OpenSAFELY COVID-19 and Data Analytics services
Brief guidance about the OpenSAFELY COVID-19 and Data Analytics services.
NHS England established the OpenSAFELY COVID-19 Service (COVID-19 Service) during the pandemic to support the use of data for COVID-19 purposes. This includes:
- COVID-19 research
- COVID-19 clinical audit
- COVID-19 service evaluation
- COVID-19 health surveillance
The COVID-19 Service continues to support COVID-19 related analyses.
What is the OpenSAFELY Data Analytics Service pilot?
Learning from the COVID-19 Service, the OpenSAFELY Data Analytics Service (Data Analytics Service) will support non-COVID-19 analysis. This includes:
- research
- clinical audit
- service evaluation
- health surveillance
- the evaluation of the service and
- health and social care policy, planning and commissioning purposes and public health purposes, where agreed on a project-specific basis
What data do these services use?
The services use pseudonymised GP data (from practices whose systems are supplied by TPP or Optum (formerly EMIS)) and other pseudonymised datasets from NHS England. Pseudonymised data has identifiers removed and replaced with a pseudonym. View the full list of data sources.
How do the services use the data?
The OpenSAFELY tool enables approved users to write their analysis code away from the patient data. The code is run automatically on de-identified (pseudonymised) patient data.
Only the aggregated outputs are viewed by approved users. Only anonymous aggregated data can be exported from the system to be used, for example, in journal publications, reports or presentations.
These controls keep patient data secure within the secure system supplier environment of Optum and TPP and confidential from the approved users.
What about data of patients registered at practices which do not use TPP or Optum?
Patients who are registered at practices that do not have their systems supplied by TPP or Optum will not have their GP data included in either service.
GP practices whose systems are not supplied by TPP or Optum may receive communication regarding the OpenSAFELY Data Analytics Service but should ignore this.
What is the legal basis for using and sharing data with the services?
NHS England has been directed by the government to establish and operate the COVID-19 Service and the OpenSAFELY Data Analytics Service pilot.
The Directions in place for each service are different.
The legal basis for the COVID-19 Service is the COVID-19 Public Health Directions 2020 and its associated data provision notice (DPN).
For the Data Analytics Service, the data will be processed under the legal basis provided under the OpenSAFELY Data Analytics Service Pilot Directions 2025 and its associated data provision notice (DPN).
Who is the controller for this patient information?
GP practices are the controller for the pseudonymised GP patient records, in the same way as they are for the data they input into their clinical systems. Through the DPNs, GP practices give NHS England permission to remotely query that data and to do essential technical work to keep it safe and effective.
Once the pseudonymised GP data is queried, and potentially linked to other NHS England datasets, NHS England rather than the GP practice becomes the controller for the linked pseudonymised dataset. This dataset never leaves the system supplier boundary and is not accessed by approved users. Approved users use these smaller, linked datasets to run other remote queries and return anonymised, aggregate results.
Can patients opt out of having their data used for these services?
Patients who have registered a type one opt-out will not have their data processed as part of these services.
Patients who have registered a national data opt-out will have their data processed by these services unless an exception is agreed, in consultation with the British Medical Association (BMA) and the Royal College of General Practitioners (RCGP). Exceptions will be considered on a case-by-case basis for specific projects planning to use the OpenSAFELY Data Analytics Service. A technical solution for enabling this is being discussed.
How are access requests to the COVID-19 Service and the OpenSAFELY Data Analytics Service approved?
All applications are assessed to ensure that:
- the application aligns with one of the approved uses of the relevant service
- the data necessary to support the purpose of the application is available in the system
- the applicant has submitted a completed application form, along with any relevant supporting documentation (including a study protocol)
- if the application is for research, then approval from the Health Research Authority (HRA) Research Ethics Committee (REC) is in place
- if the application is for a clinical audit, service evaluation or health surveillance purpose, then approval from a local or institutional ethics committee is in place
All projects using the service are approved by or on behalf of NHS England.
Find more information about the application process for the COVID-19 service.
What approvals are needed to use the OpenSAFELY Data Analytics Service for a planning or public health purpose?
Where an application is made to use the OpenSAFELY Data Analytics Service for a planning, public health or commissioning purpose, it is approved on a project-specific basis by or on behalf of:
- the Department of Health and Social Care
- NHS England
- a nominated representative of each of the RCGP and the BMA on behalf of the Joint GPIT Committee
Has a DPIA been completed for these services?
Yes. NHS England has produced:
- a Data Protection Impact Assessment (DPIA) for the COVID-19 service
- a DPIA for the OpenSAFELY Data Analytics Service
In addition, GP practices have been sent draft DPIAs for both services to cover their role as controller of the pseudonymised dataset. They may choose to use or adapt this DPIA, or to develop their own.
What should GP practices include in their privacy notices?
GP practices should ensure that their privacy notice reflects all the processing of data that happens in relation to patient records. GP practices are therefore advised to add the following paragraphs to their privacy notice, or to draft their own information if they prefer:
"NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.
Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.
Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.
Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP.
Here you can find additional information about OpenSAFELY."
Who can I contact for more information?
You can contact the OpenSAFELY programme team at NHS England by emailing [email protected].
These IG pages provide clear and consistent IG advice and guidance to patients and service users, health and care staff and IG professionals. NHS England convenes a working group to check and challenge the guidance.
Last edited: 7 May 2026 4:29 pm