The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Coronavirus - advice for health and social care organisations

We know that health organisations across the UK have been working quickly, flexibly and under extraordinary pressure. The ICO can help by offering reassurance over data protection matters during the coronavirus pandemic.

The UK’s data protection laws do not prevent health organisations from providing the information that’s needed, whether that’s to protect people from coronavirus or to provide the care that’s needed to help patients.

As a healthcare organisation, can we contact individuals in relation to coronavirus without having prior consent?

Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email, as these messages are not direct marketing. Nor do they stop you using the latest technology to facilitate safe and speedy consultations and diagnoses.

Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. View our statement for health and care professionals here.

As a healthcare professional, I have to share people’s personal data quickly. Should I wait to check if I’m breaking data protection law first?

Data protection law allows for these extraordinary circumstances. For example, there are provisions in the Data Protection Act 2018 that allow data sharing where it supports necessary and proportionate action.

In addition, the Secretary of State has issued COPI notices (control of patient information), directing healthcare organisations in England and Wales to share confidential patient information for purposes relating to the coronavirus pandemic, such as providing care services and managing risks to public health. These notices are designed to give assurance to healthcare organisations that intend to share data, so they can look after their patients or allocate resources effectively.

The Welsh government has issued additional information in support of the COPI notices, emphasising the relevant directions for Wales. The COPI notices do not apply in Scotland or Northern Ireland.

As a manager of a care home, can I tell a resident or their family if another resident or member of staff may have contracted coronavirus?

Yes. Data protection doesn’t prevent you exercising your duty to ensure the health and safety of your residents. But you shouldn’t disclose the identity of any individuals unless you really have to. For example, a simple notice that there is a virus case on the premises, with instructions about what isolation precautions should be followed, would usually suffice.

Can I use video conferencing software with my patients to help them communicate with their families?

Yes. Data protection law doesn’t stop you from using video conferencing software with your patients. NHSX advice states that video conferencing can be used to support individual care and to facilitate conversations between patients and their families. More information on this can be found on the NHSX pages. Our blog on what to watch out for when using video conferencing may help.

I am a health or social care professional. If a patient or client is unable to give consent, can I share their personal data with those close to them?

Yes. Data protection is not a barrier to data sharing, as long as you take a fair and proportionate approach. It may be more harmful not to share data in some circumstances.

If the patient or client has informally documented their wishes in advance, you can share personal data on the basis of consent. If the patient has not done this or if they have withdrawn their consent, it may be necessary to consider other avenues. These will differ throughout the UK.

In all cases, you should only share the necessary information. You should also make a record of the data you shared and to whom, as well as the risks to the individual if the data was not shared.

The General Medical Council’s (GMC) Confidentiality Guidance contains provisions that you may find useful.

England and Wales

  • Some patients or clients may have a Power of Attorney or a Deputyship in place. This creates an obligation to share personal data as necessary to enable an Attorney or Deputy to fulfil their role. If the requester is unable to show that they are acting as an Attorney or a Deputy, you can check with the OPG (Office of the Public Guardian). The OPG have created a process to handle urgent, COVID-19 related requests.

  • If the patient or client has lost capacity without either documenting their wishes or appointing a Power of Attorney or Deputyship, you should consider what is in the best interests of the individual. This follows the principle at the heart of the Mental Capacity Act 2005.

Northern Ireland

  • General Enduring Power of Attorney creates an obligation to share data with an Attorney to enable them to carry out their function in relation to property and affairs. Specific Enduring Power of Attorney relates to certain aspects that an Attorney has been authorised to deal with. The Office of Care and Protection oversees Powers of Attorney.

  • If the patient or client has lost capacity without arranging an Enduring Power of Attorney or documenting their wishes, then you should consider what is in the best interests of the individual. This principle is at the heart of the Mental Capacity Act (Northern Ireland) 2016.

Scotland

  • If the patient or client has lost capacity without arranging Power of Attorney or Guardianship or documenting their wishes, you need to be “satisfied that the intervention will benefit the adult and that such benefit cannot reasonably be achieved without the intervention” (Adults with Incapacity (Scotland) Act 2000 Section one, paragraph two).