COPI notice - frequently asked questions

Why are you doing this?

The health and care system is facing an unprecedented challenge and we want to ensure that healthcare organisations, Arms Length Bodies and local authorities are able to process and share the data they need to respond to COVID-19, for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks.

As part of a wider package of measures, including guidance and directions, the Secretary of State has issued a range of Notices which require that data is shared for purposes of COVID-19. They will help give healthcare organisations and local authorities the confidence to share the data needed to respond to COVID-19.

What are COPI notices?

The Health Service (Control of Patient Information) Regulations 2002 allow the processing of Confidential Patient Information (CPI) for specific purposes. Regulation 3 provides for the processing of CPI in relation to communicable diseases and other threats to public health and in particular allows the Secretary of State to require organisations to process CPI for purposes related to communicable diseases.

The Secretary of State has issued four of these notices requiring NHS Digital, NHS England & Improvement, all healthcare organisations, Arms Length Bodies, Local Authorities and GPs (including a specific requirement related to the UK Biobank project) to process CPI for the purposes related to communicable diseases.

What does processing mean?

Under COPI Regulations 2002, processing means:

  • the use, dissemination and obtaining of information;
  • the recording and holding of information;
  • the retrieval, alignment and combination of information;
  • the organisation, adaption or alteration of information;
  • the blocking, erasure and destruction of information.

What purposes are covered?

The COPI notices cover a range of purposes related to diagnosing, managing, and controlling the spread of communicable diseases. For COVID-19 purposes this could include but is not limited to:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks;
  • identifying and understanding information about patients or potential patients with or at risk of COVID-19;
  • delivering services to patients, clinicians, the health services;
  • research and planning in relation to COVID-19.

What type of data is covered?

The notice covers confidential patient information, so any data, regardless of its identifiability, which is being used for the purposes set out above is covered. It will all be treated in line with the principles of GDPR, i.e. fairly, lawfully and securely.

How long will the notices be in place?

These Notices will be reviewed on or before 30 September 2020 and may be extended by further notice in writing. If no further notice is sent, they will expire on 30 September 2020. This means that processing of data will be stopped and information shared for the specific purpose of COVID-19 will be deleted.

What if I’m unsure about sharing data?

If you are unsure about the appropriate action to take, please contact England.IGPolicyTeam@nhs.net.

What about GDPR?

Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries. The General Data Protection Regulation (GDPR) allows health and care data to be used as long as one or more of the conditions under Article 6 and Article 9 are met. There are conditions under both Articles which can be relied on for the sharing of health and care data, including ‘the care and treatment of patients’ and ‘public health’. We would expect any organisation to disseminate information within legal requirements set out under GDPR.

What if I have opted-out of my data being used (National Data Opt-Out)?

The national data opt-out does not apply to disclosure of confidential patient information if it is being used to protect public health, for example to:

  • diagnose communicable diseases;
  • control or prevent their spread;
  • deliver and monitor vaccination programmes;
  • manage risks of infection from food or water supplies or the environment.

Read a full explanation of the lawful basis of such disclosures in section 6.2, "Communicable diseases and risks to public health", in the operational policy guidance document.