Transformation Directorate

IG frequently asked questions (FAQs)

Take a look at our frequently asked questions and answers to common information governance queries.

Questions about sharing information

Can I share information with a health and care professional based at another health and care organisation if they are supporting the individual care of a patient or service user?

Information should be shared to support individual care. For example, a radiologist in Birmingham could view and report on an image of a patient from Kettering because Kettering temporarily has a reduced number of radiologists. However, you should ensure that you restrict your disclosure to the information that is necessary for the purpose. You should ensure that your DPO is aware so that they can update your organisation’s privacy notice as appropriate.

ICB and ICS system coordination centres (SCCs) have been established to relieve Winter pressures. How can data be shared lawfully between them?

If the information is being shared between those who are involved in an individual’s care then you can rely on implied consent.

If the information is being shared with those who are not directly involved in the care of the individual, for example analysts, then you should pseudonymise the data before it is shared for example by replacing the name, address and NHS number with a unique number or code. It is important that the information about which individual has been allocated which pseudonym is kept securely and not shared with the centre.

If you cannot use pseudonymised data then you will need to satisfy the common law duty of confidentiality by obtaining explicit consent from the individual. If it is not possible to seek explicit consent, you will need to apply to the Confidentiality Advisory Group and gain approval from the Secretary of State for Health and Social Care under the Health Service (Control of Patient Information) Regulations 2022. This is often known as ‘section 251 support.’

In all cases you must only share the minimum amount of information for the centre to perform its function.

Can I share information with a private health and care provider?

You should share information that is necessary to support individual care. This includes care that is provided by the independent sector whether for a specific issue or to support a transfer of care. For example, if you are discharging a person to the care of an independent provider such as a private hospital or a nursing home, you should share the information relevant to the support of that person’s care in that setting. Or if, for example, your patient is seeing a private GP, you should share the information necessary to support their care.

Can I share information outside the health system?

You should share information that is necessary to support the provision of individual care, including care provided by those who have not traditionally been considered to be health professionals. For example, you should share relevant parts of a person’s health and care record with a social worker or care home manager where needed to support that person’s care. The person’s consent can be implied because they understand the information is being shared to support their care. In the same way, social care staff should share the relevant parts of a person's social care record with healthcare staff, when needed to support their care.

Questions about staff vaccinations

Is it a requirement for frontline health and care staff to be vaccinated against COVID-19 or flu?

There is currently no requirement from the Department of Health and Social Care (DHSC) or NHS England for you to deploy staff on the basis of their COVID-19 or flu vaccine status. However, there is still a need for you to understand your vaccination rates and promote vaccine uptake for both COVID-19 and flu.

What should we do with the COVID-19 and flu vaccine data we have already collected using the COPI notice as the legal basis?

If the COVID-19 and flu vaccine data relates to staff members who have been vaccinated by your organisation, you should retain the information and share it with NHS England in the same way that you do for any patient your organisation has vaccinated. This is permitted under regulation 3 of the NHS (Control of Patient Information) Regulations 2002. However, generally, organisations should not share confidential patient information about anyone who objects to their information being shared.

When do the COPI notices end?

The COPI notices ended on 30 June 2022. NHS England has therefore withdrawn access to national IT system dashboards which provide details of individual staff vaccinations.

What should we do with any information we have collected about unvaccinated staff?

Generally, it is unlikely that you will need to continue processing information about staff whose vaccination status is unknown. However, if you have already collected this information and wish to retain it, your organisation will need to establish a valid UK GDPR legal basis for continuing to process the data. If a valid legal basis cannot be established, the data must be removed from your system.

How can we continue to legally access data collected by other organisations who have vaccinated our staff members so we can understand vaccination rates?

After 30 June 2022, you will not be able to rely upon the provisions of the COPI notices to access information about the vaccination status of staff members who have not been vaccinated, or who were vaccinated by another organisation. For these individuals, your organisation will need to do its own assessment locally and establish what your legal grounds are for collecting and retaining their vaccine data. It is likely that your organisation will have to rely on consent under common law for staff members to volunteer this information themselves.

Questions about data flows

Can data flow to countries outside of the EU?

Yes – to these countries which are currently deemed ‘adequate’ in relation to international data transfers.

For other countries you would need to use either an International Data Transfer Agreement (IDTA), or an EU standard contractual clause (SCC) alongside the EU Addendum.

Before using either, each Controller must undertake a Transfer Risk Assessment. The ICO have developed a draft Transfer Risk Assessment tool and associated guidance to help you do this.

Can data flow from the UK to the EU following EU Exit?

Yes. There are currently no changes  to the way personal data is sent to the EU.

Can data flow from the EU to the UK following EU Exit?

Yes.  The EU has formally recognised the UK's high data protection standards through an 'adequacy decision'. This means that data can continue to flow from the EU to the UK and there should be no interruption in the data received by health and care organisations from the EU.  The adequacy decision is in place for four years until June 2025. During this time it can be relied upon as a legal basis for transfers of personal data from the EU to the UK.

Questions about video surveillance

What are video surveillance systems?

Video surveillance systems relate to systems that view or record individuals and information about them. Examples include a hospital using Automatic Number Plate Registration (ANPR) to manage parking facilities, or a care home using Closed Circuit TV (CCTV) to manage public spaces of their home.

We are looking to introduce video surveillance activities into our organisation. What do we need to consider?

Use of these systems can be privacy-intrusive, and a Data Protection Impact Assessment (DPIA) must be completed prior to any deployment of video surveillance systems. Efforts must also be made to inform those people whose images or information may be captured by such systems, including updated privacy notices, and posters in prominent places informing people of the use of video surveillance.

Where can I find more information about video surveillance?

More information on video surveillance can be found on the ICO website.

Questions about COPI notices

Non-urgent advice: How long will COPI notices be in place?

The COPI notices expired on 30 June 2022.

You can still use data for COVID-19 purposes where there is a legal basis.

We have published guidance to support organisations to prepare for the end of the COPI notices.

Questions about amending a patient’s name on their health and care record

Why might individuals ask for a name change on their health record in order to travel overseas?

The government has advised that the first name and surname on an individual’s NHS COVID Pass must match the names on their passport for international travel, which may mean an increase in name change requests GPs have to respond to. You should explain to individuals that name change requests should only be made when absolutely necessary, and suggest a time frame which gives you sufficient opportunity to respond to the request whilst dealing with your other duties.

How should individuals request a name change?

Individuals are free to change their name on their health record at any time they choose. They must provide you with a written request which is signed and dated. You may choose to provide a specific form patients can use for requesting a change of name.

What documentation must individuals provide when requesting a name change?

It is recommended by Primary Care Support England (PCSE) that individuals provide documentation displaying their correct name, so that their GP practice can assure themselves of the identity of the requester. It is up to you to determine what information you might reasonably request to verify a person’s identity. This could be a passport, marriage certificate or deed poll.

How do you change a person’s name on their health and care record?

Whichever IT system you use, you will be able to change a person’s name directly on your system. If you are unsure how to do this, you can contact the helpdesk of your system provider who will be able to explain the process step-by-step.

When you amend the name of a patient on your clinical system, a message is sent through GP links to the database maintained by PCSE and National Health Application and Infrastructure Services (NHAIS). If there are signs of a data quality issue, PCSE will seek assurances from you about the name change. Therefore, it is best practice for you to attach a supporting note in the first instance when amending name details on the system. You should explain the reason for the change and which documentation, if any, has been provided by the patient.

Questions on protecting confidentiality and privacy on the telephone

What steps should I take to ensure people’s privacy on all telephone calls?

We encourage the use of telephone communications with patients and service users to support the delivery of care. When making or receiving telephone calls, for example, to set up an appointment, you need to follow simple safety precautions to ensure the privacy of the person you are calling. You should:

  • Double check the number before dialling.
  • Check your location: make sure that your telephone conversation cannot be overheard, and that the person you are calling cannot overhear other confidential matters in the background.
  • Verify the person’s identity: check the identity of the person you are speaking to by asking for two or three details such as their date of birth, postcode, and the first line of their address.
  • Once you have verified their identity: let the person know the service you are calling from and the purpose of the call.
  • In case the call goes to voicemail: before calling, check your organisation's local policy regarding voicemails and the person’s care record to see if they have opted into receiving voicemails. Even if the policy and care record allow you to leave a voicemail, make sure it doesn’t contain any confidential information.
How can I protect a person’s privacy when calling a landline number?
  • When your call is answered: give your full name and the name of the organisation you are calling from, without specifics about the service or purpose of the call. Ask to speak to the relevant person by their full name.
  • When the relevant person answers or comes to the phone: use the simple verification process described above to check their identity. Once you are satisfied you are speaking to the right person, tell them the service you are calling from and the purpose of the call.
  • When someone else answers the phone: give your full name and the name of the organisation you are calling from, but not the service or purpose of the call. Ask if there is a better time to speak with the person and end the call, even if the recipient applies pressure to extend it. Try calling again, at the suggested time if possible. Set a limit on the number of attempts made to call at different days and times and record them, before you consider sending a letter.
How can I protect a person’s privacy when calling a mobile number?
  • Don’t assume that mobile devices are more secure than landline telephones.
  • Verify the person’s identity using the simple verification process described above, before offering any details about the service you are calling from or purpose of the call.
  • Check if you have called at an appropriate time and consider adjusting your questioning style to maintain privacy.
What if the person I am calling asks for proof of identity?

If the person you are calling on the telephone challenges you and asks for proof of your identity: advise them to hang up, call your organisation switchboard, and ask for your extension number. You can then perform the simple identity verification checks described above. However, if you are calling from a potentially confidential or sensitive service, or have cause to be suspicious of the person’s identity, consider using an alternative form of communication.

General questions

What are the IG requirements when setting up Integrated Care Boards?

ICS implementation guidance: due diligence, transfer of people and property from CCGs to ICBs and CCG close down’ provides a due diligence checklist for CCGs and ICBs to consider as part of transition arrangements.

There is a tab on the checklist (tab 5) which covers IG requirements. Many of the requirements in this tab align with the DSPT, however, it is important organisations complete these during the transition phase as ICBs are being established.

The FutureNHS platform also has guidance for CCGs on website changes which must be implemented by 31 July 2022, including archiving web pages and redirecting people to the new ICB website.

Does the national data opt-out impact Summary Care Records?

No. The national data-opt out only applies to a person’s confidential patient information and its use for purposes other than individual care, such as planning and research.

The purpose of the Summary Care Record (SCR) is to provide basic health and care information to a health and care professional. It is used when the individual’s local detailed health and care record is not available. For example, to provide emergency treatment while a person is on holiday in another part of the country. As the SCR is needed to support the provision of individual care, the national data opt-out doesn't apply. A different opt-out process is available to those who do not want to have an SCR.

Is there an opt-out of Shared Care Records?

No. Local areas providing Shared Care Records (ShCR) do not need to offer an opt-out for information that is being used and shared for individual care. However, the UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.

If an individual does not want their information shared through a ShCR for their individual care, they may raise an objection in accordance with their rights under UK GDPR. Each ShCR group should agree its own arrangements for managing objections and to communicate it to patients and service users.

The organisations holding their data have a duty to consider the objection. They should only override that objection if there is a compelling reason to do so. The impact of the objection should be discussed with the person and alternatives sought where possible.

Does the national data opt-out impact on Shared Care Records?

No. The national data opt-out does not impact on Shared Care Records when information is shared for individual care. However, if a local area decides to use confidential patient information for purposes beyond individual care, then the national data opt-out should be applied. Examples could include research, service design and planning.

Is it still safe to use off-the-shelf messaging apps? I have heard that some changes to terms and conditions of service may mean that messages can be accessed, and information shared with other companies.

While we would advise against the use of off-the-shelf applications for the routine sharing of confidential patient information, it remains appropriate to use them when there is no practical alternative and the benefits outweigh the risks. For example, in emergency situations where an app on your phone is the only way of sharing patient data and a person might suffer serious harm if you fail to share information.

The important thing, as always, is to consider what type of information is being shared and with whom, and as much as possible limit the use of personal or confidential patient information. 

If your organisation is going to process personal or confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA), for example using WhatsApp, then a short high level DPIA should be carried out. The DPIA should set out:

  • the activity being proposed
  • the data protection risks
  • whether the proposed activity is necessary and proportionate
  • the mitigating actions that can be put in place
  • a plan or confirmation that mitigation has been put in place

With regards to recent reports about the changes to terms and conditions of certain apps, users have been assured that the content of messages will remain encrypted from end to end. This means that messages can only be viewed by the sender and the recipient. Changes to terms and conditions might result in the sharing of personal information about the users of its service with other companies, for example, profile information, device data and other metadata. However, the app suppliers have given assurances that the data sharing practices remain compliant with UK data protection legislation.

For further information see our guidance on mobile messaging.

Is it okay to use digital solutions which allow patients to control who has access to their GP record?

Yes. Relevant information can be shared for individual care on the basis of implied consent. Some digital solutions allow patients to be involved in these decisions, for example, they are sent a text message asking them if they are happy to share information from their GP record with someone else caring for them for a time limited period. There should be no barrier to using this type of solution from an IG perspective, however, the GP practice, as data controller, should check they are happy with what is proposed. If the GP practice is happy then, relevant information should be available to other health and care professionals who wish to use the solution.

Is the NHS number an identifier or not?

It depends on the context and situation it is used.

All patients have an NHS number which is unique to them. This is usually allocated when you register with a GP.

The number by itself does not identify the person it relates to as it is just a number, for example: 012 345 6789. However, if a person has access to the systems that can reveal the identity of the individual who the NHS number is assigned to, then it should be considered an identifier.

For example, the Personal Demographics Service (PDS) - the national electronic database of NHS patient details includes NHS numbers as well as names and addresses. It is used by many staff across the NHS to provide care and can be used to check the NHS number. Where access to PDS or a similar system is possible, the NHS number should be considered as an identifier. 

Very careful consideration therefore needs to be applied when using the NHS number as a way of pseudonymisation because to one recipient of the number, it may be classed as anonymous (as they do not have the means to identify the person from it), but a different recipient may have access to systems which they can use to find out who the number belongs to.

What is the Centre for Improving Data Collaboration (CIDC) and will it be producing IG guidance and advice?

The CIDC is a new business unit that has been created to support the health and care sector to enter into data sharing partnerships that benefit the NHS, patients, and the public. You can find out more about the CIDC or read this blog post by Matthew Gould.

The Health and Care Information Governance Panel is responsible for producing IG guidance and advice. Our IG team however, will work closely with the CIDC to provide support where any IG issues arise to ensure a consistent approach.

COVID-19 questions for health and care organisations

Can I work from home for example if I have to self-isolate?

To help underpin staff working from home, your organisation should have an agreed policy for you to refer to which covers this. If your organisation considers it is suitable for you to work at home, then this should be possible if you: 

  • use the IT equipment issued by your organisation wherever possible as this should have the appropriate security protection
  • use a secure network connection, for example home Wi-Fi that requires a password so information is not sent or received over a public Wi-Fi network
  • ensure any applications or software solutions you use have appropriate security, such as using strong passwords
  • ensure the security of any physical documents you take home, particularly those that contain personal or confidential patient information
  • lock print outs and devices away at the end of the working day if possible, to avoid loss or theft of personal or confidential patient information

If you are using your own device, you should contact your IT department and see if they can install programs on your own equipment or send you links to software to download to secure your own equipment. If that’s not possible you should keep your software up to date to make it more difficult for an attacker. You should also avoid mixing your organisation’s information with your own personal information to avoid accidentally keeping hold of information for longer than is necessary.

The Information Commissioner's Office (ICO) has published its own guidance on home working. See the question below regarding the additional precautions you should take when accessing or using confidential patient information (CPI) when working from home. 

Can I access or use confidential patient information (CPI) when working from home?

When accessing and using CPI at home you should protect it in the same way you would normally. You should follow the recommendations set out in the question above on homeworking and take the following additional precautions when accessing or using CPI:

  • If you need to share CPI with others then choose NHS Mail, a secure messaging app or online document sharing system.
  • If you do not have access to these and need to use an alternative email account, which may not be secure, consider password protecting documents and sharing the passwords via a different channel, like text.
  • Consider who else is in the household, and if they can access CPI accidentally or inappropriately, such as looking over your shoulder.
  • CPI should be used for the minimum time necessary for your purpose, and in a way that minimises disclosure.
  • Once the reason for accessing CPI at home has passed, then any CPI that is stored must either be returned to the organisation as soon as possible, or if it is duplicated then your copies must be destroyed.
What about if I’m overseas and I cannot return, can I still work?

This will depend on your role and your organisation agreeing it is appropriate. The requirements are the same as working from home (see above). However, in addition you should discuss it with your Data Protection Officer (DPO). 

Can I share information with a health and care professional based at another health and care organisation if they are supporting the individual care of a patient or service user?

Information should be shared to support individual care. For example, a radiologist in Birmingham could view and report on an image of a patient from Kettering because Kettering temporarily has a reduced number of radiologists. You should ensure that your DPO is aware so that they can update your organisation’s privacy notice as appropriate.

Can we carry out group sessions with patients and service users using video conferencing tools?

Using video conferencing tools may mean you can continue to provide group sessions for patients and service users safely during the COVID-19 period. For example antenatal classes or physiotherapy sessions.

You should ensure patients and service users understand that they are joining a group session and any information they share during the session will be seen or heard by others in the group. You should also consider setting out some terms of use for patients or service users. For example, do not take screenshots or record the session. The consent of the patient or service user, under common law, is then implied by them accepting the invite and entering the consultation. There should be no compulsion to sign up or use the service, but services need to make sure they have provided as much information as possible so patients and service users can make an informed choice.

You should use a video conferencing tool that has been approved by your organisation and follow any advice set out in your organisation's policy on video conferencing with patients and service users.

Is it a requirement for frontline health and care staff to be vaccinated against COVID-19 or flu?

There is currently no requirement from the Department of Health and Social Care (DHSC) or NHS England for you to deploy staff on the basis of their COVID-19 or flu vaccine status. However, there is still a need for you to understand your vaccination rates and promote vaccine uptake for both COVID-19 and flu.

When do the COPI notices end?

The COPI notices ended on 30 June 2022. NHS England has therefore withdrawn access to national IT system dashboards which provide details of individual staff vaccinations.

What should we do with the COVID-19 and flu vaccine data we have already collected using the COPI notice as the legal basis?

If the COVID-19 and flu vaccine data relates to staff members who have been vaccinated by your organisation, you should retain the information and share it with NHS England in the same way that you do for any patient your organisation has vaccinated. This is permitted under regulation 3 of the NHS (Control of Patient Information) Regulations 2002. However, generally, organisations should not share confidential patient information about anyone who objects to their information being shared.

What should we do with any information we have collected about unvaccinated staff?

Generally, it is unlikely that you will need to continue processing information about staff whose vaccination status is unknown. However, if you have already collected this information and wish to retain it, your organisation will need to establish a valid UK GDPR legal basis for continuing to process the data. If a valid legal basis cannot be established, the data must be removed from your system.

How can we continue to legally access data collected by other organisations who have vaccinated our staff members so we can understand vaccination rates?

After 30 June 2022, you will not be able to rely upon the provisions of the COPI notices to access information about the vaccination status of staff members who have not been vaccinated, or who were vaccinated by another organisation. For these individuals, your organisation will need to do its own assessment locally and establish what your legal grounds are for collecting and retaining their vaccine data. It is likely that your organisation will have to rely on consent under common law for staff members to volunteer this information themselves.

Questions about staff members accessing health and care systems from non-UK countries

Can staff members access health and care systems from non-UK countries?

Data protection laws do not stop staff accessing health and care systems from non-UK countries - however you will need to decide whether it is appropriate. You should consider:

  • Your organisation’s risk appetite and technical capabilities
  • Potential reputational damage to your organisation (if personal data is lost or unlawfully accessed abroad)
  • The nature of the services provided
  • The type of information that needs to be accessed

Accessing health and care systems from non-UK countries brings heightened risks to data. These could include laws in non-UK countries granting law enforcement agencies access to data, or individuals’ rights not being suitably protected.

You should set out your decision in an ‘accessing health and care systems from abroad’ policy document. If you make a policy decision that accessing health and care systems from non-UK countries could be appropriate for staff members, individual requests should still be looked at on a case-by-case basis as each case will differ.

Is an International Data Transfer Agreement (IDTA) required?

You do not need to put an International Data Transfer Agreement in place for staff accessing your organisation’s systems or information whilst overseas. This is because they are accessing systems and information in the same way they would whilst in the UK. The information stays within your organisation and is not transferred outside of it to another organisation.

What’s the best way to assess the IG risks of accessing health and care systems from non-UK countries?

A data protection impact assessment (DPIA) can be used to assess the risks to data and how to mitigate these risks. The DPIA must make clear who the Controller is whilst data is processed outside of the UK, and who is responsible for ensuring compliance with data protection requirements.

Does the country the staff member wishes to access information from make a difference?

Yes, different countries have different approaches to data protection so you will need to take this into account when assessing risk. You should consider the wider risks associated with a particular country on a case-by-case basis.

What data security measures should be taken?

You must ensure that appropriate organisational and technical security measures are in place to protect data whilst abroad such as device encryption, multi-factor authentication, and use of your organisation’s virtual private network (VPN). The security controls you choose should be proportionate to the risks associated with the particular country.

You should also check that the country where the staff member wishes to access information from does not prohibit, or have technical barriers in place which impact, secure data transfers or storage.

Access arrangements will also need to be clear, for example whether data would be accessed remotely or processed only on trusted devices.

Any heightened risks of cyber-attacks should also be considered, such as protecting devices from being able to connect to public or free Wi-Fi networks, leaving devices unattended or unsecured (such as being left on display in a hotel room), or countries that require intrusive mobile phone applications to be installed. One way of reducing this risk is by using your organisation’s VPN, which can secure connections to your organisation’s networks and systems and reduce the risk of a data breach.

Is it OK for personal data to be accessed from abroad?

If a staff member needs to access personal, or health and care, data, you will need to take this into account as part of your risk assessment. For some countries access to this type of data may be appropriate, whereas for others the risks will be too high. Individuals may not have the same legal protection if their information is processed in a different country.

Can staff access the NHS Spine and national applications whilst accessing information from overseas?

The NHS Spine was intended to be accessed from within the UK, so access from outside the UK should be treated as exceptional. Your risk assessment or DPIA must take this into consideration before deciding whether access to the NHS Spine and applications is appropriate and secure.

You must ensure that allowing staff access to information when abroad does not breach any contractual agreements. This includes the Health and Social Care Network (HSCN), which has terms restricting the transfer of data to certain countries, and you should also check the contractual agreements for any other products being used from abroad which connect to national services, such as the Personal Demographics Service (PDS).

If access from abroad is agreed, you will need to arrange and monitor how the staff member will obtain and use the NHS Smartcard, if relevant.

Should an employee’s contract be changed if it is agreed they can access health and care systems from a non-UK country?

Yes – where they will routinely be accessing health and care systems from abroad as part of their role, their contract should be changed. You should speak to your payroll and HR colleagues about what should be covered, for example they may need to include a clause about access to the NHS Spine and national applications if that has been agreed.

In addition, you should make sure the employee is clear about any conditions or limitations in place whilst they access health and care systems from abroad, for example, only using secure Wi-Fi connections, or encrypted mobile devices.

Where can I find out more?

NHS Employers has commissioned legal firm Capsticks LLP (and partners) to produce a guidance document on overseas working arrangements, which covers contractual terms, data protection and data transfer and other topics in more detail.

Questions about cookies and visitor activity trackers

What are visitor activity trackers in the context of health and care?

Visitor activity trackers are a way in which you can track users who visit your website and webpages. They provide information on what pages are accessed by users and how they interact with the website, for example by using the search function. This is usually done using cookies or similar technology.

Cookies are a small file, usually made up of letters and numbers, which are downloaded onto the user’s device, when accessing certain websites. These cookies are then sent back to the originating website on each future visit by the user to the website.

For further information about the use of cookies and similar technologies, please see guidance from the Information Commissioner’s Office (ICO).

What types of cookies do websites use?

There are three types of cookies:

  • Essential or necessary – to enable the website to function as intended
  • Analytics – to enable organisations to see what pages people are looking at, or how they are using the website (for example, pages or content with no hits might be taken down sooner than pages frequently accessed)
  • Marketing – used to promote products or services
Do you need user consent to use tracking mechanisms such as cookies?

For all cookies and similar technologies that are not strictly essential or necessary for the operation of the website, you are required to obtain user consent. This is usually done via a pop-up on the website. The ICO provides guidance on how to obtain consent including helpful pictures of compliant cookie banners.

Why is it important to ensure that visitor activity trackers are used appropriately on our website?

An inappropriate use of visitor activity trackers could result in a breach of data protection laws. This could occur for example if excessive information was collected by an activity tracker - particularly where marketing cookies are installed.

Inappropriate use of visitor activity trackers could also risk the confidentiality of individuals, for example if user derived information such as an IP address or personal details added to the webpage by the user, is linked with searching for health and care information about a specific condition, especially of the webpage asks the user to confirm if they have the condition.

How can we audit the tracking and profiling that is taking place on our website?

It is important that you regularly audit how you are tracking or profiling your website users and what data you are storing locally or passing to tracking services, to ensure the data collected is not excessive. There are readily available low-cost analytics tools that can audit the types of cookies you have, and to categorise them. This enables you to isolate or remove cookies you do not require.

What else should I do to ensure that the tracking and profiling on our website is appropriate?

You should:

  • have clear lines of accountability and responsibility for tracking and profiling activity within your organisation (who authorises the use of cookies or similar technology, who can deploy them etc)
  • have a clear process for ongoing monitoring of visitor activity tracking and profile management within the organisation (for example, running a regular scan of cookies deployed, highlighting new or suspect ones for further investigation etc)
  • ensure visitor activity trackers cannot be added or removed from their website without organisational approval – this applies to internal and external staff, such as contractors.
What do I need to tell the public about the use of cookies?

You should ensure that the public accessing your website understand:

  • what tracking mechanisms (such as cookies) you use
  • why you use those tracking mechanisms
  • what choice (if any) the public has about the cookies used

This could be done as part of your transparency information, and via a cookie pop-up when users first access your site, giving them the chance to choose which cookies to accept, and to find out more detailed information about their use. Transparency information should also include information about what organisations you are sharing data with and for what purpose.

Questions about local authority information sharing with NHS England

Is it legal for local authorities to share confidential information with NHS England?

Yes. A new legal data provision notice provides the legal basis under the common law duty of confidentiality for local authorities to share the specific information set out in these FAQs with NHS England.

The legal bases under the UK General Data Protection Regulation that support this sharing are Articles 6(1)(c) legal obligation and Article 9(2)(h) management of the social care system.

What information must local authorities share with NHS England?
Should a local authority submit the information it holds to NHS England if a service has been provided by another provider?

Yes. A local authority should submit the information it holds if it is listed in the data specification. For example, where the local authority has a contract with a provider but holds information because it is jointly involved in the individual’s care, the local authority should still submit the information it holds to NHS England.

Will service users be asked for their consent for this information sharing?

No. In common law, there is a duty of confidentiality which means that when someone shares information in confidence it must not be disclosed without some form of legal authority or justification. In practice, this usually means explicit consent is required for a purpose beyond individual care.

However local authorities are being required to share information by law (as set out in the new data provision notice). This data provision notice sets aside the common law duty of confidentiality and therefore explicit consent is not required.

Will the right to object or national data opt-out apply to the information shared by local authorities with NHS England?

No. Where there is a legal requirement to share information neither the UK GDPR right to object nor the national data opt-out apply.

How will service users be made aware of this information sharing?

Local authorities must update their privacy notice and other transparency materials, such as service user information leaflets. Transparency materials must set out what data is being shared, for what purposes, and what people’s rights are. NHS England’s privacy notice has been updated.

Can local authorities share confidential information with other organisations?

The new direction only applies where information is being shared with NHS England. Where a local authority needs to share confidential information with another organisation a clear legal basis must be in place.

Local authorities should check, with their Integrated Care Board (ICB) or Integrated Care System (ICS) partner organisations, what is planned to enable the legal sharing of information across the ICS for purposes beyond individual care, for example for risk stratification. Advice should also be sought from IG leads and Caldicott Guardians as appropriate.

Will NHS England share the information collected from local authorities with other organisations?

Yes. Information will be shared to benefit health and care, for example with other local authorities, ICBs and the Department of Health and Social Care. Wherever possible, anonymous data is shared. Identifiable information can only be shared by NHS England where there is a clear legal basis and appropriate approvals in place.

How can a local authority access information held by NHS England?

Local authorities will receive the data they submitted with data quality checks completed and missing NHS numbers traced.

Local authorities can also request access to the pseudonymised data (with identifiers removed and replaced with a pseudonym) with links to other NHS England commissioning datasets, to support with their duty to monitor and manage the local care system.

The Data Access Request Service (DARS) provides further information about the process for requesting access to information held by NHS England.

Questions about Integrated Care Boards (ICBs) and risk stratification

What is risk stratification in the NHS?

‘Risk stratification’ within the NHS refers to a process of applying algorithms and using tools to analyse data from multiple sources to identify high-risk patients who are likely to benefit from proactive care from their GP. The process uses national and GP data sources linked to a specific population to enable the early detection of patients at risk of conditions such as diabetes, heart disease or unplanned hospital admission. Risk stratification is used to improve overall health outcomes.

How does risk stratification work?

Risk stratification is undertaken at Integrated Care Board (ICB) level with the support of NHS England-approved suppliers of risk stratification services. These services use risk stratification tools to analyse the data to identify patients at risk, before returning their details to their GP for appropriate follow-up.

Which data sources are covered by this process?

The risk stratification process covers the linking of GP data to national data collected from the Secondary Uses Service (SUS), which includes data from A&E attendance, emergency admissions, and mental health services.

Does this process require the use of confidential patient information?

This process requires the use of the NHS number to link multiple datasets and identify the higher risk patients that could benefit from targeted intervention in general practice. The NHS number acts as the key to identify an individual and for that reason the information used for risk stratification is treated as confidential.

What is the lawful basis for processing this confidential data?

Some patients will have their data analysed but will not receive an intervention as part of their care, so risk stratification is considered a purpose beyond individual care.

The use of data for purposes beyond individual care would usually require explicit patient consent. However, because it is not practical to seek explicit consent from a larger population, NHS England sought support under regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 by submitting a single application on behalf of the system. This is often known as section 251 support and requires an application to the Confidentiality Advisory Group (CAG). Section 251 support enables the common law duty of confidentiality to be lifted for a period of time.

This support meant that ICBs could legally process confidential patient information for risk stratification without seeking explicit patient consent.

What is changing for ICBs?

On 30 September 2023, the national system-wide section 251 support will expire. Each ICB will become directly accountable for ensuring a legal basis is identified under the common law duty of confidentiality to process confidential patient information for risk stratification purposes within its local area. To do this, each ICB planning to undertake risk stratification will need to submit its own application to CAG. CAG will review each application and, if supportive, will advise the Secretary of State to set aside the duty of confidentiality for that instance.

How can ICBs make this application to CAG?

To support ICBs in this task, NHS England and system representatives have co-produced a user-friendly new ‘risk stratification application template’ (application template) and ‘supplementary information document’ (supplementary document) for ICBs to use for their CAG applications.

What is the new application template and supplementary document?

The new application template is populated with standard wording that has been approved by CAG and requires only minimal additions from each ICB. The ICBs can submit any specific wording, examples, or evidence needed to support their individual applications on the supplementary document provided along with the application template. The application template and the supplementary document must be completed and submitted together to CAG for assessment and approval.

What is the timeline?

The national system-wide section 251 support for risk stratification purposes will expire on 30 September 2023, when each ICB becomes directly accountable for ensuring it has a legal basis for using the data.

To enable the smooth transfer of accountability to the ICBs in time for the 30 September 2023 deadline, the following actions must take place:

28 June 2023 – 15 July 2023

ICBs to receive the application template and supplementary document.

15 July 2023 – 7 August 2023

ICBs to populate the application template and supplementary document.

7 August 2023

ICBs to submit the populated application template and supplementary document to CAG.

Week commencing 28 August 2023

CAG to review the application template and supplementary information document and provide comment and/or approval directly to the ICB.

Questions about OpenSAFELY

What is OpenSAFELY?

NHS England established the OpenSAFELY service Trusted Research Environment (TRE). It supports the use of data for COVID-19 purposes only including research, clinical audit, service evaluation and health surveillance.

The service uses the OpenSAFELY tool to run queries on the data and keep it secure within the OpenSAFELY TRE. Only research approved by NHS England takes place within the OpenSAFELY TRE.

What data does OpenSAFELY use?

The OpenSAFELY service uses pseudonymised data from various sources, which has identifiers removed and replaced with a pseudonym. One source is a pseudonymised copy of records of all patients registered at TPP or EMIS GP practices in England, which remains in the system of the GP system supplier and under the controllership of the GP. OpenSAFELY also includes a range of datasets under the control of NHS England. These are imported into the system to allow linkage. View the full list of data sources.

What about data of patients registered at practices which do not use TPP or EMIS?

Patients registered at practices not using TPP or EMIS as their GP system supplier are not included in OpenSAFELY. This accounts for about 60 practices or 1% of GP practices in England as of June 2023. For these practices, staff should be aware that no action for OpenSAFELY is required on their part, even though they have received a Data Provision Notice (DPN) about the service.

What research and analysis takes place within OpenSAFELY?

Only research and analysis for COVID-19 purposes takes place within OpenSAFELY including research, clinical audit, service evaluation and health surveillance. Only research and analysis approved by NHS England can take place. NHS England can also carry out essential maintenance to keep the service safe and operational. A remote query allows analysis of the pseudonymised patient data, without the researchers having direct access to see the data itself. View a full list of the projects to date. In future NHS England will also publish approvals as part of its Data Release Register.

What is the legal basis for using and sharing data with the OpenSAFELY service?

The OpenSAFELY service launched in 2020 under the legal basis of the emergency Control of Patient Information (COPI) notices. From 1 July 2023 the legal basis for OpenSAFELY will change, although the service will continue to operate in the same way. Rather than relying on emergency notices, the data will be processed under the legal basis of the COVID-19 Public Health Directions 2020 and DPN.

Who is the controller for this patient information?

GP practices are the controller for the pseudonymised patients records, in the same way as they are for the data they input into their clinical systems. Through the DPN, GP practices give NHS England permission to remotely query that data and to do essential technical work to keep it safe and effective.

Once the pseudonymised GP data is queried, and potentially linked to other NHS England datasets, NHS England rather than the GP Practice becomes the controller for the linked pseudonymised dataset. This dataset never leaves the system supplier boundary and is not accessed by researchers. Researchers use these smaller, linked datasets to run other remote queries and return anonymised, aggregate results.

How does OpenSAFELY use the data?

The OpenSAFELY tool enables researchers to write their analysis code away from the patient data. The code is run automatically on de-identified (pseudonymised) patient data. Only the aggregated outputs, now anonymous, are shared with researchers to be used, for example, in journal publications, reports or presentations. These controls keep patient data secure within the secure system supplier environment of EMIS and TPP and confidential from researchers.

Can patients opt out of having their data used for OpenSAFELY?

Patients who have registered a type one opt-out with their GP will not have their data processed as part of this service after 1 July 2023. Before this date, under the COPI notice, type one opt-out exemptions did not apply and this will continue to be the case for a small number of ongoing studies, so as not to jeopardise the research. Details of these studies can be found in appendix 3 of the NHS England DPIA.

The national data opt-out does not apply to this data because the outputs are all anonymous and aggregate.

How are access requests to OpenSAFELY approved?

All research conducted using the tool is approved by a team of experts at NHS England. Whilst we are confident that the current process is robust, it was set up during the pandemic and we intend to bring the approvals more into line with our usual processes over the coming months.

What will not happen with the data?

Under the legal basis of this DPN, the data will never be:

  • stored in anything other than pseudonymised form
  • visible to researchers or released from the system in anything other than anonymous aggregate results
  • used for any purposes that are not COVID-19 related
Is this a new service?

No, this service has been running since 2020, under COPI legislation, which expires on 30 June 2023. From 1 July 2023 the service will continue to operate the same way, but rather than relying on emergency legislation, the legal basis will change so that processing happens under COVID-19 Public Health Directions 2020.

Does this change the GP practice’s status as controller?

No. GP practices are the controller for the pseudonymised patients records, in the same way as they are for the data they input into the system. Through the DPN, NHS England is allowed to remotely run queries on that data and to link it to other pseudonymised datasets (which are under the controllership of NHS England), for the COVID-19 purposes stated above. Once that query has been run, NHS England becomes controller for the newly created, pseudonymised dataset. This dataset never leaves the system supplier boundary and it is not looked at by researchers. Researchers use these smaller, linked datasets to remotely run further queries which return anonymised, aggregate results which they can see.

Has a DPIA been completed for this?

Yes. NHS England has produced a Data Protection Impact Assessment (DPIA) for the OpenSAFELY COVID-19 service. GP practices have been sent a draft DPIA to cover their role as controller of the pseudonymised dataset. They may choose to use or adapt this DPIA, or to develop their own.

Do GP practices need to update their privacy notice?

GP practices should ensure that their privacy notice reflects all the processing of data that happens in relation to patient records. GP practices are therefore advised to add the following paragraphs to their privacy notice, or to draft their own information if they prefer:

NHS England has been directed by the Government to establish and operate the OpenSAFELY service. This service provides a Trusted Research Environment that supports COVID-19 research and analysis.

Each GP practice remains the controller of its own patient data but is required to let researchers run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym, through OpenSAFELY.

Only researchers approved by NHS England are allowed to run these queries and they will not be able to access information that directly or indirectly identifies individuals.

More information about OpenSAFELY is available.

Who can I contact for more information?

You can contact the GP Data team at NHS England by emailing gpdata@nhs.net.

Questions about transcription and productivity software

What is transcription and productivity software?

There is a growing number of software solutions that can record, transcribe and summarise virtual meetings held on online meeting platforms such as Microsoft Teams without the governance rigour and security benefits of approved Microsoft products.

What do we need to be aware of in relation to this type of software?

Some of these solutions can access individuals’ calendars within Microsoft Outlook in order to identify virtual meetings and ask the calendar owner if they wish to use the software at those meetings.

Any meeting attendee can invite the software to attend a virtual meeting. The software will appear as an additional attendee. It is possible that other meeting participants may not be aware that they are being recorded and that their data is being used in this way. There is also a concern that software could capture confidential information which is discussed during the meeting.

Who provides the software?

These software solutions can interact with Microsoft applications but are provided by third parties, not Microsoft itself. As a result, before they are used in an organisation, the software needs to be reviewed by IG and cyber/IT teams to ensure that any processing of personal data, or other confidential information, are well understood and any risks have been evaluated and accepted.

What data is used?

The software can capture all discussions which take place during a meeting at which the software is deployed. If such a meeting involves a discussion about individual patients or staff members, their personal data would be captured without their knowledge. There is also a risk that other commercially sensitive data could be captured. The software may also access personal data contained within calendars.

How is data used?

This will vary depending on the solution, but it is possible that the data captured by the software will be transferred outside of the UK. How the data will be used by the software provider needs to be understood by your organisation before it is used.

How is the software installed?

This will vary depending on the particular software.

Staff members in an organisation could potentially download the software as a free plugin for Microsoft.

For some iterations of this software, when the software has been used at a meeting, all meeting participants will be asked if they wish to also download and use the software. This creates a risk that the use of such software can spread very quickly across an organisation.

If your organisation’s IT and IG approvals processes have not been followed, there is a significant risk that the use of the software will breach your organisation’s acceptable use of IT policy.

What should our organisation do?

If you are considering allowing staff access, download and use such a solution, you should first complete a data protection impact assessment to ensure you understand the data processing which is occurring (including any international transfers of personal data), the potential risks and mitigations which need to be put in place.

You must ensure that, whenever data leaves the UK, you ensure that appropriate safeguard are in place in order to protect the data.

Where possible, you should implement technical controls to prevent staff from being able to install software without IT and IG approval.

You should also communicate to all staff which products are approved for use, for example approved Microsoft products, that they must not download or use software without appropriate internal approvals, and the consequences of doing so without approval.