
This is our old website. Most information can now be found on our new NHS Digital website. Let us know what you think.

What we collect

We collect information from the records health and social care providers keep about the care and treatment they give. We collect from a wide range of providers across England, ranging from hospitals to general practices.

We can only provide access to identifiable information if it will be used to promote health or support improvements in the delivery of care services in England, or if the government decides it's an emergency or in the public interest.

The care information we collect is used for purposes such as:

  • working out what care services are needed - and where and when
  • planning for health emergencies such as epidemics
  • helping to improve medicines and treatments
  • finding better ways to prevent illness and treat conditions
  • calculating how much general practitioners and other care providers need to be paid

For details about how care records can help with research see the National Institute for Health Research's leaflet Your health records save lives.

Types of information

HSCIC can provide access to several different types of information:

  1. identifiable - containing details that identify individuals
  2. pseudonymised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code
  3. anonymised - about individuals but with identifying details removed
  4. aggregated - anonymised information grouped together so that it doesn't identify individuals

For full definitions and details about types of information see the Data Protection Act 1998 and the Information Commissioner's Office publication Anonymisation: managing data protection risk code of practice.

Legal responsibilities

We have different legal responsibilities for the different types of information we collect. Some of these rules are set out in the Health and Social Care Act 2012, the Health and Social Care Act 2014, the Data Protection Act 1998, the Freedom of Information Act 2000 and the common law duty of confidence.


  • publish anonymised information so that it's freely available to everyone
  • use anonymised information internally to test our IT system designs
  • follow the rules for identifiable information as set out in the Data Protection Act 1998 and the common law duty of confidence

We only collect or give access to identifiable information if:

  • we have people's permission or the law allows us to
  • it's used to promote healthcare or support the delivery of care services in England 
  • the organisation requesting the information has demonstrated to assurance bodies that it will be looked after according to the law and good Information Governance (IG) practice

There are different rules for the organisations that play different roles in collecting and handling identifiable information.

  • Data controller - this is any organisation responsible for providing access to, or using, identifiable information. The data controller must keep it safe at all stages, explain to people what it's being used for and is legally accountable.
  • Data processor - this is any organisation involved in collecting or processing information. The data processor must follow the data controller's instructions and meet high IG standards.

Data controllers are sometimes also data processors.


We make a number of different types of information collection. Some are regular and others we make a few times or just once. We collect information by using our IT systems to communicate securely with other health and care organisations' systems.

We use some of the information we collect to produce:

Example collections 