If you handle information about people's health and medical affairs, we've collected together the relevant guidance here.

Workforce minimum data set

The Health and Social Care Information Centre (HSCIC) has been directed to undertake a collection of workforce data from providers of NHS services such as GP practices and hospitals. This collection is referred to as the Workforce Minimum Data Set (WMDS) and requires NHS service providers to supply information which includes personal data about all of their staff.

The ICO has received concerns that this collection is excessive and unlawful, and that supplying the information to HSCIC would breach the DPA.

HSCIC has been directed to collect this information. Section 259 of the Health and Social Care Act 2012 then provides HSCIC with the power to require and request the information to fulfil its obligation under that direction. It is therefore the ICO’s view that NHS service providers would not be in breach of the DPA in disclosing this information to HSCIC, as it is a disclosure required by law under Section 35(1) DPA.

However, in providing this information to HSCIC, NHS service providers will still be required to provide fair processing information to their staff, explaining what they will be doing with their information and detailing what information will be shared.

The Information Governance Oversight Panel's annual report

The Independent Information Governance Oversight Panel’s (IIGOP) first annual report to the Secretary of State for Health was published on 2 January 2015. The IIGOP’s role is to advise, challenge and report on the state of information governance across the health and care system in England.

The report examines the progress made by the health and care sector in implementing the recommendations made in the Information Governance Review, carried out by Dame Fiona Caldicott in 2013, which have been accepted by the government. The recommendations were mostly around safe, sensible and secure information sharing.

care.data

In 2013, the NHS Commissioning Board (NHS England) announced plans to introduce a new system for collecting and analysing data called care.data.

Under the scheme, information on people’s GP records will be brought together in a central database.

Information from people’s hospital records is already brought together in a similar way, and this information will be linked to the information from GP records.

The scheme was due to begin in spring 2014, but was delayed after concerns that the public didn’t fully understand how it would work, and how they could opt out.

The scheme has now moved into what is being called a ‘pathfinder’ stage. This will take place in four regions of the country, testing different types of communication with patients.

Personal data remains central to the scheme, and the ICO’s role has been to consider how the Data Protection Act (DPA) applies. We've written a blog that explains this further. We continue to advise the key organisations to make sure patients’ information will be looked after in line with the law.

The ICO has produced an infographic explaining how the care.data scheme works.

As the organisation with primary responsibility for their patients’ data, GP surgeries have an obligation to ensure that information about the use of their data is actively communicated to patients. They should satisfy themselves that any awareness programme organised by NHS England, when combined with the local GP practice’s own proactive communication, ensures that, as far as practically possible, all patients are aware of these changes. This is covered in more detail in our FAQs for GPs.

Changes to the health and care system

On 1 April 2013 there were significant changes in the NHS. We've written some FAQs to help bodies involved in the transition process the information they hold in accordance with the Data Protection Act and the Freedom of Information Act.

Data protection – looking after the information you hold about patients

If you handle and store information about identifiable, living people – for example, about patients – you are legally obliged to protect that information.

Under the Data Protection Act, you must:

  • only collect information that you need for a specific purpose;
  • keep it secure;
  • ensure it is relevant and up to date;
  • only hold as much as you need, and only for as long as you need it; and
  • allow the subject of the information to see it on request.

Requests for personal information

Your patients have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.

Medical records of the deceased

Health organisations often get freedom of information requests relating to the medical records of the deceased. There are no special exemptions under the Act about the deceased, but you do need to consider whether the information is sensitive.

Data breaches in the health and care system

The health sector handles some of the most sensitive personal data, and patients have the right to expect that this information will be looked after. It is important that all IG SIRIs (Serious Incidents Requiring Investigation) that occur in health, public health and adult social care services are reported at the earliest opportunity, and are handled effectively.

All health service organisations in England must now use the IG Toolkit Incident Reporting Tool. This will report IG SIRIs to the Health and Social Care Information Centre (HSCIC), Department of Health, ICO and other regulators.

Health service bodies in Scotland, Wales and Northern Ireland should submit a report to the ICO using our Security breach notification form.

Freedom of information – making public information available

The Freedom of Information Act means that public authorities must disclose official information when people ask for it (unless there is a good legal reason not to), and they must reply within 20 working days.

If you work for a public authority, the Freedom of Information Act says you must produce a publication scheme, which outlines the information you will routinely make available to the public - such as minutes of meetings, annual reports or financial information. To help you do this, we have produced definition documents.

Find out about the obligations of health practitioners.

Health and safety

Some information may be exempt from release under the Freedom of Information Act if it would be likely to endanger people’s health and safety.

Audits, advisory visits and overview reports

See the latest reports detailing some of the good practice and areas for improvement we have seen in both the NHS, and the health sector at large.

See the latest monetary penalties, enforcement notices, undertakings and prosecutions we have issued in the health sector.

Further reading