News / Blog

NHS number to be national ID mandated in Children’s Wellbeing and Schools Bill

Blog / June 14, 2025

There are three key things going on in parallel about the Single Unique Identifier (“SUI”) ID mandated in Children’s Wellbeing and Schools Bill and children’s NHS number:

1. The Government has confirmed in the House of Lords, that they intend for the NHS number to be the Single Unique Identifier mandated in the Children’s Wellbeing and Schools Bill.

2. The Government confirmed that Wigan is [at least one of] the pilot(s) using the SUI across “multi-agency working”.

This might include services like children’s social care and health and Looked After Children (in state care)  ‘joined up’ service provision. As it is explained in this article it would appear to be only for the direct care of children, adding the NHS number into existing children’s social care records [and this *might* be, if you are going to use an ID across care, how it *should* be done right, were it on an individual basis as needed, though we are yet to see any of the background underpinnings in detail and how residual risks have been addressed, for example, of expanding the data held on every child unnecessarily, or risk of revealing a new home address in cases of domestic violence or details of adoption that are confidential].

This however is likely to run the same risks as ContactPoint as was, and raised in Lords’ debate this week by making an every expanding database that is open to scope creep and ever wider distribution to unlimited persons, of the unique ID, as your NHS number stays with you for life.

3.Wales was added last minute to the scope of the Children’s Wellbeing and Schools Bill.

There, a rather different pilot is underway. The Welsh Government has instructed the NHS number to be extracted from local shared service NHS Partnerships (not GPs directly) and sent to Local Authorities,  who are not using it for the direct care of all those children about whom the data is collected, but as dataset to cross match with education records (state and private) to identify any child in NHS records but not already on the Local Authority registers of children in school (anywhere), or in Elective Home Education, or already recorded as known to be not in receipt of suitable education (“Children Missing Education” or “CME”).

Then, according to the documents available, the Local Authority staff will delete the NHS number from the matched personal data on the vast majority of children (those found in state or otherwise suitable education) keeping only the children’s data who have been found in health, but not found in education. The NHS number, name, home address data about the majority is being to find those who are not in other data, and not to benefit the vast majority of children whose data is being processed at all.

While noting that the pilot in Wigan and pilot in Wales are distinct with very different aims and approach, there is a shared risk well documented in the Wales 2024 consultation including in responses from the BMA and the GMC — that the expanded reuse of data about children and families coming out of medical records into wider circulation, means some families may perceive this as a risk for increased state interventions, and this perceived threat results in their disengagement with children’s health and public health services.

How all of this relates to the new national and local government powers under Clause 31 in the Bill for the dataveillance of families and education providers in both England, and for Wales, remains to be debated and needs some significant amendments. Our briefing on this is from page 6, including the Delegated Powers and Regulatory Reform Committee statement that affirmative procedures must always required for several of the related powers in the Bill.

 

Background detail and Response to debate remarks

Reference: Children’s Wellbeing and Schools Bill, Volume 846: debated on Thursday 22 May 2025

1. The NHS number to be the Single Unique Identifier mandated in the Children’s Wellbeing and Schools Bill

In the Lords on May 22nd, the government confirmed, “we are currently piloting the NHS number as a consistent identifier”[…]

“we are not piloting a whole range of different options here; we are piloting the NHS number to see that it works, with all the provisos that I have said, and to make sure that it achieves the desired outcomes before mandating its use.” (Baroness Smith of Malvern, the Minister) 

Where are these pilots, and will the findings be made available to scrutinise as part of the Bill? The Minister went on to explain this (in public for the first time, col 429)

“As I think noble Lords know, with Wigan local authority we are currently exploring the suitability of using the NHS number as the consistent identifier, and that process will take several months. This first phase of work will explore whether success rates of linking children’s records can be improved within a local authority by using the NHS number provided by the NHS Personal Demographics Service. This work will inform future tests and pilots. These pilots will inform us on how to incrementally increase coverage across the datasets used to manage safeguarding and welfare. If our initial pilot over the summer is successful, then, at this stage, we anticipate being able to begin giving children’s social care teams within local authorities access to NHS numbers during 2026 while, in parallel, we test its ability to be used within wider areas such as local authority data feeds. The point here is that we will not need to wait for a big bang to introduce it. Assuming that this is the appropriate way to proceed, we will be able to do it on an incremental basis as quickly as possible in different areas and with different agencies.”

It is unclear when the pilot began, and if the pilot had already begun in January when Minister Catherine McKinnell described it in the Commons Committee Stage in both present and future tenses and did not answer MPs questions on its location(s):

“As I mentioned, the Department will pilot the implementation of the consistent identifier and introduce it nationally at a later point. We will test its ability to facilitate the linking of data across datasets.”

“On timelines, I appreciate the urgency with which Members wish to see the consistent identifier come into play. Obviously, it is not yet legislated for—we very much hope it will be. But we are piloting the use of the NHS number, which is assigned to all UK-born children at birth or, for children born outside the UK, when contacting the NHS, so we deem it to be universal. The exact services, systems and data shares that store and move the number will have to be developed during the piloting.” (See on page in print in context pp151-152 p86 of 232)

The DfE published in March that, “the department will conduct a regional pilot to test the feasibility of using the NHS number,” (end of page 20). Baroness O’Neill asked about it this week.

“I know the Minister said the other day that the findings of the pilots would be published in spring 2025, but we are about to go into summer, and they have not been seen yet. That means that the model has not been fully tested and has no research to back its veracity. Surely that has to be done before the Bill comes into effect?”

What overlap there is with the two “pathfinder regions”, where there is joint work by Departments of Education, Health and Justice systems remains to be confirmed. Those are costing quite a lot.

It is remarkable that the costs remains unscrutinised for something that will require a long term project in Local Authorities where budgets have been under extreme pressure with a staggering scale of cuts for children and youth provision over the last decade. The government suggested, it has only a guesstimate of this impact and will not know until after the Bill is passed: “it is likely to be the most cost-effective choice. By building on an existing system, we would avoid the complexity and expense of creating a new identifier from scratch, which I know will be welcomed by practitioners, the public purse and Members of your Lordships’ House.” Whether this the best use of funding at all, over say, staff training or additional staff to reduce workload in social services has not been analysed.

2. The Department for Education commissioned report identified Department for Health assurances and risks that seem to have been ignored

The DfEs own commissioned 2016 report, A Consistent Identifier in Education and Children’s Services,” pointed out that the NHS has given assurances around the NHS number only being used for direct *health* care and not as a general purpose secondary identifier for services beyond health. The researchers found that if the NHS number were to be mandated despite this, the structural costs of the system to make it interoperable would be substantive (the data infrastructure will all need adapted, tested and staff training costs) and needs a long time, saying:

“Those consulted pointed out that adopting a consistent identifier for children would require a considerable investment of time and money. It would be a long-term project requiring extensive planning, robust piloting and incremental scale up.

That 2016 report suggested that although the NHS number is already used in Child Protection Information Sharing (CP-IS) systems introduced to connect local authorities’ children social care IT systems with those used by the NHS in unscheduled care settings, this should not mean its reuse as a “universal” identifier:

“The Department for Health has given an undertaking to the Information Commissioner that the NHS number will be used for health and social care only, in response to the ICO’s concerns about the NHS number being used for other purposes.” (p.26)

In the same report, La Valle et al., found a wide range of literature that points to the harms from loss of public trust in reuse of data from heath records and its intangible as well as financial costs — these are not assessed in this Children’s Wellbeing and Schools Bill impact, because what the number has remained undefined, and therefore cannot be scrutinised.

The detail of Clause 4 has had no scrutiny at all, or of its costs left at zero for Local Authorities, because what it is to be, is left to regulations and there has been no debate of this for Wales, as the bill  was only expanded to include Wales at the final day of report stage. And it has had no scrutiny of these tangible risks to children who might be kept away from NHS providers, and is a widely recognised unintended consequence of the new powers.

3. The Reuse of the NHS number creates new Safeguarding risks for children

The pilot currently being run in Wales, extracting data from children’s NHS records to pass and match in Local Authorities, we are told is *not* the national pilot. This is about Wales expanding its Children Missing Education databases (that it already has a duty to maintain under s436A of the Education Act 1996 and already sends to the Department for Education (DfE)). Local authorities must make arrangements to identify children of compulsory school age in their area who are not registered pupils at a school and are not receiving suitable education other than at school (e.g. are in Elective Home Education, already recorded by Local Authrities and also already sent to the DfE) and they all already do this.

In the consultation about this Welsh pilot, carried out in 2024, the BMA, the RCGP, and a wide range of others raised precisely that same risk that was included in the Welsh Government’s own pilot impact assessment, that this may push some of the most marginalised to even further remove themselves from interactions either the state and not attend public health intervention such as child vaccination clinics.

These known risks of its use where patients do not expect it are not new, and  widely recognised and accepted. (see 83, page 18). The BMA raised a wide range of concerns in the Wales 2024 consultation on Children Missing Education databases that will extract ID from health records and worth reading in full.

In 2024, the GMC raised the same concerns with the impact on patient confidentiality and trust in healthcare services in Wales:

“We believe that, if health boards are required to share personal information about children and young people that they legitimately hold, for purposes not related to the child’s health and welfare, doing so risks undermining public trust in the confidentiality of health services. We are concerned that some families, and some older children and teenagers, who do not want to be known to the local authority, may choose not to register with a GP when moving locations or may avoid seeking help from other local health services. Putting their health and wellbeing at risk, to try to avoid local authority engagement.”

it does not seem to have addressed the risk that early opportunities to identify safeguarding concerns might be lost, if vulnerable children and young people and their families choose not to register with GP surgeries or to present to hospital for healthcare.”

In 2020, the GMC had also previously objected to the Welsh proposals, stating that non-clinical data in health records should be treated with the same confidentiality as clinical records. You also predicted harm to families and to public health, saying:“Requiring doctors to share information about children and young people and their parents could cause some to disengage with health services, affecting not only their health but also potentially the health of their local communities.”

This known effect has been recognised and accepted by the Welsh Government, yet they have gone ahead anyway. In 2018, the then Education Minister Kirsty Williams in Wales, on introducing these proposals, said of putting a mandate onto parents instead of Local Authorities:

“I suspect this element of compulsion could have the unintended consequence—the very real unintended consequence—of driving those parents further away from engagement with statutory services”. ( 30/01/2018, para 395)

Despite these evidenced concerns, the 2025 pilot began in 7 Welsh authorities, and afterwards the Legislation, Justice and Constitution Committee in the Senedd complained in writing over the shortage of time for proper consideration of the issues given that:

“the provision being made for Wales in the Bill covers significant policy matters but, with proceedings in the House of Commons complete, minimal time is being left for Senedd Committees to scrutinise the Welsh Government’s actions and the provisions for Wales being added to the Bill.”

The Welsh Government Data Protection Impact Assessment published only recently, admitted that it would be done in secret, in what it calls “invisible processing” and that,

“parents of the child(ren) will not necessarily be aware of the data processing as it is being undertaken“,
and again found the risk that,

Parents / carers choose not to register their child with a GP to avoid detection by authorities, or fail to seek medical help for their child.” (p29)

In the 2024 Wales consultation, its Child Rights Impact Assessment found that, proposals may challenge article 12 and article 16 (Children’s UNCRC right to be heard, and right to privacy and family life), if the child stated they didn’t want their personal data shared with the local authority by the health board. And most importantly, it could do them harm because the proposals may result in a child not receiving their article 24 right to health, if families fail to register their children with health practitioners if didn’t want their personal data shared.

The government claims this is not sensitive because the actual medical data is not being extracted, only ID data from the health data. However, the GMC addressed this in its consultation reponse.

“In our understanding, all patient information attracts the common law duty of confidentiality. We don’t set different standards for protecting clinical or medical information and other personal information, recognising the sensitivity of all information that is shared between a patient and doctor.” (page 2)

In England, there has been no consultation with children, or mitigations made in the Bill for these same potential harms to them or their rights. Will we repeat those same mistakes in Wigan or at scale?

This is not about what *is* done but what families think *might* be done once they lose their trust in the confidentiality of any of their information given to health services and expectations it stays only there, and is not made available to Local Authorities or for any shared “multi agency response” that may include the police. This risk of substantive harm to perhaps the very children the policy-makers may consider are those the Bill seeks to identify, is being ignored over unproven expectations that there will be new evidence of better outcomes as a result. In the recent cases of awful things done to children and child deaths, they were all known to social services, often police and multi agency teams. There was no lack data but of of suitable intervention.

4. The assurances made on confidentiality in the Bill Explanatory Memorandum are false

The Memorandum from the Department for Education to the Delegated Powers and Regulatory Reform Committee (page 7, para 26) makes false claims and assurances about the new powers with regard to the governance of the planned consistent identifier being similar to the governance model of the NHS number, saying its “approach is consistent with the Health and Social Care Act 2012 (Consistent Identifier) Regulations 2015”, but this omits two substantive differences. The powers relied on in this Bill explicitly remove safeguards provided in Section 251A12 of the Health and Social Care Act 2012, and that Act states:

  1. (6)(b) “The relevant person need not comply if the individual objects, or would be likely to object, to the inclusion of the consistent identifier in the information (251A(6))
  2. (7)(b) “It does not permit the relevant person to do anything which would be inconsistent with a common law duty of care or confidence (251A(7)).” [our emphasis]

Whereas on the face of this Bill in the mandatory 16LA(7) Duty to share information (page 7, line 6), the opposite is made law:

“A disclosure of information under this section does not breach any obligation of confidence owed by the person making the disclosure,”  and on page 8 “A designated person’s compliance with subsection (4) does not breach any obligation of confidence owed by the designated person.”

It is therefore also not quite correct of the Minister to suggest this in debate, when she said,

“It is consistent with the approach taken for the adult identifier in the Health and Social Care Act 2012, which provided the legislative framework for the NHS number to be specified via regulations.” (Baroness Smith of Malvern, the Minister)

5. Who will the users be and what safeguards exist to mean wider sharing or constraints on scope creep?

The Minister mentioned the weakness of definition herself on May 22nd, saying there was lack of clarity over the, “breadth and interpretation of the term “safeguarding and promoting the welfare of children” and what the test should be.”

The reuse of the identifier is closely connected with the Clause 31, power for registers not in school since the reasons why the NHS number might be used are loosely defined around safeguarding and welfare, and can very likely be assumed that every prescribed person will automatically include the SUI in CNIS records, which are assumed to be about safeguarding when in fact they are not.

We are concerned not only about the known harms this may cause, but about the scope creep of the single unique ID (NHS number) reuse which should be restricted to direct care of a child not secondary other purposes or other, eg wide distribution to commercial third parties. At Committee Stage in the Commons (Jan 23, 2025), the Schools MinisterCatherine McKinnell suggested ID scope creep was not only inevitable, but desirable:

“We have purposely prioritised linking use of the consistent identifier with safeguarding and welfare functions, and will be testing the benefits and implementation of that through our pilot. If additional benefits are realised, we can obviously explore the provisions further.” (our emphasis) source: Committee Stage, January 23rd, 2025, Children’s Wellbeing and Schools Bill (Fourth sitting)

Lord Hogan-Howe further raised concerns about the police being included in the shared user teams by default. And who else might be the designated users of the Single Unique Identifier?

Can the government confirm or correct who the designated persons are and how many they are expected to be under various references under page 8, line 11, the Secretary of State will set out who designated persons are by Regulations and (11) listed in section 11(1) and 16E. Under 11(1) reference to the Care Standards Act 2000, Section 2, Independent hospitals includes facilities such as dentists, women’s reproductive health clinics and tattoo parlours for example. Additionally, the Children’s Act and the Care Standards Act reference a wide range of local authorities, health authorities, independent hospitals etc., and educational institutions, particularly in Wales, as outlined in Schedules 2A and 2B. These include county councils, county borough councils, community councils, health authorities, local health boards, NHS trusts, further and higher education corporations, and governing bodies of schools. However, it is just not easy to follow it all and conclude clearly who is definitely going to be the users of the NHS number, set out in the Bill, who do not already use it today.

6. Other organisations’ related views abut the SUI

Many other organisations see substantive risks and unintended consequences for example as submitted to the commons evidence committee (before Wales was added to the bill, before the government published the bill impact assessments, and before the NHS number was mentioned as potentially the unique ID) including Coram, that argues for safeguards in the Bill on how the families’ data are not to be used, as well as its stated planned reuse. The “Support not separation / disabled mothers rights campaign” said they are, “Totally opposed” to the single unique ID.

7. Data Protection law cited as safeguard is worthless unless enforced

The Minister continued to use in her assurances that, “data protection legislation includes key principles such as lawfulness, transparency and, crucially, accountability, which require organisations to demonstrate compliance with data protection obligations”. It does have those requirements, but it doesn’t mean anyone in charge of these sensitive data are complying with it and it offers no safeguard at all unless the ICO will enforce the law. To label data protection law as a “safeguard” for excessive intrusion by the state into family life, is patently untrue.

The Wales CME pilot has failed in this disastrously with its “invisible processing” to families.

The Westminster Department has failed to demonstrate compliance with data protection law in the ICO 2020 audit. Nearly 5 years later, it still refuses to publish that audit in full, and the ICO has done nothing to enforce any fair processing, continuing the status quo as we found in a 2018 poll, parents have not been informed that the Department for Education may give their child’s information to third parties, and have no idea they can make a Subject Access Request or express a Right to Object [UIN 50978, tabled on 8 May 2025], or even know what their rights are, and do not know that the DfE holds and gives away their child’s identifying lifetime pupil record. Data Protection law is not useful unless you know your data is being processed.

  • “The Commercial department do not have appropriate controls in place to protect personal data being processed on behalf of the DfE by data processors.”
  • “There is an over reliance on using public task as the lawful basis for sharing which is not always appropriate and supported by identified legislation.”
  • “the DfE are not fulfilling the first principle of the GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.”
  • The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR.”
  • “There is no formal proactive oversight of any function of information governance, including data protection, records management, risk management, data sharing and information security within the DfE which along with a lack of formal documentation means the DfE cannot demonstrate accountability to the GDPR.”