The NHS England OpenSAFELY COVID-19 service - privacy notice

The NHS England OpenSAFELY COVID-19 Service is a secure, transparent, open-source software platform for analysis of electronic health data. The system provides access to de-identified (pseudonymised) personal data to support Approved Users (academics, analysts, and data scientists) to undertake approved projects for COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.

The purposes for processing are to identify medical conditions and medications that affect the risk or impact of COVID-19 infection on individuals; this will assist with identifying risk factors associated with poor patient outcomes as well as information to monitor and predict demand on health services.

This service previously operated under notices issued by the Secretary of State under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations), to process confidential patient information for COVID-19 purposes to create the Service. The last such notice was issued to NHS England, and GP Practices whose IT systems are supplied by the GP System Suppliers, on 2 May 2023 and will expire on 30 June 2023 (COPI Notice). As of 1 July 2023, the Secretary of State has requested that NHS England continue to operate the Service under the COVID-19 Directions to continue to operate the Service for the COVID-19 Purposes.

The information we will process for these purposes includes:

• demographic information (age, sex, area of residence, ethnicity)
• clinical information pertaining to coronavirus-related care and outcomes
• clinical information pertaining to wider health conditions, medications, allergies, physiological parameters (such as BMI), prior blood tests and other investigation results, and other recent medical history (such as smoking status)

We collect your personal data for this purpose from:

• primary care (GP) records processed by TPP and EMIS for GP practices that use their systems
• other NHS intensive care or relevant datasets containing information about the healthcare of patients with COVID-19

NHS England has contracted with The Phoenix Partnership (Leeds) Ltd (TPP) and EMIS Group PLC to act as data processors to host the service and enable access to approved researchers.

The Bennett Institute, University of Oxford, and the EHR research group, London School of Hygiene and Tropical Medicine (LSHTM), under contract with NHS England, provide platform development functions and conduct analyses of the data held on the service.

Organisations conducting approved projects have access to query the de-identified (pseudonymised) data held on within the service.

The retention period is in line with the NHS Digital Records Management Policy and the NHS Records Management Code. The pseudonymised and de-identified patient level summary data will be retained for at least 2 years for verification of analyses and for audit proposes. All data will be held according to GDPR regulations. Furthermore, the NHS Records and Document Management Policy and Corporate Retention and Disposal Framework: Implementation Process will be adhered to.

As the NHS data stores are held with the data processors TPP and EMIS, the data will be held for verification of findings and audit purposes and can be deleted once outside the retention periods, however the data cannot be transferred to other NHSE systems (as per operating requirements set out by the Secretary of State).

NHS England has been directed by the Secretary of State for Health and Social Care under section 254 of the Health and Social Care Act 2012 to establish and operate a system for the collection and analysis of the information specified for this service. The direction is published on the NHS England website. 

This information is required by NHS England under section 259(1)(a) of the Health and Social Care Act 2012.

In line with section 259(5) of the Act, all organisations in scope, in England, must comply with the requirement and provide information to NHS England in the form, manner and period specified in the associated NHS England OpenSAFELY (OS) COVID-19 Service Data Provision Notice (DPN).