Summary of Legal and NHS Mandated Frameworks

Summary of confidentiality and data privacy legislation.

NHSCFA is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of NHSCFA, who may be held personally accountable for any breaches of information security for which they may be held responsible. NHSCFA shall comply with the following legislation and guidance as appropriate:

GDPR and DPA 2018

Regulates the use of “personal data” and sets out six principles to ensure that personal data is:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. Accurate and where necessary kept up to date
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Caldicott Report (1997)

Together with the subsequent Caldicott and National Data Guardian reviews, it recommended that a series of principles be applied when considering whether confidential patient-identifiable information should be shared:

  • Justify the purpose for using patient-identifiable information
  • Don’t use patient-identifiable information unless it is absolutely necessary
  • Use the minimum necessary patient-identifiable information
  • Access to patient-identifiable information should be on a strict need-to-know basis
  • Everyone should be aware of their responsibilities
  • Understand and comply with the law
  • The duty to share information can be as important as the duty to protect patient confidentiality

Article 8 of the Human Rights Act (1998)

Refers to an individual’s “right to respect for their private and family life, for their home and for their correspondence”. This means that public authorities should take care that their actions do not interfere with these aspects of an individual’s life.

The Computer Misuse Act (1990)

Makes it illegal to access data or computer programs without authorisation and establishes four offences:

  • Unauthorised access to data or programs held on a computer e.g. to obtain or view information about friends and relatives.
  • Unauthorised access with the intent to commit or facilitate further offences e.g. to commit fraud or blackmail.
  • Unauthorised acts with intent to impair, or with recklessness so as to impair, the operation of a computer e.g. to modify data or programs held on computer without authorisation; and
  • Making, supplying or obtaining articles for use in offences 1-3.

The NHS Confidentiality Code of Practice (2003)

Outlines four main requirements that must be met in order to provide patients with a confidential service:

  • Protect patient information
  • Inform patients how their information is used
  • Allow patients to decide whether their information can be shared
  • Look for improved ways to protect, inform and provide choice to patients.

Common Law Duty of Confidentiality

Information given in confidence must not be disclosed without consent unless there is a justifiable reason e.g. a requirement of law or there is an overriding public interest to do so.

Administrative Law

Administrative law governs the actions of public authorities. According to well established rules a public authority must possess the power to carry out what it intends to do. If not, its action is “ultra vires”, i.e. beyond its lawful powers.

The NHS Care Record Guarantee

The NHS Care Record Guarantee sets out twelve high-level commitments for protecting and safeguarding patient information, particularly regarding patients’ rights to access their information, how information will be shared both within and outside of the NHS and how decisions on sharing information will be made. The most relevant are:

Commitment 3 - We will not share information (particularly with other government agencies) that identifies you for any reason, unless:

  • You ask us to do so
  • We ask, and you give us specific permission
  • We have to do this by law
  • We have special permission for health or research purposes; or
  • We have special permission because the public good is thought to be of greater importance than your confidentiality and
  • If we share information without your permission, we will make sure we abide by data protection legislation, the NHS Confidentiality Code of Practice and other national guidelines on best practice.

Commitment 9 - We will make sure, through contract terms and staff training, that everyone who works in or on behalf of the NHS understands their duty of confidentiality, what it means in practice and how it applies to all parts of their work. Organisations under contract to the NHS must follow the same policies and controls as the NHS does. We will enforce this duty at all times.
