Coronavirus (COVID-19) response transparency notice
We are undertaking a range of work to support the government response to the coronavirus outbreak. This notice details our legal bases for processing personal data in the course of this work.
Purposes for which we may process your data
The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19).
Action to be taken requires the collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak. This notice describes how we may use your information to protect you and others during the COVID-19 outbreak.
To support the healthcare response to COVID-19, NHS Digital was directed by the Secretary of State for Health and Social Care (the Secretary of State) and NHS England under the COVID-19 Directions to:
- establish information systems to collect and analyse data in connection with COVID-19; and
- develop and operate IT systems to deliver services in connection with COVID-19
NHS Digital merged with NHS England in February 2023. The Directions from the Secretary of State and NHS England to NHS Digital are now treated as Directions from the Secretary of State to NHS England and continue to operate in the same manner, so throughout this transparency notice NHS Digital should be read as NHS England.
- NHS England may also process data for non COVID-19 purposes where they have a lawful basis to do so.
We may also be requested by the NHS in Scotland, Wales and Northern Ireland to collect, analyse and disseminate data for them, including information about residents of these countries.
Examples of some of the purposes for which NHS England may process personal data under the COVID-19 Directions and in response to these requests may include processing personal data for the purposes of:
- understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
- identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
- understanding information about patient access to health services and adult social care services as a direct or indirect result of COVID-19, and the availability and capacity of those services
- monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
- delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services
- research and planning in relation to COVID-19
- NHS England may also process personal data for non COVID-19 purposes where they have a lawful basis to do so. For example, where directed to do so by the Secretary of State for Health and Social Care or for the purposes of managing vaccination services under The Health Service (Control of Patient Information) Regulations 2002
The controller of your personal data
Under the General Data Protection Regulation 2016 (GDPR), NHS England is the controller of your personal data where we are directed or requested to process personal data for COVID-19 purposes. We are also a joint controller with the person who has directed or requested us to do this work. This may be the Secretary of State for Health and Social Care, NHS England or an NHS body in Scotland, Northern Ireland or Wales.
Where we share data, NHS England is usually the sole controller, unless we have been directed to share the data by the Secretary of State, in which case we will be joint controllers.
Our legal basis under GDPR
Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation and we are allowed to do this under Article 6(1)(c) of GDPR.
Where we process personal data as part of our statutory functions, including where requested by other bodies, for example by the NHS in Scotland, Wales or Northern Ireland, this is part of our public task. We are allowed to do this under Article 6(1)(e) of GDPR.
Where we need to process health data and other special categories of personal data, we will only do this where it is necessary as part of our statutory functions. Under GDPR we are allowed to do this where it is necessary for substantial public interest reasons (Article 9(2)(g)), where it is necessary for healthcare purposes (Article 9(2)(h)), where it is necessary for public health purposes (Article 9(2)(i)) or where it is necessary for scientific research or statistical purposes (Article 9(2)(j)).
We are also allowed to share your personal data under GDPR where it is necessary for us to do so for one of the purposes explained above.
More information can be found in the Who we share your data with section.
Types of personal data we process
The types of personal data we may process in response to COVID-19 include:
- demographic data – your name, date of birth, sex, NHS number and your contact details such as your address, telephone numbers and email address
- health information – information relating to your health and the care you have been provided - this may include information about medical conditions, treatments, prescription information, care episodes, hospital admission and discharge information, test results, including tests relating to COVID-19, information on whether you are self-isolating
- information collected as part of our online services which we need to help maintain the security and performance of our website and also to help us understand how our services are used so that we can make improvements. This may include information such as your IP address, technical log events, the type of browser you’re using and the actions you took when using these services
We will only process the minimum data necessary to achieve our purposes.
How we obtain your personal data
Collecting personal data from you directly
We may collect personal data from you directly, in which case we will tell you at the time the purposes for which we will use your data in a privacy or transparency notice.
Examples of where we have done this for COVID-19 purposes are the Isolation Note Service and the service to Get text messages from the NHS about coronavirus. We will not collect more information than we require, and we will ensure that any personal data collected is treated with the appropriate safeguards.
Collecting personal data from other organisations
We may also collect personal data from other organisations, including health and social care organisations, for example from the UK Health Security Agency, NHS trusts, GP Practices, Local Authorities, the Department of Health and Social Care and other government departments.
Usually we do this by issuing the organisation with a Data Provision Notice. This requires or requests those organisations to provide us with data where this is necessary for us to perform our functions under the Health and Social Care Act 2012.
NHS England also has a number of legal powers under the Health and Social Care Act 2012 to share data with organisations where it is necessary for particular purposes.
We may, therefore, share your personal data using these powers, or under the legal notice mentioned above, with other health and care organisations for the purposes of your individual care and treatment or for planning, commissioning and research purposes.
We may also share your personal data with approved researchers outside NHS England (subject to a rigorous governance process), including for the purposes of carrying out clinical trials (for example, to invite you to join a trial). We will only share your data with other organisations where this is lawful and in line with data protection law.
Types of organisations we may share your data with
The types of organisations we may share your data with include:
- the Department of Health and Social Care and other government departments, as part of the government response to coronavirus
- UK Health Security Agency
- GPs
- Clinical Commissioning Groups
- Local Authorities
- other NHS, health, or social care organisations
- NHS bodies in Scotland, Wales and Northern Ireland
- researchers involved in COVID-19 studies, such as university researchers, hospital researchers, pharmaceutical companies (for example, those who have developed a new vaccine), or clinical research organisations (private companies that help to run clinical trials)
We may also share your information with organisations who process personal data for us on our behalf. They are called Processors. Where we use Processors we have contracts in place with them which means that they can only process your personal data on our instructions. Our Processors are also required to comply with stringent security requirements when processing your personal data on our behalf.
We will also publish data we have obtained for COVID-19 purposes which is anonymous, so that no individuals can be identified from that data. This will enable NHS and other organisations to use this anonymous data for statistical analysis and for planning, commissioning and research purposes as part of the response to coronavirus.
How long we keep your personal data for
We will only retain your personal data for as long as is necessary for the purposes for which we obtained it and in accordance with the following:
Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.
Where we store the data
NHS England only stores and processes your personal data within the United Kingdom.
Fully anonymous data, for example, statistical data, which does not allow you to be identified, may be stored and processed outside of the UK. Some of our Processors may process your personal data outside of the UK. If they do, we will always ensure that the transfer outside of the UK complies with data protection laws.
Your rights over your personal data and further information
To read more about the health and care information the former NHS Digital (now NHS England) collects, our legal basis for collecting this information, and what choices and rights you have, see How we look after your health and care information and our General transparency notice.
We may make changes to this transparency notice. If we do, the date at the top of the notice will also change. Any changes to this notice will apply immediately from the date of any change.
Last edited: 28 April 2025 12:51 pm