Our ref: DE00000752534 
Dear Ms Wilkinson-Makey,
Thank you for your correspondence of 19 and 21 January to the Department of Health about guidance issued to the NHS Commissioning Board and other organisations, and also your correspondence about private patients in NHS hospitals.  Please accept this as a response to both emails. 

You requested your correspondence to be treated under the Freedom of Information Act.  However, as your correspondence asked for general information, rather than requesting recorded information or documentation, I should advise you that on this occasion the Department has not considered your correspondence under the provisions of the Act.


Regarding your correspondence about guidance issued to the NHS Commissioning Board and other organisations, the Department has not issued any specific guidance in relation to the ‘National Health Service (Venereal Diseases) Regulations 1974’.  However, as you may be aware, the Department’s guidance ‘Confidentiality: NHS Code of Practice’ does include some information for the NHS on legal restrictions on disclosure of personal information related to sexually transmitted infections (STIs).


The Department has also not developed specific guidance on restrictions on the disclosure of personal information about individuals detained under the Mental Health Act.  The Health and Social Care Information Centre (HSCIC) is not permitted to disclose confidential personal information about any person unless there is a legal basis for the disclosure under the arrangements covered by Section 251 of the NHS Act 2006. 


In future, it will be the responsibility of the NHS Commissioning Board or the HSCIC to publish such guidance.  I should also note that anonymised data maybe used for secondary purposes without consent.


The Department does not require the HSCIC to publish a list of the organisations to which it has disclosed personal information under the Section 251 arrangements.  However, the Ethics and Confidentiality Committee ( ) of the National Information Governance Board (NIGB) is required to maintain an online register of activities that have received approval under the Section 251 arrangements.  You can access the register at www.nigb.nhs.uk/s251/registerapp.


It is the responsibility of the HSCIC to ensure that it has established appropriate arrangements to ensure it meets the requirements of the Data Protection Act 1998.


In addition, the Department has not developed specific guidance about Data Protection Act requirements in relation to correcting errors and deleting inaccurate records.  This includes guidance on compliance with Section 10 of the Act.  It is a matter for each of these organisations to develop policies for handling requests under Section 10 of the Act and to establish policies on the arrangements to notify organisations to which inaccurate personal information has been disclosed.    


With regard to your correspondence regarding private patients using NHS hospitals, I should explain that the Department does not require the NHS to submit personal information about private patients to the .  However, local NHS organisations that provide private healthcare and independent sector providers providing private healthcare may choose to submit data to in order to access the associated analytical services.  Private patients would need to discuss the arrangements for opting out with their healthcare providers.


The Department does not require healthcare providers to submit data about private patients to .  Healthcare providers may submit data about NHS patients under arrangements established under Section 251 of the NHS Act 2006.  However, in relation to private patients it is a matter for healthcare providers to decide whether they submit data to .


NHS patients can opt out from having data that identifies them from being submitted to .  However, they would need to discuss how this would be managed with their healthcare provider.  Opt-out arrangements will differ at each organisation.  However, patients have no right to opt out of anonymised data being used.


Local NHS organisations are responsible for complying with legal requirements.  It is also the responsibility of GPs to ensure that they do not disclose personal information about a private patient to General Practice Extraction Service if the patient has objected. 


Information about private patients is submitted to at the discretion of their healthcare providers, however the Health and Social Care Act 2012 provides the Information Centre with a power to obtain information in defined circumstances.


In addition, there is no legislative requirement that GP must confirm a patient's identity before they can be registered at their practice.  Equally, there is nothing to prevent them from doing so.  A GP may take reasonable steps to confirm the identity of a patient in order to ensure they are entitled to NHS care or to prevent multiple registrations by those seeking fraudulent access to prescriptions.


Unless there are significant concerns that a lack of anonymity might discourage patients from presenting for care, it is generally in the best interests of patients and their safety that records about them can be linked together.  This requires the use of the same identity each case.  Similarly, the NHS may need to contact patients and therefore an accurate address is required.

I hope this reply is helpful.

Yours sincerely,
Neil Achary
Ministerial Correspondence and Public Enquiries
Department of Health

Please do not reply to this email. To contact the Department of Health, please visit the 'Contact DH' page on the Department’s website, where you can also view our performance against quarterly service targets.