UK & Europe
Reassurance about sharing patient data during COVID-19
The Information Commissioner's Office (ICO) has issued guidance for organisations which confirms the legal position about the use of personal data during the COVID-19 pandemic, and describes the ICO's current expectations and approach to data protection.
A pragmatic approach
In times of crisis, it is well-recognised that healthcare organisations will need to gather and share specific personal information, over and above what would be usual, for the purposes of protecting against a serious threat to public health. The ICO says they do not need to worry that they will fall foul of Data Protection requirements by doing so. The ICO has made it clear that nothing within the current Data Protection and electronic communication laws, will prevent the Government, the NHS or any health professional from using the latest technology, to facilitate consultation and diagnosis, or from communicating public health messages to protect the public. As long as organisations adopt a proportionate approach, do not collect any more data than they need, and treat any personal information with appropriate safeguards, they will not be subject to regulatory action.
Even if technical breaches do occur during this time, the ICO, as a 'reasonable and pragmatic regulator', has pledged to take into account the 'compelling public interest' created by the current pandemic.
Breaches and the need to prioritise
Where breaches occur due to the prioritisation of resources elsewhere for the purposes of dealing with situations which have arisen out of the COVID-19 pandemic, again, the ICO will adopt a pragmatic approach. For example, whilst the ICO is not in a position to extend or waive statutory deadlines for information requests, they will encourage people making Subject Access Requests to show understanding, if they have to wait longer for their request to be fulfilled in the current circumstances. They have also stated that they will not take regulatory action against organisations which are unable to comply with statutory timescales, because they have had to adapt their procedures or prioritise resources elsewhere.
Conclusion: keeping things in proportion
Whilst the ICO expects, as always, organisations to take adequate steps to safeguard personal data and to comply with the existing regime, this is a reassuring indication that organisations should not let a concern about data protection compliance prevent swift action. Further, their guidance makes clear that the existing Data Protection regime does allow for increased collection and use of personal data, where there is a serious threat to the health of the nation.
If you have a question or comment in relation to the use of patient data, please contact: