COVID-19 Privacy Statement

This privacy statement has been developed in response to COVID-19 and is intended to both inform and reassure you that your information is being shared appropriately within the NHS in Scotland and with our partner organisations.

This statement also explains the newly developed process for governance in relation to tackling COVID-19. This information is available in different formats if required. Please contact DHCIG@gov.scot with your requirements.


Summary

  • This privacy notice is to provide information in relation to the various tools and applications that are being developed to help in responding to the outbreak. Where possible, individual organisations who are leading on these areas of work have been signposted.
  • NHS Scotland and other health and care organisations are working closely together to provide the services people need as quickly and easily as possible during this COVID-19 (Coronavirus) outbreak.
  • To do this the NHS may need to make sure that relevant organisations gain access to appropriate information about your health and care so they can better support you. These organisations can include the NHSScotland, social care services, Local Authorities and those in the voluntary and private sectors delivering critical services to support health and care.
  • For instance, we may need to tell these organisations if you are one of the people who will need extra support (i.e. you are in the so-called ‘Highest Risk of Covid-19’ group – formerly known as ‘the shielding list’) because you have a health condition that can make you more vulnerable to the virus, or that you have been to one of the COVID-19 Testing Centres to be tested for the virus.
  • Another example is using information held by GPs, Health Boards and National NHS Scotland organisations to identify individuals who are eligible for specific treatments if they catch COVID-19 (e.g. Neutralising Monoclonal Antibodies). Lists of their potentially eligible patients may be provided to each Health Board so they can quickly assess if these treatments are suitable and a system will be implemented that will automatically flag to Health Boards when any of these patients test positive for COVID-19.
  • We want to assure you that we will only do this where necessary to support the public interest in the current health emergency.
  • Since we need to respond rapidly to the current pandemic it may not always be possible to inform you immediately that the data you previously gave the NHS is being used for a different purpose such as emergency planning, predicting future waves of the pandemic or research into vaccination or treatments for the virus.
  • It is also possible we may need to ask for additional personal information about you – such as if you have any underlying illnesses or are vulnerable – in order to deliver services that support you.
  • Please note that your data protection rights remain the same as before. Should you have concerns or want to exercise your rights, please follow the advice given in the section “Your Rights” below.

This sharing does not include information that’s part of your medical record unless this is absolutely necessary in order to secure the best care for you or there is a compelling need for COVID-19 purposes, in which case the ICO and NHSScotland guidance for minimisation will be applied as soon as possible. In these limited circumstances, we would either seek your consent or inform you of the sharing as soon as possible and in line with ICO guidelines.

We want to highlight that this rapid action is only being taken due to the current COVID-19 outbreak, and we have developed data protection processes that can rapidly release the right information to the right organisations in order to ensure appropriate services can be put in place as this outbreak develops.

In order to provide the necessary care, we have made special arrangements with some of our existing partners, e.g. pharmacies, hospices and private hospitals and will share some of your details for them to provide the temporary extra duties we have asked them to deliver on behalf of the NHS or wider health and care partners.

The processing of personal data is mainly governed, in the UK, by the Data Protection Act 2018 and the Common Law Duty of Confidentiality, as well as other regulations and secondary legislation. The supervisory authority is the Information Commissioner’s Office, who has also provided specific guidance for the processing of personal data during COVID-19.

Processing activities

NHSScotland, as well as our integrated health and care partners, already hold data regarding residents, employees, businesses and other stakeholders.

You may have provided this information for a specific reason. We would seek to inform you that the data provided would be used for a different purpose. Due to the rapidly emerging situation regarding the current pandemic this will not always be possible. We will seek to update this Privacy Statement as soon as possible with any additional information.

If we already hold information regarding vulnerability (as defined in the current guidance from the Government and Public Health), we may share this for emergency planning purposes or to protect your vital interests by sharing with services both inside and outside the normal health and social care service providers.

Additionally, we may in this current crisis need to ask you, or be provided with, personal information that you have not previously supplied. This could include, for example, your age, your ethnicity, and other sensitive personal information, for example, if you have any underlying illnesses or are vulnerable. This is so we can assist and prioritise services.

Our health and social care services, Scottish Government and Ministers will have to make difficult decisions over the course of the pandemic. It is important to ensure we use data to inform these decisions, provide evidence, modelling estimates and find the cure for this disease.

Safely conducting essential research and sharing data in the face of COVID-19 is crucial in times where we need to find answers to the unknown.

The data used for making these decisions, for providing care or for essential research purposes may contain information about you. When using information about you in these ways, data protection obligations will be complied with.

We always aim to collect the minimum data necessary to achieve the purpose required.

The activities that have been developed in response to the outbreak are identified below. As more activities emerge, this list will be updated.


Lawful basis for processing

We have consulted with the ICO in relation to the legal basis for processing data under COVID-19 circumstances by NHSScotland, local authorities and other partner organisations, some of which are private organisations (e.g. pharmacies and private hospitals).

Depending on the organisation, one of the following legal bases applies:

  • Substantial Public Interest
  • Vital interests of the individual or other individuals

The Data Protection Act 2018 also allows the processing of sensitive data (e.g. some of your health data) as necessary for “reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health”. The current pandemic is an example of this situation.

Current data protection legislation also allows us to process data if it is necessary to comply with the obligations set out in law. We are given many powers in different Acts which can be used in the context of emergency data processing, including the Civil Contingencies Act 2004, the NHS (Scotland) Act 1978 and the Public Health (Scotland) Act 2008.

In particular, Public Health Scotland and NHS National Services Scotland (two National organisations with a legislative remit in relation to public health) are obliged under the Public Health, etc. (Scotland) Act 2008 (http://www.legislation.gov.uk/asp/2008/5/section/15) to receive notifications on individual patients about their notifiable disease and health risk states. COVID-19 is listed by the Scottish Government as a notifiable disease in law (https://www.gov.scot/news/coronavirus-becomes-notifiable-disease-in-scotland/).

In relation to these organisations, as well as all Health Bodies in Scotland who are involved in many of the activities noted above, NHS National Services Scotland and Public Health Scotland have the power, in law, to retain information on individuals about their health risk states in relation to COVID-19 and can set aside their individual right to object to our processing of their personal data in this regard. Our lawful basis for processing this information will be:

  • GDPR Article 6(1)(e) Performance of a task carried out in the public interest
  • GDPR Article 6(1)(h) Preventative or occupational medicine
  • GDPR Article 9(2)(i) Reasons of public interest in the area of public health
  • GDPR Article 9(2)(j) Statistical and historical research purposes

Retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for (COVID-19), including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we follow the NHSScotland Records Management Code of Practice and the Scottish Council on Archives Record Retention Schedules (SCARRS).

How we protect your data

We take care to ensure your personal information is only accessible to authorised people. Our staff have a legal and contractual duty to keep personal health information secure and confidential. You can learn more about how we protect personal information here.

We want to reassure you that most of the processing of your data during COVID-19 is based on existing protocols in place.

However, new ways of sharing your data are considered following a rapid assessment process, which has been developed to allow due diligence even in these difficult circumstances. Any new processing must undergo a Rapid Assessment process. Further details are offered here.

Data Protection Officers review these rapid assessments, along with other Information Governance and Security professionals, and provide the necessary advice to protect your rights, apply reasonable security measures and comply with the data protection principles.

Once the pandemic is over, we will revisit any special arrangements put in place, and end any processing that is no longer necessary.

While we advance through challenging times, we learn numerous lessons and sometimes we discover better ways of doing things, to share data and communicate with you and others. When we find solutions that work better, we will consider the appropriateness of continuing to do things in that way, but only if they meet the legal requirements.

We will also ensure that any unjustified processing of data is dealt with. Any processing that significantly compromises data protection and privacy rights will be investigated and if necessary referred to the ICO for further investigation and action.

We want to reassure you that no new data processing will take place unless it is necessary for the compelling public interest in the current health emergency.

In order to ensure rapid but due diligence takes place, any new processing must undergo a Rapid Assessment process. Further details are offered here.

Your rights

There are no fundamental changes to your data protection rights.

However, as a result of the coronavirus (COVID-19) outbreak, we’re aware that individuals may experience delays with “subject access requests”. You may also need to confirm with the relevant data controller who is processing your data if there are temporary changes to the normal process (e.g. submission of scanned ID documents by email instead of by post).

Please note that currently, enquiries submitted by post are likely to be delayed.

Please also bear in mind that our priority at the moment is the safety and security of the public; resources are stretched and normal processes are disrupted, so it may take longer than usual to respond to your request. We appreciate your patience and understanding.

You can find more information about how to exercise your data protection rights within the NHSScotland here but also within your NHS health board, your GP website, NHS National Services Scotland, Public Health Scotland, or your local authority website; they offer this information through their own privacy notices.

Your data and your privacy matter to us.