Coronavirus - advice for health and social care organisations

We know that health organisations across the UK are working quickly, flexibly and under extraordinary pressure. The ICO can help by offering reassurance over data protection matters during the coronavirus pandemic.

The UK’s data protection laws do not prevent health organisations from providing the information that’s needed, whether that’s to protect people from coronavirus or to provide the care that’s needed to help patients.

We’re working with NHS colleagues in England, Scotland, Northern Ireland and Wales to help ensure data is shared legally and quickly, so they can concentrate on tackling the pandemic.

During the pandemic, we are worried that our data protection practices might not meet our usual standard or that our responses to information rights requests will take longer. Will the ICO take regulatory action against us?

No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.

We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.

The ICO has published a document setting out our regulatory approach during the coronavirus pandemic.

As a healthcare organisation, can we contact individuals in relation to coronavirus without having prior consent?

Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing. Nor do they stop you using the latest technology to facilitate safe and speedy consultations and diagnoses.

Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. View our statement for health and care professionals here.

As a healthcare professional, I have to share people’s personal data quickly. Should I wait to check if I’m breaking data protection law first?

Data protection law allows for these extraordinary circumstances. For example, there are provisions in the Data Protection Act 2018 that allow data sharing where it supports necessary and proportionate action.

In addition, the Secretary of State has issued COPI notices (control of patient information), directing healthcare organisations in England and Wales to share confidential patient information for purposes relating to the coronavirus pandemic, such as providing care services and managing risks to public health. These notices are designed to give assurance to healthcare organisations that intend to share data, so they can look after their patients or allocate resources effectively.

The Welsh government has issued additional information in support of the COPI notices, emphasising the relevant directions for Wales. The COPI notices do not apply in Scotland or Northern Ireland.

I’m a clinician under pressure on the frontline, what if I make a mistake sharing personal data? I’m worried the ICO will take action against me or my organisation.

It would be very difficult to think of a scenario where the ICO would take action against healthcare workers clearly trying to save lives during this public health emergency. For further reassurance, we have set out how we will regulate during coronavirus.

Can I share employees’ health information with authorities for public health purposes?

Yes. It’s unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law will not stop you from doing so.

As a manager of a care home, can I tell a resident or their family if another resident or member of staff may have contracted coronavirus?

Yes. Data protection doesn’t prevent you exercising your duty to ensure the health and safety of your residents. But you shouldn’t disclose the identity of any individuals unless you really have to. For example, a simple notice that there is a virus case on the premises, with instructions about what isolation precautions should be followed, would usually suffice.

Can I use video conferencing software with my patients to help them communicate with their families?

Yes. Data protection law doesn’t stop you from using video conferencing software with your patients. NHSX advice states that video conferencing can be used to support individual care and to facilitate conversations between patients and their families. More information on this can be found on the NHSX pages.

What happens once the pandemic is over? Is this the new way of working and do we continue to share data without question?

Once the pandemic is over, you will have to review whether it is still necessary to share this data and whether you still have a lawful basis for processing this information. If you can’t identify a relevant lawful basis, you will have to stop sharing and processing confidential patient information.

If you are an organisation in England and Wales that has been issued with a COPI notice, you will only be able to share data under the direction of that notice during the active period of the notice. The notices apply during the period of the public health emergency and are currently set to be reviewed in September 2020.

The ICO recognises that it may take some time for healthcare organisations to recover from the pandemic, and we will take a proportionate approach in looking at data sharing issues. Details on our regulatory approach during and after the pandemic have been published on our website. Data protection law is never a barrier to sharing data where it’s necessary and proportionate.

I am a health or social care professional. If a patient or client is unable to give consent, can I share their personal data with those close to them?

Yes. Data protection is not a barrier to data sharing, as long as you take a fair and proportionate approach. It may be more harmful not to share data in some circumstances.

If the patient or client has informally documented their wishes in advance, you can share personal data on the basis of consent. If the patient has not done this or if they have withdrawn their consent, it may be necessary to consider other avenues. These will differ throughout the UK.

In all cases, you should only share the necessary information. You should also make a record of the data you shared and to whom, as well as the risks to the individual if the data was not shared.

The General Medical Council’s (GMC) Confidentiality Guidance contains provisions that you may find useful.

England and Wales

  • Some patients or clients may have a Power of Attorney or a Deputyship in place. This creates an obligation to share personal data as necessary to enable an Attorney or Deputy to fulfil their role. If the requester is unable to show that they are acting as an Attorney or a Deputy, you can check with the OPG (Office of the Public Guardian). The OPG have created a process to handle urgent, COVID-19 related requests.

  • If the patient or client has lost capacity without either documenting their wishes or appointing a Power of Attorney or Deputyship, you should consider what is in the best interests of the individual. This follows the principle at the heart of the Mental Capacity Act 2005.

Northern Ireland

  • General Enduring Power of Attorney creates an obligation to share data with an Attorney to enable them to carry out their function in relation to property and affairs. Specific Enduring Power of Attorney relates to certain aspects that an Attorney has been authorised to deal with. The Office of Care and Protection oversees Powers of Attorney.

  • If the patient or client has lost capacity without arranging an Enduring Power of Attorney or documenting their wishes, then you should consider what is in the best interests of the individual. This principle is at the heart of the Mental Capacity Act (Northern Ireland) 2016.

Scotland

  • If the patient or client has lost capacity without arranging Power of Attorney or Guardianship or documenting their wishes, you need to be “satisfied that the intervention will benefit the adult and that such benefit cannot reasonably be achieved without the intervention” (Adults with Incapacity (Scotland) Act 2000 Section one, paragraph two).