The health and social care system is taking action to manage and mitigate the spread and impact of COVID-19.
This action requires the collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak.
To support the healthcare response to COVID-19, NHS Digital has been directed by NHS England under the COVID-19 Directions to both:
- establish information systems to collect and analyse data in connection with COVID-19; and
- develop and operate IT systems to deliver services in connection with COVID-19
Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation, and we are allowed to do this under Article 6 (1)(c) of UK GPDR.
NHS England is directing NHS Digital to process personal data as part of their statutory functions. This is part of their public task and are allowed to do this under Article 6(1)(e) of UK GDPR.
Where we need to process health data and other special categories of personal data, we will only do this where it is necessary as part of our statutory functions. Under UK GPDR we are allowed to do this where it is necessary for substantial public interest reasons (Article 9(2)(g)), and where it is necessary for healthcare purposes (Article 9(2)(h)).
We are also allowed to share your personal data under GDPR where it is necessary for us to do so for one of the purposes explained above.
More information can be found in the 'Who we share your personal data with' section below.