COVID-19 Privacy Notice

(This Privacy Notice is to run alongside our standard Practice Privacy Notice)

As we move away from the initial response to COVID-19 the health and social care system will need to continue to take action to manage and mitigate the spread and impact of the outbreak. This includes ensuring that approved researchers can continue to securely access pseudonymised data held by GP IT systems to assist the health and care service’s response to COVID-19 by, for example:

  • recognising trends in COVID-19 diseases and identifying risks it poses
  • controlling and preventing the spread of COVID-19
  • monitoring and managing outbreaks

The OpenSAFELY COVID-19 research service provides a secure analytics service that supports COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.  

Under the COVID-19 Public Health Directions 2020 NHS England has been directed by the Secretary of State for Health and Social Care to establish and operate the OpenSAFELY service.  While each GP practice remains the data controller of its own patient data, they are required under the provisions of s259 of the Health and Social Care Act 2012 to provide access to de-identified (pseudonymised) patient data through the OpenSAFELY service. 

The service enables individuals (academics, analysts and data scientists) approved by NHS England to run queries on pseudonymised GP and NHS England patient data which is held within the GP system suppliers’ data environments.  Controls are in place to ensure that individuals only have access to aggregated outputs from the service (i.e. they cannot access information that either directly or indirectly identifies individuals).

Purpose of this Notice

OpenSAFELY service is used to analyse de-identified (pseudonymised) data within the EMIS and TPP boundaries, to support COVID-19 related research. 


This is a continuation of a service which is supported by the BMA which has been operating since 2020. The permanent legal basis (the COVID-19 Direction) above allows the practice to provide this data to NHSE as an ongoing service. 

The OpenSAFELY service is a Trusted Research Environment (TRE) established within the secure environment of EMIS and TPP. Researchers write their analysis code away from the patient data; the code is run automatically on de-identified (pseudonymised) patient data; and only the aggregated outputs (now anonymous) are shared with researchers to be used, for example, in journal publications, reports or presentations. 

These controls keep patient data secure inside EMIS and TPP and confidential from researchers. The use of TREs and the data processing principles which OpenSAFELY represents is supported by the RCGP.

To date, this service has supported a range of important COVID-19 related research, including one of the world’s first and largest studies to identify the clinical factors associated with COVID-19 related death, which informed the national COVID-19 vaccination strategy and Green Book guidance. Other studies have also informed COVID-19 related NICE guidance and decisions made by SAGE. 

All NHS England approved research studies are published online, including sharing the exact analysis code each study used to analyse the patient data, by whom and when such code was run. In future, NHSE will also publish approvals on our data release register.

During the pandemic, and in the recovery phase, de-identified data has been crucial in helping to save lives. It has supported research into COVID-19 and the ways that it has affected our lives, our health, and to identify effective medicines and treatments. 

Research has helped to identify new treatments for COVID-19 and to understand how we can keep our communities safe. Data has helped us to prioritise the right care to the most vulnerable in our society and to develop vaccines to protect against COVID-19.

If you have any questions, please contact us at gpdata@nhs.net

Recording of processing

A record will be kept by Spa Medical Centre of all data processed under this Notice.

Sending Public Health Messages

Data protection and electronic communication laws will not stop Spa Medical Centre from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

Digital Consultations

It may also be necessary, where the latest technology allows Spa Medical Centre to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

Creating a new NHS England: NHS England and NHS Digital merged on 1 February 2023. All references to NHS Digital now, or in the future, relate to NHS England.

Please click here to download the entire document.