NHS Digital transparency notice: GPES data for pandemic planning and research (COVID-19)
13 May 2020: This transparency notice provides details about how NHS Digital collects, analyses, publishes and disseminates personal data collected from GP practices for coronavirus (COVID-19) planning and research purposes.
Our purposes for processing personal data
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. Accurate and up to date data is also essential in managing the coronavirus outbreak.
To support the response to the outbreak, NHS Digital has been legally directed to collect and analyse healthcare information about patients from their GP record for the duration of the coronavirus emergency period. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this approach.
NHS Digital will analyse the data and securely and lawfully share data with other appropriate organisations described below for coronavirus response purposes only. These purposes include:
carrying out vital research into treatments and vaccines for the virus, including clinical trials
identifying coronavirus trends and risks to public health
diagnosing and monitoring the effects of coronavirus
controlling and helping to prevent the spread of the virus
planning and providing health, social care and other public services in response to coronavirus (COVID-19)
helping clinicians, scientists, public health bodies and the government to provide guidance and develop policies to respond to the outbreak
Our legal basis for collecting, analysing and sharing personal data
NHS Digital is the controller of the personal data collected and analysed above under the General Data Protection Regulation 2016 (GDPR) jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect, analyse and in certain circumstances disseminate this data under the COVID-19 Public Health Directions 2020 (COVID-19 Directions).
NHS Digital has various powers to share personal data which are explained below under ‘Who we share your personal data with’.
Under GDPR our legal basis for collecting and analysing this data is Article 6(1)(c) – legal obligation. Our legal basis for collecting and analysing personal data relating to health will be Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Directions.
Our legal basis for sharing personal data under GDPR will depend on the organisation we are sharing the data with and their purposes for using the data. This will include:
Article 6(1)(d) – vital interests, for example where it is necessary to protect your or other patients’ vital interests
Article 6(1)(e) – public task, for example where we are sharing data with another public authority for the purposes of them exercising their statutory or governmental functions
Article 6(1)(f) – legitimate interests, for example where we are sharing information with a research organisation to carry out vital coronavirus research
Our legal basis for sharing personal data under GDPR relating to health will include:
Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions or for other organisations exercising their governmental or statutory functions
Article 9(2)(h) – health or social care purposes
Article 9(2)(i) – public health purposes
Article 9(2)(j) – scientific research or statistical purposes.
Types of personal data we process
The data to be collected will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research.
It will not include details for any patient who has registered a Type 1 objection with their GP practice. Where a Type 1 objection has been registered, your GP practice will not share your personal identifiable confidential information outside of the GP practice, except when it is being used for the purposes of your care and treatment or where there is a legal requirement to do so. Although there is a legal requirement to do so here, NHS Digital has agreed with the National Data Guardian, the British Medical Association and the Royal College of General Practitioners to respect Type 1 objections.
The data which NHS Digital will collect and analyse contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death. It will also include coded health data which is held in your GP record such as details of:
NHS Digital collects this data from general practices in England, who are legally required to provide this data. The data is extracted from GP clinical systems by the clinical system supplier and transferred to NHS Digital using the General Practice Extraction Service (GPES). This is an existing secure data extraction tool which is used to extract other data from general practice clinical systems.
Who we share your personal data with
In the current emergency it has become even more important to share health and care information across relevant organisations. NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share information in certain circumstances under the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
NHS Digital will securely and lawfully share this data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for purposes relating to coronavirus only.
For example, we may share data for coronavirus planning purposes with the Department of Health and Social Care and other government departments involved in the coronavirus response, NHS England and Improvement, Public Health England, NHS Trusts and Clinical Commissioning Groups (CCGs). We may share information with research organisations, including universities, NHS Trusts and private research companies for the purposes of carrying out vital coronavirus research. Examples of current urgent public health nationally prioritised coronavirus research studies and the organisations carrying out that research are available on the National Institute of Health Research Portal.
Data which is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus related purpose will be shared.
All requests to access this data for coronavirus planning and research purposes will be assessed by NHS Digital’s Data Access Request Service, to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately. Requests for access to record level patient data obtained through this data collection will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest in and legal requirements to share information.
We will publish information about the data that we share, including who with and for what purpose in our data release register.
Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.
Where we store the data
NHS Digital only stores and processes your personal data for this data collection within the United Kingdom.
Fully anonymised data, for example statistical data (which does not allow you to be identified), may be stored and processed outside of the UK.