You will have recently have received a communication from NHS England in regards to signing up, via CQRS, for a Covid19 GPES extraction. The purpose of this update is to provide some background regarding any Information Governance and Data Protection queries this may raise.
All GP Practices are required, under a legal obligation (Section 259 of the Health and Social Care Act 2012) to allow the extraction and upload by NHS Digital of personal confidential data contained within patient records to be used for COVID-19 pandemic planning and research purposes.
These “Covid19 Purposes” were articulated in section 3.1. of the March 2020 Control of Patient Information (COPI) notice and are wide ranging.
This legal obligation allows NHS Digital to carry out this extraction without consent from either patients or the practice and without breaching the Common Law Duty of Confidentiality.
The data set extracted consists of about 40500 individual coded entries (13000 clinical codes and 27000 drug issues codes), in addition to a number of QoF clinical indicator drug issue Datasets.
This is a “patient level” data extract, so will also extract for each patient their name, NHS Number, DoB, Address etc.
Once extracted, NHS Digital will become the “Data Controller” for this information.
This data can only be used for purposes related to COVID-19, and all applications to access that information will be managed by NHS Digital, via their Data Access Request Service (DARS) , with support and advice provided for any disclosures by a number of independent bodies (including the Independent Group Advising on the Release of Data (IGARD), BMA, RCGP)
- “Business_Rules_Combined_Change_Log_GDPPR_v2.0a”-A list of codes extracted for the purpose of Covid19 (will download into the bottom left of your screen)
- “GPES Extract for Pandemic Planning and Research_Business_Rules_v2.0”- a background document showing the full list of data extracts included
- A data provision notice listing the rationale for the collection, the legal bases for extraction, supporting evidence from the BMA and RCGP and the expectation from General Practice in relation to this extract.
- “COVID-19_COPI” – Control of Patient Information Notice which articulates “Covid19 purposes”
 A Covid-19 Purpose includes but is not limited to the following:
- understanding Covid-19 and risks to public health, trends in Covid-19 and such risks, and controlling and preventing the spread of Covid-19 and such risks;
- identifying and understanding information about patients or potential patients with or at risk of Covid-19, information about incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from Covid-19;
- understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19 and the availability and capacity of those services or that care;
- monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services;
- delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with Covid-19, including the provision of information, fit notes and the provision of health care and adult social care services; and
- research and planning in relation to Covid-19.