Decision

Coronavirus (COVID-19): notification to organisations to share information

Notification to healthcare organisations, GPs, local authorities and arm's length bodies that they should share information to support efforts against coronavirus (COVID-19).

Documents

Details

The Secretary of State has issued 4 notices under the Health Service Control of Patient Information Regulations 2002 requiring the following organisations to process information:

  • NHS Digital
  • NHS England and Improvement
  • health organisations
  • arm’s length bodies
  • local authorities
  • GPs

There is also a specific requirement related to the UK Biobank project.

These notices require that data is shared for purposes of coronavirus (COVID-19), and give health organisations and local authorities the security and confidence to share the data they need to respond to coronavirus (COVID-19).

For patients, this means that their data may be shared with organisations involved in the response to coronavirus (COVID-19), for example, enabling notification to members of the public most at risk and advising them to self-isolate.

These notices may be extended by further notice in writing. If no further notice is sent, they will expire on 30 June 2022.

The health and care system is facing an unprecedented challenge and we want to ensure that health organisations, arm’s length bodies and local authorities are able to process and share the data they need to respond to coronavirus (COVID-19), for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks.

Compliance with data protection standards

Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries.

The UK General Data Protection Regulations (UK GDPR) allow health data to be used as long as one or more of the conditions under articles 6 and 9 are met. There are conditions under both articles that can be relied on for the sharing of health and care data, including ‘the care and treatment of patients’ and ‘public health’.

We would expect any organisation to share information within legal requirements set out under UK GDPR.

Published 1 April 2020
Last updated 30 June 2022 + show all updates
  1. Added a call out to guidance for organisations on processing of confidential patient information when the COPI notices expire on 30 June 2022.

  2. Updated to extend the effect of each of these notices from 31 March 2022 to 30 June 2022. The reference to PHE in the letter has changed to refer to UKHSA.

  3. New notices added to the page which extend the Control Of Patient Information (COPI) notices from 30 September 2021 to 31 March 2022.

  4. Updated to extend the effect of each of these notices from 31 March 2021 to 30 September 2021.

  5. Updated to extend the effect of each of these notices from 30 September 2020 to 31 March 2021. The general notice (1st attachment) has also been updated to include combined authorities and the NHS Test and Trace service. The amendments do not change the extent of the notices but have been made to put beyond doubt the organisations and purposes that are covered.

  6. First published.