Service User Privacy Notice April 2020 - update COVID 19

NHS City and Hackney CCG is committed to protecting your personal information. In the fight against this global pandemic we are currently working with all our partners in Health and Social Care to ensure information is shared with the right people at the right time to ensure you receive the best possible care.

Data Protection rules will not hinder the sharing of personal information during these unprecedented times and we will continue to process information in accordance with national law and GDPR.

The processing of personal information relating to this is necessary for reasons of planning and providing health and social care to both individual data subjects and is in the substantial public interest in the area of public health and specifically to support the control of an epidemic. For more detailed information regarding the lawful basis to undertake these activities please see the links below:

Health Service Control of Patient Information Regulations 2002

On 20 March 2020, the Secretary of State for Health and Social Care issued a ‘Notice’ under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 (COPI) to:

  • Organisations providing health services;
  • General Practices;
  • Local Authorities; and,
  • Arm’s Length Bodies of the Department of Health and Social Care. 

The purpose of this ‘Notice’ requires the aforementioned organisations to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to COVID-19.

“Processing” for these purposes is defined as dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3)2 of COPI. This Notice will be reviewed on or before 30 September 2020 and may be extended further by Notice in writing. If no further notice is sent, this Notice will expire on 30 September 2020.

This ‘Notice’ has been named ‘COVID-19 Notice’. This Notice:

  • legally requires an organisation to share and process data for COVID-19 purposes;
  • sets aside the requirements of Common Law Duty of Confidentially3 for COVID-19 purposes;
  • sets aside the obligation to honour the National Data Opt-Out4 (NDOO) for COVID-19 purposes (where local or historic opt outs are in place to meet data protection ‘proportionality’ of processing and are not in relation to the ‘information standard DCB3058 and 91/2018, published under section 250 of the Health and Social Care Act 2012’,
  • DOES NOT set aside the requirements of the Data Protection Act 2018 (DPA 18), nor The General Data Protection Regulation6 (EU GDPR), in particular the provisions of data minimisation;
  • Requires a record to be kept of the data shared or processed; and,
  • Imposes a civil penalty on any person who does not comply with the Notice. 

The Health Service (Control of Patient Information) Regulations 2002 make provision for the processing of patient information, including confidential patient information. 

Regulation 3 makes provision for the processing of patient information for the recognition, control and prevention of communicable disease and other risks to public health.

Regulation 3(4) provides powers under which the Secretary of State may require certain persons who perform health services or other public functions to process information where, for example, there is a need to assess whether there is a significant risk to public health. 

Regulation 4 provides that information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence. 

Regulation 7 restricts the processing of information under the Regulations, for example by requiring the removal of particulars by which the persons to whom information relates can be identified if it is practical (regulation 7(1)(a)).  

Regulation 8 provides for enforcement by civil penalty of requirements imposed under regulations 2(4) or (5), 3(4) or (5) or 7. 

A COVID-19 Purpose includes but is not limited to:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks;
  • identifying and understanding information about patients or potential patients with or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19;
  • understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of COVID-19, and the availability and capacity of those services or that care;
  • monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services; 
  • delivering services to patients, clinicians, the health services and adult social care services, workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services; and,
  • research and planning in relation to COVID-19.

Information Commissioner 

The Trust will comply with all published guidance by the Information Commissioner.

Further information can be found here

If you have concerns about how your information is being used

You can contact the Trust Information Governance Team via email

Please note that due to working restrictions linked to COVID-19, these are the only way at this point to contact the Team.

If you email us, please be aware that email is not a secure way to communicate.  It is possible that someone could read what you write.  

We will be careful of the information we get from you, and will comply with data protection laws in the way we handle and store it.

So that we can track the way people use this website, we have systems which log and analyse information including which pages people visit and which pages people search for. This information can not be traced back to your individual computer, but could, in theory, be used to identify that a computer from your ISP and/or in your geographic region visited this website.

If you sign up to get regular updates from us, we may ask for personal information. If you want to change or delete this information, please let us know. However, we may not be able to send you updates if you do this.


To comply with EU legislation we are required to tell you about the cookies used on this website.

We use cookies only because we want you to find the information you need as quickly and easily as possible.

A cookie is a small text file that is placed on your computer when you visit a website. Cookies help websites function usefully and can provide information to website owners.

Cookies do not place viruses on your computer and cannot run programs.

Our cookies do not provide us with any private or personally identifiable information about you. All data that is gathered is anonymous.

Some of the cookies we use collect information about how visitors use our site.

For example, one of our cookies counts the number of visitors to the site and notes which pages they visited. This anonymous information helps us to compile statistical reports, which can help us to improve the site.

Your web browser gives you the ability to accept or decline cookies. Generally, web browsers automatically accept cookies, but you can modify your browser settings to decline cookies if you prefer. However, if you choose to decline cookies, some useful features of this website will not work.

For example, there is the option to view this website as text only, with no graphics. The 'useTextOnly' and 'setString' cookies remember that you have chosen to view this site with no graphics. If you choose to decline cookies you will have to select the text only option every time you view a new page.

The cookies we use and what they do

Cookie Name


More information


This is used to store whether you are using the site in textOnly mode or not.

Persistent for three months.



This is used to store user preferences for viewing sites in textOnly mode e.g. font-size and colour.

Persistent for one month.



This is used to store the username and password for the ‘remember my login’ feature on extranets.

Persistent for one month.



This is used to store whether a site user has agreed to receive cookies.

Persistent for one year.


Google Analytics


These cookies are used to collect information about how visitors use our site. This information can be used to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.

Click here for an overview of privacy at Google


This cookie has two functions.

Firstly it serves as a session cookie for extranet users. Without this cookie, an extranet user will have to login to each individual page in the extranet.

It also enables us to track the pages that a user visits while they navigate around our site.



Places to go to find out more about cookies

You can find out more about cookies, including how to see what cookies have been set and how to manage and delete them, at these sites:

Third party websites

The website has hyperlinks to websites owned and operated by other organisations. These third party websites have their own privacy policies, including cookies, and we can not take responsibility for the way they use your information.

We do not take responsibility for the content of other websites.

Hospital records

As well as having a copy of your health records, your GP surgery will also have a summary of any hospital tests, or treatment, that you have had. Any hospitals where you have had treatment, or tests, will also hold records.

To see your hospital health records, you will have to contact your local hospital trust. See the 'further information' section below to find the contact details for your local trust.

Your request to see your records will be forwarded to the health records manager. The manager will decide whether your request will be approved. Your request will usually only be refused if your records manager, GP, or other health professional believes that information in the records is likely to cause you, or another person, serious harm.

If you have any questions about any of this information, please contact us:

The web editor
NHS outer north east London
Becketts House