How personal data is used and shared during the NHS continuing healthcare process
Published 8 May 2026
Applies to England
This is an overview of the rules and legal basis for using and sharing personal data during the NHS continuing healthcare process.
Summary
Personal information is shared only when necessary and for lawful reasons, such as:
- providing care
- meeting legal obligations
- in the exercise of an organisation’s official authority
The confidentiality of personal information is a priority, and safeguards are in place to protect this information, both for living individuals and the deceased.
Consent is typically required for sharing information with family members, friends and representatives, unless, for example:
- there is a legal obligation to share
- in the opinion of a responsible professional, sharing information would be in the best interest of an individual who lacks the capacity to consent
Sharing information with family, friends and representatives
In some cases, personal information may be shared with individuals such as family members, friends and/or other representatives who are helping with the NHS continuing healthcare process. The legal basis for sharing such information is typically consent (see UK General Data Protection Regulation (GDPR) Article 6 and UK GDPR Article 9).
Responsible professionals should obtain consent before sharing information with trusted individuals involved in the care or decision-making process. This ensures that information is only shared with those who are authorised to be involved.
Personal data
Personal data is processed in accordance with data protection laws and relevant regulations. The primary legal basis for processing personal data in NHS continuing healthcare is governed by GDPR.
GDPR Article 6: public task or official authority
Personal data may be processed if it is necessary for the performance of a task in the public interest, or in the exercise of an organisation’s official authority, or statutory functions.
NHS continuing healthcare assessments are part of public healthcare services. A relevant body, that is, an integrated care board, is required to take reasonable steps to ensure that an assessment of eligibility is carried out. This is outlined in the National Health Service Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012.
GDPR Article 6: legal obligation
Information may be processed to comply with a legal obligation.
The Health and Social Care Act 2012 (Section 251B) requires that health and care professionals share information in order to provide appropriate care and support.
GDPR Article 9: health or social care
Health information may be processed where necessary for medical diagnosis, care provision or management of healthcare services.
NHS continuing healthcare assessments are necessary for determining an individual’s care needs and managing healthcare provision, as defined in paragraph 2 of Schedule 1 of the Data Protection Act 2018.
Common law duty of confidentiality
There is a duty to maintain the confidentiality of personal information, which applies to both living and deceased individuals.
Information can only be shared:
- with consent
- when required by law
- in circumstances where there is a significant public interest - this includes where a responsible professional considers it in the best interests of an individual who lacks the capacity to consent
The common law duty of confidentiality acts as a safeguard to protect personal data. In the context of NHS continuing healthcare, this duty is balanced with statutory requirements that allow for the sharing of information where necessary, such as under the Health and Social Care Act 2012.
Patient level data set
NHS England and integrated care boards collect and analyse data to improve the NHS continuing healthcare process, ensuring it meets the needs of patients and optimises the use of resources. The data may include personal information, but it is ‘pseudonymised’ for analysis purposes. This means that patients’ information is altered by replacing real details with fictitious identifiers to protect patient identities.
The legal basis for data collection is:
- data is processed with consent or for lawful reasons, such as meeting legal obligations related to NHS continuing healthcare, or in the exercise of an organisation’s official authority
- data is processed with consent or it otherwise aligns with the need to manage or provide healthcare services (see UK GDPR Article 9)
Resources
Information on the use of individuals’ identifiable data is publicly available:
- General Data Protection Regulation (GDPR) - information and register of processing activities
- National framework for NHS continuing healthcare and NHS-funded nursing care
- Disclosing patients’ personal information: a framework, on the General Medical Council (GMC) website
- Consent to using and sharing patient information
- Looking after your data