1. Confidential patient information is defined in section 251(10) and (11) of the National Health Service Act 2006 as information that both identifies the patient, and includes some information about their medical condition or treatment.
2. Where a COPI notice has previously been used as the legal basis for any processing which falls within this paragraph organisations must ensure they are transparent about the legal basis for any ongoing processing.
3. Organisations should note that following the end of the COPI Notices they will need to re-evaluate their Article 6 and 9 UK GDPR legal basis. This guidance does not provide advice on this and organisations should consult their DPO on an appropriate UK GDPR basis.
4. Processing is defined under Regulation 2(2) of the Health Service (Control of Patient Information) Regulations 2002.
5. The terms of reference for the Covid-19 Inquiry.
6. We understand that Regulation 3 may be used as a legal basis for processing CPI for diagnosing communicable diseases, recognising trends, controlling, and preventing the spread and monitoring and managing communicable disease (Regulation 3(1)). However, as we move out of the pandemic period, our view is that increasingly fewer research projects will meet the requirements of Regulation 3(1) and, as such, Regulation 5 is more likely to be the appropriate legal basis for ongoing and future COVID-19 research.
7. UK Policy Framework for health and social care. The HRA also has a decision tool to direct those who are unsure if their activity is research.
8. See Regulation 4 of the Health Service (Control of Patient Information) Regulations 2002.