COVID 19 - Privacy notice

1st July 2022

The practice is required to process data for a COVID-19 Purpose under regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI), that is, to process data for the purposes set out in Regulation 3(1) of COPI.

A COVID-19 Purpose includes but is not limited to the following:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
  • processing to support the NHS Test and Trace programme
  • identifying and understanding information about patients or potential patients with or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
  • understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of COVID-19 and the availability and capacity of those services or that care
  • monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
  • delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services
  • research and planning in relation to COVID-19


OpenSAFELY – the Coronavirus (COVID-19) Research Platform

Purposes for processing

OpenSAFELY is a secure, transparent, open-source software platform for analysis of electronic health data. The system provides access to de-identified (pseudonymised) personal data to support approved projects.

The purposes for processing are to identify medical conditions and medications that affect the risk or impact of Covid-19 infection on individuals; this will assist with identifying risk factors associated with poor patient outcomes as well as information to monitor and predict demand on health services.

Categories of personal data

The information we will process for these purposes includes:

  • Demographic information (age, sex, area of residence, ethnicity);
  • Clinical information pertaining to coronavirus-related care and outcomes;
  • Clinical information pertaining to wider health conditions, medications, allergies, physiological parameters (e.g. BMI), prior blood tests and other investigation results, and other recent medical history (e.g. smoking status).

Sources of the data

We collect your personal data for this purpose from:

  • COVID-19 Hospitalisation in England Surveillance System (CHESS) (Public Health England), Intensive Care National Audit and Research Centre (ICNARC) and other NHS intensive care or relevant datasets containing information about the healthcare of patients with COVID-19;
  • Primary care (GP) records processed by TPP and EMIS for GP practices that use their systems

Categories of recipients

NHS England has contracted with The Phoenix Partnership (Leeds) Ltd (TPP) and EMIS Group PLC to act as data processors to provide the OpenSAFELY platform and enable access to approved researchers.

The DataLab, University of Oxford, and the EHR research group, London School of Hygiene and Tropical Medicine (LSHTM), under contract with NHS England, specify and conduct analyses of the data held on the OpenSAFELY platform.

Organisations conducting approved projects have access to the de-identified (pseudonymised) data held on the OpenSAFELY platform.

Retention period

Your data will be stored for the following period. The pseudonymised data will be retained for the duration of the Covid-19 emergency; de-identified patient level summary data will be retained for 2 years for verification of analyses.

Legal basis for processing

For GDPR purposes NHS England’s basis for lawful processing is:

Article 6(1)(e) – ‘…exercise of official authority…’.
Article 6(1)(c) – ‘…compliance with a legal obligation…’.

For special categories (health) data the bases are:

Article 9(2)(h) – ‘…health or social care…’;
Article 9(2)(i) – ‘…public health…’;
Article 9(2)(j) – ‘…archiving…research…or statistical purposes…’.

Our basis to process confidential patient information, setting aside the duty of confidence, is regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI), which were made under section 251 of the NHS Act 2006.

Coronavirus (COVID-19): notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002

NHS England » OpenSAFELY – the Coronavirus (COVID-19) Research Platform

Expiry of this Notice

If no further notice is sent by the Secretary of State, this Notice will expire on 31 October 2022.