Safeguarding the confidentiality of patient information

Information for patients

  • Collecting information
  • Sharing with care
  • Keeping information safe
  • Confidentiality
  • Protecting public health

The Health Protection Agency (HPA) must keep your personal health information confidential. It is your right. These pages, and the accompanying leaflet, explain how we do this.

This information is primarily aimed at the general public. Information for Health Care Professionals is also available.

A leaflet has been distributed to all GP surgeries in England to inform the public about how the Health Protection Agency uses patient information to protect public health.

Information and the Health Protection Agency (PDF, 856 KB) 

Questions and Answers

Q  How is information used in the National Health Service (NHS)?

A  It is expected that health care professionals have certain details about their patients - GP files include where you live, what illnesses you have had, immunisations, etc. If you are referred to hospital, some of these details may be covered in the referral letter. Patient information is also used in other ways. We only know how the NHS is functioning with regard to issues such as hospital waiting lists, medicines used, numbers of patients seen in outpatient departments, etc. if such information is collected. We know about infectious diseases and other threats to public health through various reporting mechanisms. In order to better inform patients about these public health uses of data, a leaflet has been written and distributed to clinics, outpatients and GP surgeries.

Q  What is this leaflet about?

A  This leaflet was produced in order to keep patients informed about how their data are being processed. The leaflet describes how the Health Protection Agency uses information to protect health and protect personal data.

The leaflet aims to:

  • Explain how we monitor and control disease, and investigate the risks posed to health by hazards at work or the environment.
  • Set out why this information benefits the public and doctors.
  • Discuss consent to the use of patient information for monitoring infectious diseases and chemical incidents.
  • Explain that the confidentiality of patients is always respected.

Q   Why does the HPA need patient identifiable data?

A  The HPA exists to protect the health of the public from infectious disease and other health hazards. Our work involves identifying the source of an outbreak of disease and looking for trends in infectious disease. It may involve follow-up of contacts of infectious disease if prophylaxis (e.g. vaccines or antibiotics) needs to be given. Communicable disease surveillance relies on patient identifiable information (PII) in order for the health of the public to be protected.

It is therefore essential to ensure that data are handled in accordance with the recommendations of the Caldicott Committee, the requirements of the Data Protection Act, the Human Rights Act and Section 251 of the NHS Act 2006.

Recent data protection legislation and concerns about patient consent make it even more important that everyone knows how information about them is being used.

Q  What is patient identifiable information (PII)?

A  It is information that could identify you. It includes things like your NHS number, National Insurance (NI) number, date of birth or postcode, or data which can indirectly link to an individual by combining information (for example, country of birth and age and laboratory name).

Q  How and where is my personal health information kept?

A  All records are kept securely in compliance with the Data Protection Act and the Caldicott Guidelines. Patient data is securely destroyed after a defined period of retention. We have frameworks in place to safeguard the security of the patient data we hold, transfer or store.

Q  How does the HPA keep my personal health information confidential?


  • All staff within the HPA have a legal duty to keep information about you confidential.
  • The HPA stores your personal health information securely.
  • Only relevant information is shared inside the NHS on a strict need to know basis.
  • Information which has identifiers is not shared with anyone other than those who provided the information.

Q  How does the HPA use information about my health?

A  The HPA uses relevant information about your health to help improve the general public's health, for example:

  • By monitoring cases of disease, levels of immunisation and reports of side effects, we can assess how effective and safe a vaccine is.
  • To identify the source of an outbreak of disease.
  • To look at disease trends or links to prevent further cases from occurring.
  • Wherever possible, your name, postcode and other information that identifies you are removed as soon as possible, and in many instances such "high level" identifiers are not collected at all.

Q  Will patients always be asked if their information can be used in this way?

A  We try to obtain consent from patients wherever possible. However, it is often not possible for healthcare professionals to seek consent for reporting every time they take a specimen, or if they are following up contacts of cases of infectious disease and vaccines or antibiotics need to be given. It is therefore important to ensure that patients know about health protection actions such as the control of an outbreak and how the use of their data can help.

Q  What if a patient asks for their information not to be passed on for public health monitoring?

A  Some diseases are notifiable, which means that they are required to be reported by law, for example meningitis.  

For other sources of information, if a patient asks for their personal information to be withheld we will respect this. However, we hope that an explanation of why we require this information is sufficient. If every patient 'opts out' of having information about them reported to the Health Protection Agency we would have very little detail of how infectious disease spreads within the UK. This in turn would mean we would be less able to prevent future spread of infections.