NHS OpenSAFELY Data Analytics Service pilot - Privacy notice

This privacy notice explains:

• Why we collect information about you (we call this 'personal data')
• What we do with it, including who we share it with (we call this 'processing')
• How long we keep it for and where we store it
• Our legal basis for using it
• What your data protection rights are

To read more about how NHS England uses personal data to improve health and care, see the NHS England privacy notice.

The NHS OpenSAFELY Data Analytics Service is a secure data analytics service managed by NHS England. It is available to approved users (such as academics, data analysts, data scientists and researchers) to help them to analyse patient data which is held by your GP practice and by NHS England, in a safe and secure way that protects your privacy. 

This is a pilot service which builds upon the success of the NHS England OpenSAFELY COVID-19 Service, which was introduced to:

• help identify medical conditions and medications which affect the risk or impact of COVID-19 infection on individuals
• identify the risk factors associated with poor patient outcomes
• gather information to monitor and predict the demand on health services

The service uses a software platform called OpenSAFELY which is designed with the following privacy safeguards:

OpenSAFELY uses pseudonymised data, held by your GP practice and by NHS England. Pseudonymised data is where information which can uniquely identify you, such as your NHS number, is replaced with a unique marker (a random string of letters and numbers). Other information which can also uniquely identify you, such as your name, date of birth and address are also removed from the data and replaced with something more general, for example, your date of birth is replaced with your age and your postcode is replaced with a geographical region. More information about pseudonymisation and other techniques used to protect your privacy can be found on the Understanding Patient Data website. 

The OpenSAFELY software does not move patient data outside of the secure IT environments they are held in. Instead, the software is implemented inside the data centres of the 2 largest GP IT system suppliers, TPP and Optum so that when approved users of OpenSAFELY run code to analyse the pseudonymised data, it never leaves your GP practice’s IT system.

Approved users are given access to an off-line development environment, where they can build and develop their data analysis code using ‘dummy’ (pretend or fictional) data rather than real patient data. The code is tested before it is sent securely into the live data environment to be executed (run) against the real pseudonymised patient data held in your GP practice’s IT system. This means that approved users never see any real patient data, cannot download any real patient data and can only see aggregate anonymous results or outputs (which do not identify you). 

A record (a log) is kept of all user activity and code which has been executed on the OpenSAFELY software platform and is published.

The users of the service are approved by, or on behalf of, NHS England to carry out data analytic projects for purposes such as:

• clinical audit (a way to check if healthcare is being provided in line with care standards to help improve the quality of healthcare services)
• service evaluation (to assess how well a healthcare service is achieving its intended aims)
• health surveillance (to better understand the health of the population)
• research, such as to find new treatments, improve early diagnosis of disease and prevent ill-health
• to plan NHS services, develop and improve health and social care policy, and to commission NHS services
• public health purposes (to identify and monitor diseases that pose a risk to the health of population)

The following personal data, which has been pseudonymised, is processed by the NHS OpenSAFELY Data Analytics Service:

Demographic information: such as your age, sex, gender, marital status, sexual orientation, area of residence, ethnicity, religion or beliefs.

Health information: such as your health conditions, medications, allergies, Body Mass Index (BMI), prior blood tests and other investigation results.

Lifestyle information: such as whether you are a smoker, non-smoker or ex-smoker.

The NHS OpenSAFELY Data Analytics Service uses:

• data held by your GP practice (if they use IT systems managed by TPP and Optum) which has been pseudonymised, and;
• other relevant data sets which NHS England has approved for use in the service and has pseudonymised before it is stored in the OpenSAFELY secure platform.

The service does not share any personal data with other organisations.

Approved users who are conducting approved data analytic projects on pseudonymised data within the service (such as academics, data analysts, data scientists and researchers) will only see aggregate anonymous results and outputs (which do not identify you). A summary of the projects which have been given approval are published.

Under a Data Processing Agreement (contract), NHS England has instructed:

• the Phoenix Partnership (Leeds) Ltd (TPP) and Optum (formerly EMIS Group PLC) to host the service in their secure data centres and allow access to approved users
• the Bennett Institute for Applied Data Science (University of Oxford) to provide platform development functions and conduct analyses of the data held on the service

Your data will be kept for as long as is necessary to deliver and run the service in accordance with the NHS Records Management Code of Practice 2021, NHS England’s Records Management Policy and the UK GDPR and the Data Protection Act 2018.

The aggregate anonymous results and outputs made available to approved users of the service will be kept in line with the above policies to check and validate the data analysis and for audit purposes.

The OpenSAFELY secure platform stores and processes data in the UK.

Data protection law requires NHS England to have a legal basis before we can process your personal data.

Our legal basis is:

Legal obligation - Article 6(1)(c) of UK GDPR. This is because the Secretary of State for Health and Social Care has issued us with a Direction to provide this service. This Direction is called the NHS OpenSAFELY Data Analytics Service Pilot Directions 2025.

We also need an additional legal basis in the UK GDPR and the Data Protection Act 2018 (DPA 2018) to process data which is extra sensitive. This is known as 'special categories of personal data'. Our legal basis to process this is:

Substantial public interest – Article 9(2)(g) of UK GDPR, plus Schedule 1, Part 2, Paragraph 6 'statutory etc. and government purposes' of DPA 2018, plus;

Health or social care – Article 9(2)(h) of UK GDPR, plus Schedule 1, Part 1, Paragraph 2 'Health or social care purposes' of DPA 2018.

NHS England’s role under data protection law is a 'joint controller' with the Secretary of State for Health and Social Care. This means that we have jointly decided what personal data to collect and how it will be processed, to provide the NHS OpenSAFELY Data Analytics Service in accordance with the NHS OpenSAFELY Data Analytics Service Pilot Directions 2025.

You can read more about the health and care information collected by NHS England, and your choices and rights on the following webpages:

NHS England’s general privacy notice
How we look after your health and care information
How to make a subject access request

Type 1 opt-out

Type 1 opt-outs are recorded in GP practice records. They represent patients' choice to opt out of their confidential patient information which is held by their GP practice from being used for purposes beyond their individual care (without their explicit consent). If you have registered a Type 1 opt-out with your GP practice, your choice will be respected, and your data will not be used by the NHS OpenSAFELY Data Analytics Service.

You can make register a Type 1 opt-out by completing a form and returning it to your GP practice.  More information is available on the NHS website.

National Data Opt-Out

The National Data Opt-Out allows patients to opt out of their confidential patient information being used for research or planning purposes. If you have registered a National Data Opt-Out, your data will still be processed by NHS OpenSAFELY Data Analytics Service, with certain exceptions*. This is because the National Data Opt-Out does not apply where NHS England has a legal obligation to operate the service under the NHS OpenSAFELY Data Analytics Service Pilot Directions 2025. The National Data Opt-Out also does not apply to aggregate anonymous data (data which does not identify you) which is the only data shared with approved users of the OpenSAFELY service.

We take our responsibility to look after your data very seriously. If you have any questions or concerns about how NHS England uses your data, please contact our Data Protection Officer at: [email protected].  

You also have the right to make a complaint about how we are using your data to the Information Commissioner’s Office by calling 0303 123 1113 or through the ICO website. 

This privacy notice was first published on 22 July 2025. NHS England may make changes to this privacy notice. If so, the date it was last amended will be shown below. Changes to this notice will apply immediately from the date of any change.