Purposes for processing
NHS England is working with NHSX to provide a national response to the COVID-19 pandemic. Data is providing us with evidence to help keep the public safe and provide the best possible response to the virus. We are working with multiple companies under strict contractual controls to support our approach.
To support this, we have established an NHS COVID-19 Data Store. This will ensure that data can be used by the NHS and government to look at trends
to monitor the spread of the virus and implement appropriate measures to ensure services and support is available to patients. For example, the data can be used to look at bed capacity in hospitals or the number of ventilators available in a particular area.
The Secretary of State for Health and Social Care has issued NHS England and NHS Improvement a notice under the Control of Patient Information (COPI) Regulations 2015 section 3(4) which requires the collection and dissemination of confidential patient information to support the response to COVID-19.
What data is included?
The data required to support the response to COVID-19 is obtained from a number of sources. The datasets are listed in the COVID-19 Datastore Reference Library.
We are working with our partners to ensure that the data in the store is comprehensive. Both NHS Digital and The UK Health Security Agency (UKHSA) are providing data to the store. The datasets provided by NHS Digital are pseudonymised prior to going into the NHS Data Store to ensure that individual patients are not identifiable.
The following datasets are received in identifiable form directly from UKHSA and the Intensive Care National Audit and Research Centre:
- NHS England receives identifiable data from UKHSA. This includes Lab test data
- Data from the COVID-19 Hospitalisation in England Surveillance System (CHESS) database.
- Intensive Care National Audit and Research Centre (ICNARC) – Care provided to COVID-19 patients and discharge data
This data is validated by NHS England and pseudonymised before it is uploaded to the NHS COVID-19 Data Store. All data processed in the NHS COVID-19 Data Store is either pseudonymised, anonymised or aggregated and therefore does not identify any individual.
Categories of personal data
The NHS COVID-19 Data Store holds personal data representing aspects of individual patient’s access to health services including diagnosis, treatment and patient management information. The personal data held in the NHS COVID-19 Data Store is pseudonymised in line with Information Commissioner’s Office (ICO) guidance and best practice and does not identify individual patients.
Organisations and their roles
NHSX is responsible for driving forward the digital transformation of health and social care. Under the banner of NHSX, The NHS Commissioning Board (NHS England), The National Health Service Trust Development Authority (TDA) and Monitor (NHS Improvement) and the Department for Health and Social Care are the legal organisations working together to ensure data can be collected and processed safely and securely. NHS England is the Data Controller for the data held in the data store and there is an agreement in place which sets out the roles and responsibilities of each organisation when we are working jointly.
Other organisations which are supporting the work on the NHS COVID-19 Data Store either have a commercial contract (which covers supporting the technology element of the store); a data processing contract; or an honorary contract where direct access to data is required to support NHS requirements.
The NHS COVID-19 Data Store sits on a Microsoft Azure platform under contract with NHS England and NHS Improvement. Within that secure cloud processing environment, Palantir (acting under instruction from NHS England) manage their platform which is called Foundry.
Palantir, have built analytical dashboards for access by NHS England and Improvement staff, together with staff in the following organisations working under contract: Faculty AI, McKinsey and Deloittes. Data which is pseudonymised, is only available to staff working under contract with the organisations operating jointly under the NHSX banner.
The table below sets out each organisation and their role and contract types with level of access to data:
|Organisation||Role||Contract Type||Level of Access|
|Faculty Ltd||Support and help improve the NHSX Innovative Data Analytics capacity and capability||G-Cloud Call off Contract with DHSC and Honorary contracts with NHSE/I||Pseudonymised/Aggregate/Anonymous|
|McKinsey||Support and help improve the Innovative Data Analytics capacity and capability||Contract with DHSC and Honorary contracts with NHSE/I||Pseudonymised/Aggregate/Anonymous|
|Deloittes||Support and help improve the Innovative Data Analytics capacity and capability||Contract with DHSC and Honorary contracts with NHSE/I||Pseudonymised/Aggregate/Anonymous|
|ANS Group||Support and platform build only||Contract with NHSE through SBS cloud solution framework||Pseudonymised/Aggregate/Anonymous|
|Palantir/using their Foundry platform||Set up platform for NHS COVID 19 Data Store||G-Cloud Call off data processing contract with NHSE||Pseudonymised/Aggregate/Anonymous|
Who will access the data?
The secure NHS COVID-19 Data Store brings together and protects accurate, real-time information to inform strategic and operational decisions in response to the current pandemic in one place. A number of different dashboards will be used by different organisations to support the response as shown below:
- a public Information Dashboard, showing statistics on cases of coronavirus and deaths associated with coronavirus in the UK, updated daily
- a Strategic Decision Makers Dashboard, providing a national summary of situation report (SitRep) information, alongside modelling, simulations and analysis. These dashboards are designed to help senior national and regional officials to make policy and strategic decisions in response to Covid-19. Only Government and senior regional analysts and managers are given access to this dashboard.
- an NHS Operational Dashboard, providing local NHS and local government organisations with a clear picture of what is happening both across the country and specifically in their area so that they can take the right local action.
There is a single Front Door process which manages applications from organisations relating to the NHS COVID-19 Data Store (e.g to request access or add data). This process ensures that the appropriate governance is in place. Further information can be found on the data and information page.
Legal basis for processing
For GDPR purposes NHS England’s basis for lawful processing is Article 6(1)(e) – ‘…exercise of official authority…’.
Article 6(1)(c) – ‘…compliance with a legal obligation…’.
For special categories (health) data the bases are
Article 9(2)(h) – ‘…health or social care…’;
Article 9(2)(i) – ‘…public health…’;
Article 9(2)(j) – ‘…archiving…research…or statistical purposes…’.
Our basis to process confidential patient information, setting aside the duty of confidence, is regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI), which were made under section 251 of the NHS Act 2006.