Patient health records: Access, sharing and confidentiality
This briefing describes the laws around accessing and sharing patient health records and plans to improve data sharing in the NHS in England.
Patients have a right to access their own health records and for their records to be kept private, although there are some exceptions (such as when sharing health records is required by law to keep people safe or to help manage healthcare services).
There is no central record of patient data in the NHS; for example, hospitals and GP surgeries will independently keep data about patients treated there. Furthermore, data sharing practices vary across the country, and there is no consistency in what data is held where and why. Reviews of this system have found that this fragmentation can cause challenges for people’s care as well as for health research. The government intends to create a “single patient record” through the NHS App. The public generally supports better data sharing where it benefits themselves or society, but some have concerns about third party access to patient data.
This briefing relates to England unless otherwise stated.
Accessing health records
Individuals have a right to access their own health records and, in limited circumstances, to access information about other people. Since 25 May 2018 this has been governed by the Data Protection Act 2018. Record holders cannot charge patients for accessing their own records, unless requests are “manifestly unfounded or excessive”. In these cases, the data controller can charge a fee to cover administrative costs or refuse to act on the request.
There are also certain circumstances in which full access to a patient’s health record may be denied, such as where the release is likely to cause serious harm to the physical or mental health of the individual or another person.
A deceased patient’s health records are protected under the Access to Health Records Act 1990 and someone can only access a deceased person’s records if:
- they are a personal representative of the patient who has a role set out in law (such as the person who holds the probate documentation or is named as executor in the deceased’s will), or
- they have a claim resulting from the death.
Sharing confidential patient information
Patients have the right to privacy and confidentiality and to expect the NHS to keep their confidential information safe and secure. Patients also have the right to request that their confidential information is not used beyond their own treatment.
Health and social care professionals involved in the direct care of a patient have a legal duty to share patient information where they consider it to be in the patient’s best interests. Patient information should not be shared if a patient objects, unless it is in the “overriding public interest”, such as if not sharing would put other staff members at risk of harm.
There are certain circumstances in which a health professional is required by law to disclose medical information, regardless of a patient’s consent. For example, a health professional must notify local authorities and the UK Health Security Agency about any person suspected of having certain contagious diseases.
For the most part, the law on confidentiality applies in the same way to patients detained under the Mental Health Act 1983 as to any other type of patient. However, under the act, there are some situations where information can be shared without the patient’s consent. For example, if the patient does not have mental capacity to give or withhold consent, medical information may need to be shared with relatives, friends and carers for health professionals to determine their best interests.
Public perceptions of sharing health records
The Sudlow review, published in November 2024, found that in the last 15 to 20 years “people in the UK overwhelmingly support the use of their health data to benefit themselves and others”. The review said most people want to know how their data is used and stored, how their privacy will be protected, and how to opt out of data sharing for reasons other than their direct care, such as research.
A report by the Health Foundation, published in December 2024, found that people’s willingness to share their data to help develop AI systems varied depending on the type of data.
The report showed there is some public mistrust in the role of private technology companies within the NHS, particularly over whether this will erode their privacy or if their data will be exploited for profit. Some research institutes have highlighted the importance of the government explaining clearly to the public how the NHS uses people’s data, and the protections in place to keep it confidential.
Electronic health records
Since 2014 the NHS has committed to making patient records largely paperless with the introduction of various online records and ways to share relevant information across organisations. As of May 2025, 91% of secondary care trusts have an electronic patient record system. The government said it aims for all trusts to have an electronic patient record system in place by March 2026.
In October 2024, the government announced plans to create a “single patient record” summarising patient health information, test results and letters in one place electronically through the NHS App. In its 10-year health plan published in July 2025, the government said the single patient record would be introduced via the NHS App from 2028.
Recent policies and reviews
When patients move within the health system, NHS organisations can face challenges sharing data because it is often spread across multiple sources. For example, a person’s GP record is held by their GP surgery. If a person has treatment in a hospital, that hospital would hold the record of the treatment they had. Data sharing practices can vary across the country, and there is no consistency about what data is held where and why.
The Sudlow review, published in November 2024, and the Darzi report, published in September 2024, have found that the health data system in the UK is fragmented and complex. The reviews have highlighted a need for more efficient data sharing practices to improve care as well as planning and research that could benefit the public.
The Health and Care Act 2022 aimed to improve sharing and more effective use of data across the health and adult social care system by enabling the Department of Health and Social Care and NHS England to publish mandatory information standards.
The Data (Use and Access) Act 2025 received royal assent on 19 June 2025. The act ensures that information standards can apply to IT providers, IT services, or information processing services used in health or adult social care in England. The government has said that this could address challenges around NHS data being fragmented by giving staff quicker access to it and reducing duplication of lab tests and data entries.
NHS data and cyber-security
There have been various cyberattacks on NHS systems in recent years. The 2025 National Risk Register says the NHS continues to be a target for cybercriminals.
The Cyber-security Strategy for Health and Adult Social Care: 2023 to 2030 by the former Conservative government set out plans to increase cyber resilience across adult social care, primary care, secondary care and supply chains of technologies used in care settings.
In the briefing notes to the King’s Speech in July 2024, the government committed to introducing a Cyber-security and Resilience Bill. It said the bill will strengthen the UK’s existing cyber regulatory framework and enable more public sector organisations, such as NHS trusts, to be in the scope of regulations.
Artificial intelligence (AI) and health records
There are various trials with artificial intelligence (AI) and health records in the NHS to:
- analyse health records, such as patient records, and make them accessible for hospitals
- convert words into text for patient records to reduce time staff spend on administration
- predict future disorders, symptoms, medications and procedures for patients based on anonymised NHS health records