
Guidance for organisations on processing of confidential patient information when the COPI Notices expire

Health Service (Control of Patient Information) Regulations 2002 (COPI): COPI Notice exit guidance for organisations on processing of confidential patient information when the COPI Notices expire.

8 June 2022, Version 2

This guide does not relate to processing that is undertaken for direct care purposes. 

Specific information on national data sharing through GP Connect and Summary Care Record Additional Information is available: National data sharing GP Connect and Summary Care Record Additional Information - NHS Digital.

The removal of the COPI notice does not affect direct care activities carried out using these applications. 


Background

The Secretary of State for Health and Social Care has issued Notices under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) which required organisations to share confidential patient information with organisations entitled to process this under COPI for COVID-19 purposes (COPI Notices).

The COPI Notices have provided organisations with the confidence they need to share and use data to respond to Covid-19.

The COPI Notices require the processing of confidential patient information (CPI)[1] to take place for the purpose of managing the response to the COVID-19 pandemic (the public health emergency). They give health professionals the security and confidence to share data to support the response to the pandemic. The COPI Notices are due to expire on the 30 June 2022 and as such, organisations relying on them should prepare accordingly. We are aware that the Notices have been used by a wide range of organisations to require the processing of CPI for a varied range of COVID-19 purposes.

As we move beyond the initial response to the pandemic it is important to ensure that there is a sustainable legal basis for the ongoing processing of CPI that is necessary for COVID-19 purposes and that processing ends where it is no longer justified.

The ending of the COPI Notices does not mean that information can no longer be processed. However, the requirement to process for specified purposes will end. Any continued processing will need to be on a sustainable legal basis. This may be under regulation 5 or 3 of the Health Service (Control of Patient Information) Regulations 2002 or another legal basis.

The step by step guide is intended to support organisations currently relying on the COPI Notices to prepare for 30 June 2022 when the notices are due to expire.

This step by step guide does not relate to processing for COVID-19 purposes that[2]:

  • is undertaken by members of the direct care team/those with legitimate access with no onwards identifiable disclosure
  • is required under the NHS Digital, COVID-19 Public Health Directions 2020 or COVID-19 NHS England Directions 2020 issued to NHS Digital to require the processing of data and establishment of system for the COVID purposes defined within those Directions
  • relies on another legal basis, for example where Directions are in place

Whilst this step by step guide is intended to support organisations to make decisions about the ongoing processing of CPI for COVID-19 purposes all organisations should also seek the advice of their Data Protection Officer (DPO) and Caldicott Guardian before making decisions about whether, and on what basis, CPI can continue to be processed for COVID-19 purposes. Where separate guidance on specific issues (such as staff vaccination) has been published, organisations must also consider this.

Organisations must take steps to inform the public of any changes to processing or the legal basis being relied upon and such changes should be reflected in organisations’ privacy notices[3].

The processing of personal data must also continue to be compliant with UK data law such as UK GDPR and the Data Protection Act 2018. This guidance is iterative and we will add to it as appropriate as we move towards 30 June 2022.


Step by step guidance

1. Will the processing[4] of confidential patient information (CPI) for the specified 'COVID-19 purposes' defined in the COPI Notice continue beyond the 30 June 2022?

Yes - go to question 2.

No

Where there is no longer a legal basis for processing CPI under data protection legislation and the common law duty of confidentiality, processing should cease except for the retention of information in accordance with the Records Management Code of Practice (refer to Appendix 3 - pandemic records).

Please note that the COVID-19 Inquiry[5] may require sight of CPI and so consideration should be given as to whether CPI should be retained until clarification on this has been received.

The Department has contacted the Cabinet Office regarding guidance on retention of data for the purposes of the UK COVID-19 Inquiry which will be published shortly. As soon as we have further instructions we will update the COPI guide. Each organisation's DPO and Caldicott Guardian should be consulted on any deletion of this data or retention of CPI for the purpose of future disclosure to the COVID-19 inquiry.

2. Is this research[6] as defined through the UK policy framework for health and social care research?

Yes

Relevant research will have a favourable ethical opinion. 

You should consider another legal basis for processing CPI for COVID-19 purposes. If support under regulation 5 of the COPI regulations 2002 (such as where the processing is for medical purposes in the circumstances set out in the Schedule of COPI Regulations) is considered the most appropriate legal basis, please follow the HRA's COPI notice transition applications advice for steps needed to transition. If no appropriate legal basis is found, processing must cease once the COPI Notices end and data must be deleted in line with data law.

No - go to question 3. 

3. Is this data being processed with a view to:

  • diagnosing COVID-19
  • recognising trends in COVID-19 and risks
  • controlling and preventing the spread of COVID-19 and risks

Or is this data being processed with a view to monitor and manage:

  • outbreaks of COVID-19
  • incidents of exposure to COVID-19
  • the delivery, efficacy and safety of COVID-19 immunisation programmes
  • adverse reactions to COVID-19 vaccines and medicines
  • the giving of information to persons about the diagnosis of COVID-19 and risks of acquiring such disease?

Yes - go to question 4. 

No - go to question 5. 

4. Is the data being processed by persons employed or engaged for the purposes of the health service or other persons employed or engaged by a government department or other public authority in communicable disease surveillance?

Yes

You may still be able to process data under regulation 3 of the Control of Patient Information Regulations. To do this you must ensure that:

  • the processing falls within a purpose set out in regulation 3(1) of the COPI regulations
  • the use of CPI is necessary for processing under 3(1)[8]
  • your Caldicott guardian is informed of, and consulted on, the proposed use
  • all processing is in line with regulation 7 of the COPI Regulations
  • all processing is in line with UK GDPR, the DPA and the 8 Caldicott Principles
  • all reasonable steps are taken to ensure that patients are aware of the use of their data and their rights under data protection law
  • records of all processing under regulation 3 are kept to ensure that organisations are able to provide information that may be required by the Secretary of State under regulation 3(5) or any other person under regulation 7(1)(e)

No - go to question 5

5. Is the data being processed for a purpose other than one already mentioned?

Yes

You need to consider another legal basis for processing. Other legal bases could be obtaining patient consent or applying to CAG for Regulation 5 support. These are the 2 most likely legal bases where the purpose is research.

You should consult your DPO and Caldicott guardian to identify an alternative legal basis.

For further information on alternative legal bases please contact [email protected]

If no appropriate legal basis is found, processing must cease once the COPI Notices end. Please refer to Question 1 regarding the deletion of data.

Footnotes

1. Confidential patient information is defined in section 251(10) and (11) of the National Health Service Act 2006 as information that both identifies the patient, and includes some information about their medical condition or treatment.

2. Where a COPI notice has previously been used as the legal basis for any processing which falls within this paragraph organisations must ensure they are transparent about the legal basis for any ongoing processing.

3. Organisations should note that following the end of the COPI Notices they will need to re-evaluate their Article 6 and 9 UK GDPR legal basis. This guidance does not provide advice on this and organisations should consult their DPO on an appropriate UK GDPR basis.

4. Processing is defined under Regulation 2(2) of the Health Service (Control of Patient Information) Regulations 2002.

5. The terms of reference for the Covid-19 Inquiry

6. We understand that Regulation 3 may be used as a legal basis for processing CPI for diagnosing communicable diseases, recognising trends, controlling, and preventing the spread and monitoring and managing communicable disease (Regulation 3(1)). However, as we move out of the pandemic period, our view is that increasingly fewer research projects will meet the requirements of Regulation 3(1) and, as such, Regulation 5 is more likely to be the appropriate legal basis for ongoing and future COVID-19 research.

7. UK Policy Framework for health and social care. The HRA also has a decision tool to direct those who are unsure if their activity is research.

8. See Regulation 4 of the Health Service (Control of Patient Information) Regulations 2002.



Last edited: 6 March 2024 12:03 pm