The legal framework governing access to health data for research in the UK
26 May 2026 | Author: Cassie Smith, Director of Legal, Trust and Ethics
Access to health data for research in the UK is shaped by a complex legal and governance framework that is harder to navigate than it needs to be. Cassie Smith sets out the key legal barriers and governance challenges, and considers what could be done to address them.
This article accompanies a more detailed paper on the legal and governance framework for health data access across the UK.
The Government’s Health Bill places NHS data infrastructure at the centre of health reform. Its proposals for a national single patient record are primarily aimed at improving information sharing for direct patient care. But the same systems, datasets and governance arrangements will also shape how health data is accessed and used for research.
The UK is in a distinctive position because our health system holds some of the most comprehensive longitudinal population data in the world. Decades of NHS records spanning primary care, hospitals, screening programmes, registries and population cohorts create significant opportunities for research, innovation and public health improvement.
Yet researchers consistently describe the process of accessing that data for studies in the public interest as slow, inconsistent, expensive, frustrating and, at times, impossible. The framework governing research use spans common law confidentiality, data protection law and organisational governance, and is often fragmented and unclear even to specialists.
As the Government reforms NHS data infrastructure, this is a timely moment to examine the barriers affecting research access and what could be done to address them. This is not an argument for weakening patient confidentiality or reducing protections around sensitive health information. Those protections exist for good reason and reflect legitimate public expectations. But improving clarity, consistency and coordination across the system would support both accountability and high-quality research in the public interest.
If you want to find out more, there is more detail in an accompanying paper, written to support the Sudlow Review and updated since. What follows is an introduction to the main issues.
Why health data access is shaped by more than UK GDPR
Debate about health data research often focuses on UK GDPR as the main barrier. In practice, the picture is more complex.
There are three overlapping sources of difficulty:
- Common law confidentiality: information shared with doctors is confidential, and disclosure normally requires consent or a statutory basis.
- Data protection law: primarily UK GDPR and the Data Protection Act 2018, which govern how personal data is processed.
- Organisational governance: the approvals, risk assessments and access processes operated by NHS England, NHS trusts, universities, charities and other data custodians.
These layers interact, but they are not the same. Some barriers arise from legislation or legal uncertainty. Others come from how organisations interpret and apply the same rules in different ways.
A further issue runs through all three. “Health data sharing” is often treated as a single activity, when in practice it covers very different uses. Sharing data for direct patient care raises different legal and ethical considerations from using it for research, planning or AI development. Yet these activities increasingly depend on the same datasets and systems, meaning decisions in one area can affect others in ways that are not always anticipated.
Layer one: common law confidentiality
Long before UK GDPR, English common law established that information shared with doctors is confidential. That duty still applies today and continues after a patient has died.
For research, the key question is whether confidential patient information can ever be used without explicit consent.
In England and Wales, the answer is sometimes yes. The Health Service (Control of Patient Information) Regulations 2002, commonly known as the COPI Regulations, provide a legal route allowing confidential patient information to be used for approved medical research without consent in defined circumstances. Many large-scale research projects rely on this mechanism, alongside approvals from the Confidentiality Advisory Group and the Health Research Authority.
The position elsewhere in the UK is less consistent. Northern Ireland has equivalent primary legislation, but the regulations needed to make it operational were never enacted, meaning consent is still required for most research uses of confidential patient information. Scotland has no direct equivalent to the COPI framework, although the Public Benefit and Privacy Panel performs a broadly similar role in practice.
For researchers working across multiple UK nations, this creates a fragmented legal landscape. A study linking equivalent health data from England, Wales, Scotland and Northern Ireland may be subject to different legal routes depending on where the data originates. In practice, this can mean parallel approval processes for the same project, creating duplication, delay and uncertainty.
There are several ways government could address this, including more consistent use of existing legal gateways or legislative reform to create clearer UK-wide mechanisms for approved research access. Reform of the COPI framework is already under discussion within government as part of wider NHS data reform and the transfer of NHS England functions. None of these options are straightforward, and any move towards greater consistency would require careful public engagement.
The wider policy context is also shifting. The Health Bill and broader reforms to NHS data infrastructure are primarily focused on supporting direct care, but they will also influence how confidential patient information is governed and accessed for research.
Layer two: data protection law
UK GDPR and the Data Protection Act 2018 govern how personal data can be processed. Health data receives additional protection because it is classified as special category data.
Public debate often treats data protection law as a barrier to research, but the position is more nuanced. UK GDPR includes provisions that support scientific research and allows health data to be processed without consent in certain circumstances, provided appropriate safeguards are in place.
Data protection law operates alongside the common law duty of confidentiality. Compliance with UK GDPR does not remove the need to meet confidentiality requirements, and vice versa.
Two aspects of data protection law continue to create practical difficulties for researchers.
Anonymisation
Whether health data counts as personal data depends on whether individuals can be identified, directly or indirectly. For modern research, particularly work involving linked, longitudinal datasets, that assessment is rarely straightforward.
Much of this work takes place within secure data environments (SDEs). These are controlled platforms that allow analysis of sensitive data without data being extracted or downloaded. Direct identifiers such as names, NHS numbers and dates of birth are usually removed, but that alone does not determine whether data is legally anonymous.
The Information Commissioner’s Office updated its anonymisation guidance in 2025 and confirmed that individual-level data can, in some circumstances, be treated as anonymous. The assessment depends not only on the data itself, but also on the environment in which it is used and the risk of re-identification through linkage.
In practice, interpretations still vary across the sector. Some organisations treat data in highly controlled environments as anonymous for certain uses. Others take a more cautious approach and continue to treat similar datasets as personal data.
These differences have real consequences. Similar studies can face different approval requirements depending on how organisations interpret the same guidance. More practical guidance and examples from the ICO focused on research use in secure environments would help reduce this variation.
International data transfers
Modern health research is increasingly international. Large-scale genomics, AI and rare disease studies often depend on collaboration across multiple countries.
UK GDPR restricts transfers of personal data outside the UK unless an adequacy decision applies or appropriate safeguards are in place. Even where data remains within a secure data environment and is accessed remotely from abroad, this may still constitute an international transfer.
One safeguard is the use of Standard Contractual Clauses. These are designed to provide a standard legal mechanism for enabling international collaboration while maintaining data protection standards. In practice, they can be difficult to use in research collaborations involving overseas public institutions and publicly funded bodies. The clauses must be used in a prescribed form, and some organisations are unable to accept terms governed by UK law or subject to UK courts.
As a result, international collaboration can become difficult even where privacy risks are tightly controlled. More tailored transfer mechanisms designed specifically for public interest research could help reduce unnecessary friction while maintaining safeguards.
Layer three: fragmented governance
Even where the legal basis for sharing health data is clear, researchers often face a third barrier: fragmented governance processes.
Across the UK, NHS trusts, registries, research databases, charities, universities and other data custodians have developed their own systems for reviewing and approving access requests. Researchers linking datasets from multiple sources are frequently required to complete overlapping forms, navigate multiple governance panels and negotiate bespoke agreements with each organisation separately.
These challenges are not solely legal. They also reflect how organisations interpret and apply the same rules in different ways, often without coordination across the system. In practice, these processes can become as significant a barrier to research as the law itself.
The impact is uneven. Larger institutions may have the capacity to navigate complex governance systems, while smaller organisations, charities and early-stage innovators often do not.
There is increasing support for greater standardisation. Common governance frameworks, interoperable review processes and regulator-supported templates could reduce duplication while maintaining appropriate safeguards.
The institutional landscape is also changing. The Health Bill and wider NHS reforms will reshape responsibility for NHS data infrastructure and access governance, while the Health Data Research Service is intended to improve access for research. As these structures evolve, consistency and coordination will be critical. New infrastructure alone will not resolve the underlying issues if governance remains fragmented.
What could change
The barriers described across these three areas reflect both legal constraints and how the system operates in practice. Addressing them would require changes in legislation and in how parts of the system are implemented.
One priority is reform of the legal routes for using confidential patient information for research across the UK, including COPI and equivalent arrangements. Researchers working with equivalent datasets should not face different legal requirements depending on where in the UK the data originates.
Clearer regulatory guidance on anonymisation within secure data environments would also help. Modern research increasingly relies on linked datasets where direct identifiers have been removed, yet organisations continue to take different approaches to their legal status. Practical guidance and case examples from the ICO would reduce uncertainty.
International collaboration also requires more workable mechanisms for research access. Existing transfer tools can be difficult for overseas public institutions and publicly funded bodies to use, even where privacy risks are tightly controlled.
Governance processes need to become more aligned. Researchers should not have to navigate entirely separate systems for each data custodian. Greater standardisation would reduce duplication and make access more predictable.
None of these changes require weakening confidentiality or data protection safeguards. The issue is whether they are applied in a coherent and proportionate way.
Reform requires trust
Debates about the single patient record, the Health Bill and wider NHS data reform are ultimately debates about trust as much as the law.
The vision of a longitudinal health record that supports both direct care and safe, transparent research is compelling. But it depends on more than infrastructure. It depends on whether people trust how data is accessed, used and governed, and whose interests that use serves.
Previous health data programmes, including care.data and the GP Data for Planning and Research programme, underline how easily that trust can be undermined. The greatest barrier to wider use of health data is not the existence of safeguards; it is the risk of losing public confidence in how decisions are made. Once lost, that confidence is difficult to rebuild.
As government reshapes NHS data infrastructure, transparency, accountability and meaningful public engagement cannot be treated as optional additions to reform. They are central to whether reform succeeds.