OpenSAFELY

OpenSAFELY COVID-19 and Data Analytics Services

Purpose:

NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.

Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.

Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.

Legal Basis:

  • UK GDPR – Article 6 basis: UK GDPR Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject (the Directions).
  • UK GDPR Article 9 basis: UK GDPR Article 9(2)(g) - processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject, by virtue of compliance with a direction, supplemented by:
  • Data Protection Act 2018 basis: Data Protection Act 2018 (DPA 2018) Schedule 1, Part 2, paragraph 6: Statutory etc and government purposes.

Patients who do not wish their data to be used as part of this process can register a Type 1 opt out with their GP.

You can find additional information about OpenSAFELY here.

Processor:

NHS England 

The Phoenix Partnership (TPP)

Page last reviewed: 20 August 2025
Page created: 20 August 2025