IG question time

Take a look at our bitesize advice, short videos and answers to common information governance queries.

Questions about amending a patient’s name on their health and care record

Why might individuals ask for a name change on their health record in order to travel overseas?

The government has advised that the first name and surname on an individual’s NHS COVID Pass must match the names on their passport for international travel, which may mean an increase in name change requests GPs have to respond to. You should explain to individuals that name change requests should only be made when absolutely necessary, and suggest a time frame which gives you sufficient opportunity to respond to the request whilst dealing with your other duties.

How should individuals request a name change?

Individuals are free to change their name on their health record at any time they choose. They must provide you with a written request which is signed and dated. You may choose to provide a specific form patients can use for requesting a change of name.

What documentation must individuals provide when requesting a name change?

It is recommended by Primary Care Support England (PCSE) that individuals provide documentation displaying their correct name, so that their GP practice can assure themselves of the identity of the requester. It is up to you to determine what information you might reasonably request to verify a person’s identity. This could be a passport, marriage certificate or deed poll.

How do you change a person’s name on their health and care record?

Whichever IT system you use, you will be able to change a person’s name directly on your system. If you are unsure how to do this, you can contact the helpdesk of your system provider who will be able to explain the process step-by-step.

When you amend the name of a patient on your clinical system, a message is sent through GP links to the database maintained by PCSE and National Health Application and Infrastructure Services (NHAIS). If there are signs of a data quality issue, PCSE will seek assurances from you about the name change. Therefore, it is best practice for you to attach a supporting note in the first instance when amending name details on the system. You should explain the reason for the change and which documentation, if any, has been provided by the patient.

Questions on protecting confidentiality and privacy on the telephone

What steps should I take to ensure people’s privacy on all telephone calls?

We encourage the use of telephone communications with patients and service users to support the delivery of care. When making or receiving telephone calls, for example, to set up an appointment, you need to follow simple safety precautions to ensure the privacy of the person you are calling. You should:

  • Double check the number before dialling.
  • Check your location: make sure that your telephone conversation cannot be overheard, and that the person you are calling cannot overhear other confidential matters in the background.
  • Verify the person’s identity: check the identity of the person you are speaking to by asking for two or three details such as their date of birth, postcode, and the first line of their address.
  • Once you have verified their identity: let the person know the service you are calling from and the purpose of the call.
  • In case the call goes to voicemail: before calling, check your organisation's local policy regarding voicemails and the person’s care record to see if they have opted into receiving voicemails. Even if the policy and care record allow you to leave a voicemail, make sure it doesn’t contain any confidential information.

How can I protect a person’s privacy when calling a landline number?

  • When your call is answered: give your full name and the name of the organisation you are calling from, without specifics about the service or purpose of the call. Ask to speak to the relevant person by their full name.
  • When the relevant person answers or comes to the phone: use the simple verification process described above to check their identity. Once you are satisfied you are speaking to the right person, tell them the service you are calling from and the purpose of the call.
  • When someone else answers the phone: give your full name and the name of the organisation you are calling from, but not the service or purpose of the call. Ask if there is a better time to speak with the person and end the call, even if the recipient applies pressure to extend it. Try calling again, at the suggested time if possible. Set a limit on the number of attempts made to call at different days and times and record them, before you consider sending a letter.

How can I protect a person’s privacy when calling a mobile number?

  • Don’t assume that mobile devices are more secure than landline telephones.
  • Verify the person’s identity using the simple verification process described above, before offering any details about the service you are calling from or purpose of the call.
  • Check if you have called at an appropriate time and consider adjusting your questioning style to maintain privacy.

What if the person I am calling asks for proof of identity?

If the person you are calling on the telephone challenges you and asks for proof of your identity: advise them to hang up, call your organisation switchboard, and ask for your extension number. You can then perform the simple identity verification checks described above. However, if you are calling from a potentially confidential or sensitive service, or have cause to be suspicious of the person’s identity, consider using an alternative form of communication.

Series of short videos

In these videos, Andrew Hughes, Director of Health and Wellbeing System Improvement at the Local Government Association, answers some of the key questions on managing and sharing information in social care.

Has the pandemic impacted on how information is shared in social care?

Andrew explains how the COVID-19 pandemic has affected how information is shared in social care

Why is there a barrier sharing information between health and care?

Andrew talks about the barriers sharing information between health and care

In terms of managing information, what change would make the biggest difference for social care?

Andrew discusses the importance of sharing information between health and care

In a series of short videos, Dawn Monaghan, Head of Information Governance Policy, addresses some of the common questions people have about information governance.

Why is it important to be transparent?

Dawn explains why it is important for organisations to be transparent about how they use data.

What should I consider when sharing data?

Dawn talks about what health and care workers should consider when sharing data.

Why is information governance important?

Dawn talks about why information governance is important.

Is data used differently because of COVID-19?

Dawn talks about the use of data during the COVID-19 pandemic.

What are we doing to simplify information governance?

Dawn talks about what we are doing to simplify information governance.

General questions

What are the IG requirements when setting up Integrated Care Boards?

‘ICS implementation guidance: due diligence, transfer of people and property from CCGs to ICBs and CCG close down’ provides a due diligence checklist for CCGs and ICBs to consider as part of transition arrangements.

There is a tab on the checklist (tab 5) which covers IG requirements. Many of the requirements in this tab align with the DSPT, however, it is important organisations complete these during the transition phase as ICBs are being established.

The FutureNHS platform also has guidance for CCGs on website changes which must be implemented by 31 July 2022, including archiving web pages and redirecting people to the new ICB website.

Does the national data opt-out impact Summary Care Records?

No. The national data opt-out only applies to a person’s confidential patient information and its use for purposes other than individual care, such as planning and research.

The purpose of the Summary Care Record (SCR) is to provide basic health and care information to a health and care professional. It is used when the individual’s local detailed health and care record is not available. For example, to provide emergency treatment while a person is on holiday in another part of the country. As the SCR is needed to support the provision of individual care, the national data opt-out doesn't apply. A different opt-out process is available to those who do not want to have an SCR.

Is there an opt-out of Shared Care Records?

No. Local areas providing Shared Care Records (ShCR) do not need to offer an opt-out for information that is being used and shared for individual care. However, the UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.

If an individual does not want their information shared through a ShCR for their individual care, they may raise an objection in accordance with their rights under UK GDPR. Each ShCR group should agree its own arrangements for managing objections and communicate them to patients and service users.

The organisations holding their data have a duty to consider the objection. They should only override that objection if there is a compelling reason to do so. The impact of the objection should be discussed with the person and alternatives sought where possible.

Does the national data opt-out impact on Shared Care Records?

No. The national data opt-out does not impact on Shared Care Records when information is shared for individual care. However, if a local area decides to use confidential patient information for purposes beyond individual care, then the national data opt-out should be applied. Examples could include research, service design and planning.

Can data flow from the EU to the UK following EU Exit?

Yes. The EU has formally recognised the UK's high data protection standards through an 'adequacy decision'. This means that data can continue to flow from the EU to the UK and there should be no interruption in the data received by health and care organisations from the EU. The adequacy decision is in place for four years until June 2025. During this time it can be relied upon as a legal basis for transfers of personal data from the EU to the UK.

Can data flow from the UK to the EU following EU Exit?

Yes. There are currently no changes to the way personal data is sent to the EU.

Is it still safe to use off-the-shelf messaging apps? I have heard that some changes to terms and conditions of service may mean that messages can be accessed, and information shared with other companies.

While we would advise against the use of off-the-shelf applications for the routine sharing of confidential patient information, it remains appropriate to use them when there is no practical alternative and the benefits outweigh the risks. For example, in emergency situations where an app on your phone is the only way of sharing patient data and a person might suffer serious harm if you fail to share information.

The important thing, as always, is to consider what type of information is being shared and with whom, and as much as possible limit the use of personal or confidential patient information. 

If your organisation is going to process personal or confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), for example using WhatsApp, then a short high level DPIA should be carried out. The DPIA should set out:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • the mitigating actions that can be put in place
  • a plan or confirmation that mitigation has been put in place

With regards to recent reports about the changes to terms and conditions of certain apps, users have been assured that the content of messages will remain encrypted from end to end. This means that messages can only be viewed by the sender and the recipient. Changes to terms and conditions might result in the sharing of personal information about the users of its service with other companies, for example, profile information, device data and other metadata. However, the app suppliers have given assurances that the data sharing practices remain compliant with UK data protection legislation.

For further information see our guidance on mobile messaging.

Is it okay to use digital solutions which allow patients to control who has access to their GP record?

Yes. Relevant information can be shared for individual care on the basis of implied consent. Some digital solutions allow patients to be involved in these decisions, for example, they are sent a text message asking them if they are happy to share information from their GP record with someone else caring for them for a time-limited period. There should be no barrier to using this type of solution from an IG perspective. However, the GP practice, as data controller, should check they are happy with what is proposed. If the GP practice is happy, then relevant information should be available to other health and care professionals who wish to use the solution.

Is the NHS number an identifier or not?

It depends on the context and situation in which it is used.

All patients have an NHS number which is unique to them. This is usually allocated when you register with a GP.

The number by itself does not identify the person it relates to as it is just a number, for example: 012 345 6789. However, if a person has access to the systems that can reveal the identity of the individual who the NHS number is assigned to, then it should be considered an identifier.

For example, the Personal Demographics Service (PDS), the national electronic database of NHS patient details, includes NHS numbers as well as names and addresses. It is used by many staff across the NHS to provide care and can be used to check the NHS number. Where access to PDS or a similar system is possible, the NHS number should be considered as an identifier.

Very careful consideration therefore needs to be applied when using the NHS number as a way of pseudonymisation because to one recipient of the number, it may be classed as anonymous (as they do not have the means to identify the person from it), but a different recipient may have access to systems which they can use to find out who the number belongs to.

What is the Centre for Improving Data Collaboration (CIDC) and will it be producing IG guidance and advice?

The CIDC is a new business unit that has been created to support the health and care sector to enter into data sharing partnerships that benefit the NHS, patients, and the public. You can find out more about the CIDC or read this blog post by Matthew Gould.

The Health and Care Information Governance Panel is responsible for producing IG guidance and advice. Our IG team, however, will work closely with the CIDC to provide support where any IG issues arise to ensure a consistent approach.

COVID-19 questions for health and care organisations

Can I work from home, for example if I have to self-isolate?

To help underpin staff working from home, your organisation should have an agreed policy for you to refer to which covers this. If your organisation considers it is suitable for you to work at home, then this should be possible if you: 

  • use the IT equipment issued by your organisation wherever possible as this should have the appropriate security protection
  • use a secure network connection, for example home Wi-Fi that requires a password so information is not sent or received over a public Wi-Fi network
  • ensure any applications or software solutions you use have appropriate security, such as using strong passwords
  • ensure the security of any physical documents you take home, particularly those that contain personal or confidential patient information
  • lock print outs and devices away at the end of the working day if possible, to avoid loss or theft of personal or confidential patient information

If you are using your own device, you should contact your IT department and see if they can install programs on your own equipment or send you links to software to download to secure your own equipment. If that’s not possible you should keep your software up to date to make it more difficult for an attacker. You should also avoid mixing your organisation’s information with your own personal information to avoid accidentally keeping hold of information for longer than is necessary.

The Information Commissioner's Office (ICO) has published its own guidance on home working. See the question below regarding the additional precautions you should take when accessing or using confidential patient information (CPI) when working from home. 

Can I access or use confidential patient information (CPI) when working from home?

When accessing and using CPI at home you should protect it in the same way you would normally. You should follow the recommendations set out in the question above on homeworking and take the following additional precautions when accessing or using CPI:

  • If you need to share CPI with others then choose NHS Mail, a secure messaging app or online document sharing system.
  • If you do not have access to these and need to use an alternative email account, which may not be secure, consider password protecting documents and sharing the passwords via a different channel, like text.
  • Consider who else is in the household, and if they can access CPI accidentally or inappropriately, such as looking over your shoulder.
  • CPI should be used for the minimum time necessary for your purpose, and in a way that minimises disclosure.
  • Once the reason for accessing CPI at home has passed, then any CPI that is stored must either be returned to the organisation as soon as possible, or if it is duplicated then your copies must be destroyed.

What about if I’m overseas and I cannot return, can I still work?

This will depend on your role and your organisation agreeing it is appropriate. The requirements are the same as working from home (see above). However, in addition you should discuss it with your Data Protection Officer (DPO). 

Can I share information with a health and care professional based at another health and care organisation if they are supporting the individual care of a patient or service user?

Information should be shared to support individual care. For example, a radiologist in Birmingham could view and report on an image of a patient from Kettering because Kettering temporarily has a reduced number of radiologists. You should ensure that your DPO is aware so that they can update your organisation’s privacy notice as appropriate.

Can I use video conferencing and other tools with patients who are critically ill to communicate with their family members?

Where a patient is critically ill due to COVID-19 you can use mobile devices in order to facilitate communication between patients and their families. We encourage the use of video conferencing between health and care professionals and patients to support individual care and to reduce the spread of COVID-19. This can be extended to facilitating conversations between health and care professionals and the family of critically ill patients.

Can we carry out group sessions with patients and service users using video conferencing tools?

Using video conferencing tools may mean you can continue to provide group sessions for patients and service users safely during the COVID-19 period, for example antenatal classes or physiotherapy sessions.

You should ensure patients and service users understand that they are joining a group session and any information they share during the session will be seen or heard by others in the group. You should also consider setting out some terms of use for patients or service users. For example, do not take screenshots or record the session. The consent of the patient or service user, under common law, is then implied by them accepting the invite and entering the consultation. There should be no compulsion to sign up or use the service, but services need to make sure they have provided as much information as possible so patients and service users can make an informed choice.

You should use a video conferencing tool that has been approved by your organisation and follow any advice set out in your organisation's policy on video conferencing with patients and service users.

COVID-19 questions for IG professionals

We are concerned that we may not be able to respond to Subject Access Requests (SARs) and Freedom of Information Act (FOIA) requests within the set time limits. What should we do?

Statutory timescales under which information access requests (such as SARs and FOIAs) must be responded to remain unchanged. However, during the current COVID-19 situation the ICO recognises that organisations may not be able to respond within these timeframes and has stated that it will take a pragmatic approach to issues raised with it. See the ICO's data protection and coronavirus information hub. Whilst accepting it may be difficult to comply with requests within the timeframe, you cannot refuse to accept a request or take an organisational decision to stop all new requests for information. You must try to deal with it as quickly as possible, even if this takes you over the timeframe allowed.

We recommend that when you receive an FOIA or SAR you inform the individual that there may be a delay in providing them with the information they have asked for due to the COVID-19 situation. As requests are processed updates should be provided where there are any delays. You should also inform them that they have the right to complain to the Information Commissioner if they consider their information rights not to have been met. You can include this information in a supplementary privacy notice which covers the COVID-19 period. Here is an example supplementary privacy notice.

Can we contact staff on their personal phones where they don’t have a work phone?

If a member of staff provides their personal mobile phone number or home phone number and agrees you can use it to contact them for work purposes, you can do so. This may already be set out in your business continuity plan. It may be possible for staff to divert their work phone to their home phone or mobile which would remove the need for sharing personal numbers.

Where we are linking data for integrated care, can this data be used for secondary uses to support the COVID-19 response?

This would be covered by the Control of Patient Information (COPI) notices provided that the organisations which are processing the data are in scope of the notice. The GDPR principles would apply. For example, only the minimum amount of data should be processed, and the data should only be used for the COVID-19 response. The COPI notice will only provide legal cover during the COVID-19 period. After this time, the processing will need to stop, or another legal basis will be required, for example explicit consent or section 251 support.

Is there more than one shielded patient list?

NHS Digital has developed the NHS Shielded Patient List (SPL) of patients in England with pre-existing medical conditions which doctors have identified will make those patients clinically extremely vulnerable to COVID-19 and who it is recommended take shielding measures. The SPL (formerly known as the vulnerable patient list) means that the NHS and other organisations, including local authorities and the Cabinet Office who run the government’s clinically extremely vulnerable person service, can identify and contact those patients who need specific advice about their circumstances and offer them help and support. NHS Digital have published further information about the Shielded Patient List including a SPL transparency notice.

NHS Digital has shared confidential patient information from the Shielded Patient List with clinical commissioning groups (CCGs) to support them in their local response to the COVID-19 situation. The SPL is one list that is shared for different purposes. A copy of the list was shared with the government’s clinically extremely vulnerable person service. This information is used to identify individuals who are entitled to support and to proactively contact them. Once contact has been made, information necessary to administer the government’s service is collected. This is separate from the NHS Shielded Patient List.

How do I connect with other IG professionals?

There are regional information governance networks across England, which provide a network of local and regional groups that are part of the National Health and Social Care Strategic Information Governance Network (National SIGN). Many of these have been in existence for many years. They are attended by professionals in the field of information governance and are designed to help and support other professionals in the field with best practice and sharing of resources. Issues identified locally are frequently escalated to the National SIGN, so the SIGN Network can support centralised organisations with feedback, helping to influence the structure of their advice and guidance.

Get in touch with your nearest group for support and advice: 

Ambulance - Chair: Chris Kerr Chris.Kerr@wmas.nhs.uk

Cheshire and Merseyside - Chair: Cora Suckley Cora.Suckley@wales.nhs.uk

East of England - Chair: Barry Moult Barry.Moult1@nhs.net

East Midlands - Chair: Anne Woodhouse Anne.Woodhouse1@nhs.net

Greater Manchester - Chair: Jenny Spiers Jenny.Spiers@nhs.net

Kent and Medway - Chair: Jamie Sheldrake Jamie.Sheldrake@nhs.net

Lancashire and Cumbria - Chair: Yvonne Salkeld Yvonne.Salkeld@ncic.nhs.uk

Local Authorities - Lead Rep: Ranisha Dhamu Ranisha.Dhamu@brent.gov.uk

North Central London - Chair: Joseff Eynon-Freeman Joseff.Eynon-Freeman@nhs.net

North East - Chair: Lisa Nattrass L.Nattrass@nhs.net

North East London - Chair: Bill Jenks Bill.Jenks@nhs.net

North West London - Chair: Caroline Law Caroline.Law3@nhs.net

South Central - Chair: Heidi Doubtfire-Lynn Heidi.Doubtfire@nhs.net

South East London - Chair: David Bennett D.Bennett@nhs.net

South West - Chair: Penny Taylor Penny.Taylor1@nhs.net

South West London - Chair: Alan Ball Alan.Ball@nhs.net

Surrey - Chair: Louis Lau Louis.Lau@sabp.nhs.uk

Sussex - Chair: Andrew Harvey Andrew.Harvey7@nhs.net

West Midland - Chair: Raz Edwards Raz.Edwards@nhs.net

West of England - Chair: Adam Horton-Tuckett Adam.Tuckett@nhs.net

Yorkshire and Humber - Chair: Sue Meakin Susan.Meakin6@nhs.net

COPI Notice questions

Why are you doing this?

The health and care system is facing an unprecedented challenge and we want to ensure that healthcare organisations, arm's length bodies and local authorities are able to process and share the data they need to respond to COVID-19, for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks.

As part of a wider package of measures, including guidance and directions, the Secretary of State has issued a range of notices which require that data is shared for purposes of COVID-19. They will help give healthcare organisations and local authorities the confidence to share the data needed to respond to COVID-19.

What are COPI notices?

The Health Service (Control of Patient Information) Regulations 2002 allow the processing of Confidential Patient Information (CPI) for specific purposes. Regulation 3 provides for the processing of CPI in relation to communicable diseases and other threats to public health and in particular allows the Secretary of State to require organisations to process CPI for purposes related to communicable diseases.

The Secretary of State has issued four of these notices requiring NHS Digital, NHS England & Improvement, all healthcare organisations, arms length bodies, local authorities and GPs (including a specific requirement related to the UK Biobank project) to process CPI for the purposes related to communicable diseases.

What does processing mean?

Under COPI Regulations 2002, processing means:

  • the use, dissemination and obtaining of information
  • the recording and holding of information
  • the retrieval, alignment and combination of information
  • the organisation, adaption or alteration of information
  • the blocking, erasure and destruction of information

What purposes are covered?

The COPI notices cover a range of purposes related to diagnosing, managing, and controlling the spread of communicable diseases. For COVID-19 purposes this could include but is not limited to:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
  • identifying and understanding information about patients or potential patients with or at risk of COVID-19
  • delivering services to patients, clinicians, the health services
  • research and planning in relation to COVID-19

What type of data is covered?

The notice covers confidential patient information so any data regardless of its identifiability, which is being used for the purposes set out above is covered. It will all be treated in line with the principles of GDPR: fairly, lawfully and securely.

How long will the notices be in place?

COPI notices have now been extended until 30 June 2022 to help give healthcare organisations and local authorities the confidence to share the data needed to respond to COVID-19.

What if I’m unsure about sharing data?

If you are unsure about the appropriate action to take, please contact datapolicyhub@nhsx.nhs.uk.

What about GDPR?

Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries. The General Data Protection Regulations (GDPR) allow health and care data to be used as long as one or more of the conditions under Article 6 and Article 9 are met. There are conditions under both articles which can be relied on for the sharing of health and care data. This includes the care and treatment of patients, and public health. We would expect any organisation to disseminate information within legal requirements set out under GDPR.

What if I have opted-out of my data being used (national data opt-out)?

The national data opt-out does not apply to disclosure of confidential patient information if it is being used to protect public health, for example to:

  • diagnose communicable diseases
  • control or prevent their spread
  • deliver and monitor vaccination programmes
  • manage risks of infection from food or water supplies or the environment

Read a full explanation of the lawful basis of such disclosures in para 6.2 (Communicable diseases and risks to public health) in the operational policy guidance document.