We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.
The NHS England OpenSAFELY COVID-19 service - privacy notice
The NHS England OpenSAFELY COVID-19 Service is a secure, transparent, open-source software platform for analysis of electronic health data.
Purposes for processing
The NHS England OpenSAFELY COVID-19 Service is a secure, transparent, open-source software platform for analysis of electronic health data. The system provides access to de-identified (pseudonymised) personal data to support Approved Users (academics, analysts, and data scientists) to undertake approved projects for COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.
The purposes for processing are to identify medical conditions and medications that affect the risk or impact of COVID-19 infection on individuals; this will assist with identifying risk factors associated with poor patient outcomes as well as information to monitor and predict demand on health services.
This service previously operated under notices issued by the Secretary of State under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations), to process confidential patient information for COVID-19 purposes to create the Service. The last such notice was issued to NHS England, and GP Practices whose IT systems are supplied by the GP System Suppliers, on 2 May 2023 and will expire on 30 June 2023 (COPI Notice). As of 1 July 2023, the Secretary of State has requested that NHS England continue to operate the Service under the COVID-19 Directions to continue to operate the Service for the COVID-19 Purposes.
Categories of personal data
The information we will process for these purposes includes:
demographic information (age, sex, area of residence, ethnicity)
clinical information pertaining to coronavirus-related care and outcomes
clinical information pertaining to wider health conditions, medications, allergies, physiological parameters (such as BMI), prior blood tests and other investigation results, and other recent medical history (such as smoking status)
Sources of the data
We collect your personal data for this purpose from:
primary care (GP) records processed by TPP and EMIS for GP practices that use their systems
other NHS intensive care or relevant datasets containing information about the healthcare of patients with COVID-19
Categories of recipients
NHS England has contracted with The Phoenix Partnership (Leeds) Ltd (TPP) and EMIS Group PLC to act as data processors to host the service and enable access to approved researchers.
The Bennett Institute, University of Oxford, and the EHR research group, London School of Hygiene and Tropical Medicine (LSHTM), under contract with NHS England, provide platform development functions and conduct analyses of the data held on the service.
The retention period is in line with the NHS Digital Records Management Policy and the NHS Records Management Code. The pseudonymised and de-identified patient level summary data will be retained for at least 2 years for verification of analyses and for audit proposes. All data will be held according to GDPR regulations. Furthermore, the NHS Records and Document Management Policy and Corporate Retention and Disposal Framework: Implementation Process will be adhered to.
As the NHS data stores are held with the data processors TPP and EMIS, the data will be held for verification of findings and audit purposes and can be deleted once outside the retention periods, however the data cannot be transferred to other NHSE systems (as per operating requirements set out by the Secretary of State).
Legal basis for processing
NHS England has been directed by the Secretary of State for Health and Social Care under section 254 of the Health and Social Care Act 2012 to establish and operate a system for the collection and analysis of the information specified for this service. The direction is published on the NHS England website.
This information is required by NHS England under section 259(1)(a) of the Health and Social Care Act 2012.
Data Provision Notice to enable the continuing operation of the OpenSAFELY COVID-19 Service, a secure analytics service for academics, analysts and data scientists to access general practice and NHS England pseudonymised patient data for COVID-19 purposes.