Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, what steps he is taking to ensure that medical data available to (a) private and (b) overseas companies is used only for the purposes for which that use was granted.
Only approved researchers are able to access data for legitimate purposes. This will involve a three-step process where the researcher, their organisation, and their specific project all have to be approved separately before allowing any access. Independent committees, including members of the public, oversee these decisions. For complete transparency, all approvals will be published openly so the public can see exactly who is using health data and for what purposes.
Where an organisation requests access to patient data, it must adhere to strict rules, including obtaining approval from a Health Research Authority (HRA) Research Ethics Committee. If processing confidential patient information without patient consent, support is needed from the Confidentiality Advisory Group, along with approval from the HRA.
These research approval processes ensure that only legitimate organisations or individuals are able to use the data, for an appropriate purpose, and that safeguards are in place to protect people’s data.
When NHS England shares patient data with appropriate organisations, it does so under a formal data sharing agreement, and it carries out audits and other assurance reviews to ensure that the organisations accessing the data comply with legal and contractual obligations, including international data access processes and compliance with the UK General Data Protection Regulation.