Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Panel, including the Information Commissioner’s Office (ICO) and National Data Guardian (NDG).

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at

Consent and confidential patient information

NHSX COVID-19 Information Governance guidance

The word ‘consent’ means giving permission or agreement for something to happen. This guidance only covers what consent means in relation to using and sharing confidential patient information. An example of confidential patient information is a letter from the hospital to a patient’s GP setting out what treatment the patient received during a hospital stay. This guidance does not cover advice on issues related to consent to treatment.

Guidance for patients and service users

The staff caring for you do not need your consent to record information about your care and treatment. This is because there are important medical and legal reasons why it is necessary for health and care records to be kept. The law requires all organisations to make information readily available to you that explains this. This will include the legal reasons for keeping health and care records, how and why information will be used, who might be able to access information, and your rights in relation to those records.  

In most circumstances health and care staff will rely upon consent as the basis for accessing and using confidential patient information. This should not be confused with an individual right in Data Protection law. Consent can be implied or explicit.

Implied consent: if your confidential patient information is accessed and used for your individual care then your consent is implied, without you having to explicitly say so. This is because it is reasonable for you to expect that relevant confidential patient information will be shared with those caring for you on a need to know basis. If you wish to withdraw consent for information about you to be used to support your individual treatment, you should let your health and care professional know. This may mean that it isn’t possible to continue providing you with care or treatment but your health and care professional will explain this to you.

Explicit consent: if your confidential patient information is used for purposes beyond your individual care, for example a research project, then it will normally be necessary for staff to obtain your explicit consent. This is a very clear and specific statement of consent. It can be given in writing, verbally or through another form of communication such as sign language.  

As stated in the NHS Constitution for England you have the following rights about how your confidential patient information is used beyond your own individual care:

  • To request that confidential information is not used beyond your individual care
  • Where your wishes cannot be followed by health and care staff, to be told the reasons why, including the legal basis; and
  • For objections to information sharing to be considered by heath and care organisations

You can find out more about your options on how your confidential patient information is used beyond your own individual care on the 'Your NHS Data Matters' guidance page.

Guidance for healthcare workers

This guidance covers what consent means in relation to using and sharing confidential patient information. Please also see guidance from the General Medical Council on ‘decision making and consent’ in relation to involving patients in decisions about their care and treatment.

As a health and care professional you should know the difference between implied consent and explicit consent (see patient and service user section for further information).  

Health and care professionals have a duty to share information to support individual care. Implied consent can be used when sharing relevant information with those who are directly involved in providing care to a patient or service user, unless a patient has indicated an objection. Implied consent can also be used for local clinical audit by staff who were involved in providing health and care services to a patient/service user.

When using confidential patient information for purposes other than individual care, such as commissioning or research, you must always consider whether confidential patient information is actually needed. If confidential patient information is essential, then explicit consent is normally required for purposes beyond individual care. If it is not practicable to either work with anonymous data or to obtain explicit patient consent, then support under the Health Service (Control of Patient Information) Regulations 2002 is required. This is often known as 'section 251 support' (see section for IG professionals and HRA guidance for more detailed information).

Your organisation is legally obliged to be transparent about how information is used and shared. It should make information readily available to patients and service users explaining how their information will be used, and their right to object. This is provided in an organisation's Privacy Notice. This information could be made available in waiting areas, in-patient welcome packs, on notice boards and on your organisation’s website. In addition, you may also need to talk to patients and service users about information sharing, for example you might say ‘is it ok if I look at your record’ or ‘I’m going to let my physio colleague know about what we discussed.’

Patients and service users may ask further questions and it is important you are able to answer their questions or point them to further guidance or someone who can help. See the section for IG professionals or speak to your IG Team or your Caldicott Guardian if you need further advice. 

Guidance for IG professionals

The law relating to consent is complex and often leads to confusion.  Both UK GDPR and the common law must be satisfied and these cover two definitions of consent in law.  

Common law 

Common law is the case law developed by courts making decisions on legal points in specific cases. It is different from statutory law which is determined by Acts of Parliament. In common law, there is a duty of confidentiality which means that when a patient/service user shares information in confidence it must not be disclosed without some form of legal authority or justification. In practice, this usually means that the information cannot be disclosed without that person’s consent. For individual care, this can usually be implied consent. For purposes beyond individual care, explicit consent is generally required. There are exemptions, for example when required by law or when there is an overriding public interest.

If it is not practicable to seek consent for purposes beyond individual care, approval for sharing for medical research or health service planning can be sought from the Health Research Authority or the Secretary of State for Health and Social Care under the Health Service (Control of Patient Information) Regulations 2002. This is often known as 'section 251 support'. Section 251 enables the common law duty of confidentiality to be lifted for a period of time, subject to review, so that confidential patient information can be used without breaching the duty of confidentiality. Refer to HRA guidance for further information. 

It is important to note that when you are referring to implied consent for the use of confidential patient information for individual care and seeking explicit consent for planning or research, you are referring to consent under common law not UK GDPR. 

UK GDPR, Data Protection Act 2018

Under UK GDPR there is a high threshold for consent; there is no such thing as implied consent under UK GDPR. For UK GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. 

Consent is one of a number of conditions for processing to meet UK GDPR requirements. Under UK GDPR, you should not rely on this condition for individual care or medical research. The most appropriate bases for lawful processing that is available to publicly funded and/or statutory health and social care organisations in the delivery of their functions are:

  • Article 6(1)(c): processing is necessary for compliance with a legal obligation 
  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 9(2)(h): processing is necessary for the purposes of preventative or occupational medicine...medical diagnosis, the provision of health or social care or the management of health or social care systems and services…’
  • Article 9(2)(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices...
  • Article 9(2)(j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes...
  • Data Protection Act 2018, Schedule 1: Part 1 describes conditions for processing personal data for health, public health, social care and research purposes; Part 2 sets out the conditions for processing personal data on the grounds of substantial public interest

The Information Commissioner has strongly recommended that consent should NOT be used by health and care organisations as a condition for processing under UK GDPR. Consent under UK GDPR should be ‘freely given, specific, informed and unambiguous’. It is difficult to provide care without processing information and doing so could be detrimental to a patient’s care; therefore, consent is rarely ‘freely given’ in the health and care setting.

Transparency information

It is essential that clear and accessible information is available to patients and service users about how their health and care information is used and shared. This must be included in Privacy Notices which may be made available in leaflets and on organisations’ websites. To rely on implied consent, there should be no surprises for patients therefore the information should set out clearly which health and care organisations information may be shared with. Privacy notices should be updated regularly to reflect any changes in how information is used and shared.

Be careful when using the word ‘consent’ as you do not wish to give patients the impression that their explicit consent will be sought in all circumstances. You may not need to mention consent at all (e.g. you may mention in information leaflets that information will be shared with GP practices, hospitals and social care organisations in the area). If you need to refer to consent in relation to individual care, you should refer to ‘implied consent’ and provide advice to patients on what they should do if they wish to object to information sharing.

When referring to the use of confidential patient information for purposes beyond individual care (e.g. planning and research) you can refer to ‘explicit consent’. Do not refer to consent under UK GDPR. 

Do not make blanket statements such as “your consent will always be sought” - there are exceptions, for example where the law requires it or where there is an overriding public interest.

NHSX COVID-19 Information Governance guidance