1. Identifying information is removed wherever possible

The simplest way to protect someone’s information is to remove identifying details. Anyone wanting to use patient data will only be given access the minimum information necessary to answer a question. Wherever possible, the data will be anonymised in line with guidance given by the Information Commissioner’s Office (ICO Code of anonymisation). This code sets out what details must be removed or disguised, and the safeguards that must be followed to protect data.

If it is not possible to anonymise the data, there are strict controls on how personally identifiable data can be used and stored. It can only be used if you give your permission (consent) or where required by law, and then only with robust safeguards.

Find out more

• When does the law allow personally identifiable information to be shared without consent
• What laws control how personally identifiable data is used

2. An independent review process

Any request to use patient data must first be assessed by an independent review committee. All organisations that look after patient data will have a clear review process to ensure data is only used appropriately.

There are three things that will be checked before approval is given:

Find out more

• NHS Digital

  The Independent Group Advising on the Release of Data (IGARD) reviews applications for sensitive NHS

• HRA

  Confidentiality Advisory Group

3. Strict legal contracts

If a request to use data is approved, a data sharing contract must be signed before the data can be transferred. This is a legal agreement which sets out strict rules about what an organisation can do with the data and what they must never do.

A data sharing contract sets out:

• What data will be provided, and how
• The purpose for which the data can be used
• When and how data must be destroyed after use
• The data security requirements that must be followed
• What an organisation must not do with the data:
  • data cannot be used in any way to re-identify an individual
  • data cannot be linked with any other data, unless explicitly approved in the application
  • data cannot be passed to anyone else, unless explicitly approved in the application
• The organisation can be audited to check data is being used appropriately

4. Robust data security standards

IT systems have high standards of data security to keep data safe, and must be kept up-to-date. Technology can be used to protect data in a number of ways, for example by restricting access (using passwords or swipe cards to control access to data), or using encryption so the data cannot to be read without a code.

Anyone accessing data must provide evidence that they have appropriate technical security, and there must be an audit trail that records every time that personally identifiable data is accessed and used.