Purposes for processing

OpenSAFELY is a secure, transparent, open-source software platform for analysis of electronic health data. The system provides access to de-identified (pseudonymised) personal data to support approved projects.

The purposes for processing are to identify medical conditions and medications that affect the risk or impact of Covid-19 infection on individuals; this will assist with identifying risk factors associated with poor patient outcomes as well as information to monitor and predict demand on health services.

Categories of personal data

The information we will process for these purposes includes:

• Demographic information (age, sex, area of residence, ethnicity);
• Clinical information pertaining to coronavirus-related care and outcomes;
• Clinical information pertaining to wider health conditions, medications, allergies, physiological parameters (e.g. BMI), prior blood tests and other investigation results, and other recent medical history (g. smoking status).

Sources of the data

We collect your personal data for this purpose from:

• COVID-19 Hospitalisation in England Surveillance System (CHESS) (Public Health England), Intensive Care National Audit and Research Centre (ICNARC) and other NHS intensive care or relevant datasets containing information about the healthcare of patients with COVID-19;
• Primary care (GP) records processed by TPP and EMIS for GP practices that use their systems.

Categories of recipients

NHS England has contracted with The Phoenix Partnership (Leeds) Ltd (TPP) and EMIS Group PLC to act as data processors to provide the OpenSAFELY platform and enable access to approved researchers.

The DataLab, University of Oxford, and the EHR research group, London School of Hygiene and Tropical Medicine (LSHTM), under contract with NHS England, specify and conduct analyses of the data held on the OpenSAFELY platform.

Organisations conducting approved projects have access to the de-identified (pseudonymised) data held on the OpenSAFELY platform.

Retention period

Your data will be stored for the following period. The pseudonymised data will be retained for the duration of the Covid-19 emergency; de-identified patient level summary data will be retained for 2 years for verification of analyses.

Legal basis for processing

For GDPR purposes NHS England’s basis for lawful processing is Article 6(1)(e) – ‘…exercise of official authority…’.

Article 6(1)(c) – ‘…compliance with a legal obligation…’.

For special categories (health) data the bases are

Article 9(2)(h) – ‘…health or social care…’;

Article 9(2)(i) – ‘…public health…’;

Article 9(2)(j) – ‘…archiving…research…or statistical purposes…’.

Our basis to process confidential patient information, setting aside the duty of confidence, is regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI), which were made under section 251 of the NHS Act 2006.