General Practice Transparency Notice for GPES Data for Pandemic Planning and Research (COVID-19)
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:
Privacy Notice - individual GP level data - NHS Digital
Introduction and overview
The Department of Health has directed NHS Digital to provide General Practitioners (GPs) and general practices with clinical information on the care provision for their patients. This supports an objective "to improve out-of-hospital care" as set out in the government's NHS mandate for 2017-18.
NHS Digital will collect clinical data for a given set of metrics at the individual GP level and then report this information back to GPs and general practices only.
Each metric will measure how GPs work with their patients, such as the percentage of patients who have received a flu jab during the winter flu season.
This Individual GP Level Data work will effectively be a feasibility study. It will be an assessment of practicality used to test the method of collecting data at the individual GP level and the method of reporting this information back to GPs and general practices in the form of a report.
There will be two data collections in total and GPs and general practices will receive two reports, one for each data collection.
Reporting this information to GPs and general practices is intended to support GPs and general practices in overseeing, reviewing and continuously improving the quality of care that GPs provide for their named patients.
As this work involves NHS Digital collecting personal data, fair processing principles apply. This is why NHS Digital has issued this Privacy Notice.
Purpose of this Privacy Notice
This Privacy Notice serves two purposes:
Firstly, it ensures that NHS Digital meets its legal duty in line with the Data Protection Act 1998.
NHS Digital, as Data Controller of the personal data that are collected, must issue a Privacy Notice to clearly set out how, and why it is using patients' personal data, as well as what personal data are being used.
Secondly, it supports general practices in meeting their legal duty in line with the Data Protection Act 1998.
General practices, as Data Controller of their patients' personal data before these data are collected, must provide adequate fair processing information to their patients regarding the purpose(s) for which, and the manner in which, their patients' personal data will be processed.
It is intended that general practices will be able to link to the information included in this Privacy Notice in performing their legal duty in providing adequate fair processing information to their patients.
Purpose(s) for which, and manner in which, these personal data are processed
The Health and Social Care Act 2012 gives NHS Digital statutory powers to require data from health or social care providers in England where NHS Digital has been directed to do so by the Department of Health (on behalf of the Secretary of State for Health) or NHS England.
The Department of Health has directed NHS Digital to perform this work. Therefore, the collection of these data is mandatory.
General practices must comply with this data collection and provide these data in the form, manner and period as specified in the Data Provision Notice issued by NHS Digital; this Data Provision Notice will be issued at least six weeks before the first data collection takes places.
NHS Digital as the Data Controller
NHS Digital becomes the Data Controller of the patients' personal data once these data have been collected as NHS Digital is the organisation that holds these personal data.
(Please note that these personal data are still held by the general practices as NHS Digital collecting these data involves an extract (a copy) of these data being provided to NHS Digital via the third party IT system suppliers. These data are not physically moved from general practices to NHS Digital and therefore general practices also remain as Data Controller of their patients' personal data.)
General practices as the Data Controller
General practices are the Data Controller of their patients' personal data that they hold as they have overall control of these data.
Most general practices will have data processing arrangements with third party IT system suppliers; however, general practices are Data Controller for the data they hold about their patients and it is the Data Controller that retains responsibility for compliance with the Data Protection Act 1998.
What are general practices required to do?
As Data Controller of their patients' personal data, general practices have a legal duty to provide patients with fair processing information. To meet their legal fair processing duty for this data collection, general practices are required to:
- inform their patients how their personal data will be used (including what type of data will be used) and for what purpose(s) their personal data will be used
- reassure their patients that their personal data will remain safe and confidential and will be used only for its intended purpose
- allow patients to opt-out of sharing their personal data should they choose to do so.
The information included in this Privacy Notice will allow general practices to meet their fair processing duties.
What personal data are being collected?
NHS Digital will collect data at the level of the individual patient (that is: record level data). This will involve a separate row of data being returned for each individual patient.
NHS Digital will collect personal data in the form of patients' NHS Numbers.
The NHS Number is a unique number used to identify patients and match them to their health records. It is an identifiable, personal data item.
No other personal data items, such as Name, Address, Postcode or Date of Birth, will be collected. Similarly, no sensitive data items, such as Ethnicity, Sexual Orientation or Physical or Mental Health Conditions, will be collected.
NHS Digital will also collect other data to facilitate this data collection. This will comprise the individual GP assigned to each patient and whether or not each patient meets the criteria for each of the given metrics. No other data will be collected.
How are these personal data being used?
The collection of patients' NHS Numbers is required for two reasons:
Firstly, to determine the link between individual GPs and the patients they are responsible for within their general practice. The purpose of this data collection is to provide GPs and general practices with clinical data at the level of the individual GP. NHS Digital and the third party IT system suppliers are currently unable to do this without collecting personal data in the form of NHS Numbers.
Secondly, to link the general practice data to hospital data for one of the metrics included in this data collection. This metric involves determining the number of patients who have had an emergency admission to hospital for one, or multiple, specific condition(s), broken down by each individual GP at a general practice.
Patients' NHS Numbers will only be used by NHS Digital for the two reasons stated above. No other organisation will have access to these personal data.
Following the collection of these data, NHS Digital will perform the necessary validation, linkage and analysis of these data. Once these steps are performed and the information is reported back to GPs and general practices, the personal data held by NHS Digital will be deleted.
What should individuals do if they wish to opt-out of this data collection?
Individuals who wish to opt-out of this data collection should contact their general practice in order to register a Type 1 opt-out. This is an objection that prevents an individual's personal confidential information from being shared outside of their general practice except when it is being used for the purposes of direct care, or in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
NHS Digital will uphold Type 1 opt-outs in collecting these data from general practices (that is: any patients who have registered a Type 1 opt-out prior to the point in time at which this data collection takes place will not be included in this data collection).
A Type 2 opt-out is an objection that prevents an individual's personal confidential information from being shared outside of NHS Digital, except when it is being used for the purposes of direct care. Type 2 opt-outs do not apply to this data collection as no personal data will leave NHS Digital. Instead, the information that is reported back to GPs and general practices will include percentages (and associated counts) of patients who fall into each of the metrics.
Further information is available on the keeping patient data safe page.
How will NHS Digital collect these data?
These data will be collected via NHS Digital's General Practice Extraction Service (GPES). This will involve an extract (a copy) of these data that are held by general practices being provided to NHS Digital via the third party IT system suppliers.
The third party IT system suppliers work as the Data Processors on behalf of the general practices and NHS Digital.
Data processing activities performed by NHS Digital
The process of NHS Digital collecting these data will involve one data file per general practice being sent to GPES. These data files will be checked as part of the data collection process and, once this checking is complete, they will be loaded into the Data Management Service (DMS), which is NHS Digital's single, standardised, secure method for capturing, storing, managing and distributing data. Data will not be held in GPES as this is only the mechanism for collecting these data; instead, these data will be held within DMS.
Further data checks, including checking whether or not patients' NHS Numbers are valid, will be performed within DMS. A report will be produced on any data checking failures and this information will be included in the information that is reported back to GPs and general practices. All invalid data will be removed from the data set before any data linkage and analysis takes place.
One of the metrics included in this data collection involves linking these data that are collected from general practices to hospital data (that is: Hospital Episode Statistics Admitted Patient Care data), which are already held by NHS Digital. These hospital data will only include patients who were admitted to hospital as an emergency and who had a primary diagnosis of one, or more, of the conditions covered by this metric.
The data linkage between these general practice data and these hospital data will be performed using the NHS Number data item only. There must be an exact match on the patient's NHS Number in the general practice data and the patient's NHS Number in the hospital data. This data linkage will follow the NHS Digital standard approach for data linkage.
Following the data linkage for the one metric that involves data linkage, all of the data will then be analysed appropriately. This will involve transforming the record level data into aggregate level data (that is: counts of patients) so as to determine the numbers of patients who fall into the numerators and denominators for each of the given metrics. Dividing each numerator count by its equivalent denominator count will give the percentage of patients for each given metric.
These analysed data will then be used to populate automated reports. There will be one report produced for each general practice; this will include the metrics for all of the GPs who are registered at that general practice. Each report will only include data concerning the patients registered at that general practice, along with comparative Clinical Commissioning Group (CCG) level and national level information. Data concerning patients registered at other general practices will not be included in these reports except in the form of this comparative information.
How will NHS Digital ensure that patients' data are kept safe and confidential?
NHS Digital is the trusted national provider of high-quality information, data and IT systems for health and social care. Information is the core business of NHS Digital and it is NHS Digital's duty to keep information safe.
NHS Digital will hold these data as an information asset within DMS. As with all other information assets created and held by NHS Digital, the information asset for this data collection will be assigned an Information Asset Owner (IAO). An IAO is a senior member of NHS Digital staff who is responsible for the management of the information asset created and utilised by their team. The IAO role is mandatory across all government departments.
The information asset for this data collection will be managed by the DMS team. Access to this information asset will be provided on a restricted basis and only the appropriate NHS Digital staff members (that is: information analysts working within the IAO's team) will be given access to these data. Each NHS Digital staff member who does access these data must agree to only using these data for their intended purpose by signing a clear data access request form. This form will require the approval of the IAO before the appropriate NHS Digital staff member can be granted access to these data. This restricted access will be audited on a monthly basis so as to ensure only the necessary NHS Digital staff members have access to these data.
All patient data regarding this data collection will be kept safe and confidential at all times.
How long will patients' personal data be held by NHS Digital?
In line with the Data Protection Act 1998, NHS Digital will hold patients' personal data for no longer than is necessary to fulfil the purposes of this work. Once the information has been reported back to GPs and general practices, NHS Digital will permanently delete all personal data that were collected as part of this work.
When will these data be collected?
Details of when these data will be collected will be listed in the Data Provision Notice issued by NHS Digital. This document will be issued on the NHS Digital Data Provision Notices web page.
What information will be reported back to GPs and general practices?
This work will involve NHS Digital collecting patients' personal data (in the form of patients' NHS Numbers), yet the information that is reported back to GPs and general practices will not include any personal data.
The information that is reported back to GPs and general practices will be in the form of a report. This will include the metrics for all of the GPs who are registered at a general practice. The information that is included in this report will be percentages (and associated counts) of patients who meet the specific criteria for each of the given metrics (that is: aggregate level data). This information will not include patients' NHS Numbers.
GPs and general practices will receive information that concerns their own patients within each general practice; they will not receive information that concerns patients from other general practices except in the form of comparative CCG level and national level information. The information that is reported back to GPs and general practices will not be published or shared with any other organisation.
Last edited: on NHS DIGITAL WEBSITE :10 September 2018 2:33 pm