Purposes for processing
NHS England is providing a national response to the COVID-19 pandemic. Data is providing us with evidence to help keep the public safe and provide the best possible response to the virus. We are working with multiple companies under strict contractual controls to support our approach.
To support this, we have established an NHS COVID-19 Data Store. This will ensure that data can be used by the NHS and government to look at trends
to monitor the spread of the virus and implement appropriate measures to ensure services and support is available to patients. For example, the data can be used to look at bed capacity in hospitals or the number of ventilators available in a particular area.
What data is included?
The data required to support the response to COVID-19 is obtained from a number of sources. The datasets are listed in the COVID-19 Datastore Reference Library.
We are working with our partners to ensure that the data in the store is comprehensive. Both NHS Digital and The UK Health Security Agency (UKHSA) are providing data to the store. The datasets provided by NHS Digital are pseudonymised prior to going into the NHS Data Store to ensure that individual patients are not identifiable.
The following datasets are received in identifiable form directly from UKHSA and the Intensive Care National Audit and Research Centre:
- NHS England receives identifiable data from UKHSA. This includes Lab test data
- Data from the COVID-19 Hospitalisation in England Surveillance System (CHESS) database.
- Intensive Care National Audit and Research Centre (ICNARC) – Care provided to COVID-19 patients and discharge data
This data is validated by NHS England and pseudonymised before it is uploaded to the NHS COVID-19 Data Store. All data processed in the NHS COVID-19 Data Store is either pseudonymised, anonymised or aggregated and therefore does not identify any individual.
Categories of personal data
The NHS COVID-19 Data Store holds personal data representing aspects of individual patient’s access to health services including diagnosis, treatment and patient management information. The personal data held in the NHS COVID-19 Data Store is pseudonymised in line with Information Commissioner’s Office (ICO) guidance and best practice and does not identify individual patients.
Organisations and their roles
NHS England and the Department for Health and Social Care (DHSC) are the legal organisations working together to ensure data can be collected and processed safely and securely. NHS England is the Data Controller for the data held in the data store and there is an agreement in place which sets out the roles and responsibilities of each organisation when we are working jointly.
Other organisations which are supporting the work on the NHS COVID-19 Data Store either have a commercial contract (which covers supporting the technology element of the store); a data processing contract; or an honorary contract where direct access to data is required to support NHS requirements.
The NHS COVID-19 Data Store sits on a Microsoft Azure platform under contract with NHS England. Within that secure cloud processing environment, Palantir (acting under instruction from NHS England) manage their platform which is called Foundry.
Palantir, have built analytical dashboards for access by NHS England staff, together with staff in the following organisations working under contract: Faculty AI, McKinsey and Deloittes. Data which is pseudonymised, is only available to staff working under contract with NHS England or DHSC.
The table below sets out each organisation and their role and contract types with level of access to data:
|Organisation||Role||Contract Type||Level of Access|
|Faculty Ltd||Support and help improve the NHSX Innovative Data Analytics capacity and capability||G-Cloud Call off Contract with DHSC and Honorary contracts with NHSE/I||Pseudonymised/Aggregate/Anonymous|
|McKinsey||Support and help improve the Innovative Data Analytics capacity and capability||Contract with DHSC and Honorary contracts with NHSE/I||Pseudonymised/Aggregate/Anonymous|
|Deloittes||Support and help improve the Innovative Data Analytics capacity and capability||Contract with DHSC and Honorary contracts with NHSE/I||Pseudonymised/Aggregate/Anonymous|
|ANS Group||Support and platform build only||Contract with NHSE through SBS cloud solution framework||Pseudonymised/Aggregate/Anonymous|
|Palantir/using their Foundry platform||Set up platform for NHS COVID 19 Data Store||G-Cloud Call off data processing contract with NHSE||Pseudonymised/Aggregate/Anonymous|
Who will access the data?
The secure NHS COVID-19 Data Store brings together and protects accurate, real-time information to inform strategic and operational decisions in response to the current pandemic in one place. A number of different dashboards will be used by different organisations to support the response as shown below:
- a public Information Dashboard, showing statistics on cases of coronavirus and deaths associated with coronavirus in the UK, updated daily
- a Strategic Decision Makers Dashboard, providing a national summary of situation report (SitRep) information, alongside modelling, simulations and analysis. These dashboards are designed to help senior national and regional officials to make policy and strategic decisions in response to Covid-19. Only Government and senior regional analysts and managers are given access to this dashboard.
- an NHS Operational Dashboard, providing local NHS and local government organisations with a clear picture of what is happening both across the country and specifically in their area so that they can take the right local action.
Legal basis for processing
For GDPR purposes NHS England’s basis for lawful processing is Article 6(1)(e) – ‘…exercise of official authority…’.
Article 6(1)(c) – ‘…compliance with a legal obligation…’.
For special categories (health) data the bases are
Article 9(2)(h) – ‘…health or social care…’;
Article 9(2)(i) – ‘…public health…’;
Article 9(2)(j) – ‘…archiving…research…or statistical purposes…’.
Our mandate to process confidential patient information, setting aside the duty of confidence, has been a notice from the Secretary of State for Health and Social Care under regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (“COPI notice”). This supplements our permissive powers under regulation 3(3) to process confidential patient information for purposes related to communicable disease and other risks to public health.
A similar notice to organisations providing health services, GP practices, Local Authorities and Arm’s Length Bodies of DHSC provided the basis for requiring the dissemination of confidential patient information to NHS England and NHS Improvement for Covid-19 purposes.
These notices expired on 30 June 2022.
From 1st July 2022 NHS England will continue to receive and process the confidential patient information that is necessary for Covid-19 purposes. Although no longer mandated, the dissemination of confidential patient information to NHS England by organisations that were previously required to do so by the their COPI notice remains lawful as they can apply their powers under regulation 3(3).