Data will undergo an anonymisation process before I use it to run my study

Please read the guidelines below and then assess the level of anonymisation of the data resulting from the anonymisation process.

You have indicated that data will be anonymised to some degree before you can use it in your study. There are a few guidelines to follow to safely proceed with data anonymisation.

Before data is anonymised, individual people can be identified from the dataset, such data is considered ‘personal data’ and is subject to the UK General Data Privacy Regulation (UK GDPR). Furthermore, medical data is confidential. The process of anonymising medical data is therefore subject to the common law duty of confidentiality, as is social care service-user data.

If the data is anonymised by the care team of the provider of health data

The care team are staff working in a health and care service provider organisation who the patient / service user would reasonably expect to have access to their record for individual care.

Members of the care team can proceed with the anonymisation of confidential information they are already privy to in their care team member role, without breaching the common law duty of confidentiality.

If the data is anonymised by someone else (e.g. someone outside the care team)

A service provider can apply to lift the common law duty of confidentiality if it decides that it wants to provide those without existing access to confidential information (e.g. someone outside their care team) with access to the data, including for the specific purposes of conducting anonymisation or doing research. The provider (as data controller) bears the risk of determining whether it would be in breach of the law in such scenarios.

England and Wales

The provider needs to obtain approval by the Confidentiality Advisory Group (CAG) where patients are not being approached for consent.

A pre-application checklist is available here: CAG_pre-application_checklist

Scotland

A Caldicott Guardian can provide a legal avenue to access confidential patient information from a single Board. Information sharing and disclosure - UKCGC

The HSE Public Benefit and Privacy Panel (PBPP) can provide a legal avenue on behalf of multiple Board Caldicott Guardians. Public Benefit and Privacy Panel for Health and Social Care - NHSS HSC-PBPP

Northern Ireland

There is currently no legal basis to process patient identifiable data outside the care team. You will need to gain agreement from the local care team to support activity. For further information please visit Health and Social Care Northern Ireland. Full guidance is available on the Integrated Research Application System (IRAS) Website. For further advice, contact the HSC R&D Office (details of offices are available via the HSC website) or the Gateway (phone: (028) 7161 1126; email: research.gateway@hscni.net).

Continue

Explore anonymisation techniques

• Introduction to anonymisation – guide by the Information Commissioner’s Office (ICO)
• Anonymisation: code of practice – guide by the ICO
• Protecting patient data - NHS Digital
• Information governance - NHS Transformation Directorate
• Anonymisation, pseudonymisation and privacy enhancing technologies guidance
• Data Anonymisation & Risk Assessment – Process Map and Automation Efforts