The legal requirements and justifications for collecting patient-identifiable data without patient consent were examined. The impetus for this arose from legal and ethical issues raised during the development of a population-based disease register. Numerous commentaries and case studies have been discussing the impact of the Data Protection Act 1998 (DPA1998) and Caldicott principles of good practice on the uses of personal data. But uncertainty still remains about the legal requirements for processing patient-identifiable data without patient consent for research purposes. This is largely owing to ignorance, or misunderstandings of the implications of the common law duty of confidentiality and section 60 of the Health and Social Care Act 2001. The common law duty of confidentiality states that patient-identifiable data should not be provided to third parties, regardless of compliance with the DPA1998. It is an obligation derived from case law, and is open to interpretation. Compliance with section 60 ensures that collection of patient-identifiable data without patient consent is lawful despite the duty of confidentiality. Fears regarding the duty of confidentiality have resulted in a common misconception that section 60 must be complied with. Although this is not the case, section 60 support does provide the most secure basis in law for collecting such data. Using our own experience in developing a disease register as a backdrop, this article will clarify the procedures, risks and potential costs of applying for section 60 support.