Key COVID-19 legal developments in the health sector: Information governance issues – what do you need to know?


Published 11 August 2020

Health sector organisations have had to adapt quickly in light of COVID-19. We have seen a greater use of technology, for example, through remote consultations, as well as an increase in data sharing to help ensure risks can be identified and mitigated. With these changes come various information governance issues that need to be addressed. The ICO and NHSX have produced some relevant guidance which makes it clear that information governance obligations should not prevent the health sector from taking action, and highlights the importance of information sharing within the health and social care sector. Some of the key points made in the NHSX guidance are as follows:

  • It is fine to use mobile messaging to communicate with colleagues and patients as needed, including using commercial off the shelf applications such as WhatsApp and Telegram where there is no practical alternative, and benefits outweigh the risk. The ICO guidance also confirms that mobile messaging (as well as standard phone calls or email communications) can be used to send public health messages.
  • The use of videoconferencing is encouraged to help reduce the spread of COVID-19, including using Skype, WhatsApp, FaceTime and other commercial products. It is permissible to use your own device for videoconferencing where there is no practical alternative. Again, the ICO guidance supports this, confirming that technology can be used to facilitate consultations and diagnoses.
  • Where a personal device is being used for videoconferencing, ensure that strong passwords and secure channels (i.e. apps that use encryption) are used, and don’t store personal/confidential patient information on the device unless absolutely necessary, and ensure appropriate security is in place. Ensure relevant information is transferred to the appropriate health and safety record as soon as it is practical to do so.
  • Where your organisation is going to process confidential patient information in ways not covered by an existing Data Protection Impact Assessment (DPIA) (e.g. using videoconferencing for consultations), a short, high-level DPIA should be carried out covering:
    • The activity being proposed.
    • Data protection risks.
    • Whether the proposed activity is necessary and proportionate.
    • Mitigating actions that can be put in place.
    • A plan or confirmation that mitigation has been put in place.

The ICO acknowledges there may be an increased need to collect and share personal data, and that organisations (particularly those in the health sector) are facing challenges. The ICO has recently published a statement on its regulatory approach, which states that it is committed to supporting healthcare organisations during this time, and will help fast track any helpful guidance – we recommend that organisations review the ICO website regularly to keep track of any new advice. The ICO has also confirmed it will take “an empathetic and pragmatic approach” to regulatory action where there has been a breach, for example, where deadlines have been missed in relation to information rights requests. As such, while meeting information governance obligations is important, the ICO is likely to be sympathetic if there are any shortcomings due to resources having to be diverted elsewhere.

Authors

Sophie Devlin

Newcastle

+44(0)191 404 4192

Darryn Hale

London - Walbrook

+44 (0)20 7894 6125