Skip to main content

NHS Digital transparency notice: GPES data for pandemic planning and research (COVID-19)

13 May 2020: This transparency notice provides details about how NHS Digital collects, analyses, publishes and disseminates personal data collected from GP practices for coronavirus (COVID-19) planning and research purposes.

Our purposes for processing personal data

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. Accurate and up to date data is also essential in managing the coronavirus outbreak.

To support the response to the outbreak, NHS Digital has been legally directed to collect and analyse healthcare information about patients from their GP record for the duration of the coronavirus emergency period. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this approach.

NHS Digital will analyse the data and securely and lawfully share data with other appropriate organisations described below for coronavirus response purposes only. These purposes include:

  • carrying out vital research into treatments and vaccines for the virus, including clinical trials
  • identifying coronavirus trends and risks to public health
  • diagnosing and monitoring the effects of coronavirus
  • controlling and helping to prevent the spread of the virus
  • planning and providing health, social care and other public services in response to coronavirus (COVID-19)
  • helping clinicians, scientists, public health bodies and the government to provide guidance and develop policies to respond to the outbreak
  • monitoring and managing the outbreak

See more information about how data, including this data collected from GP medical records, is being used by NHS Digital in the response to coronavirus.

Our legal basis for collecting, analysing and sharing personal data

NHS Digital is the controller of the personal data collected and analysed above under the General Data Protection Regulation 2016 (GDPR) jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect, analyse and in certain circumstances disseminate this data under the COVID-19 Public Health Directions 2020 (COVID-19 Directions).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.

NHS Digital has various powers to share personal data which are explained below under ‘Who we share your personal data with’.

Under GDPR our legal basis for collecting and analysing this data is Article 6(1)(c) - legal obligation. Our legal basis for collecting and analysing personal data relating to health, will be Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Directions.

Our legal basis for sharing personal data under GDPR will depend on the organisation we are sharing the data with and their purposes for using the data. This will include:

  • Article 6(1)(c) – legal obligation, for example where the NHS Digital COPI Notice applies
  • Article 6(1)(d) – vital interests, for example where it is necessary to protect your or other patients’ vital interests
  • Article 6(1)(e) – public task, for example where we are sharing data with another public authority for the purposes of them exercising their statutory or governmental functions
  • Article 6(1)(f) – legitimate interests, for example where we are sharing information with a research organisation to carry out vital coronavirus research

Our legal basis for sharing personal data under GDPR relating to health will include:

  • Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions or for other organisations exercising their governmental or statutory functions
  • Article 9(2)(h) – health or social care purposes
  • Article 9(2)(i) – public health purposes
  • Article 9(2)(j) – scientific research or statistical purposes.

Types of personal data we process

The data to be collected will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research.

It will not include details for any patient who has registered a Type 1 objection with their GP practice.  Where a Type 1 objection has been registered, your GP practice will not share your personal identifiable confidential information outside of the GP practice, except when it is being used for the purposes of your care and treatment or where there is a legal requirement to do so. Although there is a legal requirement to do so here, NHS Digital has agreed with the National Data Guardian, the British Medical Association and the Royal College of General Practitioners to respect Type 1 objections.

The data which NHS Digital will collect and analyse contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

Detailed information about the data we will collect and the specific codes is contained in the Data Provision Notice issued to GP practices.

How we obtain your personal data

NHS Digital collects this data from general practices in England, who are legally required to provide this data. The data is extracted from GP clinical systems by the clinical system supplier and transferred to NHS Digital using the General Practice Extraction Service (GPES). This is an existing secure data extraction tool which is used to extract other data from general practice clinical systems.

Who we share your personal data with

In the current emergency it has become even more important to share health and care information across relevant organisations. NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share information in certain circumstances under the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information. 

NHS Digital will securely and lawfully share this data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for purposes relating to coronavirus only.

For example, we may share data for coronavirus planning purposes with the Department of Health and Social Care and other government departments involved in the coronavirus response, NHS England and Improvement, Public Health England, NHS Trusts and Clinical Commissioning Groups (CCGs). We may share information with research organisations, including universities, NHS Trusts and private research companies for the purposes of carrying out vital coronavirus research. Examples of current urgent public health nationally prioritised coronavirus research studies and the organisations carrying out that research are available on the National Institute of Health Research Portal.

Data which is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus related purpose will be shared.

All requests to access this data for coronavirus planning and research purposes will be assessed by NHS Digital’s Data Access Request Service, to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately. Requests for access to record level patient data obtained through this data collection will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest in and legal requirements to share information.

We will publish information about the data that we share, including who with and for what purpose in our data release register.

We may also publish information which we have obtained under this collection where we are allowed to do so under the legal direction. Any information that is published will be fully anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice (or any subsequent document on the same topic published by the Information Commissioner’s Office) and be in accordance with the Code of Practice for Statistics.

How long we keep your personal data for

We will retain your personal data for as long as is necessary for the purposes outlined above in accordance with the Records Management Code of Practice for Health and Social Care 2016 and NHS Digital’s Records Management Policy.

Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.

Where we store the data

NHS Digital only stores and processes your personal data for this data collection within the United Kingdom.

Fully anonymised data, for example statistical data (which does not allow you to be identified), may be stored and processed outside of the UK.

Your rights over your personal data

To read more about the health and care information NHS Digital collects, our legal basis for collecting this information and what choices and rights you have, see our Coronavirus (COVID-19) response transparency notice, how we look after your health and care information and our general transparency notice.

Changes to this notice

We may make changes to this transparency notice. If we do, the ‘last updated’ date on this page will also change. Any changes to this notice will apply immediately from the date of any change.

Last edited: 14 May 2020 1:29 pm