Usual limitations relaxed as organisations across the NHS are told to share data in fight against coronavirus
Credit: Kirsty O’Connor/PA
Health and social care secretary Matt Hancock has implemented a six-month order for organisations across the NHS to share confidential patient information in the fight against the coronavirus pandemic.
Under Health Service Control of Patient Information Regulations, Hancock has issued four emergency notifications covering all national and local NHS entities, arm’s-length government bodies, and local authorities.
The first has been sent to all GP surgeries, local councils, executive agencies of the DHSC, and any other “organisations providing health services” throughout England.
The notice informs them that, until 30 September, they are required to “process confidential patient information… to support the secretary of state’s response to Covid-19”.
It effectively clears the way for the sharing of any patient data with any relevant organisation, providing the purpose of doing so is solely “for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure”.
- Data-protection regime relaxed for coronavirus response as ICO pledges no GDPR action
- Data science taskforce to support NHS with rapid research
- Why the NHS needs to ‘take the lead’ on sharing data with the private sector
In a separate notification, GPs using one of the two main patient records systems – EMIS or TPP SystmOne – are required to immediately provide all relevant care data on consenting participants in the UK Biobank project.
First launched in 2006, Biobank is a long-term clinical study of about 500,000 adult volunteers who are allowing researchers to track their health over many years in order to better understand a number of a serious illnesses.
The project is already receiving regular updates from Public Health England on confirmed covid-19 cases. But Hancock said that incorporating primary-care data will further assist in understanding the virus.
“As the situation worsens, it is likely that many presumed cases will not be tested, especially among the elderly, and many individuals will remain at home – even when their symptoms are severe,” the notification said. “Consequently, the ability of UK Biobank to be able also to incorporate primary care data into its resource is likely to be of enormous value to obtain a more complete assessment of the determinants of covid-19 outcomes. This is something that we need to do now.”
A notification has also been issued to NHS Digital, in which the health secretary assures the organisation it can now “lawfully and efficiently” share confidential patient data with any organisation that has been asked by NHS or central government to conduct “communicable diseases surveillance”.
In the fourth notification, for NHS England and NHS Improvement, Hancock said that the organisation will, in the coming weeks, be required to process confidential patient information as directed to do so “by an authorised officer of the Department of Health and Social Care acting on my behalf or [as] requested to do so by another organisation permitted to process confidential information”.
In all four cases, the order lasts until 30 September. This could be extended, but will expire unless further explicit orders are given by Hancock.
“The health and care system is facing an unprecedented challenge and we want to ensure that health organisations, arm’s length bodies and local authorities are able to process and share the data they need to respond to coronavirus, for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks,” the health secretary said.
“For patients, this means that their data may be shared with organisations involved in the response to coronavirus, for example, enabling notification to members of the public most at risk and advising them to self-isolate.”
Despite the more relaxed approach to confidentiality, Hancock said that “data controllers are still required to comply with relevant and appropriate data-protection standards and to ensure within reason that they operate within statutory and regulatory boundaries”
The General Data Protection Regulation allows for the sharing of health data in the interest of patient care and protecting public health, according to the health secretary.
“We would expect any organisation to share information within legal requirements set out under GDPR,” he added.