Skip to main content
COVID-19 Population Risk Assessment transparency notice

Version 1: 15 February 2021. This transparency notice is provided to explain how your personal information may be used by NHS Digital in relation to the COVID-19 Population Risk Assessment.

The COVID-19 Population Risk Assessment uses a risk prediction model developed by the University of Oxford called QCovid®.  This combines a number of factors such as age, sex registered at birth, ethnicity, body mass index (BMI) and specific health conditions and treatments to estimate the risk of a person catching coronavirus and becoming seriously unwell. The COVID-19 Population Risk Assessment uses patient data held in existing NHS Digital datasets to identify people in England who may be at risk of extreme vulnerability to coronavirus.  It then generates risk assessment results for each person and those people with a result above a threshold set by the Chief Medical Officer for England (CMO) have been added to the Shielded Patient List (SPL) in England. 

Full guidance on shielding and protecting people who are high risk (clinically extremely vulnerable (CEV)) can be found online on GOV.UK. More information about the SPL can be found on NHS Digital’s Shielded Patient List (SPL) webpages.


The purposes for processing your personal information

Researchers from across the UK, led by the University of Oxford, produced a risk prediction model called QCovid® as part of a clinical research project. This combines a number of factors such as age, sex registered at birth, ethnicity, BMI and specific health conditions and treatments to estimate the risk of a person catching and becoming seriously unwell with coronavirus.

NHS Digital has been asked by the CMO to use QCovid® to identify people in England who may be at high risk of becoming seriously unwell from coronavirus, but who have not currently been identified as high risk (clinically extremely vulnerable).

NHS Digital has therefore developed the COVID-19 Population Risk Assessment, which uses QCovid® and patient data held in existing NHS Digital datasets, to identify those people with relevant factors or health issues, to assess their risk. NHS Digital generates risk assessment results for each of these people. Those with a result above an agreed threshold set by the CMO in consultation with senior clinicians, are considered to be potentially high risk (clinically extremely vulnerable).

A cautious approach has been taken, so there is a chance that a person’s risk is lower than the risk assessment has indicated. This is because, where data was missing from the NHS Digital datasets, the risk assessment uses default values which may overestimate a person’s risk. This cautious approach is to reduce the risk of underestimating people’s risk and excluding them from the group who will be added to SPL. This approach was agreed by the CMO as clinically the most appropriate to ensure that those people who may be at high risk can receive advice and support on how to protect themselves and can be prioritised for a coronavirus vaccination.     

People who are identified as potentially high risk (clinically extremely vulnerable) will therefore be prioritised for coronavirus vaccination and will be added to the SPL, which is maintained by NHS Digital.

The QCovid® Calculation Engine and the COVID-19 Population Risk Assessment are each registered as medical devices with the Medicines and Healthcare products Regulatory Agency (MHRA).

Read more about the COVID-19 Population Risk Assessment and QCovid®, including the research behind it, the data it uses and how it works.


Types of personal information we are processing

In order to identify people who may be at high risk of catching and becoming seriously unwell with coronavirus, we process the following information about relevant people in England:

  • NHS Number
  • date of birth
  • sex registered at birth
  • ethnicity
  • height, weight and Body Mass Index
  • postcode (to identify a Townsend deprivation score, a well-known way of measuring deprivation based on data from the 2011 Census)
  • information about whether you live in your own home, are homeless or resident of a care home (based on your address)  
  • health related data (in the form of condition codes held in central NHS records), including data about certain:
    • cardiovascular diseases
    • respiratory diseases and treatment
    • metabolic, renal and liver conditions
    • neurological and psychiatric conditions
    • autoimmune and haematological conditions
    • immunosuppressants, cancer conditions and treatments

Get a full list of health conditions and treatments.


Whose data we are processing

Only information about the following people is processed: 

  • people aged 19-100 who could potentially meet the threshold for being considered potentially high risk (clinically extremely vulnerable)
  • people who have not previously been identified by existing SPL processes

Records for people who have already been identified as CEV and who are therefore already on the SPL are not included. Records of people who have previously been removed from the SPL by their GP or hospital doctor are also not included.


Who we share your information with

GP practices (GPs) and hospitals will receive information about their own patients who have been identified as potentially high risk (clinically extremely vulnerable) by the COVID-19 Population Risk Assessment through the SPL.

GPs will also be able to securely access information held by NHS Digital about their own patients who were assessed as part of the COVID-19 Population Risk Assessment but not identified as high risk (clinically extremely vulnerable), in order to review their risk assessment results.

Clinicians can add or remove a patient from the SPL at any time and will continue to review whether patients are clinically extremely vulnerable an ongoing basis, according to their clinical judgement and when a patient requests this. 


How long we keep your personal data for

Data will be processed until the expiry of the COVID-19 Directions which is currently 31 March 2022 (unless extended).  Data shall be retained for 8 years from the expiry of those Directions in accordance with the Records Management Code of Practice 2021 and the NHS Digital Records Management Policy.


Your rights over your personal data

To read more about the health and care information NHS Digital collects, our legal basis for collecting this information and what choices and rights you have, see how we look after your health and care information, our general transparency notice and our Coronavirus (COVID-19) response transparency notice

We may make changes to this transparency notice. If we do, the ‘last updated’ date at the top of the notice will also change. Any changes to this notice will apply immediately from the date of any change.

Last edited: 5 August 2021 10:10 am