
Guidance for organisations on processing of confidential patient information when the COPI Notices expire

Health Service (Control of Patient Information) Regulations 2002 (COPI): COPI Notice exit guidance for organisations on processing of confidential patient information when the COPI Notices expire.

Background

The Secretary of State for Health and Social Care has issued Notices under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) which required organisations to share confidential patient information with organisations entitled to process this under COPI for COVID-19 purposes (COPI Notices).

The COPI Notices have provided organisations with the confidence they need to share and use data to respond to COVID-19.

The COPI Notices require the processing of confidential patient information (CPI) [1] to take place for the purpose of managing the response to the COVID-19 pandemic (the public health emergency). They give health professionals the security and confidence to share data to support the response to the pandemic. The COPI Notices are due to expire on the 30th June 2022. We are aware that the Notices have been used by a wide range of organisations to require the processing of CPI for a varied range of COVID-19 purposes.

As we move beyond the initial response to the pandemic it is important to ensure that there is a sustainable legal basis for the ongoing processing of CPI that is necessary for COVID-19 purposes and that processing ends where it is no longer justified.

The ending of the COPI Notices does not mean that information can no longer be processed. However, the requirement to process for specified purposes will end. Any continued processing will need to be on a sustainable legal basis. This may be under regulation 5 or 3 of the Health Service (Control of Patient Information) Regulations 2002 or another legal basis.

The step by step guide is intended to support organisations currently relying on the COPI Notices to prepare for 30 June 2022 when the notices are due to expire.

This step by step guide does not relate to processing for COVID-19 purposes that:

  • is undertaken by members of the direct care team/those with legitimate access with no onwards identifiable disclosure
  • is required under the NHS Digital, COVID-19 Public Health Directions 2020 or COVID-19 NHS England Directions 2020 issued to NHS Digital to require the processing of data and establishment of system for the COVID purposes defined within those Directions
  • relies on another legal basis, for example where Directions are in place

Whilst this step by step guide is intended to support organisations to make decisions about the ongoing processing of CPI for COVID-19 purposes all organisations should also seek the advice of their Data Protection Officer and Caldicott Guardian before making decisions about whether, and on what basis, CPI can continue to be processed for COVID-19 purposes.

Organisations must take steps to inform the public of any changes to processing and such changes should be reflected in organisations’ privacy notices. [2]

The processing of personal data must also continue to be compliant with UK data law such as UK GDPR and the Data Protection Act 2018. This guidance is iterative and we will add to it as appropriate as we move towards 30 June 2022.


Step by step guidance

1. Will the processing of confidential patient information (CPI) for the specified 'COVID-19 purposes' defined in the COPI Notice continue beyond the 30 June 2022?

Where there is no longer a legal basis for processing CPI, data should be deleted in line with the requirements of data protection law [4]. The COVID-19 Inquiry [5] may require sight of CPI and so consideration should be given as to whether CPI should be retained until clarification on this has been received.

Yes, go to question 2.

No

Where there is no longer a legal basis for processing CPI, data should be deleted in line with the requirements of data protection law.

The Department has contacted the Cabinet Office regarding guidance on retention of data for the purposes of the UK COVID-19 Inquiry team which will be published shortly. As soon as we have further instructions we will update the COPI guide. Each organisation's DPO and Caldicott Guardian should be consulted on any deletion of this data or retention of CPI for the purpose of future disclosure to the COVID-19 Inquiry.

2. Is this research as defined through the UK policy framework for health and social care research?

No, go to question 3.

Yes

Relevant research will have a favourable ethical opinion. 

You should consider another legal basis for processing CPI for COVID-19 purposes. If support under regulation 5 of the COPI regulations 2002 (for example where the processing is for medical purposes in the circumstances set out in the Schedule of COPI Regulations) is considered the most appropriate legal basis, please follow this for steps needed to transition. If no appropriate legal basis is found processing must cease once the COPI Notices end and data deleted in line with data law. 

3. Is this data being processed to diagnose, recognise trends, control and prevent or monitor and manage outbreaks of COVID-19?

Yes, go to question 4. 

No, go to question 5. 

4. Is the data being processed by persons employed or engaged for the purposes of the health service or other persons employed or engaged by a Government Department or other public authority in communicable disease surveillance?

No, go to question 5.

Yes

You may still be able to process data under regulation 3 of the Control of Patient Information Regulations. To do this you must ensure that:

  • the processing falls within a purpose set out in regulation 3(1) of the COPI regulations
  • your Caldicott guardian is informed of, and consulted on, the proposed use
  • all processing is in line with regulation 7 of the COPI Regulations
  • all processing is in line with UK GDPR, the DPA and the 8 Caldicott Principles
  • all reasonable steps are taken to ensure that patients are aware of the use of their data and their rights under data protection law
  • records of all processing under regulation 3 are kept to ensure that organisations are able to provide information that may be required by the Secretary of State under regulation 3(5) or any other person under regulation 7(1)(e)

5. Is the data being processed for a purpose other than one already mentioned?

Yes

You need to consider another legal basis for processing. Other legal bases could be obtaining patient consent or applying to CAG for Regulation 5 support. These are the 2 most likely legal bases where the purpose is research.

You should consult your DPO and Caldicott guardian to identify an alternative legal basis.

For further information on alternative legal bases please contact copienquiries-datapolicy@nhsx.nhs.uk

If no appropriate legal basis is found, processing must cease once the COPI Notices end. Please refer to question 1 regarding the deletion of data.

Footnotes

1. Confidential patient information is information that both identifies the patient, and includes some information about their medical condition or treatment.

2. Organisations should note that following the end of the COPI Notices they will need to re-evaluate their Article 6 and 9 UK GDPR legal basis. This guidance does not provide advice on this and organisations should consult their DPO on an appropriate UK GDPR basis.

3. Confidential Patient Information is defined in section 251 of the National Health Service Act 2006.

4. UK GDPR and Data Protection Act 2018

5. The terms of reference for the Covid-19 Inquiry

6. We understand that Regulation 3 may be used as a legal basis for processing CPI for diagnosing communicable diseases, recognising trends, controlling, and preventing the spread and monitoring and managing communicable disease (Regulation 3(1)). However, as we move out of the pandemic period, our view is that increasingly fewer research projects will meet the requirements of Regulation 3(1) and, as such, Regulation 5 is more likely to be the appropriate legal basis for ongoing and future COVID-19 research.

7. UK Policy Framework for health and social care. The HRA also has a decision tool to direct those who are unsure if their activity is research.



Last edited: 26 May 2022 2:29 pm