FAQs for information governance professionals

Last updated 5 May 2020

We are concerned that we may not be able to respond to Subject Access Requests (SARs) and Freedom of Information Act (FOIA) requests within the set time limits. What should we do?

The statutory timescales for responding to information access requests (such as SARs and FOIA requests) remain unchanged. However, during the current COVID-19 situation the ICO recognises that organisations may not be able to respond within these timeframes and has stated that it will take a pragmatic approach to issues raised with it. The ICO statement can be found here. Whilst accepting it may be difficult to comply with requests within the timeframe, you cannot refuse to accept a request or take an organisational decision to stop all new requests for information. You must try to deal with each request as quickly as possible, even if this takes you over the timeframe allowed.

We recommend that when you receive an FOIA request or SAR you inform the individual that there may be a delay in providing them with the information they have asked for due to the COVID-19 situation. As requests are processed, updates should be provided where there are any delays. You should also inform them that they have the right to complain to the Information Commissioner if they consider their information rights not to have been met. You can include this information in a supplementary privacy notice which covers the COVID-19 period. NHSX has published an example supplementary privacy notice here.

Can we contact staff on their personal phones where they don’t have a work phone? 

If a member of staff provides their personal mobile phone number or home phone number and agrees you can use it to contact them for work purposes, you can do so. This may already be set out in your Business Continuity Plan. It may be possible for staff to divert their work phone to their home phone/mobile, which would remove the need for sharing personal numbers.

Where we are linking data for integrated care, can this data be used for secondary uses to support the COVID-19 response?

This would be covered by the Control of Patient Information (COPI) notices provided that the organisations which are processing the data are in scope of the notice. The GDPR principles would apply: for example, only the minimum amount of data should be processed, and the data should only be used for the COVID-19 response. The COPI notice will only provide legal cover during the COVID-19 period. After this time, the processing will need to stop, or another legal basis will be required, e.g. explicit consent or section 251 support. To read more about the COPI notices see our COPI notices FAQs.

Can staff use WhatsApp for communicating with colleagues and patients?

It is fine to use applications such as WhatsApp where there is no practical alternative and the benefits outweigh the risk. The important thing, as always, is to consider what type of information is being shared and with whom, and to limit the use of personal/confidential patient information as much as possible. In relation to WhatsApp, it is now a secure service with end-to-end encryption, and the encryption keys are stored solely on the client device. The encryption also covers offshore processing, as the data is encrypted and thus not identifiable other than by the sender/recipient.

If your organisation is going to process personal/confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), e.g. using WhatsApp, then a short, high-level DPIA should be carried out. The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place; and a plan or confirmation that mitigation has been put in place.

Is there more than one shielded patient list?

NHS Digital has developed the NHS Shielded Patient List (SPL) of patients in England with pre-existing medical conditions which doctors have identified will make those patients clinically extremely vulnerable to COVID-19, and who are recommended to take shielding measures. The SPL (formerly known as the vulnerable patient list) means that the NHS and other organisations, including local authorities and the Cabinet Office, who run the government’s clinically extremely vulnerable person service, can identify and contact those patients who need specific advice about their circumstances and offer them help and support. NHS Digital has published further information about the Shielded Patient List, including an SPL transparency notice.

NHS Digital has shared confidential patient information from the Shielded Patient List with Clinical Commissioning Groups (CCGs) to support them in their local response to the COVID-19 situation. You can read more about this here. The SPL is one list that is shared for different purposes; a copy of the list was shared with the government’s clinically extremely vulnerable person service. This information is used to identify individuals who are entitled to support and to proactively contact them. Once contact has been made, information necessary to administer the government’s service is collected. This is separate from the NHS Shielded Patient List.