House of Commons Library briefing on access to patient health records, electronic patient records, NHS data security, and the use of confidential information by the NHS.

Individuals have a right to access their own health records and, in limited circumstances, the records of other people. The Government has made a commitment that patients should gain access to their health records within 21 days following a request. Access to health records may also be granted in limited circumstances for relatives or in the case of deceased patients.

This paper has been updated to include relevant information on sharing patient information during the coronavirus outbreak. The Secretary of State for Health and Social Care, Matt Hancock, issued new guidance on 20 March 2020 under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002, allowing NHS England to process confidential information relating to patients if it is for a “Covid-19 Purpose and will be processed solely for that Covid-19 Purpose”. This is in force until 30 September 2020. 

This briefing describes how patients may request access to their records, and the circumstances in which access to the records of others may be allowed, including new requirements introduced by the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It also describes statutory and public interest disclosures of patient information; information sharing rules for people who lack mental capacity; and access to information on hereditary conditions for relatives.

The Government has encouraged the NHS to make better use of technology, so that patients can manage their own healthcare needs, whilst ensuring that data remains safe at all times. It has also committed to all patients accessing their own care plan and communications from care professionals via the NHS app by 2020/21, and by 2023/24 patients will have access to digital-first primary care.

This briefing also outlines safeguarding arrangements for confidential patient information. In 2013, a review was carried out by the National Data Guardian for Health and Care, Dame Fiona Caldicott, to ensure that there is an appropriate balance between the protection of patient information and the use and sharing of information to improve care.

In 2016, a subsequent review by Dame Fiona Caldicott looked at data security and patient opt-outs for the use of their data.

Recommendations from this review led to a number of changes in NHS data security policy, and the launch in May 2018 of a new national data opt-out program. In December 2018, the UK Parliament passed an Act placing the role of the National Data Guardian (NDG) for Health and Social Care on a statutory footing. This allows the NDG to issue statutory guidance about the processing of health and adult social care data.

The paper also details the recent treatment of patient data between the NHS and third-party groups such as Google and Amazon, and debates over the place of patient data in trade agreements after the UK’s departure from the EU.

This briefing relates to the NHS in England, unless otherwise stated.