All parts of the NHS instructed to share information as required to support coronavirus response
The order from health secretary Matt Hancock for NHS organisations to share confidential patient data in support of coronavirus response has been extended to 31 March 2021.
The instruction to bypass usual restrictions and share information under Control of Patient Information (COPI) regulations was first issued by Hancock in March of this year. At that time, a deadline of 30 September was set on the order, with the stipulation that it would expire unless explicit instructions were issued to the contrary by Hancock prior to that date.
With little public fanfare, in late July the health secretary wrote to all organisations covered by the COPI notice – including all national and local NHS entities, arm’s-length bodies, and local authorities – to extend until 31 March 2021 the instruction to share data as directed to do so by the government. This includes what would otherwise have been confidential personal citizen data.
Four versions of the letter were sent, the first of which went out to all GP surgeries, local councils, and NHS arm’s-length bodies.
The letter said: “Action to be taken will require the processing and sharing of confidential patient information amongst health organisations and other bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.”
Hancock instructs recipients of the letters that they are only required to process such confidential information in cases where the “information to be processed is required for a Covid-19 purpose and will be processed solely for that Covid-19 purpose”.
These purposes could include conducting public-health research, delivering services, supporting the NHS Test and Trace programme, studying “incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19”, better understanding citizens’ access to health and social-care services, tracking public organisations’ response to the virus, and planning future activities.
The DHSC said: “For patients, this means that their data may be shared with organisations involved in the response to coronavirus, for example, enabling notification to members of the public most at risk and advising them to self-isolate.”
All sharing and processing must be recorded, and the Department of Health and Social Care said that “we would expect any organisation to share information within legal requirements set out under GDPR”.
In addition to the letter sent to GPs, councils and ALBs, three other missives were sent by Hancock. One went to the NHS England and NHS Improvement, and another to NHS Digital.
The fourth contained further instructions for GPs. Practices using one of the two main patient records systems, EMIS or TPP SystmOne, are asked by the DHSC to provide all relevant care data on consenting participants in the UK Biobank project.
First launched in 2006, Biobank is a long-term clinical study of about 500,000 adult volunteers around the country who are allowing researchers to track their health over many years in order to better understand a number of a serious illnesses.
As with the original notice, in the extension letters, which were published by the government last month, Hancock stipulates that the order to share confidential info will expire on 31 March 2021 unless further explicit instruction is issued before that date.
The DHSC said: “The health and care system is facing an unprecedented challenge and we want to ensure that health organisations, arm’s length bodies and local authorities are able to process and share the data they need to respond to coronavirus, for example by treating and caring for patients and those at risk, managing the service and identifying patterns and risks.”