Privacy Notice

Privacy Notice - Covid -19 and how we will use your data

Last updated: 4th April 2022

This notice describes how we may use your information to protect you and others during the Covid-19 (Coronavirus) outbreak. It supplements our main Privacy Notice which is available on our website.

In the current emergency it has become even more important to share health and care information quickly across relevant organisations, to deliver care to individuals, support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. The health and social care system is facing significant extra pressures due to the Covid-19 outbreak.

Existing law allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. The Secretary of State requires NHS Digital; NHS England and NHS Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any arrangements put in place specifically to use or share information during the Covid-19 are temporary and will be limited to the period of the outbreak unless there is another existing legal basis that covers the use and sharing of that data.

During the COVID-19 outbreak London Clinical Commissioning Groups will not process any new requests to opt-out of local data sharing arrangements such as the One London Health and Care Record exemplar, Connecting your Care or The National Data Opt-Out.

All opt-out requests currently submitted will be held until the outbreak ceases at which point, the request to opt-out will be processed.

It may take us longer to respond to Subject Access Requests and Freedom of Information requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example, neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance, such as Public Health England, for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. During this period of emergency, you may be offered a consultation via telephone or videoconferencing. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

1. Controller Contact Details Dr S Tibrewal
Richmond Road Medical Centre
2. Data Protection Officer contact details Miles Dagnall
3. Purpose of the processing of your data effectively treat and prevent the onward spread of COVID-19, as such there is a need to share Patient Identifiable Data and Special Category (or sensitive) information. However, for each new data flow a review will be undertaken to ensure that the minimum amount of personal data is processed and processed securely.
4. ) Lawful basis for processing your data  Under the General Data Protection Regulation (EU GDPR), Article 6, 1(c)- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

There are a number of pieces of legislation currently available to allow the processing of personal data and special category data in response to public health breakouts, which includes:
  • Public Health (Control of Disease) Act 1984
  • The Health and Social Care Act 2008 (by virtue of The Care Act 2014)
The relevant basis in UK law is set out in the Data Protection Act (DPA) 2018, in Schedule 1 condition 2. This condition covers the following purposes:
  • preventive or occupational medicine;
  • the assessment of an employee’s working capacity;
  • medical diagnosis;
  • the provision of health care or treatment;
  • the provision of social care (this is likely to include social work,
  • personal care and social support services); or
  • the management of health care systems or services or social care systems or services.
Article 9(3) of the GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes:
  • a health professional or a social work professional; or
  • another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
By virtue of the Data Protection Act 2018 (c. 12) Schedule 1 — Special categories of personal data and criminal convictions etc data, Part 1 – Conditions relating to employment, health and research etc, paragraph 3(a), processing meet the GDPR Article 9 condition ‘if processing is necessary for reasons of public interest in the area of public health’.
5. Recipient or categories of recipients of the processed data Health and social care organisations, hospitals, GPs, GP Federations, Clinical Commissioning Groups, Arm’s Length Bodies (such as Public Health England); local authorities;
6. Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a Court of Law.
7. Retention Period The data will be retained in line with the law and national guidance. or speak to the South West London CCG. 
8. Right to complain You have the right to complain to the practice, to the Data Protection Officer (details above) or the Information Commissioner’s Office (ICO), you can use this link

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

The ‘Notice’ issued sets aside the requirements of Common Law Duty of Confidentially for COVID-19 purposes, Regulation 4 Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.

Three circumstances making disclosure of confidential information lawful are: 

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.