In brief

NHSX recently launched a brand new information governance portal providing a ‘one-stop shop’ for NHS policies and guidance. The new portal covers everything from GDPR in research to records management. But even with the new portal, navigating NHS guidance on data isn’t easy.

We’ve picked out six essential items to have on your radar if your organization accesses or uses NHS data:

The Caldicott Principles

  • The Caldicott Principles apply to the use of confidential information within health and social care organizations and when shared with third parties, such as service providers to the NHS.
  • There are eight broad principles for the protection of people’s medical confidentiality, including justifying the purpose for using confidential information and using the minimum necessary confidential information.
  • The National Data Guardian recently added an eighth Caldicott principle, which makes clear that patients’ and service users’ expectations must be considered and informed when confidential information is used.

Data Security and Protection (DSP) Toolkit

  • The DSP Toolkit is an online self-assessment tool that allows organizations to measure their performance against the National Data Guardian’s 10 data security standards and ensure that their data practices are in line with the GDPR.
  • All organizations that have access to NHS data must use the toolkit to demonstrate that they are practising good data security and that personal information is being handled correctly.
  • The DSP Toolkit focuses on data security, and organizations are required to confirm a range of assertions and support these with evidence. Organizations can choose to publish their results, which acts as an accountability mechanism.
  • Organizations can also use the NHS DSP Toolkit to report security breaches and data protection incidents.

UK Data Protection Act 2018

  • Organizations must comply with the UK Data Protection Act 2018 (DPA). The DPA sets out the framework for data protection law in the UK and sits alongside and supplements the UK GDPR, which applies from 1 January 2021 following the end of the Brexit transition period.
  • The DPA covers processing personal data and requirements for handling special category data, which includes health data. This should be one of the first considerations for organizations planning on contracting with the NHS.

NHS guidance on off-shoring and use of public cloud services

  • NHS guidance on cloud security good practice encourages cloud storage of NHS data in the EEA or a country deemed adequate by the European Commission.
  • The guidance presents a framework for assessing and managing the risk around the use of public cloud technologies in the health and social care sectors in England.

National data opt-out

  • The national data opt-out is a service allowing patients to opt out of their confidential patient information being used for research and planning. The information includes that collected in the course of publicly funded, commissioned or coordinated health and adult social care, as well as private care given in NHS settings.
  • The national data opt-out does not apply where data is shared for a patient’s care.
  • All health and care organizations that process health and social care information as a controller must be compliant with the national opt-out policy by 31 March 2021. They must ensure there are systems in place to record and honour a patient’s opt-out, and processes to ensure that the data of patients who have opted out is not used for research and planning purposes.

The records management code of practice

  • The records management code of practice (2016) sets out what people working with or in NHS organizations in England must do to manage records correctly. It is based on the legal requirements and professional best practice published by the Information Governance Alliance (IGA) in 2016.
  • This guidance covers data retention guidelines, setting out how long records should be retained by an organization in possession of NHS data.
  • A consultation on a new records management code of practice 2020 recently concluded, so a new version is in the works. The revised code will be published once NHSX have analysed the responses and updated it. The 2016 version remains valid until the new code has been finalized.

For more information please contact Lilli Meldrum or Jaspreet Takhar of our London office.
Jaspreet advises market-leading tech and healthcare companies on issues at the cutting-edge of digital health. She focuses on the development and regulation of healthcare technology. This includes assessing how digital health solutions can comply with the legal framework for data privacy, medical research and medical devices / pharmaceuticals.