Ask the IG Professional: FAQs

Why is Information Governance important?

Is data used differently because of COVID-19?

What is NHSx doing to simplify Information Governance?

COVID-19 FAQs: Health and Care Organisations

Can I work from home for example if I have to self-isolate?

To help underpin staff working from home, your organisation should have an agreed policy for you to refer to which covers this. If your organisation considers it is suitable for you to work at home, then this should be possible if you: 

  • Use the IT equipment issued by your organisation wherever possible as this should have the appropriate security protection.  
  • Use a secure network connection, e.g. home wifi that requires a password so information is not sent or received over a public wifi network.  
  • Ensure any applications or software solutions you use have appropriate security (such as using strong passwords).
  • Ensure the security of any physical documents you take home, particularly those that contain personal/confidential patient information.
  • Lock print outs and devices away at the end of the working day if possible, to avoid loss or theft of personal/confidential patient information.

If you are using your own device, you should contact your IT department and see if they can install programs on your own equipment or send you links to software to download to secure your own equipment. If that’s not possible you should keep your software up to date to make it more difficult for an attacker. You should also avoid mixing your organisation’s information with your own personal information to avoid accidentally keeping hold of information for longer than is necessary.  

The Information Commissioner's Office (ICO) has published its own guidance on home working here. See question below regarding the additional precautions you should take when accessing and /or using confidential patient information (CPI) when working from home. 

Can I access and/or use confidential patient information (CPI) when working from home?

When accessing and using CPI at home you should protect it in the same way you would normally. You should follow the recommendations set out in the question above on homeworking and take the following additional precautions when accessing and /or using CPI: 

  • If you need to share CPI with others then choose NHS Mail, a secure messaging app or online document sharing system
  • If you don’t have access to these and need to use an alternative email account, which may not be secure, consider password protecting documents and sharing the passwords via a different channel, like text
  • Consider who else is in the household, and if they can access CPI accidently or inappropriately (such as looking over your shoulder)
  • CPI should be used for the minimum time necessary for your purpose, and in a way that minimises disclosure
  • Once the reason for accessing CPI at home has passed, then any CPI that is stored must either be returned to the organisation as soon as possible, or if it is duplicated then your copies must be destroyed
What about if I’m overseas and I cannot return, can I still work?

This will depend on your role and your organisation agreeing it is appropriate.  The requirements are the same as working from home (see above) however, in addition you should discuss it with your Data Protection Officer (DPO). 

Can I share information with a health & care professional based at another health and care organisation if they are supporting the individual care of a patient/service user?

Information should be shared to support individual care.  For example, a Radiologist in Birmingham could view and report on an image of a patient from Kettering, because Kettering temporarily has a reduced number of Radiologists. You should ensure that your DPO is aware so that they can update your organisation’s privacy notice as appropriate.  

Can I use video conferencing and other tools with patients who are critically ill to communicate with their family members?

 Where a patient is critically ill due to COVID-19 you can use mobile devices in order to facilitate communication between patients and their families.  NHSX encourages the use of video conferencing between health and care professionals and patients to support individual care and to reduce the spread of COVID-19. This can be extended to facilitating conversations between health and care professionals and the family of critically ill patients. See full guidance here.

Can we carry out group sessions with patients and service users using video conferencing tools?

Using video conferencing tools may mean you can continue to provide group sessions for patients and service users safely during the COVID-19 period. For example antenatal classes or physiotherapy sessions.

You should ensure patients and service users understand that they are joining a group session and any information they share during the session will be seen or heard by others in the group. You should also consider setting out some terms of use for patients/service users, e.g. do not take screenshots or record the session. The consent of the patient or service user, under common law, is then implied by them accepting the invite and entering the consultation. There should be no compulsion to sign up or use the service, but services need to make sure they have provided as much information as possible so patients and service users can make an informed choice.

You should use a video conferencing tool that has been approved by your organisation and follow any advice set out in your organisation's policy on video conferencing with patients and service users.

COVID-19 FAQs: IG Professionals

We are concerned that we may not be able to respond to Subject Access Requests (SARs) and Freedom of Information Act (FOIA) requests within the set time limits. What should we do?

Statutory timescales under which information access requests (such as SARs and FOIAs) must be responded to remain unchanged. However, during the current COVID-19 situation the ICO recognises that organisations may not be able to respond within these timeframes and have stated that they will take a pragmatic approach to issues raised with them. The ICO statement can be found here. Whilst accepting it may be difficult to comply with requests within the timeframe, you cannot refuse to accept a request or take an organisational decision to stop all new requests for information. You must try to deal with it as quickly as possible, even if this takes you over the timeframe allowed.

We recommend that when you receive an FOIA or SAR you inform the individual that there may be a delay in providing them with the information they have asked for due to the COVID-19 situation. As requests are processed updates should be provided where there are any delays. You should also inform them that they have the right to complain to the Information Commissioner if they consider their information rights not to have been met.  You can include this information in a supplementary privacy notice which covers the COVID-19 period. NHSX has published an example supplementary privacy notice example here

Can we contact staff on their personal phones where they don’t have a work phone?

If a member of staff provides their personal mobile phone number or home phone number and agrees you can use it to contact them for work purposes, you can do so. This may already be set out in your Business Continuity Plan.  It may be possible for staff to divert their work phone to their home phone/mobile which would remove the need for sharing personal numbers.

Where we are linking data for integrated care, can this data be used for secondary uses to support the COVID-19 response?

This would be covered by the Control of Patient Information (COPI) notices provided that the organisations which are processing the data are in scope of the notice. The GDPR principles would apply for example only the minimum amount of data should be processed, and the data should only be used for the COVID-19 response. The COPI notice will only provide legal cover during the COVID-19 period.  After this time, the processing will need to stop, or another legal basis will be required e.g. explicit consent or section 251 support. 

Can staff use WhatsApp for communicating with colleagues and patients?

It is fine to use applications such as WhatsApp where there is no practical alternative and the benefits outweigh the risk. The important thing, as always, is to consider what type of information is being shared and with whom. And as much as possible limit the use of personal/confidential patient information.  In relation to WhatsApp, it is now a secure service with end-to-end encryption, and the encryption keys are stored solely on the client device. The encryption also covers off the offshore processing, as the data is encrypted and thus not identifiable other than by the sender /recipient.

If your organisation is going to process personal/confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), e.g. using WhatsApp, then a short high level DPIA should be carried out. The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place and a plan or confirmation that mitigation has been put in place. 

For further information see our guidance on mobile messaging

Is there more than one shielded patient list?

NHS Digital has developed the NHS Shielded Patient List (SPL) of patients in England with pre-existing medical conditions which doctors have identified will make those patients clinically extremely vulnerable to COVID-19 and who it is recommended take shielding measures. The SPL (formerly known as the vulnerable patient list) means that the NHS and other organisations, including local authorities and the Cabinet Office who run the government’s clinically extremely vulnerable person service can identify and contact those patients who need specific advice about their circumstances and offer them help and support. NHS Digital have published further information about the Shielded Patient List including a SPL transparency notice.  

NHS Digital has shared confidential patient information from the Shielded Patient List with Clinical Commissioning Groups (CCGs) to support them in their local response to the COVID-19 situation. You can read more about this here. The SPL is one list that is shared for different purposes; a copy of the list was shared with the government’s clinically extremely vulnerable person service. This information is used to identify individuals who are entitled to support and to proactively contact them. Once contact has been made, information necessary to administer the government’s service is collected. This is separate from the NHS Shielded Patient List. 

COPI Notice: FAQs

Why are you doing this?

The health and care system is facing an unprecedented challenge and we want to ensure that healthcare organisations, Arms Length Bodies and local authorities are able to process and share the data they need to respond to COVID-19 for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks.

As part of a wider package of measures, including guidance and directions, the Secretary of State has issued a range of Notices which require that data is shared for purposes of COVID-19. They will help give healthcare organisations and local authorities the confidence to share the data needed to respond to COVID-19.

What are COPI notices?

The Health Service (Control of Patient Information) Regulations 2002 allow the processing of Confidential Patient Information (CPI) for specific purposes. Regulation 3 provides for the processing of CPI in relation to communicable diseases and other threats to public health and in particular allows the Secretary of State to require organisations to process CPI for purposes related to communicable diseases.

The Secretary of State has issued four of these notices requiring NHS Digital, NHS England & Improvement, all healthcare organisations, Arms Length Bodies, Local Authorities and GPs (including a specific requirement related to the UK Biobank project) to process CPI for the purposes related to communicable diseases.

What does processing mean?

Under COPI Regulations 2002, processing means:

  • the use, dissemination and obtaining of information
  • the recording and holding of information
  • the retrieval, alignment and combination of information
  • the organisation, adaption or alteration of information
  • the blocking, erasure and destruction of information
What purposes are covered?

The COPI notices cover a range of purposes related to diagnosing, managing, and controlling the spread of communicable diseases. For COVID-19 purposes this could include but is not limited to:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
  • identifying and understanding information about patients or potential patients with or at risk of COVID-19
  • delivering services to patients, clinicians, the health services
  • research and planning in relation to COVID-19
What type of data is covered?

The notice covers confidential patient information so any data regardless of its identifiability, which is being used for the purposes set out above is covered. It will all be treated in line with the principles of GDPR i.e. fairly, lawfully and securely.

How long will the notices be in place?

COPI notices have now been extended until the end of March 2021 to help give healthcare organisations and Local Authorities the confidence to share the data needed to respond to COVID-19. The notices will be reviewed on or before 31 March 2021 or may be extended. If no further notices are issued, the notices will expire on 31 March 2021.

What if I’m unsure about sharing data?

If you are unsure about the appropriate action to take, please contact

What about GDPR?

Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries. The General Data Protection Regulations (GDPR) allow health and care data to be used as long as one or more of the conditions under Article 6 and Article 9 are met. There are conditions under both Articles which can be relied on for the sharing of health and care data – including ‘the care and treatment of patients’ and ‘public health’. We would expect any organisation to disseminate information within legal requirements set out under GDPR.

What if I have opted-out of my data being used (National Data Opt-Out)?

The national data opt-out does not apply to disclosure of confidential patient information if it is being used to protect public health, for example to:

  • diagnose communicable diseases
  • control or prevent their spread
  • deliver and monitor vaccination programmes
  • manage risks of infection from food or water supplies or the environment

Read a full explanation of the lawful basis of such disclosures in para 6.2 (Communicable diseases and risks to public health) in the operational policy guidance document.