NHS England Transparency Notice: GPES Data for Pandemic Planning and Research (COVID-19) (GDPPR)

The Secretary of State for Health and Social Care has directed NHS England to collect, process and analyse data in connection with COVID-19 to support the Secretary of State’s response to COVID-19 and to support various COVID-19 purposes set out in the COVID-19 Public Health Directions 2020 (COVID-19 Directions). This enables NHS England to collect and analyse the data and link it, for COVID-19 purposes, with other data held by NHS England

The purpose of the data collection is also to respond to the intense demand for general practice data to be shared in support of vital planning and research for COVID-19 purposes.

NHS Digital (now NHS England) was requested by the joint co-chairs of the Joint GP IT Committee (JGPITC), which comprises membership from the British Medical Association (BMA) and the Royal College of General Practitioners (RCGP), to provide a tactical solution during the period of the COVID-19 pandemic to meet this demand and to relieve the growing burden and responsibility on general practices. On 15 April 2020 the BMA and RCGP therefore gave their support via JGPITC to NHS Digital’s proposal to use the General Practice Extraction Service (GPES) to deliver a data collection from general practices, at scale and at pace, as a tactical solution to support the COVID-19 response in the pandemic emergency period.

Organisations, including the Government, health and social care organisations and researchers need access to this data for a range of COVID-19 purposes, including to help support research into to the COVID-19 pandemic and to provide insight into the recovery of health and social care services. COVID-19 purposes for which this data may be analysed and used may include:

• understanding COVID-19 and risks to public health, trends in COVID-19 and such risks and controlling and preventing the spread of COVID-19 and such risks
• identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
• understanding information about patient access to health services and adult social care services as a direct or indirect result of COVID-19, and the availability and capacity of those services
• monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
• delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services; and
• research and planning in relation to COVID-19

Data may be analysed and linked to other data held by NHS England or held by other organisations to which access to the data is granted for COVID-19 purposes. This is managed via the Data Access Request Service (DARS), with oversight provided by the Advisory Group for Data (AGD) and the Patient Advisory Group (PAG).

Data is collected nationally from all active general practices by NHS England every month. All requests to access this data will be triaged, assessed and fulfilled by NHS England through DARS. This will significantly reduce the burden on general practice, enabling general practice to focus on delivering health care and support to patients. It will also reduce compliance burden and risk for general practice associated with sharing data.

See more information about how data, including this data collected from GP medical records, is being used by NHS England in the response to COVID-19 .

Collection and analysis

NHS England has been directed by the Secretary of State for Health and Social Care under section 254 of the Health and Social Care Act 2012 (the 2012 Act) to establish and operate a system for the collection and analysis of the information specified for this service: GDPPR.

All general practices in England are legally required to share data with NHS England for this purpose under section 259(1)(a) of the 2012 Act. General practices are notified of the requirement to provide data for this purpose through the Data Provision Notice issued by NHS England. The Data Provision Notice is issued in accordance with the procedure published as part of an NHS England duty under section 259(8) of the 2012 Act.

NHS England is the data controller of the personal data collected and analysed under the UK General Data Protection Regulation (UK GDPR) jointly with the Secretary of State for Health and Social Care, who has directed NHS England to collect, analyse and in certain circumstances disseminate this data under the COVID-19 Directions.

NHS England’s lawful basis for processing (collecting and analysing) personal data is:

• Article 6(1)(c) - legal obligation.

NHS England’s lawful basis for processing (collecting and analysing) special categories of personal data (data relating to health) is:

• Article 9(2)(g) – substantial public interest, for the purposes of NHS England exercising its statutory functions under the COVID-19 Directions.

Publication

NHS England has been directed not to publish any information it obtains under the COVID-19 Directions, which includes GDPPR, except for anonymous statistical data (with small numbers supressed) where:

• this is either agreed by the Secretary of State for Health and Social Care; or
• NHS England reasonably believes:
  • it to be in the public interest to publish the data following consultation with relevant parties such as the Department of Health and Social Care (DHSC) and professional bodies (BMA, RCGP and JGPITC); and
  • this does not to any significant extent interfere with NHS England’s performance of its other functions in response to COVID-19 or its other functions more generally

Any information that is published will be fully anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice and be in accordance with the Code of Practice for Statistics.

Dissemination

NHS England has legal powers to disseminate the data for COVID-19 purposes under section 261 of the 2012 Act.

NHS England’s lawful basis, under the UK GDPR, for sharing personal data will depend on the organisation with whom it is sharing the data and the purposes for which they are processing the data. This will include:

• Article 6(1)(c) – legal obligation
• Article 6(1)(d) – vital interests - for example where it is necessary to protect patients’ vital interests
• Article 6(1)(e) – public task - for example where NHS England is sharing data with another public authority for the purposes of them exercising their statutory or governmental functions
• Article 6(1)(f) – legitimate interests - for example where NHS England is sharing information with a research organisation to carry out vital COVID-19 research.

NHS England’s lawful basis, under the UK GDPR, for sharing special categories of personal data (data relating to health) will include:

• Article 9(2)(g) – substantial public interest, for the purposes of NHS England exercising its statutory functions or for other organisations to exercise their governmental or statutory functions
• Article 9(2)(h) – health or social care purposes
• Article 9(2)(i) – public health purposes
• Article 9(2)(j) – scientific research or statistical purposes.

The data collected relates to patients who are currently registered with a general practice or who have a date of death on or after 1 November 2019 and whose record contains coded information relevant to COVID-19 planning and research.

Where you have registered a Type 1 objection with your general practice, your practice will not share your personal identifiable confidential information, except when it is being used for the purposes of your care and treatment or where there is a legal requirement to do so. Although there is a legal requirement to do so here, NHS England has agreed with the National Data Guardian, the BMA and the RCGP to respect Type 1 objections.

The national data opt-out will not apply to the submission of data to NHS England for this collection as the Data Provision Notice is a legal requirement with which the participating organisations must comply.

The personal data which NHS England collects and analyses comprises NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death. It also includes coded health data which is held in your GP record such as details of:

• diagnoses and findings
• medications and other prescribed items
• investigations, tests and results
• treatments and outcomes
• vaccinations and immunisations

Detailed information about the data NHS England collects and the specific codes is contained in the Data Provision Notice issued to general practices in England.

NHS England collects GDPPR from general practices in England.

Practices are sent an invitation to participate in the GDPPR service via the Calculating Quality Reporting Service (CQRS). Practices, as data controllers of the data that is provided to NHS England, are required to take a ‘positive action’ to participate in the service as a means of providing permission to suppliers, which act as data processors on behalf of practices, to extract and provide the required data to NHS England. 

The invitation must be accepted as there is a Direction in place for the data collection and it is a legal requirement for general practices to provide the data under section 259(1)(a) of the 2012 Act.

Once a general practice has accepted the offer to participate in the service, the data is extracted from their clinical system by their GP system supplier and transferred to NHS England using GPES. GPES is an approved and established secure mechanism for extracting and delivering data.

NHS England retains responsibility and accountability at all times for the dissemination of GDPPR as the Joint Data Controller under the UK GDPR. It will do so through ensuring that requests for data are necessary, proportionate, that the minimum amount of data necessary for the purpose only is shared and that the transfer and use of the data shared will be secure and lawful.

Organisations seeking access to the data for planning purposes may include DHSC, other government departments involved in the COVID-19 response, NHS Trusts and Integrated Care Boards (ICBs). Research organisations, including Universities and private research companies, may seek access to the data for the purposes of carrying out vital COVID-19 research. A list of COVID-19 research studies and the organisations carrying out these studies is available on the National Institute for Health and Care Research Portal.

Data applicants will need to demonstrate though the DARS assessment process that they have a lawful basis to access and process the data for COVID-19 purposes. Where identifiable data is requested, the data applicant must demonstrate a legal basis under the common law duty of confidentiality. Use of data for research purposes will also require Research Ethics Committee approval.

NHS England will consult with the BMA and the RCGP on all requests for access to GDPPR received by DARS. An outline of the process, which has been agreed with the BMA and the RCGP, is published on the NHS England website. Requests by organisations to access record level (pseudonymised or identifiable) data from this collection will also be subject to AGD and PAG consideration and advice.

Requests will be assessed by DARS, AGD and PAG against specific criteria underpinned by information governance assessment standards. These standards include additional scrutiny where there is involvement from an organisation whose involvement may warrant public concern. The DARS process is robust and well-established, and consists of enquiry, triage, review, independent oversight through AGD, approval, access, audit and destruction phases. All data approved for release through DARS and AGD are subject to robust data sharing agreements between NHS England and the data applicant(s).

NHS England discloses in its Data Uses Register the organisations to whom it disseminates GDPPR data and the purposes of dissemination to ensure the public and the profession are informed of the benefits generated from the use of the data.

In the unlikely event that AGD did not recommend approval of a request for access to GDPPR and NHS England disagreed with that recommendation, NHS England would seek guidance from the National Data Guardian or, where appropriate, advice from the Health Research Authority (HRA) Confidentiality Advisory Group (CAG) under section 262A of the 2012 Act before disseminating any data. 

The application of the national data opt-out will be considered on a case by case basis in relation to the dissemination of data from NHS England and may or may not apply depending on the specific COVID-19 purposes for which the data is to be used. This is because the national data opt-out will not generally apply where data is used to support the COVID-19 outbreak, due to the public interest in and legal requirements to share information. For more information on the national data opt-out and its application during the COVID-19 period see Section 6.2 of the national data opt-out operational policy guidance.

NHS England will retain your personal data for as long as is necessary for the purposes outlined above in accordance with the NHS Records Management Code of Practice and the COVID-19 Directions.

Other organisations with whom NHS England shares your personal data have obligations to keep it for no longer than is necessary for the purposes for which the personal data has been shared. Information about this will be provided in the transparency or privacy notices published on their websites.

NHS England only stores and processes your personal data for this data collection within the United Kingdom.

Fully anonymised data, for example statistical data (which does not allow you to be identified), may be stored and processed outside of the UK.

To read more about the health and care information NHS England collects, its legal basis for collecting this information and what choices and rights you have over the processing of your personal data, please see NHS England’s Coronavirus (COVID-19) response transparency notice, it's how we look after your health and care information and it's general transparency notice.

NHS England may make changes to this transparency notice. If it does, the ‘last updated’ date on this page will also change. Any changes to this notice will apply immediately from the date of any change.