Data protection impact assessment: GPES Data for Pandemic Planning and Research (COVID-19)

The General Data Protection Regulation (GDPR) requires a Data Protection Impact Assessment (DPIA) to be completed by a controller where its processing of personal data is considered to be a high risk to the rights and freedoms of individuals.

In particular GDPR requires a DPIA to be carried out where there is processing of personal data relating to health on a large scale.

The GP practices are the controllers of the collected data before it is extracted and shared with NHS Digital. When it has been collected by NHS Digital, NHS Digital becomes the controller of the collected data. The collection by NHS Digital of this collected data is considered to require a DPIA to be carried out by NHS Digital. NHS Digital has therefore prepared this document as its DPIA to satisfy its own compliance requirements as a controller of the collected data under the COVID-19 Direction.

Download the DPIA

GPES Data for Pandemic Planning and Research data protection impact assessment

pdf 1 MB

Further information

GPES Data for Pandemic Planning and Research – Data Protection Impact Assessment PDF - disproportionate burden assessment

We've carried out a disproportionate burden assessment on the GPES Data for Pandemic Planning and Research – Data Protection Impact Assessment (DPIA), which has been published as a 105-page PDF.

Last edited: 4 March 2021 11:30 am