Long Read: The Single Patient Record: what the legislation does – and what it will take to deliver it

The NHS Single Patient Record

The government’s proposed legislation for a Single Patient Record (SPR) marks a significant moment in the long-running effort to make health and care information work better across England. 

For years, patients, clinicians and policymakers have described the same problem: health and care information is fragmented across organisations and systems, meaning people often have to repeat their story, clinicians make decisions with incomplete information, and care can become slower, less coordinated and less safe. 

The new legislation is intended to create the legal framework for a national Single Patient Record – one that allows health and care information to be brought together and made available to patients and to professionals involved in their direct care. 

But while the political announcement may sound definitive, the reality is more nuanced. The legislation creates powers and direction; it does not itself create the operational system. Much of what matters most – public confidence, governance, safeguards, implementation, workforce buy-in and technical delivery – still lies ahead. 

And importantly, this is not starting from scratch. 

Building on foundations already laid

As we explored in our earlier long-read on the future of single patient records, England has spent years building the foundations for more connected care through Summary Care Records, Shared Care Records, interoperability standards, electronic patient records and increasing digitisation across the NHS and social care system. Summary Care Records already provide a limited national view of key patient information, while Shared Care Records have demonstrated the value of richer joined-up information across local systems and regions. Our research shows that 61% of people think that a single patient record already exists – reflecting both public expectation and the extent to which digital connectivity has already developed in parts of the system. 

Those earlier programmes matter because they have already shown both what is possible – and what remains difficult – when trying to deliver joined-up care across organisational and technical boundaries.

The current proposals are therefore less a sudden shift in direction than an attempt to move from partial and locally variable connectivity towards a more nationally consistent model. The SPR is better understood not as a replacement for GP systems, hospital electronic patient records or local Shared Care Records, but as an attempt to connect and scale what already exists nationally.

The government itself is clear that GP records, hospital electronic patient records and local systems will continue to exist. The SPR is intended to sit across them, bringing together information from different sources rather than replacing them with one giant database. 

That distinction matters – especially given the history of NHS digital transformation programmes. 

Previous attempts at large-scale national records programmes, including aspects of the National Programme for IT, struggled partly because they attempted to impose very large-scale solutions without sufficient flexibility, local ownership or clinical confidence. More recent progress – including Shared Care Records – has generally been more incremental and locally led. 

The challenge now is whether the NHS can scale the benefits of local integration nationally without losing the trust and collaboration that made many local programmes work.

What the legislation actually does

The proposed legislation would give the Secretary of State powers to create regulations establishing and operating a Single Patient Record system. 

In practical terms, the legislation would allow regulations to: 

• require or authorise organisations to share relevant patient information into the SPR; 

• define who can access health data and for what purposes; 

• allow patients to access their information; 

• create enforcement mechanisms, including potential financial penalties for organisations that fail to comply; 

• lift the common law duty of confidentiality for specific processing required to establish and operate the SPR for direct care purposes. 

The government argues this is necessary because current arrangements are inconsistent and fragmented. 

At present, data sharing for direct care often depends on a patchwork of legal interpretations, local agreements, differing information governance approaches and varying organisational confidence about what is permitted. In some areas this works well; in others, uncertainty and risk aversion slow or prevent information sharing altogether. 

One reason the legislation matters so much is that it changes the balance between voluntary participation and national obligation – particularly for general practice, where responsibilities for records are already embedded in longstanding professional, legal and contractual arrangements.

Why clinicians – especially GPs – matter so much

GPs are not only custodians of some of the NHS’s most sensitive and complete patient records; they are also often seen by patients as the trusted front door of the health system. Many clinicians have argued that this trust depends on patients believing their information will be handled safely, proportionately and predictably. 

That has created longstanding tension in national data programmes. Practices have often found themselves carrying significant legal and ethical responsibility as data controllers, while having limited visibility or control over what happens once data moves into wider systems. 

Questions about who is accountable for inappropriate access, mistakes, breaches, or information being seen out of context have therefore not simply been technical concerns. For some clinicians, they are directly connected to patient safety and trust – including fears that vulnerable people may avoid seeking care or being fully open with their GP if they are uncertain how their information may later be used or shared. 

Recent reports that the British Medical Association may consider collective action around GP data sharing underline how sensitive this area remains. There is also a risk here that ongoing disputes about workload, contracts - and the future role of general practice - become folded into debates about the Single Patient Record itself.

This is not the first time GP resistance has significantly shaped NHS digital policy. Earlier national programmes around citizen access to records and secondary uses of GP data also faced pushback from sections of the profession. That history matters because GPs are not simply one stakeholder among many. Research by Understanding Patient Data has shown that people often expect their GP practice to be the place where decisions about health data use are explained – even when data flows far beyond general practice itself. 

That creates a difficult position for GPs. Patients may continue to see them as responsible for protecting confidentiality and explaining how information is used, even where decisions are being made nationally or across multiple organisations. 

In practice, public trust in wider NHS data initiatives has often depended not only on legal safeguards, but also on whether frontline clinicians themselves feel confident explaining and supporting them. 

The proposed legislation is, in part, an attempt to resolve some of this uncertainty by creating a clearer national framework for how information is shared for direct care, who can access it, and under what safeguards. 

The government is clearly signalling that participation will no longer be optional. But what remains less clear is how responsibility and controllership will operate in practice once information flows into the Single Patient Record. 

Who is responsible once data enters the system?

Many of the practical questions about controllership, accountability and liability appear likely to depend on the detailed regulations and the eventual technical architecture chosen for the programme. 

For example, different governance questions may arise depending on whether the SPR operates primarily as: 

• a federated system connecting existing records; 

• a centrally held national record; 

• or a hybrid model combining both approaches. 

The legislation itself does not appear to fully resolve who will ultimately act as controller –  or joint controller – for different forms of processing once data is brought together within the SPR environment, particularly where information may later be accessed or reused under separate legal powers for planning, commissioning or research. 

That uncertainty matters because responsibility shapes trust. Clinicians are likely to want clarity not only about who can access information, but who is accountable when errors occur, inappropriate access happens, or information is used in ways patients do not expect. 

The government has indicated that further detail will follow through regulations, governance frameworks and technical design. But for many stakeholders, these questions are not peripheral to the programme – they are central to whether confidence in the SPR can be sustained over time. 

What the legislation does not do

One of the most important – and potentially misunderstood – aspects of the proposals is what they do not change. 

The legislation does not create new legal powers for using patient data for research, planning or other secondary purposes. 

Instead, it explicitly states that if SPR data is used for secondary purposes, organisations must still rely on existing legal gateways and safeguards – for example, under existing legislation such as Control of Patient Information (COPI) regulations* or other statutory powers. That distinction is likely to become central to public and professional debate. 

The government is trying to frame the SPR primarily as a direct care initiative: improving care coordination, reducing duplication and helping clinicians access the information they need. But because the SPR would inevitably become a major source of linked health and care information, questions about secondary uses – including planning, research, AI development and commercial access – will inevitably follow. 

This matters because the NHS has been here before. Both care.data and the later GP Data for Planning and Research (GPDPR) programme encountered major resistance, not simply because of technical issues, but because many patients and professionals felt the purpose, safeguards and public benefit case had not been explained clearly enough – and because trust had not yet been established. 

The government appears keen to avoid repeating that history by emphasising that the SPR legislation itself is about direct care. But separating “direct care” from wider uses of data may prove harder in practice than in principle, particularly as linked data increasingly underpins service planning, research and AI-enabled healthcare.

Governance, centralisation and public trust

Another challenge for the government is that the Single Patient Record is unlikely to be debated purely on its own terms. Public and professional concerns about health data increasingly overlap with wider debates about the role of large technology suppliers in the NHS, the future use of AI, global data sovereignty, commercial access, and the concentration of power within national platforms. That means the SPR may become associated – fairly or unfairly – with broader anxieties about government intent, scope creep and who ultimately controls access to health information. 

The timing of the legislation matters. The SPR proposals are emerging alongside those to enable abolition of NHS England and the transfer of many national data and technology responsibilities into the Department of Health and Social Care. For some stakeholders, this risks becoming part of a wider debate about how much control over NHS data should sit directly with central government. 

That does not mean the SPR is intended to create unrestricted government access to health records, nor does the legislation itself create new powers for secondary uses of data. Existing legal safeguards, data protection requirements and confidentiality obligations still apply. 

However, governance structures remain key, as public trust in health data is shaped not only by what organisations can legally do, but by what people believe could happen in future. 

None of this means the underlying goal of better coordinated care lacks support. But it does mean that public and professional responses to the SPR are unlikely to depend solely on the technical design of the programme or the wording of the legislation. 

Previous NHS data initiatives have shown that when multiple unresolved debates become attached to a single programme, the result can be confusion, polarisation and loss of public confidence. The risk is that broader institutional conflicts end up overshadowing the central question many patients care most about: whether information can be used safely and appropriately to improve their care. 

The wider NHS data landscape

The SPR also does not exist in isolation. It sits alongside – and will inevitably interact with – a much broader NHS data and technology landscape, including: 

• local Shared Care Records; 

• Electronic Patient Record programmes; 

• the Federated Data Platform; 

• Secure Data Environments; 

• the emerging Health Data Research Service; 

• the NHS App; 

• AI and population health initiatives; 

• wider NHS interoperability and standards programmes. 

Understanding how these pieces fit together will matter enormously. 

One risk is that the SPR becomes seen as a single “solution” to fragmentation when, in reality, the NHS faces multiple overlapping challenges: technical interoperability, inconsistent data quality, workforce capacity, governance complexity, differing local capabilities and organisational incentives that are not always aligned. As many digital leaders have argued, technology itself is rarely the only barrier. Delivery capability, clinical engagement, training, workflow redesign and long-term support often determine whether digital programmes succeed or fail in practice. 

Shared Care Records themselves illustrate this well. In many places they have delivered meaningful benefits. But they have also shown that interoperability is not just about connecting systems – it is about agreeing standards, workflows, governance and responsibilities across organisations. The SPR may therefore be less a single product than a long-term programme of coordination and integration. 

This is one reason transparency, independent scrutiny and clear governance arrangements will matter so much. The more uncertainty exists about who controls data, who makes decisions, and how future uses will be governed, the easier it becomes for mistrust and speculation to fill the gaps.

Why maternity and frailty first?

The government says the SPR will initially focus on maternity and frailty pathways. That appears to reflect areas where fragmented information can have particularly significant consequences. 

In maternity care, information gaps between services can directly affect safety and continuity of care. Recent maternal mortality reviews have repeatedly highlighted communication failures and fragmented records as contributing factors in poor outcomes. 

For people living with frailty – who may interact with GPs, hospitals, community teams, social care providers and family carers simultaneously – joined-up information can help avoid duplication, unnecessary admissions and unsafe transitions between settings. 

These early pathways are therefore likely intended both to deliver practical benefits and to demonstrate the value of the wider approach. But pilots are not the same as national transformation. Success in targeted pathways will not automatically resolve the wider challenges of scale, governance and operational delivery. 

Patient access and control

The government says patients will eventually be able to access their SPR through the NHS App. That could represent a significant shift in visibility and convenience for many people, particularly if records from multiple settings can genuinely be viewed together in one place. The proposals also talk about patients identifying errors, requesting corrections and eventually contributing information themselves. 

However, many details remain unclear, including: 

• what information patients will actually see; 

• whether access will be phased; 

• how sensitive information will be handled; 

• how corrections and disputes will work; 

• how proxy access for carers and families will operate; 

• how opt-outs for direct care sharing would function in practice. 

The opt-out question is especially sensitive. The government currently says it is still considering its approach to opt-outs for direct care. At the same time, it has reiterated that existing choices around secondary uses of data will continue. 

Balancing patient choice with safe and effective care is unlikely to be straightforward. Too much restriction could undermine care coordination; too little clarity could damage trust. 

What will determine whether the SPR succeeds

The legislation is important, but it is probably the easier part. The real challenge sits with delivery. NHS digital leaders highlight a recurring pattern in major NHS technology programmes: strong national ambition colliding with the realities of frontline capacity, legacy systems, workforce pressures and uneven local capability. 

Many of the conditions required for success are organisational and cultural rather than purely technical: 

• strong clinical leadership; 

• realistic implementation timelines; 

• support for frontline teams; 

• clear accountability; 

• sustained investment after systems go live; 

• interoperability standards that work in practice; 

• public trust and transparency; 

• confidence that safeguards are meaningful and enforceable. 

The inclusion of potential enforcement powers is particularly significant because previous NHS data-sharing programmes have largely depended on persuasion, local agreements and professional cooperation. 

The government now appears to be signalling that national consistency cannot rely solely on voluntary participation. 

As we argued in our recent analysis of international approaches to single patient records and electronic health records, countries that have made the greatest progress have generally been clear about the problem they are trying to solve before deciding on the technology itself. International experience also suggests that implementation, clinical engagement, governance and public confidence are often more decisive than the technical platform alone.   

England is not unique in facing these challenges. Many countries have struggled with fragmented legacy systems, regional variation, interoperability limitations and questions about patient control, governance and secondary uses of data. What differs is how successfully those tensions have been navigated over time.   

But enforcement may also sharpen questions about accountability and trust. If organisations are required to share information into the SPR, clinicians and patients are likely to ask who ultimately carries responsibility when things go wrong – whether that involves inaccurate information, inappropriate access, data breaches or harm caused by incomplete records. 

Legislation can mandate participation. It cannot, by itself, create professional confidence or public trust. The SPR is also likely to be a multi-year transformation rather than a single launch moment. 

Overpromising on speed or simplicity risks undermining confidence later. Even the government’s own timelines describe phased rollout over several years, beginning with specific pathways and incremental connectivity through existing systems.

What Understanding Patient Data thinks

From an Understanding Patient Data perspective, several things are likely to matter most. 

First, there is a strong and legitimate case for improving how information supports patient care.  

Second, trust cannot be assumed. People are often supportive of data use in principle while also wanting meaningful transparency, accountability, security and choice. 

Third, clarity matters. The NHS has repeatedly learned that confusion about purpose, governance and legal basis creates space for mistrust and speculation. 

Fourth, delivery matters as much as legislation. Technical architecture alone will not determine success. Clinical confidence, public engagement, workforce support, governance and operational capability will be just as important. 

And finally, this is unlikely to succeed if it is framed as something being done to the system rather than built with the people who use it – including patients, clinicians, local organisations and care professionals. 

The SPR may ultimately prove to be one of the most significant shifts in NHS information sharing in decades. But whether it becomes a trusted and useful part of care – or another contested NHS data initiative – will depend on what happens next. 

More information

See also: 

• Single Patient Record: Long read 

• Towards a Single Patient Record: What can England learn from abroad? 

• New research: Public attitudes and information needs about GP record data | Understanding patient data 

• What do the public think? 

* COPI regulations – introduced under the Health Service (Control of Patient Information) Regulations 2002 – allow confidential patient information to be shared for specific purposes, including public health, service planning and research, without individual consent in certain circumstances.