We know that people can be concerned about information from their health and care records being shared, in particular about:
- their personal details being shared or revealed to others
- data being shared outside the NHS
- data being lost because of data breaches, cyberattacks or hacking.
NHS and social care services take respecting your privacy and keeping your information and data safe and secure very seriously.
You can see how we do this in the animation below.
Data protection legislation
The way information from your health and care records is shared is controlled by two main pieces of legislation. These are the Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (GDPR). Together these laws:
- control how personal information can be used and your rights to ask for information about yourself.
- set out the rules to ensure that your information is used fairly, lawfully and transparently.
NHS and social care services also follow the national Caldicott Principles to ensure people's information is kept confidentially and used appropriately.
Everyone within a health and care organisation is responsible for managing information appropriately. Each organisation will have a Caldicott Guardian, who is a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly.
The organisation also has to assess and report on how it is complying with data security and protection annually. You can check online to see when the most recent assessment took place.
NHS and social care services are liable to sanctions, including very heavy fines, from the Information Commissioners’ Office (ICO) for any loss or misuse of data.
Protecting your information
Strict rules and processes are followed to protect your information and data. Legal agreements must be in place before any information or data is shared or accessed by another organisation.
Information and data is shared using secure IT systems which follow industry security standards and are kept up to date against the latest cybersecurity threats.
There are clear rules on who can access your information and data and regular checks are carried out. Anyone accessing or sharing information or data must be approved by their organisation and have completed the right training on how to do this.
Where data from health and care records is used for planning or improving services or for research into new cures and treatments it is normally anonymised and does not contain details which people can be identified from. Only the minimum amount of data that is required will be shared.
In a small number of cases where patient data is shared, some identifiable information needs to be used. This is strictly controlled, and you can object to your data being shared for this particular purpose.