Medical Records: Data Protection

(asked on 23rd January 2023)

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, pursuant to the Answer of 23 December 2022 to Question 111586, on Medical Records: Data Protection, how many legal gateways there are which set aside the common law duty of confidence.


Answered by
Will Quince
This question was answered on 31st January 2023

Health and care organisations must ensure there is a lawful basis for sharing confidential patient information from a person's medical records for purposes beyond their individual care and treatment. This will generally mean that the person has provided their consent; there is a statutory or other legal requirement to disclose information; or there is an overriding public interest justification.

When using personal data, health and care organisations must comply with UK General Data Protection Regulation (UKGDPR) requirements and are guided by the eight Caldicott principles which state that confidential patient information should only be used when it is lawful, necessary and there is a clear purpose for doing so.

There are a limited number of legal gateways that set aside the common law duty of confidentiality, such as the powers of NHS Digital under the Health and Social Care Act 2012 to require or request data, for example for purposes directed by the Secretary of State for Health and Social Care. In addition, where it can be demonstrated that it is impracticable to obtain patient consent or work with anonymised data, the Health Service (Control of Patient Information) Regulations 2002 permit personal information to be used for cancer registries, communicable diseases and other threats to public health and enable the approval of the use of confidential patient information for other ‘medical purposes’ such as research, clinical audit and service planning by the Health Research Authority (HRA), for research, or the Secretary of State, for other medical purposes. Before approving such applications, the HRA and Secretary of State must be advised by the Confidentiality Advisory Group, an independent body which considers all applications, balancing patient and public interest with appropriate use of confidential patient information without consent.

Both the UKGDPR and Caldicott principles include specific principles related to transparency and it is the responsibility of each health and care organisation to make a range of information materials readily available to patients and members of the public about what, why, how, when and where confidential patient information might be shared.
