The Department of Health and Social Care has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require Dudley Council to process confidential patient information for purposes set out in Regulation 3(1) COPI. The council will collect and use your personal information in order to manage and mitigate the spread and impact of the current outbreak of Covid-19:
- for the purposes of research,
- to protect public health,
- to provide public health and social care services to the public, and
- to monitor and manage the Covid-19 outbreak and incidents of exposure.
NHS Digital have further advised that from 1st January 2022 the Agreed Purposes are amended to permit relevant organisations to continue to process Disclosed Shielded Patient List (SPL) data for:
1. the purposes of providing direct care and support to people who were previously clinically extremely vulnerable;
2. the purposes of the Public Inquiry
Article 6 (GDPR) lawful basis for processing personal data:
- Processing is necessary for compliance with a legal obligation
- Processing is necessary for the performance of task carried out in the public interest
- Processing is necessary in order to protect the vital interests of data subjects
Article 9 (GDPR) condition for processing special category personal data:
- Processing is necessary for reasons of public interest in the area of public health
We also consider that the following criteria is met:
Article 6(1)(d) GDPR - processing is necessary in order to protect the vital interests of the data subject or another natural person.
Recital 46 adds that "some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread".
Article 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met as follows:
Article 9(2)(i) GDPR – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
Schedule 1, Part 1(3) Data Protection Act 2018 – processing is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
Article 9(2)(g) GDPR - processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
The legislations, policies and guidance that relate to this service include, but are not limited to:
The Civil Contingencies Act 2004 and (contingency planning) Regulations 2005 Allows the local authorities continue to exercise its functions in the event of a emergency
The Local Government Act 2000 - Give powers to local authorities to promote economic, social and environmental well-being within District
Care Act 2014 - legal framework for local authorities support the individual’s ‘wellbeing’