NHS Digital Statutory Authority for Collection and Analysis of Data
Are NHSD a Controller or Processor of this Data?
Controller. Data obtained and system delivery function designed and operated under COVID-19 Public Health Directions 2020.
The Service is both an information system under section 254 of the 2012 Act and a system delivery function under Regulation 32 of the National Institute for Health and Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013, to be established and operated for COVID-19 research purposes, specifically research into COVID-19 vaccine treatments.
This is part of managing the response to COVID-19 through recruiting patients to take part in urgent priority COVID-19 vaccine trials to develop a vaccine which will be made available within the UK. The service will be developed and it is anticipated that other opportunities to sign up to be contacted for other COVID-19 research will be made available in the future.
For Devolved Nations, this is a service provided under section 270 of the 2012 Act and the data collected and analysed is an information system requested under the respective COVID-19 Section 255 Requests:
NB Should any of the Devolved Nations revoke their S255 letters, the functionality to allow their residents to use the service would be removed. In addition, further Directions (and S255 letters as appropriate) would be needed to develop any other PtC services for other COVID-19 research and for any non-COVID-19 research.
Are NHS Digital Sole or Joint Controller?
Joint.
NHS Digital is a joint controller by law with:
- The Secretary of State for Health and Social Care in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service under the COVID-19 Directions
- National Services Scotland in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Scottish residents under their request for NHS Digital to make the Service available to Scottish residents set out in the letter dated 9 July 2020 under the NSS Section 255 COVID 19 Request
- The Department of Health - Northern Ireland in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Northern Ireland residents under their request for NHS Digital to make the Service available to residents in Northern Ireland set out in the letter dated 10 July 2020 under the DH and PHA COVID-19 Section 255 Request
- Public Health Wales in relation to determining the overarching COVID-19 purposes for the collection, analysis and dissemination of the data collected through the Service about Welsh residents under their request for NHS Digital to make the Service available to residents of Wales set out in the letter dated 2 July 2020 under the PHW COVID-19 Section 255 Request
The joint controller arrangement, setting out roles and responsibilities, is further set out in a table at Appendix B.
NHS Digital is the sole Controller who processes the personal data collected, analysed, stored and deleted through the Service and is the sole Controller for the means of processing and is responsible for disseminating the personal data to be shared with the COVID-19 vaccine clinical trials and for ensuring Data Subject rights are met.
Statutory Authority for NHSD to collect and analyse the data requested.
Direction: COVID-19 Public Health Directions 2020. The purpose of collecting this data is for COVID-19 Purposes as above.
Section 255 Requests: In relation to residents in Wales, Northern Ireland and Scotland as explained above.
Compliance with Common Law Duty of Confidentiality By NHSD on Collection and Analysis
Express consent.
GDPR Compliance for Collection and Analysis
Article 6
6(1)(e) – public task – by virtue of COVID-19 Public Health Direction under S254 of 2012 Act in relation to residents in England and Section 270 of the 2012 Act and COVID-19 Section 255 Requests from each of the Devolved Nations referenced above in relation to residents in the DNs:
- collection and analysis of personal data
- analysis for dissemination or processing to produce anonymous data for publication
- contacting individuals in relation to the vaccine studies and developments in the service
Article 9
Article 9(2)(g) – substantial public interest, plus Part 2 Sched 1 DPA18, para 6 statutory and governmental purpose regarding COVID-19 Public Health Direction and Section 255 Requests from each of the Devolved Nations referenced above. Relates to collection, analysis, dissemination and contacting individuals about the service.
Article 9(2)(j) – necessary for scientific research and statistical purposes where we are analysing personal information we have obtained through the Service for these purposes, plus Part 2 Schedule 1 of the DPA18, paragraph 4, scientific research and statistical purposes.
We have in place an appropriate policy document for this Service, which is required under the DPA18 in order to process the information we collect about health and ethnicity (or special category data) for this purpose. This provides information about our procedures for complying with the data protection principles under GDPR and explains how long we will retain your information for. This is attached at Appendix D.
Transparency Notice - Article 13 and 14
NHS Digital has drafted a specific transparency notice, which is published and referenced on the service.
NHS Digital Statutory Authority to Disseminate the Data and Recipient Statutory Authority to receive the Data
NHS Digital – Section 261 of the Health and Social Care Act 2012
Section 261(2)(c) of the Health and Social Care Act 2012 – as the individual has consented to the disclosure.
Section 261(1) and 2(e) in relation to dissemination of anonymous data.
Section 260(1) in relation to publication of anonymous data.
Recipient
Case by Case Assessment as part of DARS.
Compliance with Common Law on Dissemination by NHSD and Recipient
We are relying on express consent.
Recipient will be relying on express consent.
GDPR Compliance for dissemination by NHSD and use by recipient
Article 6
NHS Digital - Case by Case Assessment as part of the DARS process. This is likely to be Article 6(1)(e) – public task.
Recipient – Case by Case assessment as part of the DARS process. This is likely to be:
- Article 6(1)(e) – public task
- Article 6(1)(f) – legitimate interests
Article 9 and relevant DPA Schedule 1 Condition
NHS Digital – Case by Case Assessment as part of the DARS process. This is likely to be:
- Article 9(2)(g) – substantial public interest, plus Part 2 Sched 1 DPA18, para 6 statutory and governmental purpose regarding COVID-19 Public Health Direction and Section 255 Requests from each of the Devolved Nations referenced above
Recipient – Case by Case Assessment as part of the DARS process. This is likely to be:
- Article 9(2)(g) – substantial public interest. DPA Schedule 1 Part 2 conditions to be assessed at time
- Article 9(2)(j) – processing is necessary for scientific research purposes in accordance with Article 89(1), which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject. Also Part 1 of Sched 1 DPA18, para 4
NHSD as a Processor
NHS Digital may act as a processor on behalf of a researcher to send emails out to participants recruiting them into their trials. This will be done relying on NHS Digital’s powers under section 270 of the 2012 Act.
NHSD will require the researcher to enter into a standard form data processing agreement for this activity in the form below: