In the UK there are laws that protects personal data. 

Organisations must store confidential information securely. 

• A health professional, such as a GP or a consultant, can only access limited information on a patient. They must be involved in the care of that patient to access this data. They don't necessarily have access to the full health record. Records are not always shared between primary care, secondary care and speciality clinics. 
• There are laws that protect the confidentiality of personal information. For example, the GDPR, the Data Protection Act 2018 and Freedom of Information Act 2000. 
• NHS organisations and local councils must keep people’s health and care information safe. If they provide social services, they must have a Caldicott Guardian. This is a senior person who ensures the information is used properly. 

• Patients must consent to their data used in this way. This consent must be given when the data is first collected. This consent must also be explicit. 
• Where data is shared with a third party, legal contracts are required. These contracts set out strict rules about what the organisation can or cannot do with data. 
• Public health services, charities, academics and private companies may also have access to NHS data. This data may have details removed to protect the identity of those it relates to.