Common law duty of confidentiality
Common law confidentiality is not codified in an Act of Parliament but built up from case law through individual judgments. The key principle is that information confided should not be used or disclosed further, except as originally understood by the confider, or with their subsequent permission.
Although judgements have established that confidentiality can be breached ‘in the public interest’, these have centred on case-by-case consideration of exceptional circumstances. Common law confidentiality can also be overridden or set aside by legislation, such as Section 251 of the NHS Act 2006.
Section 251 of the National Health Service Act 2006
This legislation provides the Secretary of State for Health with the authority to make regulations that set aside legal obligations of confidentiality (though not other legal requirements). Support can be granted for a specific range of activities, for example anonymising information, accessing records to contact people for the purposes of gaining consent for research, geographical analysis, linkage, validation and clinical audit.
The section 251 application process is very rigorous and is managed by the Confidentiality Advisory Group.
The powers under the section 251 regulations only provide relief from the common law duty of confidentiality. Any activity taking place with the support section 251 must still comply in full with the Data Protection Act (2018).
Confidentiality Advisory Group (CAG)
The CAG is an independent body which provides expert advice on the use of confidential patient information. Their purpose is to protect and promote the interests of patients and the public, while at the same time facilitating appropriate use of confidential patient information for purposes beyond direct patient care.
The group looks closely at how the public will be informed of this work, as well as ensuring the applicants involve the public by seeking their advice to set up public trust. Most applications are for medical research projects, with the rest relating to NHS functions and management.
Applications to CAG must show that:
- The aim of processing is in the public interest.
- Anonymised information could not be used to achieve the required results.
- It would not be practical to gain specific consent from each person affected.
For research, the approval of a research ethic committee is also needed.
After reviewing an application, the CAG issues one of the following outcomes:
- Supported: Approved with a legal basis to access patient information, subject to standard and any specific conditions outlined in the outcome letter..
- Provisional: Requires further information before a final decision can be made.
- Deferred: Insufficient detail provided – the application may be resubmitted with additional information
- Rejected: The proposed data use is not supported.
CAG publishes all application outcomes and conditions on the Health Research Authority website.
NHS Mid and South Essex CAG applications
We made an application to CAG for the use of confidential data for risk stratification purposes in 2024, using data from GP records, Secondary Uses Service (SUS) datasets, as well as local ambulance service and 111 data. You can find this application here.
We are now applying to CAG to use confidential patient data for commissioning purposes, which includes population health management and sharing of patient data for analysis by partner health and care organisation with the local system via a process known as sub-licensing. The information provided to you via this website, including the data opt-out options, will feed into that application, showing how we have engaged with the public whose information we wish to use.
Learn more about how your information is used