This content is more than five years old

Long read

Using data in the NHS: the implications of the opt-out and GDPR


Harry Evans

Key messages

  • Patient data is not only vital for managing an individual’s care, it also plays an important role in other ways: planning health services, improving diagnosis and treatment and evaluating the effectiveness of policy. These ‘secondary uses’ of data offer significant opportunities to improve care, especially if advances in technology and data analysis can be harnessed.

  • Public confidence in data-sharing has been tested by several high-profile breaches of data security and confidentiality, while the NHS is still recovering from the controversy associated with the programme. Nevertheless, the public trust NHS organisations to manage patient data, and there is strong support for data being shared to improve care and for further research.

  • Safeguards governing the secondary use of patient data have been strengthened in recent years and will be bolstered by the implementation of a new national data opt-out alongside the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018.

  • These changes will not have any impact on depersonalised datasets, so most secondary analysis and research will be unaffected. However, analysis that relies on using confidential patient information – including some of the national patient surveys and specific efforts to evaluate NHS services and conduct research – may be affected.

  • The consequences will depend on opt-out rates. If large numbers of people opt out of allowing confidential patient information to be used for research, this could affect the quality and validity of the data on which this research depends, potentially undermining important work to improve services and treatments.

  • National policy has to keep a balance between responding to legitimate public concern about the security and confidentiality of data and enabling data to be shared and used by NHS organisations and third parties. It is also essential that NHS national bodies are transparent with the public about how patient data is used.

  • NHS England and NHS Digital must ensure that opt-out levels are kept under review and put in place a long-term plan to promote the benefits of NHS organisations and third parties being able to access and use patient data. At the same time, NHS organisations must ensure they are beyond reproach in the way they use patient data.


Every time a patient has an interaction with an NHS organisation, information is collected about them. Clinicians and NHS administrators collect this information on an individual’s care – for instance, so that there is a record of treatments or drugs they are given or so that hospital consultants can share their test results with GPs.

Patient data is also used for purposes that go beyond an individual’s care – to enable NHS organisations to understand the health needs of their local population, to monitor and manage services, and for research. Any use of data that goes beyond what is required for an individual’s care is known as a ‘secondary use’ – secondary to the original reason for collection.

The public trust NHS organisations more than any other institution with data (Ipsos MORI and Royal Statistical Society 2014), and there is strong public support for using patient data to further research and improve care (Chan et al 2016; Ipsos MORI 2016). Strict safeguards are in place for storing and managing patient data. These safeguards have been bolstered in recent years, partly in response to public concern about the loss of medical records and criticism of the programme (see below). More broadly, public anxiety about how data is used has grown as a result of high-profile breaches of data security and confidentiality, for example, Facebook and Cambridge Analytica sharing data from online profiles without users’ consent and for unethical purposes (Bowcott and Hern 2018).

The safeguards governing the use of personal data, including patient data, are changing on 25 May 2018. This briefing explains the implications of these changes for the use of patient data. It does not attempt to provide guidance, but some guidance that might be helpful is signposted – for example:

Why is patient data so important for supporting the NHS?

Patient data is used under strict regulation by NHS organisations, academic and commercial partners for a variety of reasons, including:

  • understanding disease

  • improving diagnosis

  • ensuring patient safety

  • planning NHS services

  • evaluating how effective NHS policy is.

Those planning health services or trying to understand the public’s health have been using information collected from patients for decades, if not longer. However, with advances in data analysis and greater availability of patient data in a useable format, there is increasing interest in how patient data might be used to drive improvements in care.

Any organisation using patient data must meet legal requirements and be able to demonstrate a clear benefit to the health and social care system of their work. No data can be shared for purely profit-making purposes (NHS Digital 2018c).

Understanding Patient Data – an organisation set up to support conversations with the public and health care professionals about health data – keeps an online resource of examples of how patient data is used for developing new treatments and improving care. Patient data is also used in the everyday running of the NHS: NHS organisations monitor any variations in the quality and effectiveness of care.

For example, the Haematological Malignancy Research Network collects information from every individual with blood cancer in Yorkshire and links this to various national data sources (Understanding Patient Data 2017a). This partnership between St James’s University Hospital diagnostic service, researchers and other hospitals allows doctors and researchers to better understand diagnosis and treatment of people with blood cancer.

In some cases, the NHS shares patient data with commercial organisations. For example, as part of a study looking at what happens to patients after they have been diagnosed with cancer, Monitor Deloitte (a company with data analytics expertise) was commissioned to analyse linked, depersonalised data from the National Cancer Intelligence Network and hospital data. Extra information governance procedures – such as depersonalising the data following linkage – were put in place to keep the patient data secure. Monitor Deloitte’s analysis found significant differences in survival rates and outcomes between different types of cancer (Understanding Patient Data 2017b).

The system for protecting patient data

Legal obligations for secondary uses of patient data

The Data Protection Act 1998 (DPA) was the primary route for ensuring that organisations look after personal data properly and inform people about how their data is going to be used: well-advertised privacy notices are often considered sufficient for this (Medical Research Council 2017). The DPA was superseded by the General Data Protection Regulation on 25 May (see below).

While consent is often not required to satisfy DPA obligations, it is usually required to satisfy the Common Law Duty of Confidentiality (CLDC). This is case law that has established that certain professionals, including doctors and nurses, have a duty of confidence towards their patients (Medical Research Council 2017). The CLDC ensures that information between a professional and patient will remain confidential, except in specific circumstances, and means that explicit consent should normally be sought to satisfy the duty of confidence for secondary uses.

In clinical settings, implied consent may be relied on for sharing confidential patient information for an individual’s care (National Data Guardian 2013). Where an individual’s care team is involved in local clinical audit (reviewing the care their patients have received and what improvements they might make (General Medical Council 2017)), this is considered individual care and can be carried out with implied consent (National Data Guardian 2013).

Confidential patient information can also be disclosed without consent where the use can be shown to meet a public interest test or where there is another mandatory legal requirement for the data, such as a court order.

Guidance on seeking consent can be found in Information Governance Alliance guidance.

Where it is not practical to get explicit consent to satisfy the CLDC, section 251 of the NHS Act permits the CLDC to be set aside for specific secondary uses (Health Research Authority 2018b). This requires organisations to apply to the Health Research Authority’s Confidentiality Advisory Group (CAG), which considers whether the secondary use can be achieved without access to confidential patient information and whether there is a specific medical purpose for the data being shared (Health Research Authority 2018b). This ensures that section 251 cannot be used for obtaining patient data for purely profit-making purposes or for non-health services.

Guidance on section 251 can be found on the Health Research Authority website.

Accessing confidential patient information through section 251

Applications for the use of identifiable confidential patient information under Section 251 are made by a range of organisations; the Health Research Authority keeps a register of approved applications (Health Research Authority 2018a). Under Section 251 organisations can also apply to obtain patients’ addresses; for example, the Cancer Patient Experience Survey, which needs to identify patients and contact eligible patients to ask them about the experience of care they have received.

‘Identifiers’ are not limited to names and addresses – NHS numbers are also considered identifiers. This means that section 251 support is often used when data users want to link datasets together.

If the use of confidential patient information for analysis can be avoided, this protects patients’ privacy and reduces the barriers for obtaining the information. If data is depersonalised to make it unlikely that patients can be identified, approval under section 251 is not required.

Using depersonalised patient data

Most analysis by the NHS and researchers uses depersonalised data. Data that is anonymised to the Information Commissioner’s Office (ICO) standards (Information Commissioner’s Office 2012) is not subject to restrictions in the Data Protection Act or the Common Law Duty of Confidentiality and can be shared more freely (Medical Research Council 2017).

However, there are still safeguards in place. Anyone wanting access to HES data has to submit an application to NHS Digital’s Data Access Request Service (DARS), which requires data users to sign up to a data-sharing agreement and adhere to strict information governance protocols (NHS Digital 2018b). The Care Act 2014 (2014) added legal restrictions requiring NHS Digital (then the Health and Social Care Information Centre) to make information available only if it supports the provision of health and social care or the promotion of health. Data cannot be shared for purely profit-making reasons.

In practice, though, with some detailed datasets complete anonymity is difficult to guarantee without losing some usefulness of the data. The ICO’s current guidance on anonymisation allows for a middle ground, ‘depersonalisation’ or ‘pseudonymisation’, where identifiable information is removed (Information Commissioner’s Office 2012) and includes other safeguards, such as minimising the data that is released and keeping any information that could re-identify individuals in the dataset in a separate organisation. Pseudonymisation is a way of effectively reducing the risk of re-identification.

The use of depersonalised data presents a communications challenge for maintaining trust in data-sharing. The public tend to be happier with sharing when it is anonymous (Ipsos MORI 2016), but in practice this is hard to guarantee. The public recognise that data is never completely safe, but more needs to be done to communicate that risks of re-identification are very small when there are other safeguards in place.

Guidance on pseudonymisation and anonymisation can be found in the Information Commissioner’s Office Anonymisation code of practice.

Changes to safeguards and

Despite the existing safeguards, new attempts to make patient data available for secondary uses have attracted controversy. In the early 2000s, several accidental data losses attracted attention in the media and caused concern that NHS organisations were not taking data protection seriously.

In 2013, in response to growing unease about information governance, Dame Fiona Caldicott, the National Data Guardian, published her second review of information governance in health and social care (National Data Guardian 2013). Much of the review focused on clarifying principles of how to balance protection of patient data with the need to share information to improve care. It added an additional principle to those described in an earlier review (Department of Health and Caldicott 1997) which highlighted that the NHS has a duty to share information.

The review also recommended that patients should be able to request that their confidential information is not shared, and the Secretary of State accepted this recommendation, confirming that all patients would have the right to opt out of confidential personal information being shared for secondary uses (Digital Health 2013).

The programme, which was announced shortly after the Secretary of State accepted the National Data Guardian’s recommendations, would have allowed data from GP records passed to NHS Digital to be anonymised and shared with NHS and third-party organisations in line with existing safeguards. Academic researchers, commercial organisations and others could request access to the data (Hoeksma 2014), though NHS organisations themselves would have been the biggest users.

Patients could opt out of, but the programme was criticised for not having the right safeguards in place (Mann 2014) and for its public awareness campaign, which sent out information leaflets that resembled ‘pizza leaflets’ (Hoeksma 2014).

In early 2014, concerns about reached their peak and NHS England postponed the plans.

Public awareness and attitudes towards data-sharing represented a particular focal point for public and media scrutiny of patient data-sharing, possibly due to the perceived sensitivity of health information (Ipsos MORI and Joseph Rowntree Reform Trust 2014). Findings from the early 2000s demonstrated general concern and unawareness about how patient data is shared, showing that public fears were deep-rooted (Robling et al 2004).

The nature and ferocity of this distrust has not been limited to health care, as the recent outcry at the Facebook and Cambridge Analytica data-sharing has demonstrated (Bowcott and Hern 2018). While health data is considered by the public as some of the most sensitive data, research has also found that NHS organisations are the most trusted to handle data (Ipsos MORI and Royal Statistical Society 2014).

Despite this trust, many people express concerns about health data being used, especially without consent (Sterckx et al 2016). Putting safeguards in place does help to allay fears, but generally the public feel that all safeguards should be in place anyway (Ipsos MORI 2016). Additional safeguards are unlikely to boost confidence in patient data-sharing, where long-term public awareness and education are sorely needed.

These findings should be read in the context that the public is often very supportive of data-sharing when it is seen to have a public benefit. Patient data-sharing is no exception to this (Chan et al 2016). Other research has found that, when given time and information to consider patient data sharing, the public feel that the individual’s right to privacy should not stop research that benefits patients overall (Tully et al 2018).

Recent Healthwatch (2018) research has found that attitudes have been stable over the past few years. They urge policy-makers to continue a long-term public awareness campaign and remain beyond reproach in their use of health data.

Two different types of opt-outs were introduced under, and their scope was later clarified (NHS Digital 2014):

  • type 1: an objection logged directly with a GP practice to prevent any confidential patient information leaving the practice for secondary uses

  • type 2: prevented any confidential patient information leaving the Health and Social Care Information Centre (now NHS Digital).

There were challenges with these. First, there was no central information about the people who had lodged a type 1 opt-out meaning that NHS Digital would not know the profile of those who were missing from their datasets. Type 2 opt-outs did not apply to information that was appropriately anonymised, meaning that NHS Digital would still be able to share complete depersonalised datasets (Department of Health 2016).

In 2015, the Secretary of State commissioned the National Data Guardian to undertake a third review, which was tasked with recommending a new national opt-out model for health and social care data. Following the publication of the review (National Data Guardian 2016), NHS England announced formally that would be stopped, after being indefinitely paused since 2014.

A year later, after significant delays, the government published its response to the review and accepted the recommendation for a new national opt-out (Department of Health 2017).

How is the way the NHS handles patient data changing?

On 25 May 2018, the national data opt-out will be launched, alongside the new General Data Protection Regulation (GDPR). Both measures add new safeguards to the management of patient data and also explicitly aim to shore up public trust.

The national data opt-out

Patients and the public now have the opportunity to make an informed choice about whether they wish their confidential patient information to be used only for their individual care and treatment or also for research and planning purposes. The opt-out will have the following features.

  • It will be a single mechanism for recording opt-outs in a central database (rather than through GPs).

  • Patients can register their opt-out online or over the phone.

  • The opt-out will not apply to anonymous data or data that has been depersonalised in accordance with the ICO’s managing data protection risk code of practice (Information Commissioner’s Office 2012).

  • Some exemptions will exist where there is an overriding public interest or other legal basis, which aligns with legal exemptions from the Common Law Duty of Confidentiality. For example, the opt-out will not apply to patient data that is required for validating invoices for NHS care or where a court order has been obtained.

  • Two specific registries, one collecting data on all individuals with a cancer diagnosis and one on those with a rare disease, are exempt but they will continue to operate their own opt-outs.

  • Patients who have opted out can still give their consent for a specific use of data, like a specific research trial.

  • Existing type 1 opt-outs (those registered with GP practices) will be upheld until at least 2020. Existing type 2 opt-outs will be transferred to the new national data opt-out; those who have registered a type 2 opt-out will be contacted and informed of the changes (Stevens 2017).

The government’s response to Caldicott did not answer all the questions about the opt-out, for example:

  • What will the format and the wording of the opt-out be?

  • At what point will the opt-out apply?

  • What patient data is in scope of the opt-out?

The first of these questions has been answered in part, as it was confirmed in March that the opt-out would be a single question covering both research and planning (Heather 2018b).

The second question has also been answered; organisations have been informed that the opt-out will apply when the purpose of the data use changes rather than when the data leaves the NHS organisation that collected the data (NHS Digital 2018e). For example, a trust would need to apply the opt-out to patient data if its use changed from individual care to research (unless the data is going directly to NHS Digital, who apply the opt-out themselves).

The third question is the one with the most wide-ranging implications. Type 2 opt-outs, as well as other guidance for what qualifies as sensitive health information, refer to ‘confidential patient information’, which is defined as: identifiable, relating to a patient’s health or care, and covered by a duty of confidentiality (NHS Digital 2018e). Personal demographic data linked to clinical data, or drawn from a patient’s medical record, is subject to the opt-out but demographic data not drawn from the medical record would not be subject to the opt-out. For example, a name and address on their own, without clinical information, is not classed as confidential patient information.

Guidance on how the new opt-out is applied can be found on the NHS Digital website.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is designed to modernise data protection law against emerging challenges. These challenges include the growth of advanced machine learning techniques, for instance, which have led to an intensified interest in what these tools can do with big datasets, like those held by the NHS. The new regulation has a big impact on any large-scale collectors of data (Parliament Street 2018).

GDPR should not change anything fundamental about what the NHS can do with patient data, but some elements are important to highlight.

First, ‘explicit consent’ is harder to achieve under GDPR than under CLDC (Information Governance Alliance 2018). Using explicit consent as a legal basis for sharing data requires organisations to be specific about the purpose for which it is being obtained and to document the consent. This may be possible for data collected for specific research projects, but it is unlikely to be possible for many secondary uses. Guidance from the ICO and IGA suggests that NHS organisations should rely on other alternatives to consent for GDPR purposes (Information Governance Alliance 2018).

The GDPR strengthens rights that individuals have over data about them (Information Commissioner’s Office 2017a). Both the right to object and the opt-out (which are different from each other) must be honoured by health organisations.

Under GDPR, the way in which ‘pseudonymised’ data is processed could require increased safeguards and controls for the use of this data for planning and research, and make using patient data for these reasons more challenging. Some argue that the purpose of GDPR is not to remove the pseudonymised status of data that currently permits many secondary uses (Mourby et al 2018), but the current lack of ICO guidance makes this difficult to assess.

Guidance on the new GDPR can be found on the Information Governance Alliance’s website and the Health Research Authority’s website.

Implications of these changes

The opt-out affects other NHS organisations who may want to use confidential patient information for planning as well as researchers and commercial organisations who use patient data to provide research and analysis expertise to the NHS. Depersonalised datasets will be unaffected by the opt-out, meaning the majority of analyses using patient data will continue. However, some analyses rely on confidential patient information, which is subject to the opt-out.

The consequences will depend on opt-out rates. If they remain low, there will be less impact. This needs to be a major motivation for researchers, charities, the NHS and government to act in a way that maintains public trust and keeps down opt-out rates. Clinicians and managers also have a role to play in providing patients with information about how their data is used. (Understanding Patient Data has a range of tools to support these conversations.)

Even a low rate of opt-out has a potentially detrimental impact on some types of analysis. Opt-out numbers have been steadily rising since the original opt-outs were introduced. As of March 2018, 2.4 per cent of the English population had registered a type 2 opt-out (NHS Digital 2018a). Type 1 opt-outs are ostensibly higher; however, as these opt-outs prevent any data from leaving the GP practice, it is impossible to say how many are duplicates or overlap with type 2 figures. Easier online access to the national opt-out may increase opt-outs.

Graph showing number of registered opt-outs since introduction

Source: NHS Digital (2018). Releases after January 2017 changed from monthly to quarterly. Due to the lack of information in type 1 opt-outs, it is impossible to know how many of these are individual people and how many are double-counted in the type 2 figures.

The implications of these changes could be significant. Confidential patient information is used at both national and local level to:

  • monitor the quality of care in NHS organisations

  • allow commissioners to compare the quality of services being offered by different hospitals

  • evaluate and improve treatments and services

  • flag particular problems in how care is being provided in local organisations

  • engage staff in considering how they improve patient care.

If opt-outs are applied to datasets with confidential patient information in, this risks making some kinds of analysis less useful and affects how we use analysis to design and improve services and treatments. Even where usefulness is maintained, confidence in analysis run on incomplete datasets may be undermined.

The impact on the national patient surveys is of particular concern. National surveys such as the Cancer Patient Experience Survey and the NHS Inpatient Survey are important sources of information about people’s experiences of care that can be used by both national and local NHS organisations for a range of activities, such as identifying unwanted variation in care and monitoring the quality of treatment. The Cancer Patient Experience Survey is believed to be at risk (Brennan 2017).

The reason for this impact on surveys is that some groups are more likely to opt out than others, introducing variation into identifiable datasets. Picker Europe, an organisation that conducts surveys on behalf of the NHS and others, has said that an opt-out mechanism is likely to have an impact on the representativeness of surveys (Graham 2016). It is crucial that NHS England and NHS Digital work to mitigate this risk, if possible, and, if not, then to put contingencies in place to protect the representativeness and robustness of the patient surveys.

Some surveys should not be affected by the new opt-out. The GP Patient Survey, for example, relies only on demographic data (not confidential patient information) and will not be affected; given the existing dearth of data on primary care (Baird et al 2016), this is positive.

Variation in opt-out rates may also have an impact on other data analysis. Currently, for example, some local CCGs have a higher opt-out rate than others (NHS Digital 2018a). A recent peer-reviewed analysis of opt-out rates (Piel et al 2018) found that some areas have substantially higher levels of opt-outs than others, limiting the ability to measure variation. A statistical solution might be able to adjust for the demographics of people who opt out, but this would not show other, non-demographic differences between those who have opted out and those who have not. This could potentially slow down public health surveillance conducted by academic researchers. Public health analysis allows researchers to understand how disease affects different parts of the population differently, depending on their location or deprivation, for example. Understanding this helps health organisations to support healthy behaviours and reduce the severity of disabling diseases, but this requires high-quality health data. Without access to complete patient data, there is a risk of undermining some of these goals.

In the long term, increasing opt-outs might jeopardise other types of analysis that are essential for planning and running the NHS, but it is incredibly difficult to pinpoint precisely what opt-out rate would be damaging. Rising opt-out rates may gradually introduce variation into linked, identifiable datasets, leading to inaccuracies in their findings.

Furthermore, ways of analysing datasets are becoming more advanced and some emerging machine-learning tools are biased against certain demographic groups (Pelzel 2017). With opt-out variation skewing against some ethnic populations (Piel et al 2018), bias could be introduced into machine-learning algorithms built from opt-out-applied datasets. This could lead to services and treatments being designed, unknowingly, with a better understanding of those groups that do not opt out.

The timetable for upholding opt-outs is unclear. We know opt-outs will be recorded from 25 May 2018 but the timetable for when different data releases will have the opt-out applied has not been made clear. Time is clearly needed to understand what the implications might be and mitigate these risks.

If opt-outs are to be phased in, this may create confusion for NHS organisations that are required to apply the opt-out for some forms of data-sharing but not others. It also begs the question of how patients will be told if their opt-out is only to be applied to some data releases in the first year.

There is also a question of how the enforcement of GDPR interacts with the opt-out, which is dependent on whether the ICO’s code of anonymisation (Information Commissioner’s Office 2012) is changed. Any changes to this code in the future could have an impact on the number of datasets that are subject to the opt-out.


Data from patients is used to improve services, research new treatments and plan for the future of the NHS. The changes we have described should help to rebuild public trust after recent controversies surrounding data in the NHS and in other sectors. However, this area is incredibly complex and includes many legal and policy technicalities. It is worth considering whether people who decide to exercise their opt-out are aware of precisely the purposes and uses of data that the opt-out will apply to.

Most people are happy for their data to be used for improving services and for research (Chan et al 2016), particularly when it is made clear that the research is at risk without data-sharing (Ipsos MORI 2016). Importantly, despite concerns, the public also believe that the individual’s right to privacy should not stand in the way of research that helps patients overall (Tully et al 2018). However, awareness of how the NHS uses data is very low (Stockdale et al 2018; Ipsos MORI 2016); and while there is a clear desire to express preferences for data-sharing, do patients know what they are opting out of and understand the implications of this?

We have presented examples of how the opt-out could put some NHS planning and research at risk. These examples urgently need further study and a comprehensive response from central NHS bodies. At the same time, more needs to be done to understand the long-term implications of an increasing rate of opt-out, including which groups in the population are opting out and how this might impact our ability to improve care for these groups.

We hope that national bodies and regulators will ensure that staff and researchers handling patient data in the NHS and other organisations will be given the guidance and support they need. Concern and myths about patient data have slowed its use for the common good in recent years (Wellcome Trust 2015) – and this may have an impact on confidence in NHS organisations sharing data for individuals’ care. We welcome the news that applications for patient data have been increasing (Heather 2018a), and we hope that the developments we have described here will not set this back.

Policy in this area is a delicate balance between, on the one hand, responding to public concern about privacy and security, and on the other, being able to realise the potential of making better use of patient data. The key question is whether the implementation of the changes we have outlined here will tip the balance away from the benefits of sharing data.