NHS England has been granted a six-month exemption to allow patient-identifiable data to flow to commissioners.

Health secretary Jeremy Hunt has conditionally approved the national board’s application to transfer personal confidential data from the Health and Social Care Information Centre to commissioning organisations.

Section 251 of the NHS Act 2006 allows the health secretary to set aside the common law duty of confidentiality for organisations to process patient identifiable information without consent.

The partial approval to use s.251 has been granted on the advice of the Confidentiality Advisory Group. It runs until October this year and is conditional upon a satisfactory interim report to be considered by the group in June.

The permitted data flows include Choose and Book referrals data, radiology data, paediatric critical care data sets, community health data sets and commissioning data sets from the Secondary Uses Services or Hospital Episode Statistics.

Traditionally, the s.251 exemption was held by the NHS Information Centre so it could send SUS data to primary care trusts.

When PCTs ceased to exist in the April NHS shake up, there was no longer a legal basis for the data flow. NHS England applied to the CAG for an exemption to allow it to continue sending personal confidential data to commissioners in March.

Last month, it was granted a three-month “breathing space” allowing commissioners to handle SUS data while the group considered its full application.

A six-month extension has now been granted while NHS England continues to work on an “end state” that reduces the need to process and handle personal confidential data.

A recommendation of Dame Fiona Caldicott’s second review of information governance in the NHS is that only Accredited Safe Havens can receive patient identifiable data and only the HSCIC is currently an ASH.

However, CAG’s letter to NHS England’s director of data and information management systems, Ming Tang, acknowledges that because safe haven accreditation is a “developing process” there is a need for existing NHS bodies to receive patient information to support existing commissioning purposes.

Commissioning support units and a number of clinical commissioning groups can therefore continue to receive patient-identifiable data as long as they can, “provide evidence of completion of level 2 of the Information Governance Toolkit or have a suitable robust improvement plan with timely deadlines to bring them up to level 2”, a guidance note says.

The final details for accreditation as an ASH are yet to be determined.

Tang told EHI earlier this month that NHS England was working towards the recommendations of the Calidcott review.

Caldicott2 states that most commissioning can be done without patient identifiable data. A full government response to the report is expected this summer.

The guidance note explains that NHS England will be working with CSUs and the HSCIC to look at how they can reduce the need for personal confidential data.

NHS England must submit an interim report, including a roadmap of future plans, to the CAG in June.

Phil Booth, co-founder of medConfidential, a campaign fighting for confidentiality and consent, described a blanket s.251 exemption as a serious risk to patients.

“There is a way of engaging a proper information governance agreement for the NHS, but section 251 is like putting a plaster on an open wound. Do the services the commissioning bodies have to provide necessitate the need for identifiable data?” he asked.

The letter to Tang says, “patient right of opt-out must be publicised, and respected, and the steps taken to ensure this takes place will be reviewed by the CAG at the June and October meetings”.