COVID-19 Information Governance advice for staff working in health and care organisations

The health and social care system is going to face significant pressures due to the COVID-19 outbreak. In the current circumstances it could be more harmful not to share health and care information than to share it. The Information Commissioner has assured NHSX that she cannot envisage a situation where she would take action against a health and care professional clearly trying to deliver care. You can read the statement from the Information Commissioner's Office, alongside their Q&A resource. Health regulators have also published a joint statement.

Information is critical to support health and social care services, protect public health, research, monitor, track and manage the outbreak and incidence of exposure. A new notice has been issued using existing regulations which ensures that when you use confidential patient information for purposes relating to COVID-19, you can be confident that you are doing so lawfully.

We will need to work in different ways from usual and the focus should be what information you share and who you share it with, rather than how you share it. The following advice sets out some of the tools that you can use to support individual care, share information and communicate with colleagues during this time. This includes communications tools where data is stored outside of the UK.

This advice is endorsed by the Information Commissioner’s Office, the National Data Guardian and NHS Digital.  

Mobile messaging

It is absolutely fine to use mobile messaging to communicate with colleagues and patients/service users as needed. It is also fine to use commercial, off-the-shelf applications such as WhatsApp and Telegram where there is no practical alternative and the benefits outweigh the risk.

The important thing, as always, is to consider what type of information you are sharing and with whom. And as much as possible limit the use of personal/confidential patient information.

Video conferencing

We encourage the use of video conferencing to carry out consultations with patients and service users. This could help to reduce the spread of COVID-19. It is fine to use video conferencing tools such as Skype, WhatsApp, Facetime as well as commercial products designed specifically for this purpose.

The consent of the patient or service user is implied by them accepting the invite and entering the consultation. But you should safeguard personal/confidential patient information in the same way you would with any other consultation.

Home working

You may well need to work from home - for example, when self-isolating without symptoms.

If you are working from home and using your own equipment you should check that your internet access is secure (e.g. use a Virtual Private Network and/or if possible avoid public wi-fi) and that any security features are in use.

If you are taking any physical documents home with you that contain personal/confidential patient information, you should also ensure the security of these documents at your home and when travelling.

Using your own device

You can use your own devices to support video conferencing for consultations, mobile messaging and home working where there is no practical alternative.

Reasonable steps to ensure this is safe include: setting a strong password; using secure channels to communicate e.g. tools/apps that use encryption; and not storing personal/confidential patient information on the device unless absolutely necessary and appropriate security is in place.

Information should be safely transferred to the appropriate health and care record as soon as it is practical to do so.

Communication between health and social care colleagues

It is essential that during the COVID-19 outbreak health and social care professionals are able to talk to each other. You will need to share appropriate information about the people in your care including with social care, where possible using secure mail, NHSmail and MS Teams. Where these tools aren’t available you should use this guidance to suggest ways that you can speak to your colleagues.

Further information

If your Data Protection Officer or Caldicott Guardian is unsure of appropriate action to take, you can direct Information Governance questions to the NHSX IG team.