Guidance

Toolkit 2: summary of health protection legislation

Published 21 January 2025

This toolkit provides a summary of some of the health protection legislation which supports the management of outbreaks and incidents. The toolkit should be read along with the overarching legislation.

Legislation guiding roles and responsibilities

The Civil Contingencies Act 2004 provides a framework for civil protection in the UK, including local arrangements for civil protection (Part 1) and emergency powers (Part 2).

The Food Standards Act 1999 sets out a duty of the Food Standards Agency (FSA) to have responsibility for the protection of public health in relation to risks which may arise in connection with food and animal feed stuff. This includes the duty of the FSA to develop food and feed safety policies and provide advice, information or guidance to public authorities and, in particular, to issue general guidance to local authorities or other public authorities on the management of outbreaks or suspected outbreaks of food-borne disease.

The Health and Safety (Enforcing Authority) Regulations 1999 set out the responsibilities of the Health and Safety Executive (HSE) and the local authorities for enforcement of the Health and Safety at Work Act 1974. Further information can be found in the Health and Safety (Enforcing Authority) Regulations. In England, HSE and local authorities are the lead regulators for worker health and safety. The Care Quality Commission (CQC) is the lead regulator for patient or service user health and safety (in CQC-registered premises).

The Health Security (EU Exit) Regulations 2021 ensure all parts of the UK coordinate on data sharing, epidemiological surveillance, and their approach to the prevention and control of serious cross‑border threats to health.

The Health and Social Care Act 2012 sets out the duty of Directors of Public Health (DsPH) in upper tier and unitary authorities to prepare for and lead the local authority public health response to incidents.

The Health and Social Care Act 2022 sets out a duty for Integrated Care Boards (ICBs) to plan and commission most NHS services within a designated Integrated Care System (ICS), including primary care and pharmacy services, and an overarching duty to improve population health.

The Health Protection (Notification) Regulations 2010 (HPNR) place a statutory duty on registered medical practitioners (such as doctors) in England to notify the relevant local authority if they treat a patient they know, or suspect, to be infected or contaminated with a specific infectious disease. These regulations also place a statutory duty on all diagnostic laboratories that test human samples in England to notify the UK Health Security Agency (UKHSA) if they identify a notifiable causative agent.

The Local Government Act 1972 sets out a duty of local authorities to provide a range of services including environmental health, public health, emergency preparedness and response, housing, food safety, food export certificates and water sampling services.

The National Health Service (NHS) Act 2006 (as amended) sets out a range of responsibilities on organisations in relation to the delivery of health protection, including:

  • UKHSA has a duty to protect the health of the public in England and powers to provide microbiological services in England and undertake collection of confidential patient information for disease and vaccine surveillance purposes
  • Local authorities have a duty to ensure appointment of a Director of Public Health role and establish a Health and Wellbeing Board and Health Scrutiny Committee
  • NHS England has a duty to lead the mobilisation of NHS resources, the commissioning of some public health services, including immunisation programmes as outlined under section 7A, and public health services in secure and detained settings (NHS regional teams), and assure the quality of ICBs commissioning through an annual assessment process, and ensure the NHS in England is properly prepared to respond to emergencies. This responsibility is exercised in part through the delivery of the Emergency Planning Resilience and Response (EPRR) Annual Assurance process

The Private Water Supplies Regulations 2016 and the Water Industry Act 1991 define the requirements for drinking water in respect of private water supplies and the powers and responsibilities of local authorities in relation to private water supplies. This includes a duty on local authorities to carry out a risk assessment of each private water supply in their area (except supplies to single untenanted dwellings).

The Public Health (Control of Disease) Act 1984 sets out statutory duties of port health authorities, including responsibilities to protect public, environmental, and animal health in the UK. This includes responsibility for checks on imported food, inspecting ships and aircraft for food safety and infectious disease control, and general public and environmental health checks.

The Official Controls (Plant Health and Genetically Modified Organisms) (England) Regulations 2019 and the Animal Welfare Act 2006 outline the statutory role of the Animal and Plant Health Agency (APHA) and local authorities in the control and eradication of animal and plant diseases and pests, in plant and bee health, and in improving animal welfare, as well as reducing the risk of new and emerging threats.

Legislation guiding public health response powers

The Assimilated EU law Regulations No. 178/2002 include a duty on the FSA to exchange information internationally via the International Food Safety Authority Network (INFOSAN) and communicate food safety risk to the general public where relevant.

The Corporate Manslaughter and Corporate Homicide Act 2007 includes legislation relating to death within a workplace.

The Food Law Code of Practice (England) gives instructions that local authorities must consider when enforcing food law.

The Food Safety and Hygiene (England) Regulations 2013 lay down standards relating to the control and management of steps critical to food safety. They place responsibilities and powers with local authorities including:

  • monitoring and enforcing health and hygiene legislation
  • investigation of incidents such as pest infestation or an outbreak of food poisoning

The legislation also places duties with the FSA to make emergency control orders on behalf of the Secretary of State. The Food Standards Act 1999 outlines a statutory enforcement role for the FSA with respect to meat, primary dairy production and wine establishments approved by the FSA. This includes enforcement of public health, hygiene, and animal welfare according to slaughter legislation.

The General Food Regulations 2004 designate competent authorities and enforcement authorities, make provision for offences and penalties, and provide enforcement powers in respect of new obligations relating to food and food businesses.

The Health and Safety at Work Act 1974 and associated regulations provide the legal powers for the investigation of non-food related outbreaks and the implementation of necessary control measures to protect the public, and, where appropriate, legal sanctions.

The International Health Regulations 2005 provide an international legal framework to prevent, protect against, control, and provide a public health response to the international spread of disease. They do so in ways that are proportionate with, and restricted to, public health risks. They avoid unnecessary interference with international traffic and trade.

The Trade and Cooperation Agreement (TCA) sets out that the FSA may implement necessary emergency measures for imported food in response to serious risks to human or animal health, with or without prior notice for the protection of human or animal health.

The following legislation:

  • Public Health (Ships) Regulations 1979 (under review)
  • Public Health (Ships) (Amendment) (England) Regulations 2007
  • Public Health (Aircraft) Regulations 1979
  • Public Health (Aircraft) (Amendment) (England) Regulations 2007

provides powers to local and port authorities with respect to the notification of possible infection or contamination on board a ship or an aircraft. This includes a risk assessment of people, including medical examination, and detention for that purpose if necessary, and risk assessment, including inspection, of a ship or an aircraft (and anything on board).

The following legislation:

  • Public Health (Control of Disease) Act 1984 (as amended)
  • Health Protection (Local Authority Powers) Regulations 2010
  • Health Protection (Part 2A Orders) Regulations 2010

provides health protection powers to local authorities for use where voluntary measures are insufficient and legal powers are needed to respond to infections or instances of contamination that present a significant risk to human health. The powers available to unitary and lower tier authorities include those that can be exercised by the local authority without judicial oversight. They also include powers that involve an application to a Justice of the Peace (JP). The Public Health (Control of Disease) Act 1984 (as amended) also outlines responsibilities in the appointment of a Proper Officer, whose powers include the receipt of notifications of notifiable disease, infection, or contamination.

Legislation guiding the care of individuals and data

The Care Act 2014 outlines the duties of local authorities on safeguarding adults, aged 18 or over, who have needs for care and support and are experiencing, or at risk of, abuse or neglect.

The Data Protection Act 2018 (and the UK General Data Protection Regulation (UK GDPR)) outlines how personal information can be used by organisations, businesses, and the government.

The Equality Act 2010 sets out duties on public bodies to eliminate discrimination, harassment and victimisation, advance equality of opportunity, and foster good relations between different parts of the community within their actions and decision making.

The Health and Social Care Act 2008: code of practice on the prevention and control of infections and related guidance sets out requirements of registered providers of all health and adult social care in England. This includes infection prevention and control. It also includes the notification of health care associated infection and antimicrobial resistant outbreaks to UKHSA.

The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation 9A aims to make sure people staying in a care home, hospital, or hospice can receive visits from people they want to see and people living in a care home are not discouraged from taking visits outside the home.

The Health Service (Control of Patient Information) Regulations 2002 (as amended) (the COPI Regulations) make provision for the processing of patient information. This includes confidential patient information. In relation to outbreak management and in particular, enhanced surveillance, UKHSA has the power to process confidential patient information without consent (under Regulation 3 of the COPI Regulations) for the recognition, control and prevention of communicable disease and other risks to public health.

The Privacy and Electronic Communications Regulations 2003 sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications. This includes:

  • specific rules on marketing calls, emails, texts and faxes, and on cookies (and similar technologies)
  • keeping communications services secure
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings

The public sector equality duty (Equality Act 2010, Section 149) is a legal duty under the Equality Act 2010 that requires publicly funded organisations to:

  • pay due regard to the need to eliminate unlawful discrimination, harassment, victimisation, and any other conduct that is prohibited by or under the Equality Act 2010
  • advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it
  • foster good relations between persons who share a relevant protected characteristic and persons who do not share it