NHS Digital Data Release Register - reformatted

NHS England (Skipton House) projects

6 data files in total were disseminated unsafely (information about files used safely is missing for TRE/"system access" projects).

GDPPR COVID-19 – NHS England Application — DARS-NIC-384608-C9B4L

Type of data: Pseudonymised

Opt outs honoured: No - data flow is not identifiable, Anonymised - ICO Code Compliant (Does not include the flow of confidential data, Statutory exemption to flow confidential data without consent, Flow to de-identified environment - no analysis on confidential patient information)

Legal basis: CV19: Regulation 3 (4) of the Health Service (Control of Patient Information) Regulations 2002, Health and Social Care Act 2012 - s261 - 'Other dissemination of information', Health and Social Care Act 2012 - s261(5)(d), NHS England De-Identified Data Analytics and Publication Directions 2023

Purposes: No, (Agency/Public Body, internal NHS transfer)

Sensitive: Sensitive, and Non-Sensitive

When:DSA runs 2020-07-16 — 2021-03-31 2020.09 — 2021.05.

Access method: One-Off, Frequent Adhoc Flow


Sublicensing allowed: No


  1. GPES Data for Pandemic Planning and Research (COVID-19)
  2. Civil Registration - Deaths
  3. COVID-19 Second Generation Surveillance System
  4. Medicines dispensed in Primary Care (NHSBSA data)
  5. NHS Pathways Data Set
  6. Shielded Patient List
  7. SUS for Commissioners
  8. COVID-19 Ethnic Category Data Set
  9. Covid-19 UK Non-hospital Antigen Testing Results (pillar 2)
  10. Electronic Prescribing and Medicines Administration (EPMA) data in Secondary Care for COVID-19
  11. COVID-19 Hospitalization in England Surveillance System
  12. COVID-19 ICNARC Case Mix Programme for Adult Critical Care
  13. COVID-19 General Practice Extraction Service (GPES) Data for Pandemic Planning and Research (GDPPR)
  14. Civil Registrations of Death
  15. COVID-19 Second Generation Surveillance System (SGSS)
  16. COVID-19 Electronic Prescribing and Medicines Administration (ePMA) in Secondary Care
  17. COVID-19 UK Non-hospital Antigen Testing Results (Pillar 2)
  18. COVID-19 SGSS First Positives (Second Generation Surveillance System)


NHS England, also known as the ‘National Commissioning Board’ leads the National Health Service (NHS) in England. NHS England are responsible for the budget, planning, delivery and day-to-day operation of the commissioning side of the NHS in England as set out in the Health and Social Care Act 2012.

NHS England has responsibility for a wide range of purposes and hold Statutory Duties, including commissioning specialised services, paying for primary care, public health services, offender healthcare and specific services for the armed forces. NHS England is also legally required to undertake a range of non-commissioning functions, including oversight of Clinical Commissioning Group (CCG) and new care models assurance, reviewing major service changes, development of policy and financial allocations.

NHS England’s statutory duties are set out in the NHS Act 2006 and by the Health and Social Care Act 2012 amendments. To enable NHS England to assess the value, quality and effectiveness of the services it commissions, the Health and Social Care Act 2012 (Section 254) empowers NHS England to direct NHS Digital to collect the data it requires. NHS Digital are required to process confidential patient-level data, transform it into an agreed anonymised format which NHS England can legally receive and safely use without impacting the privacy of service users.

The legal bases underpinning some of NHS England’s statutory commissioning and population health management duties are set out below:

Legal Basis
Ref Statute
A1 DUTY: Eliminate discrimination, harassment and victimisation and advance equality of opportunity
A2 DUTY: Have regard to impact on services in certain areas
A3 DUTY: Payment of sums
A4 DUTY: Performance of functions outside England
A5 DUTY: Prevent people from being drawn into terrorism
A6 DUTY: Process data for the prevention or detection of crime
A7 DUTY: Provide integrated services to improve outcomes and reduce inequalities
A8 DUTY: Safeguard and promote the welfare of children
A9 DUTY: Securing continuous improvement in quality of services provided to individuals
A10 DUTY: To arrange the provision of health services in England
A11 DUTY: To collect and analyse information relating to safety of services
A12 DUTY: To commission secondary dental, armed forces and health and justice health services
A13 DUTY: To consider the economic, social and environmental benefits to be achieved through commissioning
A14 DUTY: To ensure health services are provided in an integrated way
A15 DUTY: To exercise functions relating to primary dental services
A16 DUTY: To exercise relevant public health functions
A17 DUTY: To improve quality of services
A18 DUTY: To monitor and improve the quality of care
A19 DUTY: To pay CCGs to meet their expenditure
A20 DUTY: To promote a comprehensive health service
A21 DUTY: To provide certain specified services
A22 DUTY: To provide high secure psychiatric services
A23 DUTY: To provide pharmaceutical services
A24 DUTY: To provide primary medical services
A25 DUTY: To provide primary ophthalmic services
A26 DUTY: To provide secondary community ambulance mental health services or facilities
A27 DUTY: To put and keep in place arrangements to monitor and improve the quality of health care
A28 DUTY: To secure continuous improvement in the quality of services
A29 DUTY: Understand impact of commissioning decisions on provision of services to Welsh and Scottish residents
A30 POWER: Produce documents to support counter fraud and security management functions
A31 POWER: Reimbursement for pharmaceutical remuneration
A32 POWER: To assist SoS in providing health services and exercising public health functions
A33 POWER: To commission certain health services as requested by SoS
A34 POWER: To conduct research
A35 POWER: To make payments to CCGs in respect of quality of services
A36 POWER: To pay for community services
A37 POWER: To scrutinise or review areas of the health service with local authorities
A38 REGULATION: To ensure buying decisions are fair and improve quality and efficiency of healthcare services
A39 REGULATION: To enter into prescribed arrangements between NHSE, CCGs, providers and local authorities
A40 SECONDARY LEGISLATION: Carry out financial duties
A41 SECONDARY LEGISLATION: To provide community dental, health and justice, armed forces and specialised services

In order for NHS England to discharge its statutory duties, all elements of the contracting cycle, from assessing population health needs, through service planning and contract management, to service evaluation and redesign, requires access to high quality data within the appropriate legal framework. As part of its duties, NHS England also has responsibilities to respond to major incidents.

In general data access is required for the purposes of commissioning and underpinning system activities within the NHS England demographic area, including reducing health inequalities, identifying and managing preventable and existing conditions, managing demand, monitoring pathway compliance, comparison to peers, monitoring outcomes, understanding how services impact across the health economy and designing the future healthcare system.

With the pandemic of COVID-19, which began in the United Kingdom back in January 2020, NHSX, NHS England and NHS Improvement have been tasked with leading the national data response to COVID-19. This required a Data Store (specific for COVID-19 data) to be created that ensures data can be used effectively to support the national response to protecting citizens against the COVID-19 virus. This response also includes the recovery and restoration of health services as the need for COVID-19 specific services reduce.

The NHS COVID-19 Data Store has been established under the provisions of the COPI (Control of Patient Information) notices issued by the Secretary of State for Health and Social Care using powers available to him under regulation 3 of the Health Service (Control of Patient Information) Regulations 2002, and is designed to support a range of activities, including:

● Understanding COVID-19 and impact to provision of NHS services and patient outcomes;
● Identifying and understanding information about patients or potential patients with or at risk of COVID-19;
● Delivering services to patients, clinicians, the health services;
● Planning in relation to COVID-19.

These powers give NHS England, an organisation which falls under regulation 3(3) of the COPI regulations, powers delegated by the Secretary of State to require the disclosure of confidential patient information.

The COVID-19 Data Store is a strictly controlled central point that brings together all data necessary to provide NHS England and NHS improvement analysts only, with the most comprehensive datasets related to COVID-19. There is however a requirement to ensure that all necessary data sets, required to support the national response are acquired, as this will provide a full picture of how the pandemic is impacting all areas of the National Health Service. One area of the service NHS England does not currently have data for, is Primary Care – specifically the GPES (General Practice Extraction Service) Data for Pandemic Planning and Research (GDPPR) data.

Data stored within the data store, including GDPPR, all share a common pseudo key. This means that GDPPR is linkable, however it must only be linked for purposes listed under this DSA.

The Data Protection Impact Assessment (DPIA) and Privacy Notice for the use of NHS COVID-19 data can be found at https://www.england.nhs.uk/ourwork/tsd/data-info/

NHS England requires pseudonymised GDPPR data under Regulation 3 the Control of Patient Information Regulations 2002 (COPI) Notice which was issued by the Secretary of State for Health in March 2020. The GDPPR data will be used to provide intelligence to support NHS England in their response to the COVID-19 pandemic as set out in the COPI notice and shown below:

NHS England and NHS Improvement is required to process confidential patient information in the manner set out below for purposes set out in Regulation 3(1) of COPI (insofar as those purposes relate to the current outbreak of COVID-19).

NHS England and NHS Improvement (under the legal entities of Monitor and NHS Trust Development Authority (TRA)) are joint data controllers in this agreement.

The data will be analysed so that health care provision can be planned to support the needs of the population for the COVID-19 purposes and to better understand and plan the impacts on NHS Services and patient outcomes.

Such uses cases of the data include but are not limited to:
• To help plan, monitor and manage the national response to the COVID-19 pandemic, which will help save lives.
• NHS England will be monitoring and managing jointly with PHE;
(i) outbreaks of communicable disease to anticipate downstream impacts to NHS services and patient outcomes;
(ii) incidents of exposure to communicable disease;
(iii) the delivery, efficacy and safety of immunisation programmes;
(iv) adverse reactions to vaccines and medicines;
(v) risks of infection acquired from food or the environment (including water supplies);
(vi) the giving of information to persons about the diagnosis of communicable disease and risks of acquiring such disease.
• Provide comprehensive national pictures of COVID-19 care and outcomes in England (at National, Regional and Sub regional levels) which included understanding COVID-19 and risks to public health, trends in COVID-19 and risks, and controlling and preventing the spread of COVID-19 and its impact on NHS Services and patient outcomes.
• Understand the scope and scale of variation of COVID-19 identification, diagnoses, hospitalisation, treatments, deaths across the national, regional and sub-regional areas.
• Identifying and understanding information about patients or potential patients with or at risk of COVID-19 (for example Obese or Diabetic patients).
• Delivering through NHS services including primary care to patients, the provision of information, fit notes, immunisations, and vaccinations (including school vaccinations).
• Understand both the effectiveness of the NHS 111 First Programme in reducing the risk of nosocomial transmission of COVID-19 in Emergency Departments (EDs) and the potential impact the programme may have on the wider UEC (Urgent and Emergency Care) system and primary care.
• Understanding impacts of patient access to health services for example reviewing the referrals rates to Cancer services a direct or indirect result of COVID-19 and the availability and capacity of those services or that care.
• Review and plan restoration of Health care services and providing funding where necessary to bring services back online, where COVID-19 has had an impact.

Research Ethics Committee (REC) approval is not appropriate under these conditions, as the data will be used to support analysis for policy, guidance and operational management of the NHS.

Poor management and control of COVID-19 will be associated with higher risk of hospitalisations (therefore increased demand and reduced capacity within hospitals) as well as death and long-term health complications of patients. Those who are from a minority ethnic background as well as those patients that have underlying health conditions are more vulnerable to adverse health outcomes from COVID-19.

To support these patients, NHS England will be looking to perform a system level risk stratification. This means NHS England will need to know the overall population and be able to understand the cohorts of patients that are more susceptible to COVID-19. This will be done nationally using Population Segmentation – identifying groups of patients based on diagnoses, ethnicity etc, where there is no requirement to re-identify patients. It is therefore not the same as ‘patient level risk stratification’ as known to be done within GP Practices, where re-identification of patients is needed for the provision of direct care.

Looking at the Primary care system as a whole, the 111 First programme is anticipating an increase in the use of NHS 111 so it is important to understand how any increase in 111 demand impacts on demand for primary care services and the wider urgent and emergency care (UEC) system.

Below is a specific example of how the data will be used and linked. There are other use case examples in a separate document provided alongside this application. These are:
• Use Case 01 – 111 First Programme Evaluation
• Use Case 02 – Public health screening
• Use Case 03 – Flu Vaccination Programme
• Use Case 04 – Mortality increased risk in patients that are overweight
• Use Case 05 – Vaccinations & Immunisations
• Use Case 06 – Restoration of Health Care Services

Data will only be linked with other COVID-19 data where the analysis required has gone through an approval process. This ensures that it is clearly in line with the purposes of NHS England and the COPI Notice.

Access to both GPES and 111 Pathways data, will allow robust analysis to be conducted to inform decision making and development of improved models of care in the UEC system and mitigate the risk of other parts of the health services becoming overburdened with additional demand. It would not be statistically valid to undertake the analysis only using an extract of the GPES data for the cohort who presented at 111, as this would not provide a robust comparison with baseline activities.

The GDPPR data will be used for specific bespoke use cases such as the one illustrated above, it would not be feasible to utilise the Trusted Research Environment (TRE), and therefore a direct feed from NHS Digital to NHS England is required, in order for the Organisation to perform the additional duties in supporting with the COVID-19 efforts.

Under GDPR, NHS England can rely on Article 6(1)(c) – Legal Obligation to receive and process the Disseminated data from NHS Digital for the Agreed Purposes under the Recipient COPI Notice. As this is health information and therefore special category personal data the Recipients can also rely on Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine and 9(2)(i) – processing is necessary for reasons of public interest in the area of public health.

With regard to the application of the Type 1 and national data opt outs to data processed under the COPI notice, our view is that as the COPI notice places a legal requirement on organisations to process Confidential Patient Information (CPI), opt outs will not apply to any data accessed by virtue of the notice. In any case, as set out in NHS Digital’s National Data Opt-Out operational policy guidance CPI processed under regulation 3 of the COPI regulations is not subject to the national data opt- out.

The data received by the Joint Data Controllers is pseudonymised data which is processed under strict controls and therefore meets the ICO Anonymisation Code of Practice.

Expected Benefits:

• Reduce deaths associated with COVID-19
• Support primary care to increase capacity and to meet heightened demand as a result of a left shift based on 111 first
• Reallocation of resources and correctly allocate resources in line with demand
• Bring in additional workforce support
• Assists commissioners in making decisions to better support patients
• Identifying COVID-19 trends and risks to public health
• Increase resilience in supply chain for PPE based on localised demand from primary care
• Enables NHS England to provide guidance and develop policies to respond to the outbreak
• Controlling and helping to prevent the spread of the virus
• NHS England can share a common understanding of activity levels across the system in regard to COVID-19.
• Better activity data will also enable a more robust national planning process and improve the allocation of resources across the system. This will support the response to the pandemic but also the recovery of services.


Any outputs to 3rd parties not included as a Data Controller/Processor in this application/agreement must be aggregated
(with small number suppression applied in line with NHS Digital requirements).

Within 1 week of NHS England receiving the data from NHS Digital, it will be able to use the dataset to provide analysis that starts to respond to the following:

• Support the NHS response to COVID-19
• Analyse the spread of COVID-19 diagnoses geographically and demographically, to identify any trends. Appointment activity will also be analysed to better understand use of non-face to face consultation trends and potential differences across geographical areas.
• Operational planning to predict likely demand on primary, community and acute service for vulnerable patients.
• Analysis of resource allocation.
• Diagnosing and monitoring the effects of COVID-19 at a National, Regional and sub regional level.
• Ensuring NHS England has adequate data to inform that interventions and measures put in place to reduce the transmission of COVID-19 are being effective and impactful.
• Analyse factors that result in increased service utilisation for COVID-19 patients.
• Start building modelling and forecasting tools for COVID-19 from Primary care perspective. Learning from and predicting likely patient pathways in order to influence early interventions and other alternatives for patients.


Data will only be used for the purposes stipulated within this Data Sharing Agreement. Any additional disclosure / publication will require further approval from NHS Digital.

The bespoke Use cases as highlighted in Section 5a, it would not be feasible to utilise the Trusted Research Environment (TRE), and therefore a direct feed from NHS Digital to NHS England is required.

Data Processors must only act upon specific instructions from the Joint Data Controllers.

The COVID Data Store consists of different areas for processing, and one of those is the Palantir Foundry platform. The GDPPR data will not be processed by Palantir or ingested into the Foundry platform. Palantir Foundry Platform are not involved with the dataset, storage or other form of processing under this application

Under the terms of the DSA, this data can only be accessed by NHSE and NHSI employees and can not be onwardly shared (which for the avoidance of doubt, includes extracts and/or access to online systems within or outside of NHSE and NHSI).

All access to data is managed under Role-Based Access Controls. Users can only access data authorised by their role and the tasks that they are required to undertake.

Patient level data will not be linked other than as specifically detailed within this Data Sharing Agreement.

NHS Digital reminds all organisations party to this agreement of the need to comply with the Data Sharing Framework Contract requirements, including those regarding the use (and purposes of that use) by “Personnel” (as defined within the Data Sharing Framework Contract i.e.: employees, agents and contractors of the Data Recipient who may have access to that data).

The Joint Data Controllers will keep their cut of the electronic Disseminated data in an encrypted form and take all required security measures to protect the Disseminated data and they will not generate copies of their cuts of the Disseminated data unless this is strictly necessary. Where this is necessary, the Joint Data Controllers will keep a log of all copies of the Disseminated data and who is controlling them and ensure these are updated and destroyed securely.

The GDPPR data will only be processed by the Joint Data Controllers teams under strict access controls. It will not be disseminated outside of the Joint Data Controller's boundaries and will only be linked with other COVID-19 data where the analysis required has gone through an approval process which demonstrates that it is clearly in line with the purposes outlined in section 5a.

There will be no Sub-licencing and the GDPPR data will not be shared outside of NHS England.

Where the Data Processor and/or the Joint Data Controllers hold both identifiable and pseudonymised data, the GDPPR data will be held separately so data cannot be linked without appropriate authorisation with pre-approved justification.

all processing and use of data provided under this DSA (including derivatives of the data) is auditable by NHS Digital in accordance with the Data Sharing Framework Contract and NHS Digital terms.

Under the Local Audit and Accountability Act 2014, section 35, Secretary of State has power to audit all data that has flowed, including under COPI.

Microsoft Limited provide IT infrastructure and are therefore listed as data processors. They supply support to the system, but do not access data. Therefore, any access to the data held under this agreement would be considered a breach of the agreement. This includes granting of access to the database[s] containing the data.

The Data Services for Commissioners Regional Office (DSCRO) obtains the following data sets:
- GDPPR Data
Pseudonymisation is completed within the DSCRO (GEM DSCRO / NW DSCRO) and is then disseminated as follows:
1. Pseudonymised GDPPR data is securely transferred from the DSCRO to the Joint Data Controllers / Processor
2. Allowed linkage is between the data sets contained within point 1.
3. Aggregation of required data will be completed by the Joint Data Controllers (or the Processor as instructed by NHS England).

Any further reports sent beyond the joint data controllers and processors as stipulated in this agreement will contain aggregate data only, and will be subject to the disclosure controls of the relevant datasets as NHS Digital and ONS guidance: https://www.ons.gov.uk/methodology/methodologytopicsandstatisticalconcepts/disclosurecontrol/healthstatistics

Analysis within the Joint Data Controllers:
The Joint Data Controllers may at any time require any of its Commissioning Support Units (CSUs) to undertake activities on its behalf for specific project(s) under a Service Level Agreement. All NHS CSUs are therefore listed below and operate as NHS England teams rather than separate legal data processors. This does not mean that all of NHS England CSU’s will access GDPPR data. This DSA will be updated to add further datasets already provided by NHS Digital and therefore including all NHS England processing teams ensures transparency:

• Arden and Greater East Midlands Commissioning Support Unit (AGEM CSU)
• NHS North of England Commissioning Support Unit (NECS)
• NHS North & East London Commissioning Support Unit (NEL CSU)
• NHS South, Central & West Commissioning Support Unit (SCW CSU)
• NHS Midlands and Lancashire Commissioning Support Unit

When the NHS England CSU teams are undertaking analysis they are prohibited from sharing anything other than anonymous data with any third parties. In this instance, “anonymous data” means data that is aggregated (with small numbers suppressed in line with NHS Digital guidance).

Processing activities undertaken only take place on pseudonymised patient-level data and would include:
• Data quality checks
• Data validation
• Generation of ad-hoc analysis and reports to support specific projects

A lead CSU will be nominated for each project. This approach ensures that the Joint Data Controllers can flexibly meet demand across the NHS system.
AGEM CSU is the only identified NHS England CSU team processing the GDPPR dataset.