Information governance FAQs

On this page you will find a series of short videos and information addressing some of the common questions health and care professionals have about information governance.

In these latest videos, Andrew Hughes, Director of Health and Wellbeing System Improvement at the Local Government Association, answers some of the key questions on managing and sharing information in social care.

Has the pandemic impacted on how information is shared in social care?

Andrew explains how the COVID-19 pandemic has affected how information is shared in social care

Why is there a barrier sharing information between health and care?

Andrew talks about the barriers sharing information between health and care

In terms of managing information, what change would make the biggest difference for social care?

Andrew discusses the importance of sharing information between health and care

In a series of short videos, Dawn Monaghan, Head of Information Governance Policy at NHSX, addresses some of the common questions people have about information governance.

Why is it important to be transparent?

Dawn explains why it is important for organisations to be transparent about how they use data.

What should I consider when sharing data?

Dawn talks about what health and care workers should consider when sharing data.

Why is information governance important?

Dawn talks about why information governance is important.

Is data used differently because of COVID-19?

Dawn talks about the use of data during the COVID-19 pandemic.

What is NHSX doing to simplify information governance?

Dawn talks about what NHSX is doing to simplify information governance.

General FAQs 

Does the national data opt-out impact Summary Care Records?

No. The national data-opt out only applies to a person’s confidential patient information and its use for purposes other than individual care, such as planning and research.

The purpose of the Summary Care Record (SCR) is to provide basic health and care information to a health and care professional. It is used when the individual’s local detailed health and care record is not available. For example, to provide emergency treatment while a person is on holiday in another part of the country. As the SCR is needed to support the provision of individual care, the national data opt-out doesn't apply. A different opt-out process is available to those who do not want to have an SCR.

Is there an opt-out of Shared Care Records?

No. Local areas providing Shared Care Records (ShCR) do not need to offer an opt-out for information that is being used and shared for individual care. However, the UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.

If an individual does not want their information shared through a ShCR for their individual care, they may raise an objection in accordance with their rights under UK GDPR. Each ShCR group should agree its own arrangements for managing objections and to communicate it to patients and service users.

The organisations holding their data have a duty to consider the objection. They should only override that objection if there is a compelling reason to do so. The impact of the objection should be discussed with the person and alternatives sought where possible.

Does the national data opt-out impact on Shared Care Records?

No. The national data opt-out does not impact on Shared Care Records when information is shared for individual care. However, if a local area decides to use confidential patient information for purposes beyond individual care, then the national data opt-out should be applied. Examples could include research, service design and planning.

What is the impact of the European Commission draft data adequacy decision?

The European Commission has published its draft data adequacy decisions. These recognise the UK’s high data protection standards and set out that the UK should be found ‘adequate’. The EU has declared a commitment to complete the technical approval process swiftly, so that we have final data adequacy decisions as soon as possible. This is welcome news because it paves the way for the continued free flow of personal data between the UK and EU. You can find further information, including the government's response and links to the decision, on GOV.UK.

What impact does EU exit currently have on data flows?

As part of the recently signed EU to UK Trade and Cooperation Agreement, a time limited 'bridging mechanism' has been agreed. This will allow personal data to continue to flow from the EEA, whilst EU adequacy decisions for the UK are discussed and hopefully adopted for no more than 6 months. 

As a sensible precaution during the bridging mechanism, organisations should consider putting in place alternative transfer mechanisms. This will safeguard against any interruption to the free flow of EU to UK personal data.

Is it still safe to use off-the-shelf messaging apps? I have heard that some changes to terms and conditions of service may mean that messages can be accessed, and information shared with other companies.

While we would advise against the use of off-the-shelf applications for the routine sharing of confidential patient information, it remains appropriate to use them when there is no practical alternative and the benefits outweigh the risks. For example, in emergency situations where an app on your phone is the only way of sharing patient data and a person might suffer serious harm if you fail to share information.

The important thing, as always, is to consider what type of information is being shared and with whom, and as much as possible limit the use of personal or confidential patient information. 

If your organisation is going to process personal or confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), for example using WhatsApp, then a short high level DPIA should be carried out. The DPIA should set out:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • the mitigating actions that can be put in place
  • a plan or confirmation that mitigation has been put in place

With regards to recent reports about the changes to terms and conditions of certain apps, users have been assured that the content of messages will remain encrypted from end to end. This means that messages can only be viewed by the sender and the recipient. Changes to terms and conditions might result in the sharing of personal information about the users of its service with other companies, for example, profile information, device data and other metadata. However, the app suppliers have given assurances that the data sharing practices remain compliant with UK data protection legislation.

For further information see our guidance on mobile messaging.

Is it okay to use digital solutions which allow patients to control who has access to their GP record?

Yes. Relevant information can be shared for individual care on the basis of implied consent. Some digital solutions allow patients to be involved in these decisions, for example, they are sent a text message asking them if they are happy to share information from their GP record with someone else caring for them for a time limited period. There should be no barrier to using this type of solution from an IG perspective, however, the GP practice, as data controller, should check they are happy with what is proposed. If the GP practice is happy then, relevant information should be available to other health and care professionals who wish to use the solution.

Is the NHS number an identifier or not?

It depends on the context and situation it is used.

All patients have an NHS number which is unique to them. This is usually allocated when you register with a GP.

The number by itself does not identify the person it relates to as it is just a number, for example: 012 345 6789. However, if a person has access to the systems that can reveal the identity of the individual who the NHS number is assigned to, then it should be considered an identifier.

For example, the Personal Demographics Service (PDS) - the national electronic database of NHS patient details includes NHS numbers as well as names and addresses. It is used by many staff across the NHS to provide care and can be used to check the NHS number. Where access to PDS or a similar system is possible, the NHS number should be considered as an identifier. 

Very careful consideration therefore needs to be applied when using the NHS number as a way of pseudonymisation because to one recipient of the number, it may be classed as anonymous (as they do not have the means to identify the person from it), but a different recipient may have access to systems which they can use to find out who the number belongs to.

What is the Centre for Improving Data Collaboration (CIDC) and will it be producing IG guidance and advice?

The CIDC is a new business unit within NHSX that has been created to support the health and care sector to enter into data sharing partnerships that benefit the NHS, patients, and the public. You can find out more about the CIDC or read this blog post by Matthew Gould.

The Health and Care Information Governance Panel is responsible for producing IG guidance and advice. NHSX’s IG team however, will work closely with the CIDC to provide support where any IG issues arise to ensure a consistent approach.

COVID-19 FAQs: health and care organisations

Can I work from home for example if I have to self-isolate?

To help underpin staff working from home, your organisation should have an agreed policy for you to refer to which covers this. If your organisation considers it is suitable for you to work at home, then this should be possible if you: 

  • use the IT equipment issued by your organisation wherever possible as this should have the appropriate security protection
  • use a secure network connection, for example home Wi-Fi that requires a password so information is not sent or received over a public Wi-Fi network
  • ensure any applications or software solutions you use have appropriate security, such as using strong passwords
  • ensure the security of any physical documents you take home, particularly those that contain personal or confidential patient information
  • lock print outs and devices away at the end of the working day if possible, to avoid loss or theft of personal or confidential patient information

If you are using your own device, you should contact your IT department and see if they can install programs on your own equipment or send you links to software to download to secure your own equipment. If that’s not possible you should keep your software up to date to make it more difficult for an attacker. You should also avoid mixing your organisation’s information with your own personal information to avoid accidentally keeping hold of information for longer than is necessary.

The Information Commissioner's Office (ICO) has published its own guidance on home working. See the question below regarding the additional precautions you should take when accessing or using confidential patient information (CPI) when working from home. 

Can I access or use confidential patient information (CPI) when working from home?

When accessing and using CPI at home you should protect it in the same way you would normally. You should follow the recommendations set out in the question above on homeworking and take the following additional precautions when accessing or using CPI:

  • If you need to share CPI with others then choose NHS Mail, a secure messaging app or online document sharing system.
  • If you do not have access to these and need to use an alternative email account, which may not be secure, consider password protecting documents and sharing the passwords via a different channel, like text.
  • Consider who else is in the household, and if they can access CPI accidentally or inappropriately, such as looking over your shoulder.
  • CPI should be used for the minimum time necessary for your purpose, and in a way that minimises disclosure.
  • Once the reason for accessing CPI at home has passed, then any CPI that is stored must either be returned to the organisation as soon as possible, or if it is duplicated then your copies must be destroyed.
What about if I’m overseas and I cannot return, can I still work?

This will depend on your role and your organisation agreeing it is appropriate. The requirements are the same as working from home (see above). However, in addition you should discuss it with your Data Protection Officer (DPO). 

Can I share information with a health and care professional based at another health and care organisation if they are supporting the individual care of a patient or service user?

Information should be shared to support individual care. For example, a radiologist in Birmingham could view and report on an image of a patient from Kettering because Kettering temporarily has a reduced number of radiologists. You should ensure that your DPO is aware so that they can update your organisation’s privacy notice as appropriate.

Can I use video conferencing and other tools with patients who are critically ill to communicate with their family members?

Where a patient is critically ill due to COVID-19 you can use mobile devices in order to facilitate communication between patients and their families. NHSX encourages the use of video conferencing between health and care professionals and patients to support individual care and to reduce the spread of COVID-19. This can be extended to facilitating conversations between health and care professionals and the family of critically ill patients.

Can we carry out group sessions with patients and service users using video conferencing tools?

Using video conferencing tools may mean you can continue to provide group sessions for patients and service users safely during the COVID-19 period. For example antenatal classes or physiotherapy sessions.

You should ensure patients and service users understand that they are joining a group session and any information they share during the session will be seen or heard by others in the group. You should also consider setting out some terms of use for patients or service users. For example, do not take screenshots or record the session. The consent of the patient or service user, under common law, is then implied by them accepting the invite and entering the consultation. There should be no compulsion to sign up or use the service, but services need to make sure they have provided as much information as possible so patients and service users can make an informed choice.

You should use a video conferencing tool that has been approved by your organisation and follow any advice set out in your organisation's policy on video conferencing with patients and service users.

COVID-19 FAQs: IG professionals

We are concerned that we may not be able to respond to Subject Access Requests (SARs) and Freedom of Information Act (FOIA) requests within the set time limits. What should we do?

Statutory timescales under which information access requests (such as SARs and FOIAs) must be responded to remain unchanged. However, during the current COVID-19 situation the ICO recognises that organisations may not be able to respond within these timeframes and have stated that they will take a pragmatic approach to issues raised with them. See the ICOs data protection and coronavirus information hub. Whilst accepting it may be difficult to comply with requests within the timeframe, you cannot refuse to accept a request or take an organisational decision to stop all new requests for information. You must try to deal with it as quickly as possible, even if this takes you over the timeframe allowed.

We recommend that when you receive an FOIA or SAR you inform the individual that there may be a delay in providing them with the information they have asked for due to the COVID-19 situation. As requests are processed updates should be provided where there are any delays. You should also inform them that they have the right to complain to the Information Commissioner if they consider their information rights not to have been met. You can include this information in a supplementary privacy notice which covers the COVID-19 period. NHSX has published an example supplementary privacy notice.

Can we contact staff on their personal phones where they don’t have a work phone?

If a member of staff provides their personal mobile phone number or home phone number and agrees you can use it to contact them for work purposes, you can do so. This may already be set out in your business continuity plan. It may be possible for staff to divert their work phone to their home phone or mobile which would remove the need for sharing personal numbers.

Where we are linking data for integrated care, can this data be used for secondary uses to support the COVID-19 response?

This would be covered by the Control of Patient Information (COPI) notices provided that the organisations which are processing the data are in scope of the notice. The GDPR principles would apply. For example only the minimum amount of data should be processed, and the data should only be used for the COVID-19 response. The COPI notice will only provide legal cover during the COVID-19 period. After this time, the processing will need to stop, or another legal basis will be required e.g. explicit consent or section 251 support. 

Is there more than one shielded patient list?

NHS Digital has developed the NHS Shielded Patient List (SPL) of patients in England with pre-existing medical conditions which doctors have identified will make those patients clinically extremely vulnerable to COVID-19 and who it is recommended take shielding measures. The SPL (formerly known as the vulnerable patient list) means that the NHS and other organisations, including local authorities and the Cabinet Office who run the government’s clinically extremely vulnerable person service, can identify and contact those patients who need specific advice about their circumstances and offer them help and support. NHS Digital have published further information about the Shielded Patient List including a SPL transparency notice.

NHS Digital has shared confidential patient information from the Shielded Patient List with clinical commissioning groups (CCGs) to support them in their local response to the COVID-19 situation. The SPL is one list that is shared for different purposes. A copy of the list was shared with the government’s clinically extremely vulnerable person service. This information is used to identify individuals who are entitled to support and to proactively contact them. Once contact has been made, information necessary to administer the government’s service is collected. This is separate from the NHS Shielded Patient List.

How do I connect with other IG professionals?

There are regional information governance networks across England, which provide a network of local and regional groups that are part of the National Health and Social Care Strategic Information Governance Network (National SIGN). Many of these have been in existence for many years. They are attended by professionals in the field of information governance and are designed to help and support other professionals in the field with best practice and sharing of resources. Issues identified locally are frequently escalated to the National SIGN, so the SIGN Network can support centralised organisations with feedback, helping to influence the structure of their advice and guidance.

Get in touch with your nearest group for support and advice: 

Ambulance - Chair: Chris Kerr Chris.Kerr@wmas.nhs.uk

Cheshire and Merseyside - Chair: Cora Suckley Cora.Suckley@wales.nhs.uk

East of England - Chair: Barry Moult Barry.Moult1@nhs.net

East Midlands - Chair: Anne Woodhouse Anne.Woodhouse1@nhs.net

Greater Manchester - Chair: Jenny Spiers Jenny.Spiers@nhs.net

Kent and Medway Chair: Jamie Sheldrake Jamie.Sheldrake@nhs.net

Lancashire and Cumbria Chair: Yvonne Salkeld Yvonne.Salkeld@ncic.nhs.uk

Local Authorities - Lead Rep: Ranisha Dhamu Ranisha.Dhamu@brent.gov.uk

North Central London - Chair: Joseff Eynon-Freeman Joseff.Eynon-Freeman@nhs.net

North East - Chair: Lisa Nattrass L.Nattrass@nhs.net

North East London - Chair: Bill Jenks Bill.Jenks@nhs.net

North West London - Chair: Caroline Law Caroline.Law3@nhs.net

South Central - Chair: Heidi Doubtfire-Lynn Heidi.Doubtfire@nhs.net

South East London - Chair, David Bennett D.Bennett@nhs.net

South West - Chair: Penny Taylor Penny.Taylor1@nhs.net

South West London - Chair: Alan Ball Alan.Ball@nhs.net

Surrey - Chair: Louis Lau Louis.Lau@sabp.nhs.uk

Sussex - Chair: Andrew Harvey Andrew.Harvey7@nhs.net

Thames Valley - Contact: Nuala Buchan Brodie Nuala.Buchan-Brodie@ouh.nhs.uk

West Midland - Chair: Raz Edwards Raz.Edwards@nhs.net

West of England - Chair: Adam Horton-Tuckett Adam.Tuckett@nhs.net

Yorkshire and Humber - Chair: Sue Meakin Susan.Meakin6@nhs.net

COPI Notice: FAQs

Why are you doing this?

The health and care system is facing an unprecedented challenge and we want to ensure that healthcare organisations, arms length bodies and local authorities are able to process and share the data they need to respond to COVID-19 for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks.

As part of a wider package of measures, including guidance and directions, the Secretary of State has issued a range of notices which require that data is shared for purposes of COVID-19. They will help give healthcare organisations and local authorities the confidence to share the data needed to respond to COVID-19.

What are COPI notices?

The Health Service (Control of Patient Information) Regulations 2002 allow the processing of Confidential Patient Information (CPI) for specific purposes. Regulation 3 provides for the processing of CPI in relation to communicable diseases and other threats to public health and in particular allows the Secretary of State to require organisations to process CPI for purposes related to communicable diseases.

The Secretary of State has issued four of these notices requiring NHS Digital, NHS England & Improvement, all healthcare organisations, arms length bodies, local authorities and GPs (including a specific requirement related to the UK Biobank project) to process CPI for the purposes related to communicable diseases.

What does processing mean?

Under COPI Regulations 2002, processing means:

  • the use, dissemination and obtaining of information
  • the recording and holding of information
  • the retrieval, alignment and combination of information
  • the organisation, adaption or alteration of information
  • the blocking, erasure and destruction of information
What purposes are covered?

The COPI notices cover a range of purposes related to diagnosing, managing, and controlling the spread of communicable diseases. For COVID-19 purposes this could include but is not limited to:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
  • identifying and understanding information about patients or potential patients with or at risk of COVID-19
  • delivering services to patients, clinicians, the health services
  • research and planning in relation to COVID-19
What type of data is covered?

The notice covers confidential patient information so any data regardless of its identifiability, which is being used for the purposes set out above is covered. It will all be treated in line with the principles of GDPR: fairly, lawfully and securely.

How long will the notices be in place?

COPI notices have now been extended until the end of September 2021 to help give healthcare organisations and local authorities the confidence to share the data needed to respond to COVID-19. The notices will be reviewed on or before 30 September 2021 or may be extended further. If no further notices are issued, the notices will expire on 30 September 2021.

What if I’m unsure about sharing data?

If you are unsure about the appropriate action to take, please contact datapolicyhub@nhsx.nhs.uk.

What about GDPR?

Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries. The General Data Protection Regulations (GDPR) allow health and care data to be used as long as one or more of the conditions under Article 6 and Article 9 are met. There are conditions under both articles which can be relied on for the sharing of health and care data. This includes the care and treatment of patients, and public health. We would expect any organisation to disseminate information within legal requirements set out under GDPR.

What if I have opted-out of my data being used (national data opt-out)?

The national data opt-out does not apply to disclosure of confidential patient information if it is being used to protect public health, for example to:

  • diagnose communicable diseases
  • control or prevent their spread
  • deliver and monitor vaccination programmes
  • manage risks of infection from food or water supplies or the environment

Read a full explanation of the lawful basis of such disclosures in para 6.2 (Communicable diseases and risks to public health) in the operational policy guidance document.