HES data storage, sharing and destruction

In light of recent events around the breach of personal and confidential information from HM Revenue and Customs, we would like to take this opportunity to remind all users of HES data of the critical importance of protecting and securely handling all information which relates to, or could be used to identify, individuals.

While the IC wishes to promote access and use of health and social care information to support decision making, it must also ensure that there is no unauthorised or inadvertent release of information which could identify an individual, either directly or by inference (eg through small numbers, or combining data from a number of sources).

The HES Protocol sets out measures and ways of working to ensure that HES data is accessed in accordance with the law. When applying for a HES extract, your organisation signs up to working within the rules set out in the Protocol.

The conditions for which you are granted access to HES data that contains sensitive and/or personally identifiable data are set by the Database Monitoring Sub Group (DMSG), formerly the Security and Confidentiality Advisory Group (SCAG). The data must only be used for the purposes specified and must be destroyed in accordance with the security methods set out and agreed by the committee in the original application.

If you have any concerns regarding your use, sharing and destruction of your HES Extract please contact a member of the Information Centre's Information Governance team ([email protected]).