Covid-19: UK health service forced to disclose patient data

The UK’s health ministry has ordered healthcare organisations to process and share confidential patient information – but the order leaves some room for interpretation. 

The purpose of the letters was to provide the legally required notice needed for the sharing of confidential patient information in the UK, said Rohan Massey, a partner at Ropes & Gray in London. He added that the shared data doesn’t necessarily have to be personal information. 

Gita Shivarattan, of counsel at Ashurst in London, explained: “The notice issued by the Department of Health and Social care creates the statutory basis for the purpose of sharing data in the context of this pandemic … [it] was required to satisfy the requirement of the processing activity having a basis under Union or member state law. 

Sharon Lamb, a partner at McDermott Will & Emery in London, said it’s important to remember the fact that health information in the UK is subject to two different regimes: the GDPR and a common law duty of confidentiality. 

“These two regimes apply entirely separately”, she said – meaning that even if GDPR requirements for sharing and processing data are met, “they will still need to satisfy the duty of confidentiality”. This is usually covered by consent, but the letter provides the statutory basis to share and use confidential information on different grounds. “Without these regulations in place and expanded as per the notice, health professionals may have been in a difficult place because even if sharing and processing was permitted under the GDPR, they would still not have been able to share information because it was subject to the common law duty of confidence,” Lamb said.

The notice is broad as to whom data might be sent to. The UK’s National Health Service (NHS) has partnered with companies like Amazon, Palantir, and Microsoft to help with the pandemic response, and the notice’s wording does appear to include them as relevant organisations. 

What protections are in place?

Existing data protection requirements still apply. The notice also explicitly imposes others. Shivarattan said any breach would likely qualify as a personal data breach. Lamb concurred, and said that “liability and responsibility will still continue under GDPR.” 

The notice has an expiry date of 30 September 2020, though it is subject to renewal. Shivarattan said this is “important from a data protection perspective to ensure that the authority to process the data in this way is controlled and does not continue for longer than necessary.” Massey said it is worth noting that the expiry date is “much longer than the proposed lockdown [currently in place in the UK] … the government is clearly seeing the need for this to continue at least until then.”  

The notice also requires organisations to keep records of all data processed under the notice. Massey said organisations should consider having a policy document detailing what personal data they are collecting, with whom they are sharing it or receiving it from and why. “The policy should also set out the retention period and erasure policy for the data shared or received,” he said. Wilson Sonsini Goodrich & Rosati of counsel Lore Leitner concurred: “If I was a [data protection officer] at one of these organisations I’d make sure all of this was very well documented and be conservative in my approach to compliance.”

What risks are there - left unclear? 

Leitner told GDR that it’s important to remember that the notice, while providing legal basis for this activity, does not mean other principles of the GDPR can be ignored. “They’re going to have to make sure nothing is disproportionate … they’ll need to carry out an assessment,” she said. “It doesn’t mean broad sharing without accountability.”  

The breadth of the notice leaves some parts open to interpretation, Shivarattan noted. She said the notice is “light on the method of data sharing… for example, will the information be shared on request of the authorised persons or are organisations required to proactively and regularly disclose the information to a central party.”  

Shivarattan also said that the broad and non-exhaustive list of relevant processing activities “does seem to permit a degree of interpretation by organisations as to what would qualify as a covid-19 purpose.” This runs the “risk of excessive processing”, she said. Eventually, this would be up to the ICO or a court to decide. 

A role for the ICO

It is unclear whether the UK Information Commissioner’s Office was consulted on the letters. It isn’t a requirement to do so, observers stress; Shivarattan said it “does not seem strange”, adding that as a regulator the ICO would typically be engaged to the extent that there was a concern that the approach being considered was not compliant with data protection regimes. 

An ICO spokesperson told GDR: “Data protection law enables organisations to share personal data when it is appropriate to do so. In a national emergency such as the covid-19 pandemic, sharing information between organisations can make a real difference to protecting vulnerable individuals.” 

When asked whether the watchdog was consulted on the notices beforehand, the spokesperson declined to comment further.

GDR also approached the Department of Health and Social Care for comment on whether the ICO or another body had been consulted on the notices beforehand; GDR also asked how data will be shared, and with whom – notably requesting clarity for Google, Palantir, Microsoft, and Amazon. A spokesperson declined multiple requests to comment, advising GDR that NHSX — the NHS unit responsible for developing policy and standards for technology, digital and data — would be best placed to answer the question, in spite of the Department name on the letters. NHSX did not respond to requests for comment. 

Massey said that while the ICO has previously made clear that it believes the response to covid-19 should not be hampered by data protection laws, it has stressed that it is critical that personal data is still handled lawfully. 

“As we move from emergency reaction to more of a new normal … it is likely that the ICO … will focus once more on strong compliance and good data protection practices in all areas of operations. Organisations will need to be prepared for this.”