Skip to main content

Data Governance

What is a section 251 exemption?

19 February 2026
Data Accelerator Team

Data Accelerator Team

Oh, wait, I’m confusing interests again. The Section 251 discussed herein has nothing to do with Star WarsTM, nor is it to be confused with a similarly imaginatively named US Air Force base in the Nevada desert known for its alleged extraterrestrial activities. More’s the shame…

Section 251; and the patient information consenting paradox

James Ellaway – Data Lead, Cardiff Experimental Cancer Medicine Centre (ECMC)

Section 251 as we are concerned relates to the very much Earth-bound Section 251 of the NHS Act 20061. A shorthand for a specific section of this act which allows a temporary lifting of the common law duty of confidentiality to enable the disclosure of confidential patient information for medical purposes.

So, what does that mean in practice?

First, let’s talk about confidentiality. As regards patient information specifically, confidentiality – rather confidential patient information – is a term legally defined in Section 251 as patient information where:

“…the identity of the individual in question is ascertainable—

  • from that information, or
  • from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and

(b) that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.”2

Importantly, this applies to both living persons, that is ‘natural persons,’ and the deceased. More on that in my riveting read on DPIAs, here (insert link).

Keeping up? Confidential patient information is any information which may lead to the identification of a patient. These could include NHS numbers, patient name, home address, a date of birth, a patient’s diagnosis – particularly if a rare disease type or may denote information as to a patient’s physical or mental condition, and/or their specific care and/or treatment.

This information is usually given where an expected duty of confidence applies. Think patient-doctor confidentiality as our rule of thumb. This information, under the common law duty of confidentiality3 cannot be disclosed without a patient’s consent. That is, unless a Section 251 support is invoked.

Why?

Well, it has been determined that there are several vital activities within the NHS, including certain medical research, whereby access to his kind of confidential information is necessary. Moreover, that de-identified (anonymised) versions of said information might make certain activities impossible – the identifiable information is required, or whereby individual patient consent for this information is determined unobtainable.

What constitutes ‘Medical Purposes?’

 

“… “medical purposes” means the purposes of any of—

(a) preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health and social care services, and

(b) informing individuals about their physical or mental health or condition, the diagnosis of their condition or their care and treatment.”4

Who determines what is eligible for Section 251 support?

 

That would be the independent body of the Confidentiality Advisory Group (CAG)5. This group reviews non-research and research-based, and data dissemination requests for Section 251 support on a case-by-case basis, against the framework outlined in the Health Service (Control of Patient Information) Regulations 20026.

Once the CAG has determined whether the temporary disclosure of requested confidential information is in the public interest, it is up to one of three bodies to ultimately decide whether Section 251 support will be granted. These bodies are:

  • The Health Research Authority7 (for, you guessed it, research activities).
  • The Secretary of State for Health and Social Care8 (for non-research purposes).
  • And NHS England9 (for data dissemination/sharing purposes only). *

*In Wales, these duties are transferred to Welsh Ministers under The Welsh Ministers (Transfer of Functions) Order 201810.

If you have some time to kill, and quite literally nothing else at all to do, you can view all past and present CAG approvals for regulations 2 and 5 (more on that to follow) using the CAG Registers11.

What might that look like in real terms?

 

If Section 251 support is granted, the designated person (i.e. You, the researcher, clinician, etc…) – the person responsible for the information can disclose confidential patient information without their consent without being in breach of the common law duty of confidentiality – providing strict adherence to the requirements of the given regulation, and compliance with the Data Protection Act 2018, and the Human Rights Act 199812.

Right… and that means?

 

For example, Regulation 2:

“…permits confidential patient information relating to patients referred for the diagnosis or treatment of cancer to be processed for the medical purposes set out in the regulation.”13

Regulation 3:

“…provides specific support for identifiable patient information to be processed to diagnose, control or prevent, or recognise trends in, communicable diseases and other risks to public health. Regulation 3 applications are managed by Public Health England.”14 *

*Public Health Wales15 in… Wales.

Or Regulation 5:

“…used to permit processing for a range of medical purposes, broadly defined to include ‘preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health and adult social care services.”16

However, there is a caveat, at least in England with the introduction of the National Data Opt-Out (NDOO)17. This doesn’t apply for statistical, de-identified data, but when Section 251 support is relied upon to access confidential patient information, where the patient has opted-out of consenting for their confidential patient information to be shared for research and non-research medical purposes, access shall not be granted dictated by the patient’s choice to opt-out. This does not, however, stop patients from providing consent to individual/specific research studies of their choosing on a case-by-case basis. *

*There is currently no national data opt-out service in Wales, and so the NDOO has no impact on patients in Wales.

Well, then why consent?

Firstly, consent isn’t needed for de-identified data – the clue is in the name. Consent isn’t actually needed for confidential patient information data provided the collection and processing of the data is ‘in the public interest’ – as this forms the legal basis for the collection and processing of said data.

Indeed, as far as UK GDPR (as part of the Data Protection Act 201818) is concerned:

“…consent would not be appropriate as a legal basis under this legislation where there is an imbalance of power in the relationship between the controller and the data subject, e.g. where the controller is a public authority and the data subject depends on their services…”19 *

 

*Psst! We’re talking about the NHS here, and patients in the care of the NHS, if that wasn’t obvious!

 

In fact:

 

“…the legal basis for processing data for health and social care research should NOT be consent. This means that requirements in the GDPR relating to consent do NOT apply to health and care research.”20

 

BUT! Whilst consent does not constitute the legal basis for processing personal (confidential) data for research, researchers must always adhere to the common law duty of confidentiality – taking measures to minimise the personal information required, and the necessary precautions to protect the data (again, see my blog on DPIAs).

 

Consent is, however, still required for people external to the primary care team (let’s say those running the clinical trial, including, the researcher, clinicians, research nurses, etc.), e.g., third-party data processors to access and use confidential patient information for research. Unless, of course, you’ve been approved for Section 251 support by the CAG, as mentioned earlier.

Summary

Phew! That’s a lot to take into consideration. I’m sure you’ll agree. To summarise:

  1. Consent is not required for the processing of confidential patient information provided its use is in the public interest – thus forming its legal basis.
  2. The legal definition of confidential patient information as defined in Section 251 of the NHS Act 2006 applies to both living persons and the deceased and is information which can lead to the direct identification of said persons.
  3. This information is given under confidence and governed by the common law duty of confidentiality. It cannot be disclosed, unless a Section 251 support is granted by the Confidentiality Advisory Group for medical purposes vital to NHS activities contingent upon this confidential information.
  4. A section 251 support may be given based upon set regulatory requirements which determine specific uses of the disclosure of this confidential information.
  5. A section 251 support may face hinderance by the NDOO in England, whereby patients can opt-out of sharing their confidential information. However, patients in England are free to opt-in to specific research and trials whereby confidential information may be given on a case-by-case basis. This is not applicable in Wales.

References

  1. https://www.legislation.gov.uk/ukpga/2006/41/part/13/crossheading/patient-information
  2. https://www.legislation.gov.uk/ukpga/2006/41/part/13/crossheading/patient-information#:~:text=(10),information%E2%80%9D%20means%E2%80%94
  3. https://www.ukcgc.uk/duty-of-confidentiality
  4. https://www.legislation.gov.uk/ukpga/2006/41/part/13/crossheading/patient-information#:~:text=In%20this%20section%20%E2%80%9Cmedical%20purposes%E2%80%9D%20means%20the%20purposes%20of%20any%20of%E2%80%94
  5. Confidentiality Advisory Group – Health Research Authority
  6. The Health Service (Control of Patient Information) Regulations 2002
  7. Health Research Authority
  8. Secretary of State for Health and Social Care – GOV.UK
  9. NHS England
  10. The Welsh Ministers (Transfer of Functions) Order 2018
  11. CAG registers – Health Research Authority
  12. Human Rights Act 1998
  13. https://digital.nhs.uk/services/data-access-request-service-dars/how-the-national-data-opt-out-affects-data-released-by-nhs-digital/national-data-opt-out-guidance-for-researchers/appendix-1-section-251-of-the-national-health-service-act-2006#:~:text=Rights%20Act%201998-,Regulation%202,-permits%20confidential%20patient
  14. https://digital.nhs.uk/services/data-access-request-service-dars/how-the-national-data-opt-out-affects-data-released-by-nhs-digital/national-data-opt-out-guidance-for-researchers/appendix-1-section-251-of-the-national-health-service-act-2006#:~:text=in%20the%20regulation.-,Regulation%203,-provides%20specific%20support
  15. Privacy Notice – Public Health Wales
  16. https://digital.nhs.uk/services/data-access-request-service-dars/how-the-national-data-opt-out-affects-data-released-by-nhs-digital/national-data-opt-out-guidance-for-researchers/appendix-1-section-251-of-the-national-health-service-act-2006#:~:text=Public%20Health%20England.-,Regulation%205,-can%20be%20used
  17. National Data Opt-Out – NHS England Digital
  18. Data Protection Act 2018
  19. Consent in research – Health Research Authority
  20. https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/what-law-says/consent-research/#:~:text=the%20legal%20basis%20for%20processing%20data%20for%20health%20and%20social%20care%20research%20should%20NOT%20be%20consent.%20This%20means%20that%20requirements%20in%20the%20GDPR%20relating%20to%20consent%20do%20NOT%20apply%20to%20health%20and%20care%20research.