Terms of release - COVID-19 therapeutics medication data

NHS Digital has been requested by NHS England and Improvement (the Requestor) to share certain confidential patient information with Care Commissioning Groups and COVID-19 Medicine Delivery Units (CMDUs) regarding patients who may be eligible for the COVID-19 treatment as part of the COVID-19 Therapeutics Medications programme as explained in more detail below in this letter as the Agreed Purposes.

The information to be shared is identified in this letter below as the Disclosed Data.

The purpose of the COVID-19 Therapeutics Medications programme is to provide treatment in the community so that people can get treatment quickly to relieve their COVID-19 symptoms. The Chief Medical Officer for England (CMO), along with senior clinicians at NHS England, has set out the clinical conditions (clinical criteria) to identify people who are more at risk at getting seriously ill with COVID-19 and who would be suitable for treatment.

The COVID-19 Therapeutics Medications Programme is being rolled out by the NHS in England. Care Commissioning Groups are responsible for commissioning NHS medication delivery services in the persons area for their care. NHS COVID-19 medicine delivery services are delivered by the Care Commissioning Groups or a health service provider commissioned by the Care Commissioning Group, such as the local Trust, GP or community services and will be delivered via Integrated Care Systems COVID-19 Medicine Delivery Units (CMDUs).

Care Commissioning Groups and their COVID-19 Medication Delivery Unit commissioned service providers (the Recipients) are Controllers (as defined in UK GDPR) for the above purposes.

NHS Digital is the Controller for the data which is to be shared with the Recipients.

The data is identifiable patient information and is comprised of information that has been obtained by the NHS and NHS Digital, in confidence. It also provides information about the health of the patients. The data is, therefore, confidential information and subject to a duty of confidence under the common law (Duty of Confidence).

The purposes for sharing the requested data are set out below (Agreed Purposes):

NHS Digital has agreed to share the data below (the Disclosed Data) about patients’ resident or registered in each CCG area:

• NHS number
• name
• sex
• address
• postcode
• date and time of positive polymerase chain reaction (PCR) test or positive rapid lateral flow test (LFT)
• registered GP practice
• date of birth
• contact information, mobile number and email address, provided by the patient or their representative/carer at the point of booking their PCR test or registering their LFT
• contact information mobile number and email address from the patients’ medical record
• clinical condition group

The Recipients will only receive the Disclosed Data for patients registered or resident in its own CCG area. 

Recipients will use the Disclosed Data for the purpose of contacting patients to arrange a clinical assessment for the COVID-19 treatment. Once identified as suitable, the Recipients will be entitled to process the Disclosed Data for the purposes of providing direct care and treatment to those patients (Further Processing). The Further Processing is permitted but is outside of the Agreed Purposes for which the Disclosed Data is shared and the Recipients will be solely responsible for such Further Processing. Accessing or sharing this data for any other purposes is not permitted.

The Recipients will access the Disclosed Data via a secure web viewer on the NHS Digital Population Health Platform for Review patients for COVID-19 Therapeutics (NHS Digital Web Viewer).

NHS Digital is able to share Disclosed Data with the Recipients for the Agreed Purposes under a notice issued to NHS Digital by the Secretary of State for Health and Social Care under Regulation 3(4) of the Health Service Control of Patient Information Regulations (COPI)  dated 27 August 2021 (the NHSD COPI Notice), as the Recipients are organisations covered by Regulation 3(3) of COPI and the Agreed Purposes for which the Disclosed Data is being shared is covered by Regulation 3(1) of COPI. 

Under GDPR, NHS Digital is relying on Article 6(1)(c) – Legal Obligation, to share the Disclosed Data with the Recipients for the Agreed Purposes above. As this is health information and therefore special category personal data NHS Digital is also relying on Article 9(2)(g) – substantial public interest and para 6 of Schedule 1 DPA – statutory purpose, to share the Disclosed Data for the Agreed Purposes. NHS Digital considers it is in the substantial public interest to share the Disclosed Data for the Agreed Purposes as part of the co-ordinated NHS and Government response to manage the COVID-19 outbreak and to protect public health.

NHS Digital will publish details about the sharing of the Disclosed Data with the Recipients in its Data Release Register.

The Recipients are able to receive and process the Disclosed Data under a notice issued to the Recipients by the Secretary of State for Health and Social Care under Regulation 3(4) of COPI dated 27 August 2021 (the Recipients COPI Notice). 

Under GDPR, the Recipients can rely on Article 6(1)(c) – Legal Obligation, to receive and process the Disclosed Data from NHS Digital for the Agreed Purposes under the legal authority set out above. As this is health information and therefore special category personal data the Recipient can also rely on Article 9(2)(h) – healthcare purposes, plus Part 1 Sched 1 DPA18, para 2 health or social care purpose.

1. Each Recipient will ensure that it and any of its Processors who process the Disclosed Data comply with the GDPR, the Data Protection Act 2018, all applicable law concerning privacy or the processing of personal data and the Duty of Confidence when processing the Disclosed Data.

2. Recipients may process the Disclosed Data for the Agreed Purposes only.

3. NHS Digital will share the Disclosed Data securely with the Recipients daily via the NHS Digital Web Viewer.

4. The Recipients are only permitted to store and process the Disclosed Data securely within the UK and the EEA or any country outside the EEA where there is a compliant legal transfer under the UK GDPR.

5. The Recipients and their Processor/s will on completion of the processing activity for purpose of contacting patients to arrange a clinical assessment in accordance with the Agreed Purposes securely destroy the Disclosed Data (including any copies it was necessary for it take for the Agreed Purposes) and on the request of NHS Digital shall provide a data destruction certificate signed by the Recipient’s and Processor’s Data Protection Officers.

6. The Recipients may only process the Disclosed Data for as long as is necessary to identify their patients to contact for clinical assessment in accordance with the Agreed Purpose. Recipients may process the Disclosed Data about their patients on the NHS Digital Web Viewer for as long as it is necessary to do so for the purposes of the individual care and treatment of those patients.

7. Each Recipient will notify NHS Digital as soon as reasonably practicable after it becomes aware of any Personal Data Breach (as defined in GDPR) by the Recipient concerning the Disclosed Data.

8. The Disclosed Data is confidential patient information and is provided by NHS Digital in confidence to the Recipients and to their Processors. The Disclosed Data must be maintained by the Recipients and their Processors as confidential in accordance with the Duty of Confidence. In particular, the Recipients must comply with their legal responsibilities under COPI when processing the Disclosed Data, including the restrictions laid down in Regulation 7 of COPI. This requires the Recipients when processing the Disclosed Data under COPI:

a. not to process the Disclosed Data more than is necessary to achieve the purposes for which the Recipients are permitted to process that information under Regulation 3(1) of COPI and the Agreed Purposes;

b. so far as it is practical to do so, to remove from the Disclosed Data any particulars which identify the person to whom it relates which are not required for the purposes for which it is, or is to be, processed;

c. not allow any person access to that information other than a person who, by virtue of their contract of employment or otherwise, is involved in processing the information for one or more of those purposes and is aware of the purpose or purposes for which the information  may be processed;

d. not allow any person to process the Disclosed Data unless that person is a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional; and

e. to ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of the Disclosed Data.

9. The Recipients must ensure that their Privacy Notices are updated as required to reflect that they are processing the Disclosed Data for the Agreed Purposes.

10. NHS Digital (and any auditors of or other advisers to NHS Digital) will be entitled to audit the Recipients’ compliance with these terms of release and the Recipients will provide all co-operation and assistance to NHS Digital in relation to any such audit, including providing access to personnel, premises and where necessary, equipment. NHS Digital will provide reasonable notice of its intention to carry out an audit and shall comply with all visitor rules and regulations applicable when attending at the Recipients’ premises for this purpose.

11. If a Recipient materially or persistently breach the terms of release, NHS Digital shall be entitled to terminate the data sharing arrangement by providing written notice to the Recipient, which will include the date of termination, which will be considered the End Date above.

12. Any dispute in respect of these terms or their subject matter will be escalated to appropriately senior officers of the Recipient and NHS Digital for resolution.

13. The contact details for the parties respective Data Protection Officers are:

•       NHS Digital: Jon Moore, [email protected] 
•       NHS England: Carol Mitchel, [email protected]
•       Recipients: see each recipient's website  

14. NHS Digital may also collect outcomes data, inputted onto the CMDU Web Viewer, by CMDUs based upon Section 259 of the Health and Social Care Act 2012.