COVID-19 Information governance advice for IG professionals
The legal framework has flexibility when it comes to the processing of information. Information relating to the COVID-19 outbreak should be shared as needed to support individual care and to help tackle the disease through research and planning during the COVID-19 situation. The focus should be to ensure the risk of damage, harm or distress being caused to individual patients and service users is kept to a minimum and that data is only processed where it is necessary to do so and in an appropriate manner.
Confidential patient information and common law duty of confidentiality
The Secretary of State for Health and Social Care has directed NHS Digital to collect and analyse data from providers and other organisations involved in managing the COVID-19 response and then disseminate information to other bodies for the purpose of planning and managing the response. NHS England and NHS Improvement have been given legal notice to support the processing and sharing of information to help the COVID-19 response under Health Service Control of Patient Information Regulations 2002.
Individual healthcare organisations, arms length bodies (except NHS Digital and NHS England and NHS Improvement which have been separately notified) and local authorities have now also been given legal notice under the same regulations to support the processing and sharing of information to help the COVID-19 response.
This is to ensure that confidential patient information can be used and shared appropriately and lawfully for purposes related to the COVID-19 response.
COPI notices have now been extended until the end of September 2021 to help give healthcare organisations and local authorities the confidence to share the data needed to respond to COVID-19.
Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries.
General Data Protection Regulation (GDPR)
The GDPR allows information to be shared for individual care, planning and research. Where health and care information (which would be classed as special category data) is shared for either individual care or to help tackle the disease through research and planning then the relevant Article 6 conditions (official authority, compliance with a legal obligation, public interest and on occasion vital interests) and Article 9 conditions (substantial public interest, the delivery of health and care, vital interests or for public health purposes and scientific research) should be relied on as applicable to the situation.
The principles (Article 5 of GDPR) should continue to be followed. They form a framework of good information management with the key criteria enabling justification of actions taken. If you are not certain of an issue, such as a relevant retention time, then the law is flexible enough to allow you to revisit the issue once the answer becomes clearer.
If your organisation is going to process personal or confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), such as using videoconferencing for consultations, then a short high level DPIA should be carried out. The DPIA should set out:
- the activity being proposed
- the data protection risks
- whether the proposed activity is necessary and proportionate
- the mitigating actions that can be put in place
- a plan or confirmation that mitigation has been put in place
DPIAs are scalable, and in some instances this might not take more than a couple of pages. The ICO has produced guidance on carrying out DPIAs and a template that you can refer to. You should also update your privacy notice where data is being processed in new ways.
You can direct further Information Governance questions to the NHSX IG team.