Purposes for processing
NHS England is working with NHSX to provide a national response to the COVID-19 pandemic. Data is providing us with evidence to help keep the public safe and provide the best possible response to the virus. We are working with multiple companies under strict contractual controls to support our approach.
To support this, we have established an NHS COVID-19 Data Store. This will ensure that data can be used by the NHS and government to look at trends to monitor the spread of the virus and implement appropriate measures to ensure services and support are available to patients. For example, the data can be used to look at bed capacity in hospitals or the number of ventilators available in a particular area.
The Secretary of State for Health and Social Care has issued NHS England and NHS Improvement a notice under the Control of Patient Information (COPI) Regulations 2015 section 3(4) which requires the collection and dissemination of confidential data to support the response to COVID-19.
What data is included?
Data required to support the response to COVID-19 is obtained under the COPI notice from different sources.
We are working with our partners to ensure that the data in the store is comprehensive. Both NHS Digital and Public Health England (PHE) are providing data to the store. The datasets provided by NHS Digital are pseudonymised prior to going into the NHS Data Store to ensure that individual patients are not identifiable.
The following datasets are received in identifiable form directly from PHE and the Intensive Care National Audit and Research Centre:
- NHS England receives identifiable data from Public Health England. This includes Lab test data
- Data from the COVID-19 Hospitalisation in England Surveillance System (CHESS) database.
- Intensive Care National Audit and Research Centre (ICNARC) – Care provided to COVID-19 patients and discharge data
This data is validated by NHS England and pseudonymised before it is uploaded to the NHS COVID-19 Data Store. All data processed in the NHS Data Store is either pseudonymised, anonymised or aggregated and therefore does not identify any individual.
The sources of aggregate data or data which is already published as per DPIA (Data Protection Impact Assessment) include:
- Record level Secondary Uses Service (SUS) data extracts including aggregated data from emergency care, inpatient and outpatient activity data sets.
- SITREP (Daily Trust Situation Report Data) data collected within the NHS Improvement Strategic Information Platform to support the COVID-19 response.
- Patient Level Information and Costing Systems (PLICS) data mart
- Costing data mart
- UK Health Facts and UK Health Dimension Data published data and used to understand data quality
- North of England Commissioning Support (NECS) – Community and Bed Utilisation data mart
- Emergency care, Outpatient, Inpatient, A&E record level activity data marts
- Daily COVID-19 SITREP v1
- COVID-19 SITREP v2
- A&E SITREP
- Ambulance SITREP
- Record level and aggregated 111 data
- 111 online screening data
- 111 telephony data
- Reference data sourced from UK Health Dimensions, UK Health Facts, Organisational Hierarchy file
- Master Patient Index (MPI) with frailty flag data mart
- Spec Comm (Specialised Commissioning) data mart
- PHE diagnostic COVID-19 Testing data mart
- ESR workforce data mart
- Care home bed availability (partial coverage) data mart
- East Midlands home ventilation data mart
- Mental health activity data mart
- 111 data sourced from NCDR (National Commissioning Data Repository)
- COVID-19 Hospitalisation in England Surveillance System (CHESS) data mart
- Ventilator Orders data mart
- Oxygen gas supply and capacity data mart
- Deprivation data (from year 2019)
- Births by Clinical Commissioning Group (CCG) data mart
- Live bed capacity utilisation data
- Primary care data
- Ambulance capacity data mart
- International data daily dump of cases (infected, recovered, fatalities)
- Supply chain data mart
- Self-isolating information data mart
- Other workforce data mart
Categories of personal data
The NHS COVID-19 Data Store holds personal data representing aspects of individual patients’ access to health services including diagnosis, treatment and patient management information. The personal data held in the NHS COVID-19 Data Store is pseudonymised in line with Information Commissioner’s Office (ICO) guidance and best practice and does not identify individual patients.
Organisations and their roles
NHSX is responsible for driving forward the digital transformation of health and social care. Under the banner of NHSX, The NHS Commissioning Board (NHS England), The National Health Service Trust Development Authority (TDA) and Monitor (NHS Improvement) and the Department for Health and Social Care are the legal organisations working together to ensure data can be collected and processed safely and securely. NHS England is the Data Controller for the data held in the data store and there is an agreement in place which sets out the roles and responsibilities of each organisation when we are working jointly.
Other organisations which are supporting the work on the NHS COVID-19 Data Store either have a commercial contract (which covers supporting the technology element of the store); a data processing contract; or an honorary contract where direct access to data is required to support NHS requirements.
The NHS COVID-19 Data Store sits on a Microsoft Azure platform under contract with NHS England and NHS Improvement. Within that secure cloud processing environment, Palantir (acting under instruction from NHS England) manage their platform which is called Foundry.
Palantir have built analytical dashboards for access by NHS England and Improvement staff, together with staff in the following organisations working under contract: Faculty AI, McKinsey and Deloittes. Data which is pseudonymised is only available to staff working under contract with the organisations operating jointly under the NHSX banner.
The table below sets out each organisation and their role and contract types with level of access to data:
| Organisation | Role | Contract Type | Level of Access |
| --- | --- | --- | --- |
| Faculty Ltd | Support and help improve the NHSX Innovative Data Analytics capacity and capability | G-Cloud Call off Contract with DHSC and Honorary contracts with NHSE/I | Pseudonymised/Aggregate/Anonymous |
| McKinsey | Support and help improve the Innovative Data Analytics capacity and capability | Contract with DHSC and Honorary contracts with NHSE/I | Pseudonymised/Aggregate/Anonymous |
| Deloittes | Support and help improve the Innovative Data Analytics capacity and capability | Contract with DHSC and Honorary contracts with NHSE/I | Pseudonymised/Aggregate/Anonymous |
| ANS Group | Support and platform build only | Contract with NHSE through SBS cloud solution framework | Pseudonymised/Aggregate/Anonymous |
| Palantir/using their Foundry platform | Set up platform for NHS COVID 19 Data Store | G-Cloud Call off data processing contract with NHSE | Pseudonymised/Aggregate/Anonymous |
Who will access the data?
The secure NHS COVID-19 Data Store brings together and protects accurate, real-time information to inform strategic and operational decisions in response to the current pandemic in one place. A number of different dashboards will be used by different organisations to support the response as shown below:
- a public Information Dashboard, showing statistics on cases of coronavirus and deaths associated with coronavirus in the UK, updated daily
- a Strategic Decision Makers Dashboard, providing a national summary of situation report (SitRep) information, alongside modelling, simulations and analysis. These dashboards are designed to help senior national and regional officials to make policy and strategic decisions in response to COVID-19. Only Government and senior regional analysts and managers are given access to this dashboard.
- an NHS Operational Dashboard, providing local NHS and local government organisations with a clear picture of what is happening both across the country and specifically in their area so that they can take the right local action.
There is a single Front Door process which manages applications from organisations relating to the NHS COVID-19 Data Store (e.g. to request access or add data). This process ensures that the appropriate governance is in place. Further information can be found on the data and information page.
Legal basis for processing
For GDPR purposes NHS England’s basis for lawful processing is Article 6(1)(e) – ‘…exercise of official authority…’.
For special categories (health) data the bases are:
Article 9(2)(h) – ‘…health or social care…’;
Article 9(2)(i) – ‘…public health…’;
Article 9(2)(j) – ‘…archiving…research…or statistical purposes…’.
Our basis to process confidential patient information, setting aside the duty of confidence, is regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI), which were made under section 251 of the NHS Act 2006.