Data Security in the NHS depends not so much on technical controls as on compliance with the data controller and by all those who use the data/information. The data controller/sponsor organisation is responsible for looking after patient’s information and using it properly. The data controller will hold identifiable information about patients however their rights to access, change or move this patient information are limited. Researchers need to manage patient information in specific ways in order for research to be reliable and accurate.

Patient data is not only vital for managing research studies, it also plays an important role in other ways: planning health services, improving diagnosis and treatment and evaluating the effectiveness of policy. Secondary uses of data offer significant opportunities to improve care, especially if advances in technology and data analysis can be harnessed. However, public confidence in data-sharing has been tested by several high-profile breaches of data security and confidentiality. Nevertheless, the public trust NHS organisations and researchers to manage patient data, and there is strong support for data being shared to improve care and for further research.

Data protection legislation gives data subjects the right to data portability: to move, copy or transmit personal data easily from one IT environment to another. The right applies where:

  • the data was given directly to the controller by the data subject; and
  • Processing is on the basis of either consent or contract.

The transfer of data between one legal entity to another must be done with the explicit consent of the data subject. The subject must have been told what data will be transferred, where their data will be transferred to and by what means. However, this right does not apply where the legal basis for processing the data is ‘task in the public interest’ or ‘legitimate interests’ (HRA).

Why do researchers collect information?

They collect information to help provide patients with the best possible care. The information they collect could include a patient’s name, date of birth, NHS number, contact details and notes and correspondence about their health and care.

This information helps researchers to plan and improve local services and contributes to medical research. For research purposes, they remove any information that identifies patients personally.

What are the legal duties of The Newcastle upon Tyne Hospitals NHS Foundation Trust?

The law allows researcher to use patient information for patient care, for service improvement and for research. They are bound by the General Data Protection Regulation to use information fairly and lawfully. 

In certain circumstances, there may be other reasons why researchers would use patient’s information – for example, to share information with the police in order to prevent a serious crime – but it will always be in line with The Newcastle upon Tyne Hospitals NHS Foundation Trusts legal duty.

How is research information kept secure?

The Newcastle upon Tyne Hospitals NHS Foundation Trust has a legal duty to keep patient information secure. Their staff undertake annual training about information security and have regular audits and independent reviews to make sure that they do keep information safe. If researchers use other organisations to help process information. They make sure these organisations also comply with the trusts legal obligations to keep patient information secure, including when they are based outside of the UK.