NHSX recently launched a brand new information governance portal, providing a ‘one-stop shop’ for NHS policies and guidance. The new portal covers everything from GDPR in research to records management. But even with the new portal, navigating NHS guidance on data isn’t easy.

We’ve picked out 6 essential items to have on your radar if your organisation accesses or uses NHS data:

1. The Caldicott Principles
  • The Caldicott Principles apply to the use of confidential information within health and social care organisations and when shared with third parties, such as service providers to the NHS.
  • There are eight broad principles for the protection of people’s medical confidentiality, including justifying the purpose for using confidential information and using the minimum necessary confidential information.
  • The National Data Guardian recently added an eighth Caldicott principle, which makes clear that patients’ and service users’ expectations must be considered and informed when confidential information is used.
2. Data Security and Protection (DSP) Toolkit
  • The DSP Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 Data Security Standards and ensure that their data practices are in line with the GDPR.
  • All organisations that have access to NHS data must use it to demonstrate that they are practising good data security and that personal information is being handled correctly.
  • The DSP Toolkit focuses on data security: organisations are required to confirm a range of assertions and to support each one with evidence. Results can be published, which acts as an accountability mechanism.
  • Organisations can also use the NHS DSP Toolkit to report security breaches and data protection incidents.
3. UK Data Protection Act 2018
  • Organisations must comply with the UK Data Protection Act 2018 (DPA). The DPA sets out the framework for data protection law in the UK and sits alongside and supplements the UK GDPR, which applies from 1 January 2021, when the Brexit transition period ends.
  • The DPA covers processing personal data and requirements for handling special category data, which includes health data. This should be one of the first considerations for organisations planning on contracting with the NHS.
4. NHS guidance on off-shoring and use of public cloud services
  • NHS guidance on cloud security good practice encourages cloud storage of NHS data in the EEA or a country deemed adequate by the European Commission.
  • The guidance presents a framework for assessing and managing risk around the use of public cloud technologies in the health and social care sectors in England.
5. National data opt-out
  • The national data opt-out is a service allowing patients to opt out of their confidential patient information being used for research and planning. Confidential patient information covers information collected in the course of publicly funded, commissioned or coordinated health and adult social care, as well as private care given in NHS settings.
  • The national data opt-out does not apply where data is shared for a patient’s care.
  • All health and care organisations that process health and social care information as a controller must be compliant with the national opt-out policy by 31 March 2021. They must ensure there are systems in place to facilitate a patient’s opt-out and processes to ensure that patient’s data is not used for research and planning purposes.
6. The records management code of practice
  • The Records Management Code of Practice (2016), published by the Information Governance Alliance (IGA) in 2016, sets out what people working with or in NHS organisations in England must do to manage records correctly. Its requirements are based on the legal obligations that apply to those records and on professional best practice.
  • This guidance covers data retention guidelines, setting out how long records should be retained by an organisation in possession of NHS data.
  • A consultation for a new Records Management Code of Practice 2020 recently concluded, so a new version is in the works. The revised version of the code will be published once NHSX have analysed the responses and updated the code. The 2016 version is still valid until the new code has been finalised.


Jaspreet is a Senior Associate, and advises clients on complex issues at the intersection of healthcare, data and technology. Her practice has a particular focus on accessing and using patient data, innovative collaborations with hospitals, and the use and regulation of AI in the healthcare space.