To ask the Secretary of State for Health and Social Care, what assessment he has made of the compatibility of his oral contribution of 20 July 2020, Official Report 1865, on Data Protection Impact Assessments with the provisions of section 251(7) of the NHS Act 2006, under which powers the Control of Patient Information Notices are issued.
1 September 2020
Ensuring the privacy of individuals and the security of their personal data is a priority for the Government and National Health Service. We comply with the requirements of data protection legislation, ensuring data is used in a safe, secure and legal way. Personal data is handled according to the highest ethical and security standards.
We are clear that where organisations are using the Control of Patient information Notices to process confidential patient information under the Health Service Control of Patient Information Regulations 2002 (COPI) for purposes set out in Regulation 3(1) of COPI (insofar as those purposes relate to the current outbreak of COVID-19), that data controllers are still required to comply with relevant and appropriate data protection standards and to ensure that they operate within statutory and regulatory boundaries. Recipients of confidential patient information have responsibilities under COPI when processing the confidential patient information and must observe the restrictions which apply to their processing of it under Regulation 7 of COPI.
In addition, we are completing all necessary Data Protection Impact Assessments in order to meet our obligations under the General Data Protection Regulation.