COVID-19 privacy notice


COVID-19 and your information

Supplementary privacy notice on COVID-19 for patients, service users, carers and staff

This notice describes how we may use your information to protect you and others during the COVID-19 outbreak. It supplements our main privacy notice which is available on our website.

The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency, it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm's Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information about sharing information is available on website and some FAQs on this law are available on the NHSX website.

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information.  This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.  It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals, social care, ambulance services and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency, we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way as it would be with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.

Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response.   

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.  

We have also developed an incident control centre for the Trust, which is maintaining data on cases of COVID-19 reported for the patients and staff we are responsible for. This allows us to ensure we have the right support available at the right time to maintain the highest levels of care, and to report incidents of COVID-19 to inform both the local and national picture.

Where you tell us you are experiencing COVID-19 symptoms, we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

UPDATED DECEMBER 2021 for Mandated Vaccination Status

There is now a Government-mandated requirement that NHS trusts can demonstrate they have systems and processes in place to evidence and monitor that all front-line workers, as well as non-clinical workers not directly involved in patient care but who nevertheless may have direct, face-to-face contact with patients (such as receptionists, ward clerks, porters and cleaners), are fully vaccinated against COVID-19. This includes individuals working in non-clinical ancillary roles who enter areas which are utilised for the provision of a CQC-regulated activity as part of their role and who may have social contact with patients, but who are not directly involved in patient care. This will also apply where a regulated activity is delivered through agency workers, volunteers, locums, students or trainees, or contracted to another provider. This further applies to all students and trainees (over 18) on placement within a healthcare setting who have face-to-face contact with patients and/or service users and who are deployed as part of CQC-regulated activity.

The Trust is required to maintain a record to confirm that satisfactory evidence has been provided. This record must be kept securely by the Trust in compliance with the UK GDPR and the Data Protection Act 2018.

Legal Justifications and Data Protection

Under the provisions of the COPI notice, issued by the Secretary of State for Health and Social Care, employers are legally required (not just ‘requested’) to provide confidential patient information about staff to support the flu and COVID-19 vaccination programme.

The COPI notice specifically states that confidential patient information can be shared in order to support:

“understanding about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of COVID-19 and the availability and capacity of those services or that care” and can be relied upon for a number of reasons including:

  • It is critical that any potential flu epidemic is managed when the NHS is already dealing with the coronavirus pandemic.
  • It is important to monitor take-up of the vaccines by staff and the potential impact on staff absences.
  • Ensuring there is an appropriate interval between administering the flu and COVID-19 vaccinations.

This legal justification for sharing confidential patient information is based on the clinical information available to us at the time of publication and may be subject to change as our understanding of COVID-19 and the safe administration of new vaccines develops.

The lawful bases under Data Protection for establishing this system and processes are:

  • Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject (with regard to the COPI notice)
  • Article 6(1)(e) (with regard to the Secretary of State for Health and Social Care's public health functions under the NHS Act 2006)
  • Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  • Article 9(2)(i) (with regard to public health functions under Regulation 3(1) of the Health Service (Control of Patient Information) Regulations 2002).

The information regarding vaccination status is being held on a secure database with very restricted access. The information will only be shared proportionately within the Trust to enable us to continue to deliver our services.

The information will be retained in accordance with national records retention schedules, which would normally be to age 75 of the staff member, but currently will be in accordance with the “STOP” notice for preservation of records which may be relevant to the Public Covid Inquiry.

We may amend this privacy notice at any time so please review it frequently. The date at the bottom of this page will be amended each time this notice is updated.

These arrangements have now been extended until 31 March 2022 to help give healthcare organisations and local authorities the confidence to share the data needed to respond to the ongoing COVID-19 pandemic. If no further notices are issued, the notices will expire on 31 March 2022.

Updated: 06 January 2022.
