The HRA is the Health Research Authority. Currently, (February 2013) it is undergoing a major reorganisation as Janet Wisely undertakes to ‘Make the UK a Great Place to do Research’.

Early in 2013, several members of CRP and ICPV were invited to attend a stakeholder event looking at the use of non- anonymised patient data without consent under Section 251 of the new Health and Social Care Bill. Not something JG is in favour of, but as this will be implemented, the next best thing is to make sure that use is well policed and audited. This is an account of the day:

HRA Workshop s251 Stakeholder Event.
Monday 14 January 2013 Manchester

Why the event?

Patients and the public are stakeholders in health research, and in that capacity, members of ICPV were invited to this event, which aimed to test ideas to put in place to make the UK a good place to do research – this in context of the requirements to allow researchers to have access to identifiable patient data.

The day was focussed on making research easier, and part of the morning was set aside for a hair-raising presentation of a researcher who described her travails when asked to define a security policy for research performed totally by NHS staff within NHS premises, on NHS computers. There was no need for this, as she was and is covered by the national NHS Security Policy already in force.

The law and the use of medical data:
Section 251 of the NHS Act 2006
Section 251 of the NHS Act 2006 re-enacted Section 60 of the Health and Social Care Act 2001. The terms Section 60 and Section 251, when used in relation to use of patient information therefore refer to the same powers. These powers allow the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for medical purposes where it is not possible to use anonymised information and where seeking individual consent is not practicable. Under the Health and Social Care Act 2008, responsibility for administering these powers was transferred from the Patient Information Advisory Group to the National Information Governance Board.

The issue here are the regulations under s251, which may be amended from time to time to allow access to identifiable data in specific situations. Previously, the regulations allowed for identifiable data to be used in specific and exceptional circumstances, such as pandemic situations, the recording of cancer data, public health, and situations where there is a threat to society.

Government knows that the NHS is the repository of a wealth of patient data within medical records. These records have been opened up to researchers for the public good and to benefit society.

Governance of this issue is being transferred to HRA from NIGB, and this will enable the use of patient identifiable data for the purposes of medical research in England and Wales, without consent. It is acknowledged that this is a significant thing to do, so the place for independent advice is acknowledged. Janet Wisely is attempting to make the change as acceptable and efficient as possible.

Patients and the public were represented by Maggie Wilcox, James Ashton, Christine Allmark, and Jacqui Gath.
This was very high level stuff, and at first, somewhat daunting. Janet Wisely (Chief Executive HRA) introduced the day, and outlined the law governing the disclosure of identifiable information, highlighted some of the work already done, and showed how some functions were transferring in full from NIGB to HRA so as not to disrupt the smooth functioning of well established teams – such as the advice function.

Janet also explained how the regulations will work in concert with the Data Protection Act, and that a Confidentiality Advisory Group (CAG) is being appointed (Mark Taylor as Chair), whose role is to consider and approve applications for research.

After two further sessions, we were aware of the fact that studies using data must conform to certain requirements, for example:

• Does the research have REC approval?
• Are there any practical alternatives to non-consented disclosure of identifiable data?
• Is the public interest sufficient to justify the breach of confidence?
• Is there evidence of PPI?
• Each study is subject to a security review.

Significantly, Janet told us that the reliance on these regulations is only temporary, and that the aim is to obtain full consent in due course.

This data will be used for example in cancer registries – full details of diagnoses, treatments, and outcomes will be recorded – and communicable disease surveillance will be conducted.

There are annual reviews of the use of this data, and the CAG checks that research activities have been carried out in an appropriate manner. Light touch regulation is to be implemented.

The use of medical data in conjunction with data from the Office of National Statistics (ONS), police databases, benefits databases, and similar is envisaged.

Mechanisms are in place for the resolution of difference of opinion, and non- authorisation of studies, all approved studies are listed.

Issues raised:

Delegates were split into 4 tables, and asked to raise and discuss issues which needed to be addressed.

1 Integrity of data brokers. Putting together data from many sources increases the risk of data becoming identifiable.

There is oversight to minimise this risk, and people in external (non-NHS) research establishments need to work to the same high standards used in (NHS) research. (But does this conflict with the objective of light touch regulation?)

2 Public Interest. At his table, James Ashton reported that it was discussed that the PPI in research applications helps the applicant demonstrate the relevant public interest in the research taking place. He highlighted that there are instances where reviews of PPI (which is self regulated) can evidence great disparity between intentions laid out in applications, and how the PPI was ultimately used / its impact. For instance

He enquired whether the NIGB ECC / HRA CAG has any independent PPI embedded. He pointed out that the soundness of this process of measuring the degree of public interest in the application could perhaps be bolstered by building in another, independent, look at the PPI outlined in applications.

3 Duplication. Where roles are duplicated, how can they be identified and dealt with?
James remarked that another point that seemed very sensible was a comment from Jonathan Sheffield in his group work, about the large degree of duplication, and that this was not the best use of an expert advisory committee. This was interpreted as if the CAG are busy repeating more menial work, that ultimately this could delay other applications – surely this undermines the aim of making the UK a great place to do research?

4 Publication of refused applications.
This is not done currently, but need will be assessed.

5 Outside organisations.
Governance of outside organisations is being addressed. The same high standards will be looked for as in the NHS. National security standards will be set for organisations holding data, and these will be set by an appropriate IT body.
It was noted that transparency is essential in order to maintain the confidence of the public.

Standards for applications must be high, and there will be ongoing improvements to raise them.

6 Security policies for NHS are already in place, all bodies should sign up to the same policies to ensure the same level of data security.

7 There is potential for difference of opinion between HRA, CAG, and Secretary of State. Could a Memorandum of Understanding be part of the resolution process?

8 Medical notes of deceased patients – there needs to be a process of approval for use of these.

9 Data passports for researchers.
Should researchers and the research studies have (separate) Data Passports authorising the use of patient data, and to enable the researcher to access any government database appropriate to and specified in the research. (To remove the onerous requirement to obtain consent from several organisations.) Subject to appropriate training and certification on similar lines to the GCP?


A rewarding day, and ICPV were able to contribute sensible suggestions and comments to the process. The discussion moderators and scribes at each table were skilled at their job, and on my table at least, all views were treated with equal importance and of equal value. Later, Jonathan Sheffield approached members of ICPV so we took the opportunity to engage in a discussion about the need to engage the enthusiasm of the public in the research process, how the public might be informed of results of research via lay summaries, and a mechanism for budgeting for it. (Following on from his piece in the Observer, Sunday 6th January 2013).

Further reading:

For more information about s251:

the role of HRA:

General Medical Council website – guidance for doctors:

Approved studies: