Retailers will begin contacting customers this week who appear on a government-supplied list of medically vulnerable people.
But they must delete the data they received once the coronavirus crisis subsides, the information commissioner has warned. Until then, the information, which covers at least 1.5 million people, can be stored and used by supermarkets to help prioritize deliveries to those most in need.
The data transfer is permitted under provisions of the Data Protection Act that allow public authorities to share relevant information to provide essential support services.
A spokesperson for the ICO said: “Data protection law allows organizations to share personal data when appropriate. In a national emergency such as the Covid-19 pandemic, sharing information between organizations can make a real difference in protecting the vulnerable.
“Where necessary, public authorities are able to share relevant information to help provide essential support services, as long as they share only the minimum amount of information required and ensure that it is not kept longer than necessary. Data sharing can be done in accordance with the law, in particular by putting in place the appropriate guarantees so that personal information is treated responsibly.”
Initially, 110,000 people were on a list that was shared with supermarkets last Thursday, according to a letter to customers from Tesco CEO Dave Lewis. The supermarket managed to match this information to 75,000 people in its own records.
But this is only a fraction of the complete list of 1.5 million people classified by the NHS as “clinically extremely vulnerable,” a categorization that includes transplant recipients, people with cystic fibrosis or asthma, and cancer patients currently on chemotherapy.
Supermarkets can supplement this list with their own data, the government said, if they also want to prioritize older customers or those with milder health problems. “We have provided supermarkets with the information they need – in addition to their own data – to ensure that essential items are delivered as soon as possible to people with health conditions that make them most vulnerable,” said a government spokesperson.
Sainsbury’s, for example, has successfully identified more than 450,000 elderly or vulnerable customers, said CEO Mike Coupe in a letter to shoppers, identifying these customers through a mixture of preexisting data, calls to its customer support line and shared government data.
Although the data has been temporarily transferred, ownership is retained by the NHS at all times, the Guardian understands, and supermarkets are held to strict data security standards due to the sensitivity of the information involved.
But neither the government nor the retailers would answer questions about whether the transfer included details of the medical condition, or simply the fact that the people listed were classified as extremely vulnerable. The former could help prioritize additional care, but would impose an additional burden in adhering to data protection principles.
It is hoped that the data transfer will help solve the problems of some customers. A Sainsbury’s shopper who wrote to the Guardian, for example, described himself as an extremely vulnerable patient because of his immunotherapy, but struggled to get the supermarket to book a delivery the week before the data was due.
Another, a 78-year-old woman with multiple disabilities, should have been included in the supermarkets’ voluntary prioritization of older customers, but also could not book deliveries.
After the Guardian raised the issue, the retailer apologized to customers and secured the delivery slots.