The Secretary of State has issued 4 notices under the Health Service Control of Patient Information Regulations 2002 requiring the following organisations to process information:
- NHS Digital
- NHS England and Improvement
- health organisations
- arm’s length bodies
- local authorities
There is also a specific requirement related to the UK Biobank project. These notices require that data is shared for purposes of coronavirus (COVID-19), and give health organisations and local authorities the security and confidence to share the data they need to respond to coronavirus (COVID-19).
For patients, this means that their data may be shared with organisations involved in the response to coronavirus (COVID-19), for example, enabling notification to members of the public most at risk and advising them to self-isolate.
These notices will be reviewed on or before 30 September 2020 and may be extended by further notice in writing. If no further notice is sent, they will expire on 30 September 2020.
The health and care system is facing an unprecedented challenge and we want to ensure that health organisations, arm’s length bodies and local authorities are able to process and share the data they need to respond to coronavirus (COVID-19), for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks.
Compliance with data protection standards
Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries.
The General Data Protection Regulations (GDPR) allow health data to be used as long as one or more of the conditions under articles 6 and 9 are met. There are conditions under both articles that can be relied on for the sharing of health and care data, including ‘the care and treatment of patients’ and ‘public health’.
We would expect any organisation to share information within legal requirements set out under GDPR.