This guidance has been reviewed by the Health and Care Information Governance Panel, including the ICO and NDG.

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at datapolicyhub@nhsx.nhs.uk.

COVID-19 IG advice


The health and social care system is going to face significant pressures due to the COVID-19 outbreak. In the current circumstances it could be more harmful not to share health and care information than to share it. The Information Commissioner has assured NHSX that she cannot envisage a situation where she would take action against a health and care professional clearly trying to deliver care. You can read the statement from the Information Commissioner's Office alongside their information hub. Health regulators have also published a joint statement.

Information is critical to support health and social care services, protect public health, research, monitor, track and manage the outbreak and incidence of exposure. A new notice has been issued using existing regulations which ensures that when you use confidential patient information for purposes relating to COVID-19, you can be confident that you are doing so lawfully.

We will need to work in different ways from usual and the focus should be what information you share and who you share it with, rather than how you share it. The following advice sets out some of the tools that you can use to support individual care, share information and communicate with colleagues during this time. This includes communications tools where data is stored outside of the UK.

This advice is endorsed by the Information Commissioner’s Office, the National Data Guardian and NHS Digital.  

Guidance for patients and service users

As a patient or service user, you will be aware that information needs to be shared between staff who are responsible for your care. This guidance advises staff on the communications tools that can be used to support your care and to communicate with each other, whilst ensuring that staff are mindful of handling people's information safely and securely.

Guidance for healthcare workers

Mobile messaging

It is absolutely fine to use mobile messaging to communicate with colleagues and patients/service users as needed. It is also fine to use commercial, off-the-shelf applications such as WhatsApp and Telegram where there is no practical alternative and the benefits outweigh the risk.

The important thing, as always, is to consider what type of information you are sharing and with whom, and as much as possible limit the use of personal/confidential patient information.

Video conferencing

We encourage the use of video conferencing to carry out consultations with patients and service users. This could help to reduce the spread of COVID-19. It is fine to use video conferencing tools such as Skype, WhatsApp and FaceTime, as well as commercial products designed specifically for this purpose.

The consent of the patient or service user is implied by them accepting the invite and entering the consultation. But you should safeguard personal/confidential patient information in the same way you would with any other consultation.

Home working

You may well need to work from home - for example, when self-isolating without symptoms.

If you are working from home and using your own equipment you should check that your internet access is secure (e.g. use a Virtual Private Network and/or if possible avoid public wi-fi) and that any security features are in use.

If you are taking any physical documents home with you that contain personal/confidential patient information, you should also ensure the security of these documents at your home and when travelling.

Using your own device

You can use your own devices to support video conferencing for consultations, mobile messaging and home working where there is no practical alternative.

Reasonable steps to ensure this is safe include: setting a strong password; using secure channels to communicate e.g. tools/apps that use encryption; and not storing personal/confidential patient information on the device unless absolutely necessary and appropriate security is in place.

Information should be safely transferred to the appropriate health and care record as soon as it is practical to do so.

Communication between health and social care colleagues

It is essential that during the COVID-19 outbreak health and social care professionals are able to talk to each other. You will need to share appropriate information about the people in your care including with social care, where possible using secure mail, NHSmail and MS Teams. Where these tools aren’t available you should use this guidance to suggest ways that you can speak to your colleagues. Read our guidance on video conferencing tools.

Further information

If your data protection officer or Caldicott Guardian is unsure of appropriate action to take, you can direct IG questions to the NHSX IG team.

Also see our information governance FAQs.

Guidance for IG professionals

Legal considerations

The legal framework has flexibility when it comes to the processing of information. Information relating to the COVID-19 outbreak should be shared as needed to support individual care and to help tackle the disease through research and planning during the COVID-19 situation. The focus should be to ensure the risk of damage, harm or distress being caused to individual patients and service users is kept to a minimum and that data is only processed where it is necessary to do so and in an appropriate manner.

Confidential patient information/common law duty of confidentiality

The Secretary of State for Health and Social Care has directed NHS Digital to collect and analyse data from providers and other organisations involved in managing the COVID-19 response and then disseminate information to other bodies for the purpose of planning and managing the response. NHS England and NHS Improvement have been given legal notice to support the processing and sharing of information to help the COVID-19 response under the Health Service (Control of Patient Information) Regulations 2002.

Individual healthcare organisations, arm's length bodies (except NHS Digital and NHS England and NHS Improvement, which have been separately notified) and local authorities have now also been given legal notice under the same regulations to support the processing and sharing of information to help the COVID-19 response.

This is to ensure that confidential patient information can be used and shared appropriately and lawfully for purposes related to the COVID-19 response.

COPI notices have now been extended until the end of September 2021 to help give healthcare organisations and local authorities the confidence to share the data needed to respond to COVID-19.

Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries.

UK General Data Protection Regulation (UK GDPR)

The UK GDPR allows information to be shared for individual care, planning and research. Where health and care information (which would be classed as special category data) is shared for either individual care or to help tackle the disease through research and planning then the relevant Article 6 conditions (official authority, compliance with a legal obligation, public interest and on occasion vital interests) and Article 9 conditions (substantial public interest, the delivery of health and care, vital interests or for public health purposes and scientific research) should be relied on as applicable to the situation.

The principles (Article 5 of UK GDPR) should continue to be followed. They form a framework of good information management with the key criteria enabling justification of actions taken. If you are not certain of an issue, such as a relevant retention time, then the law is flexible enough to allow you to revisit the issue once the answer becomes clearer.

If your organisation is going to process personal/confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), e.g. using video conferencing for consultations, then a short, high-level DPIA should be carried out. The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place; and a plan or confirmation that mitigation has been put in place. DPIAs are scalable, and in some instances this might not take more than a couple of pages. The ICO has produced guidance on carrying out DPIAs and a template that you can refer to. You should also update your privacy notice where data is being processed in new ways.