Anonymising NHS Patient Electronic Health Record Extracts – UK GDPR-compliant anonymisation per UK GDPR Art. 9
NHS Electronic Health Record (EHR) extracts contain special-category health data under UK GDPR Art. 9: patient names, NHS numbers, diagnoses, prescriptions, and care pathways. anonym.legal pseudonymises these identifiers across structured and free-text fields, preserving clinical codes, dates, and care pathways for audit, research, or quality-improvement purposes without exposing individual patient identities.
When this applies
This task applies when EHR extracts are shared with clinical auditors, NHS Informatics teams, or research partners who require the clinical substance of the records — diagnosis codes, episode dates, referral pathways — but have no lawful basis to process identifiable patient data.
How anonym.legal handles it
- Upload the EHR extract (CSV, XML, or HL7 FHIR JSON) to anonym.legal; the engine preserves record structure and clinical coding.
- The engine detects patient-identifiable fields across 285+ entity categories: NHS numbers, full names, dates of birth, postcodes, GP surgery codes linked to named practitioners, and free-text clinical narratives.
- Each patient is assigned a consistent pseudonym and synthetic NHS number applied uniformly across all records in the extract.
- Clinical codes (SNOMED CT, ICD-10, OPCS-4), episode dates, and care-pathway sequences are preserved in clear text.
- Named clinicians referenced in the extract receive separate pseudonyms, maintaining the clinician–patient relationship without exposing practitioner identities.
- A reversible mapping table is generated with UK data residency, enabling re-identification by authorised Data Controllers only.
- The pseudonymised extract is released for the approved purpose; the mapping table is retained under the Data Controller's access-control policy.
What you provide
- EHR extract file (CSV, XML, HL7 FHIR JSON, or XLSX)
- Data dictionary or field specification for the extract
- List of free-text clinical narrative fields requiring entity detection
Limitations & cautions
- anonym.legal pseudonymises personal data but does not constitute the data-anonymisation required for research exemptions under DPA 2018 — a formal anonymisation risk assessment may still be required.
- Rare disease presentations with very small patient populations may remain re-identifiable even after pseudonymisation; obtain a statistical disclosure-control review for small cohorts.
- HL7 FHIR resources with deeply nested patient references require field-mapping configuration before processing.
FAQ
Does pseudonymisation satisfy the NHS Records Management Code of Practice 2021 requirements for sharing records?
The Code of Practice sets out retention and access standards; pseudonymisation supports the data-minimisation principle when sharing for secondary purposes. However, whether a specific sharing activity is lawful requires a Data Protection Impact Assessment and legal review against the relevant condition in DPA 2018 Schedule 1.
Are NHS numbers replaced with synthetic numbers or removed entirely?
By default, each NHS number is replaced with a consistent synthetic pseudonym that preserves the number format, allowing records for the same patient to be linked across the pseudonymised dataset without revealing the real NHS number.
Can the engine handle multi-episode extracts spanning several years?
Yes. The engine tracks patient entities across all episodes in the batch and applies consistent pseudonyms throughout, preserving longitudinal care-pathway information.
What happens to postcode data, which can be re-identifying?
Full postcodes are pseudonymised by default. If your analysis requires geographical granularity, you can configure the engine to preserve the sector portion of the postcode (the first four characters) while removing the unit, reducing re-identification risk.