
Safeguarding the confidentiality of patient information

  • Collecting information
  • Sharing with care
  • Keeping information safe
  • Confidentiality
  • Protecting public health

The Health Protection Agency (HPA) must keep your personal health information confidential. It is your right. These pages, and the accompanying leaflet, explain how we do this.

This information is primarily aimed at the general public.
Information for Health Care Professionals.

Leaflets have been distributed to all GP surgeries in England to inform the public about how we (the Health Protection Agency) use patient information to protect public health.

Information and the Health Protection Agency (PDF, 856 KB)
This leaflet describes how the Health Protection Agency uses information to protect your health and protect your identity.

These web pages aim to:

  • Show how the Health Protection Agency takes seriously its responsibilities to Data Protection, and the Caldicott guidance adopted by the NHS
  • Give further detail about permission under arrangements arising from Section 60/61 of the Health and Social Care Act 2001 and the annual Patient Information Advisory Group applications
  • Indicate other websites to obtain information about consent and confidentiality.
  • Provide supplemental information to the leaflet Safeguarding the confidentiality of information about patients while also protecting public health

Questions and Answers

Q  How is information used in the NHS?

A  It is expected that health care professionals have certain details about their patients - GP files include where you live, what illnesses you have had, immunisations, etc. If you are referred to hospital some of these details may be covered in the referral letter. However, many patients do not realise that information on them may be used in other ways. We only know how the NHS is functioning with regard to issues such as hospital waiting lists, medicines used, numbers of patients seen in outpatient departments, etc. if such information is collected. We know about infectious diseases and other threats to public health through various reporting mechanisms. In order to better inform patients about these public health uses of data, a leaflet has been written and is being distributed to clinics, outpatients and GP surgeries.

Q  What is this leaflet about?

A  This leaflet was produced in order to keep patients informed about how their data are being processed.

Information and the Health Protection Agency (PDF, 856 KB)
This leaflet describes how the Health Protection Agency uses information to protect your health and protect your identity.

It explains the Health Protection Agency's commitment to the confidentiality of patient data, what data are collected, whom it is collected from, why it is collected, how the data are processed, who can access it and what procedures govern how the data are handled. The leaflet aims to:

  • Explain how we monitor and control disease, and investigate the risks posed to health by hazards at work or the environment.
  • Set out why this information benefits the public and doctors.
  • Discuss consent to the use of patient information for monitoring infectious diseases and chemical incidents.
  • Explain that the confidentiality of patients is always respected.

Q   Why does the HPA need patient identifiable data?

A  The HPA exists to reduce the impact of infectious disease and other health hazards. This may involve identifying the source of an outbreak of disease or looking at disease trends. Communicable disease surveillance relies heavily on patient identifiable information (PII) in order to perform its public health functions effectively.

It is therefore essential to ensure that data are handled in accordance with the recommendations of the Caldicott Committee, the requirements of the Data Protection Act, Human Rights Act and Section 60 of the 2001 Health and Social Care Act. These especially relate to data with Personal Identifiable Information (PII). Further details of the justification for the need for PII for protecting public health are dealt with in our original 2001 PIAG application.
PIAG application 2001 (PDF, 343 KB)

Recent data protection legislation and concerns about patient consent make it even more important that everyone knows how information about them is being used.

Q  What is patient identifiable information (PII)?

A  It is information that could identify you. It includes things like your NHS number, NI number, date of birth or postcode, or data which can indirectly link to an individual by combining information (for example, country of birth and age and laboratory name and PCT). For a smaller number of infections this information may include the patient's name.

Q  How and where is my personal health information kept?

A  All records are kept securely in compliance with the Caldicott Guidelines. PII are securely destroyed after a defined period of retention. We have frameworks in place to safeguard the security of the PII we hold, transfer or store.

Q  How does the HPA keep my personal health information confidential?

A  

  • All staff within the HPA have a legal duty to keep information about you confidential.
  • The HPA stores your personal health information securely.
  • Only relevant information is shared inside the NHS on a strict need-to-know basis.
  • Information which has identifiers is not shared with anyone other than those who provided the information.

Q  How does the HPA use information about my health?

A  The HPA uses relevant information about your health to help improve the general public's health, for example:

  • By monitoring cases of disease, levels of immunisation and reports of side effects, we can assess how effective and safe a vaccine is.
  • To identify the source of an outbreak.
  • To look at disease trends or links to prevent further cases from occurring.
  • Wherever possible, your name, postcode and other information that identifies you are removed as soon as possible, and in many instances such "high level" identifiers are not collected at all.

Q  Will patients always be asked if their information can be used in this way?

A  Although informed consent is desirable and will be increasingly sought, it is often not practical for healthcare professionals to seek consent for reporting every time they take a specimen. It is therefore important to ensure that patients know about health protection actions such as an outbreak or incident detection and control, and how their specimen and results can help.

Q  What if a patient asks for their information not to be passed on for public health monitoring?

A  Some diseases are notifiable, which means that they are required to be reported by law, for example meningitis.  
See list of notifiable diseases

For other sources of information, if a patient asks for their personal information to be withheld we will respect this. However, we hope that an explanation of why we require this information has been sufficient to allow its use to help us protect public health. If every patient 'opts out' of having information about them reported to the Health Protection Agency we would have very little detail of how infectious disease spreads within the UK and who is getting infections. This in turn would mean we would be less able to prevent future spread of infections. The leaflet gives examples of why we need such information and further examples are given in the original Public Health Laboratory Service (predecessor organisation to the Health Protection Agency) application to the Patient Information Advisory Group (PIAG).
PIAG application 2001 (PDF, 343 KB)


How to find out more

Health Protection Agency Patient Information Leaflet
Information and the Health Protection Agency (PDF, 856 KB)
This leaflet describes how the Health Protection Agency uses information to protect your health and protect your identity.

Information for Health Professionals
www.hpa.org.uk/caldicott

Information from the Department of Health
www.dh.gov.uk/PolicyAndGuidance/InformationPolicy/PatientConfidentialityAndCaldicottGuardians/fs/en

Data Protection Act 1998
www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm

Human Rights Act 1998
www.hmso.gov.uk/acts/acts1998/19980042.htm

Statutory Instrument 2002 No. 1438
www.legislation.hmso.gov.uk/si/si2002/20021438.htm

Patient Information Advisory Group (PIAG) website
www.advisorybodies.doh.gov.uk/piag/

Scottish Centre for Infection and Environmental Health (SCIEH) patient leaflet
www.show.scot.nhs.uk/scieh/documents/protecting_personal_health_information.pdf

NHS Scotland Confidentiality and Data Protection Website
www.show.scot.nhs.uk/confidentiality/