GPES data for pandemic planning and research (COVID-19): agreed process document

Assessment of requests for GPES data for pandemic planning and research will have input from general practice in addition to the usual DARS process. All applications will be reviewed by the RGCP and BMA, and a GP representative will be part of the IGARD panel that considers the application.

This document details the process agreed upon between NHS Digital, IGARD, BMA and RCGP to provide extra safeguards for GPES COVID-19 data releases.

The NHS Digital DARS and IGARD process for assessing requests for access to GPES data for pandemic planning and research (COVID-19) including the role of the BMA and RCGP. Version 1.0, 14 May 2020.

The following process for the assessment of requests to access GPES data for pandemic planning and research (COVID-19) has been agreed with the British Medical Association (BMA) and the Royal College of General Practitioners (RCGP) with support from the National Data Guardian (NDG). All requests for access to this data collection (referred to in this document as GPES COVID-19 data) will be considered by NHS Digital in accordance with this process. This process is particular to the GPES COVID-19 data and will apply for the duration of the collection, which is until the expiry of the COVID-19 Public Health Direction 2020, which is currently the end of September 2020.

The principles agreed with NHS Digital, IGARD, BMA and RCGP include that:

• all relevant stakeholders want to ensure that comments from RCGP and BMA inform the overall process, and that IGARD has visibility of those comments in reaching a recommendation
• timely, appropriate, proportionate and secure access to data is vital
• RCGP and BMA would comment on applications from the perspective of ethical, clinical and public interest (including clinical risk).  They would of course have the right to make any other comments in addition, but are not reviewing the entirety of the application that is seen by IGARD (for example, legal basis, security controls, consent material, consistency of protocol/ethics, compliance with common law duty etc), given IGARD’s wider assurance role.

1. NHSX and NHS England and NHS Improvement have established a single point of contact (SPOC) process for applicants to request health and care data to support the coronavirus (COVID-19) response. All requests for GPES COVID-19 data from NHS Digital will be received through the NHSX SPOC request process. Applicants should fill in the Access Request Form for GPES Data for Pandemic Planning and Research (COVID-19) and email [email protected] to begin this process.
2. Following triage and prioritisation in consultation with NHS Digital, the NHSX SPOC process will pass requests for access to GPES COVID-19 data on to NHS Digital, and through to the NHS Digital Data Access Request Service (DARS). 
3. Where a request is made for GPES COVID-19 data at record level (either pseudonymised or identifiable) it will be added to the agenda for a weekly (or more frequent period if demand requires) meeting with representatives of the RCGP and the BMA.  At the meeting, representatives from the RCGP and BMA, the NHS Digital Associate Director of Data Access and the NHS Digital Caldicott Guardian will review new applications (based on detail provided by the DARS team). Resulting comments will be documented by NHS Digital and agreed at the meeting.  The comments will accompany the request application when it is formally provided to the Independent Group Advising on the Release of Data (IGARD) as part of the application pack. 
4. In parallel, each such request will be assessed through DARS against specified criteria, with advice on legal basis for dissemination from the NHS Digital information governance team, and progress to IGARD review.
5. IGARD will meet twice a week during the COVID-19 period to deal with record level GPES COVID-19 data requests and other data requests. All record level GPES COVID-19 data requests will be considered by IGARD with a GP representative as part of the panel. IGARD can also provide more urgent out of meeting reviews where required.
6. IGARD will consider all detail in reaching a recommendation, including comments from BMA and RCGP on applications. IGARD’s consideration is minuted for each application and the minutes are published weekly on NHS Digital’s website. NHS Digital will publish the comments made by the profession at the same time as the relevant minutes from IGARD.  
7. Where IGARD considers an application, it may make one of a number of recommendations to NHS Digital:

• recommended for approval without conditions or with amendments only
• recommended for approval with conditions
• recommend deferral
• unable to make a recommendation to approve.

8. If NHS Digital is unable to agree with the recommendation made by IGARD it will approach the NDG for advice.
9. All approvals, when agreed by NHS Digital, are signed by the Associate Director of Data Access, and are subject to a contractual framework and data sharing agreements between NHS Digital and the controller(s) receiving access to data.  All agreements are for a specific time period, and must be either renewed/extended prior to expiry, or otherwise data must be securely destroyed by the recipient (and any related data processors).
10. It is expected that following a number of similar requests for access to GPES COVID-19 data that IGARD will develop precedents with NHS Digital which would enable DARS to process certain record level requests without individual IGARD approval (precedent requests). However those precedent requests would still be subject to oversight by IGARD through the oversight and assurance mechanism. Professional representatives will continue to be notified and consulted for all such precedent requests.
11. Renewals, extensions and amendments to existing applications may be agreed by the Associate Director of Data Access, who in turn reserves the right to pass applications back into the process for additional comment or review if they wish.  Any amendment to an existing agreement to add access for GPES COVID-19 data would be treated as a “new” application for the purposes of the process above.
12. Breaches of any data sharing agreement would be investigated in line with existing approaches, subject to the constraints that COVID-19 emergency period restrictions bring.  Action taken during investigation may vary depending upon the level of risk, but includes suspension of data flow for that agreement, for all agreements with the controller, and/or data destruction.  Any application following a breach is automatically seen by IGARD.
13. One of the aims of the overall approach is to minimise burden on GPs.  Therefore where NHS Digital does not support an application (for example where IGARD has indicated that it is unable to support approval of an application) the decision not to support approval of an application at that time may be referred to by GPs as a reason to decline to service that request, should they be approached directly by the same applicant.
14.  NHS Digital publishes details of data releases made through DARS in its well-established Data Release Register.