We have detected that you are using Internet Explorer to visit this website. Internet Explorer is now being phased out by Microsoft. As a result, NHS Digital no longer supports any version of Internet Explorer for our web-based products, as it involves considerable extra effort and expense, which cannot be justified from public funds. Some features on this site will not work. You should use a modern browser such as Edge, Chrome, Firefox, or Safari. If you have difficulty installing or accessing a different browser, contact your IT support team.
Our purposes for processing personal data
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. Accurate and up to date data is also essential in managing the coronavirus outbreak.
To support the response to the outbreak, NHS Digital has been legally directed to collect and analyse healthcare information about patients from their GP record for the duration of the coronavirus emergency period. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this approach.
NHS Digital will analyse the data and securely and lawfully share data with other appropriate organisations described below for coronavirus response purposes only. These purposes include:
- carrying out vital research into treatments and vaccines for the virus, including clinical trials
- identifying coronavirus trends and risks to public health
- diagnosing and monitoring the effects of coronavirus
- controlling and helping to prevent the spread of the virus
- planning and providing health, social care and other public services in response to coronavirus (COVID-19)
- helping clinicians, scientists, public health bodies and the government to provide guidance and develop policies to respond to the outbreak
- monitoring and managing the outbreak
Our legal basis for collecting, analysing and sharing personal data
NHS Digital is the controller of the personal data collected and analysed above under the General Data Protection Regulation 2016 (GDPR) jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect, analyse and in certain circumstances disseminate this data under the COVID-19 Public Health Directions 2020 (COVID-19 Directions).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.
NHS Digital has various powers to share personal data which are explained below under ‘Who we share your personal data with’.
Under GDPR our legal basis for collecting and analysing this data is Article 6(1)(c) - legal obligation. Our legal basis for collecting and analysing personal data relating to health, will be Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Directions.
Our legal basis for sharing personal data under GDPR will depend on the organisation we are sharing the data with and their purposes for using the data. This will include:
- Article 6(1)(c) – legal obligation, for example where the NHS Digital COPI Notice applies
- Article 6(1)(d) – vital interests, for example where it is necessary to protect your or other patients’ vital interests
- Article 6(1)(e) – public task, for example where we are sharing data with another public authority for the purposes of them exercising their statutory or governmental functions
- Article 6(1)(f) – legitimate interests, for example where we are sharing information with a research organisation to carry out vital coronavirus research
Our legal basis for sharing personal data under GDPR relating to health will include:
- Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions or for other organisations exercising their governmental or statutory functions
- Article 9(2)(h) – health or social care purposes
- Article 9(2)(i) – public health purposes
- Article 9(2)(j) – scientific research or statistical purposes.
Types of personal data we process
The data to be collected will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research.
It will not include details for any patient who has registered a Type 1 objection with their GP practice. Where a Type 1 objection has been registered, your GP practice will not share your personal identifiable confidential information outside of the GP practice, except when it is being used for the purposes of your care and treatment or where there is a legal requirement to do so. Although there is a legal requirement to do so here, NHS Digital has agreed with the National Data Guardian, the British Medical Association and the Royal College of General Practitioners to respect Type 1 objections.
The data which NHS Digital will collect and analyse contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
Detailed information about the data we will collect and the specific codes is contained in the Data Provision Notice issued to GP practices.
How we obtain your personal data
NHS Digital collects this data from general practices in England, who are legally required to provide this data. The data is extracted from GP clinical systems by the clinical system supplier and transferred to NHS Digital using the General Practice Extraction Service (GPES). This is an existing secure data extraction tool which is used to extract other data from general practice clinical systems.
How long we keep your personal data for
We will retain your personal data for as long as is necessary for the purposes outlined above in accordance with the Records Management Code of Practice for Health and Social Care 2016 and NHS Digital’s Records Management Policy.
Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.
Where we store the data
NHS Digital only stores and processes your personal data for this data collection within the United Kingdom.
Fully anonymised data, for example statistical data (which does not allow you to be identified), may be stored and processed outside of the UK.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, our legal basis for collecting this information and what choices and rights you have, see our Coronavirus (COVID-19) response transparency notice, how we look after your health and care information and our general transparency notice.
Changes to this notice
We may make changes to this transparency notice. If we do, the ‘last updated’ date on this page will also change. Any changes to this notice will apply immediately from the date of any change.