a completely anonymised dataset or samples, or with a pseudonymised dataset or samples (also known as linked or coded data or samples) which are anonymous to the researcher but not irreversibly unlinked.

Some studies may have intellectual property or commercial implications. Where data is effectively anonymised, then an ordinary level of security to protect intellectual property should be sufficient.

Research results may contribute to a commercial patent and access to such data should be restricted to members of the research team only. Staff should also be aware that no results should be discussed outside the research team, unless they are notified otherwise.

Applying for review/approval

Projects considered research within the NHS (i.e. not service evaluation, audit or surveillance) will normally require review by an NHS Research Ethics Committee and R&D approval by every Health Board taking part. If the participants consent to any use of identifiable data, then further review is not usually required. Always check with your local NHS R&D office when putting together a project, for confirmation of the reviews that will be required.

If the project involves access to identifiable information prior to or without consent, or if it is not considered research within the NHS, then one of two reviews will probably be required:

  • For access to patient information held within one NHS board in Scotland, advice should be sought from the local Caldicott Guardian.
  • Access to patient information in more than one NHS Board in Scotland requires an application to the Public Benefit and Privacy Panel for Health and Social Care. Note that PBPP review is required for studies that will be using data linkage from bodies such as the Information Services Division (ISD) or National Records Scotland, even if participants have consented to use of their individual data. Applications to PBPP are made via the electronic Data Research and Innovation Service (eDRIS).

ORGANISATIONS-review and approval

NHS Research Ethics Committees review research proposals and act as the participants’ advocate. This review is intended to confirm that everyone involved in the research is properly protected and that the benefits outweigh the risks. In most cases, a single REC Favourable Opinion covers all research sites across the UK.

NHS R&D approval: Each Health Board taking part in the research must review the study to confirm their local capacity and capability to take part. They will issue formal approval when it is determined that the site will definitely take part. NHS R&D approval must be obtained separately from each NHS site, although there are centralised review processes to reduce duplication of effort.

Public Benefit and Privacy Panel for Health and Social Care: Panel to review applications to use NHS Scotland originated data.

electronic Data Research and Innovation Service (eDRIS): Single point of contact to assist in the completion of applications to the Public Benefit and Privacy Panel.

ORGANISATIONS-data repositories and services

Information Services Division (ISD): ISD provides health information, health intelligence, statistical services and advice that support the NHS.

National Data Catalogue (NDC): The NDC details the full list of datasets that are held by ISD (Information Services Division - Scotland).

National Records of Scotland (NRS): The purpose of NRS is to collect, preserve and produce information about Scotland's people and history and make it available to inform current and future generations.

Scottish Primary Care Information Resource (SPIRE) is a service which will simplify and standardise the process for extracting data from GP practice systems for a number of purposes. SPIRE also assists GPs by providing tools for practices.

SHARE is an NHS Research Scotland initiative created to establish a register of people interested in participating in health research and who agree to allow SHARE to use the coded data in their various NHS computer records to check whether they might be suitable for health research studies.

Safe Havens: NHS data for research is maintained within either the national or one of four regional “Safe Havens”. Working to agreed principles and standards, these Safe Havens provide access to health data and services to enable research while protecting the confidentiality of the data. Data remains under the control of the NHS and complies with legislative and NHS policies.

If you have any questions or concerns about using personal data for research, please contact the Information Governance Adviser, ext 35194.

