Zhong, Xiaomin http://orcid.org/0000-0002-3448-6702
Palin, Victoria
Ashcroft, Darren M.
Goldacre, Ben
MacKenna, Brian
Mehrkar, Amir
Bacon, Sebastian C. J.
Massey, Jon
Inglesby, Peter
Hand, Kieran
Pate, Alexander
van Staa, Tjeerd Pieter
,
Article History
Received: 11 March 2024
Accepted: 12 June 2024
First Online: 2 July 2024
Declarations
:
: NHS England is the data controller of the NHS England OpenSAFELY COVID-19 Service; TPP is the data processor; all study authors using OpenSAFELY have the approval of NHS England []. This implementation of OpenSAFELY is hosted within the TPP environment which is accredited to the ISO 27001 information security standard and is NHS IG Toolkit compliant [].Patient data has been pseudonymised for analysis and linkage using industry standard cryptographic hashing techniques; all pseudonymised datasets transmitted for linkage onto OpenSAFELY are encrypted; access to the NHS England OpenSAFELY COVID-19 service is via a virtual private network (VPN) connection; the researchers hold contracts with NHS England and only access the platform to initiate database queries and statistical models; all database activity is logged; only aggregate statistical outputs leave the platform environment following best practice for anonymisation of results such as statistical disclosure control for low cell counts ().The service adheres to the obligations of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The service previously operated under notices initially issued in February 2020 by the Secretary of State under Regulation 3[] of the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations), which required organisations to process confidential patient information for COVID-19 purposes; this set aside the requirement for patient consent []. As of 1 July 2023, the Secretary of State has requested that NHS England continue to operate the Service under the COVID-19 Directions 2020 []. In some cases of data sharing, the common law duty of confidence is met using, for example, patient consent or support from the Health Research Authority Confidentiality Advisory Group [].Taken together, these provide the legal bases to link patient datasets using the service. GP practices, which provide access to the primary care data, are required to share relevant health information to support the public health response to the pandemic and have been informed of how the service operates.This study was approved by the Health Research Authority and NHS Research Ethics Committee [REC reference 21/SC/0287].
: Not applicable.
: The authors declare no competing interests.