Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what his Department's policy is on the sharing of personal health data with organisations outside the NHS (a) with and (b) without a person's permission.

The use of patient information must comply with data protection legislation and the common law duty of confidence, where appropriate. Personal health data can only be used for purposes beyond individual care and treatment in specific circumstances and there must be a legal basis for any disclosure.

Confidential patient information can only be shared for non-health purposes where an individual has provided consent, where there is an over-riding public interest, where the information is required by law, or where there is a legal gateway which sets aside the common law duty of confidence. Any disclosure of patient data held within NHS Digital must comply with section 261 of the Health and Social Care Act 2012. Applications for access to patient data held by NHS Digital is made to its Data Access Request Service.

The National Data Opt-Out introduced in 2018 allows patients, in specified circumstances, to opt-out of their information being used for research or planning purposes and has been mandatory since 31 July 2022.