The Promise and Peril of Sharing Health Data in the UK
Health data is one of the most powerful resources in the modern world. When ethically and securely harnessed, it holds the key to groundbreaking medical research, the development of life-saving AI diagnostics, and more efficient public health services. For small businesses in med-tech, academic researchers, and NHS innovators, access to this data is the fuel for progress.
However, this potential is matched by significant legal and ethical responsibilities. Health data is deeply personal, and its misuse can cause profound harm. The UK General Data Protection Regulation (UK GDPR) establishes a strict framework for its handling, creating a complex landscape for any organisation wanting to engage in the process of sharing health data.
Many organisations, from tech start-ups to NHS Trusts, feel caught between the drive for innovation and the fear of non-compliance. This guide provides a clear, practical roadmap for navigating the rules. We will demystify the legal requirements, explore the role of consent, and provide a real-world case study to translate complex principles into actionable steps.
Understanding the Legal Foundations for Sharing Health Data
Under UK GDPR, information about someone’s health is classed as ‘special category data’. Because it is particularly sensitive, it receives stronger legal protection. A good intention or worthwhile project is not enough on its own — you must meet specific legal requirements before you process or share it.
To process health data lawfully, you must meet two tests:
A lawful basis under Article 6 UK GDPR
This applies to all personal data. For NHS organisations, the most common basis is ‘public task’. Private organisations may rely on ‘legitimate interests’, but this requires a documented balancing test against the individual’s rights.An additional condition under Article 9(2) UK GDPR
Because health data is special category data, you must identify a specific condition. Common examples include:Health or social care purposes
Public interest in public health
Scientific or statistical research purposes (with appropriate safeguards)
Crucially, every step of the process must adhere to the core ICO Data Protection Principles. These mandate that data processing must be lawful, fair, and transparent. You must be clear about why you are collecting the data (purpose limitation), collect only what is necessary (data minimisation), and ensure it is kept secure.
The Consent Dilemma: Is It Always the Best Option?
There is a common misconception that explicit consent is the only legitimate route for sharing health data. While consent is one valid approach, it is not always the most practical or appropriate for large-scale research projects. Relying solely on consent can introduce significant challenges.
For instance, researchers may face 'consent bias', where the group of people who agree to share their data is not representative of the wider population, potentially skewing study results. Furthermore, seeking fresh consent for every new research question that arises from a dataset is often unfeasible. Understanding the nuances of this is key, as highlighted in our clear guide to UK GDPR consent requirements.
The UK GDPR recognises these challenges and provides other legal gateways. For research, the Article 9 condition for ‘scientific or historical research purposes or statistical purposes’ is often more suitable. This allows for processing without explicit consent, provided appropriate safeguards are in place to protect individuals' rights and freedoms. These safeguards include technical measures like pseudonymisation and organisational controls like robust governance and oversight.
Reducing Risk: The Power of Anonymisation and Pseudonymisation
A core principle of data protection is to minimise risk to individuals. Two key techniques are central to achieving this when sharing health data: anonymisation and pseudonymisation.
Anonymisation is the process of removing personal identifiers so that the data can no longer be linked to a specific individual. If data is truly and irreversibly anonymised, it falls outside the scope of UK GDPR entirely. However, achieving genuine anonymisation can be difficult, as re-identification can sometimes be possible by combining datasets.
Pseudonymisation offers a more practical and widely used alternative. This technique involves replacing direct identifiers (like a name or NHS number) with a pseudonym or a key-coded reference. The data is still considered personal data because the organisation holding the 'key' can re-identify the individual if necessary. However, it is a highly effective security measure that significantly reduces the privacy risk. For the researcher or innovator receiving the data, they can perform their analysis without ever knowing the real-world identity of the subjects. This method is strongly recommended by the Information Commissioner's Office (ICO) in its ICO Security Guidance.
A Practical Case Study: Sharing Health Data for a New Medical Device
To illustrate how these principles work in practice, let’s consider a common scenario. An NHS hospital trust is collaborating with a technology company to validate a new AI-powered medical device designed to predict patient deterioration.
The Challenge: To train and validate the AI model, the company needs access to a large, historical dataset of patient observations held by the trust. Seeking explicit consent from tens of thousands of former patients is not a viable option.
Here is the step-by-step governance process the trust followed:
Step 1: Establishing the Legal Basis. The trust determined its lawful basis under Article 6 was 'public task' (part of its role is to improve healthcare) and the Article 9 condition was for 'scientific research purposes'.
Step 2: Conducting a Data Protection Impact Assessment (DPIA). A comprehensive DPIA was performed to identify risks to patient privacy and confidentiality. This process assessed the necessity of the data sharing, the potential impact on individuals, and the measures needed to mitigate any risks.
Step 3: The Common Law Duty of Confidentiality. UK GDPR compliance is not the only hurdle. The trust also has a common law duty to protect patient confidentiality. Without consent, sharing identifiable data would breach this duty. This is where a specific legal gateway is needed.
Step 4: Seeking Section 251 Support. The trust applied to the Health Research Authority's Confidentiality Advisory Group (CAG). Under Section 251 of the NHS Act 2006, the CAG can advise on using identifiable patient information without consent for medical research where it is in the public interest. This provides the necessary legal basis to set aside the common law duty of confidentiality.
Step 5: Approval and Governance. The CAG approved the application, satisfied that the public benefit of validating the new device outweighed the privacy intrusion. The trust then put a robust Data Sharing Agreement in place with the tech company. This agreement specified exactly what pseudonymised data could be shared, how it must be secured, and that it could only be used for the agreed research purpose. This process aligns with best practices outlined in our practical guide to UK GDPR data sharing.
The Outcome: The trust successfully shared the necessary data, allowing the AI model to be validated. The project moved forward, potentially improving patient outcomes, all while operating within a strong legal and ethical framework that protected patient confidentiality.
Beyond Compliance: Why Public Trust is Non-Negotiable
Achieving legal compliance is only the starting point. The long-term success of health research and innovation depends entirely on public trust. Patients must have confidence that their data is being used responsibly and for the public good.
Transparency is paramount. Organisations must be open about how they use data. This includes having clear and accessible privacy notices that explain that pseudonymised data may be used for approved research purposes. In England, organisations must also respect the National Data Opt-Out, which allows individuals to prevent their confidential patient information from being used for research and planning.
Engaging patients and the public in conversations about data use is also crucial. This practice, known as Patient and Public Involvement and Engagement (PPIE), ensures that research priorities and governance frameworks reflect public values. When people feel they are partners in the process, trust is built, and the entire ecosystem of health innovation becomes more robust and sustainable. This is especially vital when developing new technologies, as a secure approach is fundamental to safeguarding patient data in AI healthcare applications.
Navigating the requirements for sharing health data is undoubtedly complex, but it is not impossible. By understanding the legal basis, using risk-reduction techniques like pseudonymisation, and following established governance pathways like the Section 251 process, organisations can unlock the immense value of health data. Prioritising transparency and public trust ensures that this innovation is not only legally compliant but also ethically sound, paving the way for a healthier future for everyone in the UK.