The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19).
Action to be taken requires collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak. This notice describes how we may use your information to protect you and others during the COVID-19 outbreak.
The controller of your personal data
Under the General Data Protection Regulation 2016 (GDPR), NHS digital is the controller of your personal data where we are directed or requested to process personal data for COVID-19 purposes. We are also a joint controller with the person who has directed or requested us to do this work. This may be the Secretary of State for Health and Social Care, NHS England or an NHS body in Scotland, Northern Ireland or Wales.
Our legal basis under GDPR
Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation and we are allowed to do this under Article 6 (1)(c) of GDPR. Where we process personal data as part of our statutory functions, including where requested by other bodies, for example by the NHS in Scotland, Wales or Northern Ireland, this is part of our public task. We are allowed to do this under Article 6 (1)(c)of GDPR. Where we need to process health data and other special categories of personal data, we will only do this where it is necessary as part of our statutory functions. Under GDPR we are allowed to do this where it is necessary for substantial public interest reasons (Article 9 (2)(g)), where it is necessary for healthcare purposes (Article 9 (2)(h)), where it is necessary for public health purposes (Article 9 (2)(j)) or where necessary for scientific research or statistical purpose (Article 9 (2)(j)). We are also allowed to share your personal data under GDPR where it is necessary for us to do so for one of the purposes explained above.
Types of personal data we process
The types of personal data we may process in response to COVID-19 include:
- demographic data – your name, date of birth, sex, NHS number and your contact details such as your address, telephone numbers and email address
- health information – information relating to your health and the care you have been provided – this may include information about medical conditions, treatments, prescription information, care episodes, hospital admission and discharge information, test results, including tests relating to COVID-19, information on whether you are self-isolating
- information collected as part of our online services which we need to help maintain the security and performance of our website and also to help us understand how our services are used so that we can make improvements. This may include information such as your IP address, technical log events, the type of browser you are using and the actions you took when using these services.
We will only process the minimum data necessary to achieve our purposes.
How we obtain your personal data
Collecting personal data from you directly
We may collect personal data from you directly, in which case we will tell you at the time the purposes for which we will use your data in a privacy or transparency notice.
Collecting personal data from other organisations
We may also collect personal data from other organisations, including health and social care organisations, for example from Public Health England, NHS Trusts, GP Practices, Local Authorities, NHS England, the Department of Health and Social Care and other government departments. Usually we do this by issuing the organisation with a Data Provision Notice. This requires or requests those organisations to provide us with data where this is necessary for us to perform our functions under the Health and Social Care Act 2012.
Types of organisation we may share your data with
- the Department of Health and Social Care and other government departments, as part of the government response to coronavirus
- NHS England
- Public Health England
- Clinical Commissioning Groups
- Local Authorities
- other NHS, health, or social care organisations
- NHS bodies in Scotland, Wales and Northern Ireland
- research bodies, such as universities and hodspitals
How long we keep your personal data for
We will only retain your personal data for as long as is necessary for the purposes for which we obtained it and in accordance with the following
- Records Management Code of Practice for Health and Social Care 2016
- NHS Digital’s Record Management Policy