Adopters - Understanding laws that regulate the use of health and care data

Reviewed by: Health and Care IG Panel

In the UK, the UK General Data Protection Regulation (UK GDPR), supplemented by the Data Protection Act 2018 (DPA 2018), governs the processing of ‘personal data’ (a defined legal term). The UK GDPR mirrors the provisions of the EU General Data Protection Regulation that came into effect in 2018, before the UK left the EU. The UK GDPR and DPA 2018 only apply to the processing of data that relates to identifiable living people.

The common law duty of confidentiality governs the disclosure of confidential patient and service-user information. It applies to information that can identify either living or deceased people.

In this guide, we use the terms as they apply under each framework. When we refer to:

• data protection legislation, we will use ‘personal data’
• the common law duty of confidentiality, we will use ‘confidential patient and service-user information’

These laws exist to make sure you use people’s data in a legal, fair and transparent way, and that data is only processed or disclosed in ways that a person would reasonably expect. ‘Processing’ under article 4 of UK GDPR means any operation or set of operations that is performed on personal data such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

These laws also aim to make data sharing possible for a range of purposes, including research and the development of AI and digital technologies.