if you are unable to view this email please click here to view online.

National Data Opt-out update and COPI Notice COVID-19

Dear Colleague,

The health and social care system is going to face significant pressures in the coming months due to the COVID-19 outbreak. Staff will need to work in different ways than usual and we want to ensure that they can focus on responding to these events. NHSX and NHS Digital have therefore made the decision to extend the compliance deadline for the national data opt-out and the final date for submission of the Data Security and Protection Toolkit (DSPT) to 30 September 2020.

Please see National Data Opt-Out Letter to Trusts at link.

The Secretary of State for Health and Social Care has directed NHS Digital to collect and analyse data from providers and other organisations involved in managing the COVID-19 response and then disseminate information and analysis to other bodies for the purpose of planning and managing the response. NHS England and NHS Improvement have been given legal notice to support the processing and sharing of information to help the COVID-19 response under Health Service Control of Patient Information Regulations 2002.

Individual healthcare organisations, Arm’s Length Bodies (except NHS Digital and NHS England and NHS Improvement which have been separately notified) and Local Authorities have now also been given legal notice under the same regulations to support the processing and sharing of information to help the COVID-19 response. This is to ensure that confidential patient information can be used and shared appropriately and lawfully for purposes related to the COVID-19 response.

Please see link to the COPI Notice

This notice applies to:

•        All providers of healthcare
•        All GP practices
•        All Department of Health and Social Care's Arm's Length Bodies
•        Local Authorities

Under COPI Regulations 2002, processing means:

•        the recording and holding of information;
•        the retrieval, alignment and combination of information;
•        the organisation, adaption or alteration of information;
•        the blocking, erasure and destruction of information.

It also includes the dissemination of information to other organisations that require it for the same purposes.These Notices will be reviewed on or before 30 September 2020 and may be extended by further notice in writing. If no further notice is sent they will expire on 30 September 2020. 

Data controllers are still required to comply with relevant and appropriate data protection standards and to ensure within reason that they operate within statutory and regulatory boundaries.  The General Data Protection Regulations (GDPR) allow health data to be used as long as one or more of the conditions under Art. 6 and Art. 9 are met. There are conditions under both Articles which can be relied on for the sharing of health and care data – including ‘the care and treatment of patients’ and ‘public health’. We would expect any organisation to disseminate information within legal requirements set out under GDPR.

NHSX is building up information governance resources and information on this section of the NHSX website where there will soon be specific information for IG professionals and social care staff. Please check back regularly and help us to spread the word. IG advice for social care can be seen here in the interim. This advice sets out temporary measures to improve communication between health and social care during COVID-19.

This distribution list was used for the previous National Data Opt-out Programme newsletters and as explained in the last newsletter in September 2019 we kept your contact details in case of any urgent or important updates on this work.