COVID-19 UK: Healthcare - Sharing patient data during the pandemic

Reassurance about sharing patient data during COVID-19

The Information Commissioner's Office (ICO) has issued guidance for organisations which confirms the legal position about the use of personal data during the COVID-19 pandemic, and describes the ICO's current expectations and approach to data protection.

A pragmatic approach

In times of crisis, it is well-recognised that healthcare organisations will need to gather and share specific personal information, over and above what would be usual, for the purposes of protecting against a serious threat to public health.  The ICO says they do not need to worry that they will fall foul of Data Protection requirements by doing so.  The ICO has made it clear that nothing within the current Data Protection and electronic communication laws, will prevent the Government, the NHS or any health professional from using the latest technology, to facilitate consultation and diagnosis, or from communicating public health messages to protect the public.  As long as organisations adopt a proportionate approach, do not collect any more data than they need, and treat any personal information with appropriate safeguards, they will not be subject to regulatory action. 

Even if technical breaches do occur during this time, the ICO, as a 'reasonable and pragmatic regulator', has pledged to take into account the 'compelling public interest' created by the current pandemic.

Breaches and the need to prioritise

Where breaches occur due to the prioritisation of resources elsewhere for the purposes of dealing with situations which have arisen out of the COVID-19 pandemic, again, the ICO will adopt a pragmatic approach.  For example, whilst the ICO is not in a position to extend or waive statutory deadlines for information requests, they will encourage people making Subject Access Requests to show understanding, if they have to wait longer for their request to be fulfilled in the current circumstances.  They have also stated that they will not take regulatory action against organisations which are unable to comply with statutory timescales, because they have had to adapt their procedures or prioritise resources elsewhere. 

Conclusion: keeping things in proportion

Whilst the ICO expects, as always, organisations to take adequate steps to safeguard personal data and to comply with the existing regime, this is a reassuring indication that organisations should not let a concern about data protection compliance prevent swift action.  Further, their guidance makes clear that the existing Data Protection regime does allow for increased collection and use of personal data, where there is a serious threat to the health of the nation.

Key points

• If you need to collect and use more personal data for a reason related to the pandemic, the existing data protection regime allows for this.
• Where information rights requests can't be fulfilled within statutory timescales, the ICO will not take regulatory action, if this is a result of scarce resources during the pandemic.
• If you need to adapt your usual approach to data protection and information governance to prioritise resources due to the pandemic, you will not be penalised.
• If you are making changes to the way you deal with personal information, or are concerned you may be in breach due to a situation arising out of the COVID-19 pandemic, make a record about this. Changes may be required during the pandemic, but they must be justifiable within this context.
• Likewise, whilst the ICO will be as understanding as possible where it comes to breaches which occur for a reason connected to the COVID-19 pandemic, they are unable to change the statutory requirements, so you must still be able to show that you have taken all reasonable steps to comply.
• The key consideration is that your actions must be proportionate i.e. not excessive from the public's perspective.

If you have a question or comment in relation to the use of patient data, please contact:

Gemma Brannigan