News and comment

Dame Fiona Caldicott on COVID-19 and Data Sharing

 

 

04 April 2020

The Government has published National Data Guardian, Dame Fiona Caldicott's statement on the use of data during the current crisis.

The full text is quite long, but here are a some of extracts that may be of interest to those working in the health and care sector.

"Information sharing must be done differently to support the fight against COVID-19 and to protect citizens compared to ordinary times. Information may need to be shared more quickly and widely across organisations than normal, or different types of information may need to be collected and used...

 

... The National Data-Opt Out has an exemption built in which means that it does not apply when there is an overriding public interest in the use of data, such as there is now. The GDPR has provisions to allow personal data to be used appropriately and lawfully at such a time. The Information Commissioner has clearly announced that data protection concerns should not stand in the way of appropriate information sharing; a statement which I fully endorsed...

 

... It is with gratitude that in the thick of everything I have still heard colleagues cite the importance of protecting confidentiality. Practical steps are also being taken to ensure that trust is not undermined. For example, my panel and I have been pleased this week to support NHSX with the drafting of a template privacy notice, which will be sent out to NHS organisations next week to support them to tell patients and service users about what might be different in the handling of their health and care data during the outbreak. It is heartening to note that even at this unprecedented crisis, trust and confidentiality still matter."

 

Government Information Notices

 

 

01 April 2020

The Government today issued four notices under the Health Service Control of Patient Information Regulations 2002 requiring certain organisations to process information.

The organisations affected are:

• NHS Digital
• NHS England and NHS Improvement
• Health organisations
• Arm’s length bodies
• Local authorities
• GPs

These notices require that data is shared for purposes of coronavirus (COVID-19), and give health organisations and local authorities the security and confidence to share the data they need to respond to coronavirus (COVID-19).

For patients, this means that their data may be shared with organisations involved in the response to coronavirus (COVID-19), for example, enabling notification to members of the public most at risk and advising them to self-isolate.

These notices will be reviewed on or before 30 September 2020 and may be extended by further notice in writing. If no further notice is sent, they will expire on 30 September 2020.

In its covering press release, the Government stated

"... the health and care system is facing an unprecedented challenge and we want to ensure that health organisations, arm’s length bodies and local authorities are able to process and share the data they need to respond to coronavirus (COVID-19), for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks.

 

Compliance with data protection standards Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries.

 

The General Data Protection Regulations (GDPR) allow health data to be used as long as one or more of the conditions under articles 6 and 9 are met. There are conditions under both articles that can be relied on for the sharing of health and care data, including ‘the care and treatment of patients’ and ‘public health’.

 

We would expect any organisation to share information within legal requirements set out under GDPR."