[withdrawn] Coronavirus (COVID-19): notice under regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 – NHS Digital
Updated 30 June 2022
To:
Simon Bolton
Interim Chief Executive
NHS Digital
7 and 8 Wellington Place
Leeds
LS1 4AP
10 February 2022
Dear Simon,
The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of COVID-19. Action to be taken will require the sharing of confidential patient information amongst health organisations and other appropriate bodies for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.
I am therefore writing to you to serve notice on the Health and Social Care Information Centre, known as NHS Digital, under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 (COPI) to require NHS Digital to process confidential patient information in the manner set out below for purposes set out in Regulation 3(1) of COPI (insofar as those purposes relate to the current outbreak of COVID-19).
Purpose of this notice
The purpose of this notice is to provide NHS Digital with the necessary statutory power to disseminate confidential patient information to organisations permitted to process confidential patient information under Regulation 3(3) of COPI for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to COVID-19 (COVID-19 purpose).
I consider this notice is necessary so that NHS Digital can lawfully and efficiently disseminate confidential patient information to those organisations set out in Regulation 3(3) of COPI being persons employed or engaged for the purposes of the health service or other persons employed or engaged by a government department or other public authority in communicable disease surveillance in connection with the health and social care system’s management of the response to COVID-19.
Requirement to disseminate confidential patient information
I hereby provide NHS Digital with notice under Regulation 3(4) that, for the purposes set out above, I require NHS Digital to disseminate confidential patient information in respect of which it is a controller,[footnote 1] including that which it has obtained by complying with a direction made under section 254 or a request made under section 255 of the Health and Social Care Act 2012 (2012 Act), to a person or organisation permitted to process confidential information under Regulation 3(3) of COPI.
NHS Digital is only required to disseminate such confidential patient information where it is:
- requested to do so by an authorised officer of the Department of Health and Social Care acting on my behalf or requested to do so by another organisation permitted to process confidential information under Regulation 3(3) of COPI (the Requestor)
- reasonably satisfied that the confidential patient information to be disclosed pursuant to the request is required by the requestor for a COVID-19 purpose and will be processed by the requestor or by a processor[footnote 2] on behalf of the requestor, solely for that COVID-19 purpose and in accordance with the restrictions set out in Regulation 7 of COPI
- from the date of this notice for the period up to 30 June 2022 (which includes a case where the dissemination of the information in question was authorised by a previous regulation 3(4) notice and began before the date of this notice but which continues on or after that date)
Notification to requesters
NHS Digital is requested when sharing confidential patient information under this notice:
- to remind recipients of confidential patient information of their responsibilities under COPI when processing the confidential patient information, including the restrictions which apply to their processing of it under Regulation 7 of COPI
- to publish details of the organisations with whom it has shared confidential patient information under this notice and the purposes for which it was shared in the NHS Digital Data Release Register[footnote 3]
Review and expiry of this notice
If no further notice is sent to you by me, this notice will expire on 30 June 2022.
I am grateful for your continued support at this critical time.
Yours sincerely,
Simon Madden
On behalf of:
Secretary of State for Health and Social Care
-
As defined in Article 4(7) of the UK General Data Protection Regulation (GDPR). The UK GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)). ↩
-
As defined in Article 4(8) of the UK GDPR. ↩