OPC DATA TRANSPARENCY INFORMATION
What this information is about
The information on this page provides further information about how Optimum Patient Care Limited (OPC, we are, us) collects, stores and uses data from its quality improvement and research support services (also called OPC Services). Information on how OPC handles personal data as controller is provided in our Privacy Notice. Both documents should be read together to give a complete view of how personal data is processed by OPC.
Important Definitions
To help understand the information on this page, the types of data mentioned are defined below.
Personal data
This is information which relates to a living individual who can be identified either directly or indirectly from that information. Personal data contains information or identifiers that can identify the person the data relates to e.g. name, date of birth, address, contact information, etc. OPC does not process data that can identify patients by name when providing the OPC Services (see further information on these services, below).
Pseudonymised or de-identified data
This is information which has had identifiers (information that will identify the person it relates to) such as name, date of birth, address, contact information, removed and replaced by a code or unique ID that cannot be traced back to the person the information relates to. The patient data OPC receives from GP practices is pseudonymised data as the identifiers of each patient has been replaced with a unique ID. Pseudonymised data is still considered personal data under the GDPR even though OPC cannot directly attribute the information received to a named individual.
Anonymised data
This is information which cannot identify or re-identify an individual (directly or indirectly), either on its own or when combined with other information. Anonymised data is not personal data. The research datasets that OPC provides access to for ethics approved research is anonymised data.
About Optimum Patient Care (OPC)
OPC is a not-for-profit, social enterprise that provides free quality improvement and research support services to GP practices in the UK since 2005. We help practices with reports and activities to assist them in improving the care they provide for patients with chronic and public health conditions such as asthma, COPD, rare diseases and many more. We also help practices to take part in real-life research and clinical trials.
Read more about our company, our team, our partners and all the quality improvement and research support services we provide.
Data OPC holds and why
Quality improvement data
Participating practices share pseudonymised patient data with OPC, for us to support them with their improvements and NHS approved research. We provide free quality improvement programmes for practices from a wide range of areas including in relation to asthma, COPD and rare diseases.
The pseudonymised data is collected from GP electronic health records (EHR) using secure data collection software. Any information that will identify a person (e.g. name, date of birth, address, contact information) is removed and a unique code (pseudonym) is given to each patient’s data. The pseudonym enables only the practice to identify their patients. The data is then encrypted and transferred through a secure network called the Health and Social Care Network (HSCN) to OPC.
The pseudonymised data is held securely in the OPC Service Database (OPCSD). We use OPCSD for ongoing provision of OPC Services to practices and to make improvements to our services for practices.
Patients cannot be identified from the data OPC receives from practices. We do not collect data for patients who have opted out of sharing their medical data for research. A practice can request at any time for their patients’ data to be removed from OPC databases without disclosing the identity of patients.
The pseudonymised data OPC collects from participating GP practices includes:
-
Patient demographic and registration information e.g. age (year of birth only), sex, ethnicity, district level postcode, practice joining and leaving dates, etc
-
Clinical or medical history, symptoms and diagnoses. This is both coded data and redacted text. The data includes date of event, event code, numeric results, etc
-
Prescriptions, therapies and appliances/devices – details of prescriptions for drugs issued to patient. Comprises coded data and redacted text. The data includes name of medication, ingredient, dose, date of issue, number of tablets, etc
-
Laboratory tests - e.g. blood tests, lung function tests, the date, the result of the test.
-
Referrals or information on care received outside the Practice e.g. date of referral, urgency of the referral (routine, urgent) type of referral.
Research data
Practices contribute pseudonymised patient data to the OPCSD which OPC, as data controller, transfers to our NHS research ethics approved database called the Optimum Patient Care Research Database (OPCRD). Research undertaken using data from OPCRD helps improve science and public health, understanding of medical conditions and how we treat and manage them. It also enables anonymous information of patients from contributing practices to be represented in research which matters and makes a difference. OPCRD has been used for over 120 published research articles.
OPC receives pseudonymised data from practices who have agreed for the data they provide to be used for ethically approved research purposes. OPCRD has NHS research ethics committee (REC) approval to provide access to anonymised research data for studies with scientific or patient benefits that have ethics approval.
A research study must first get ethics approval from an independent governing body called the Anonymised Data Ethics and Protocol Transparency Committee (ADEPT) before access to anonymised research data from OPCRD is provided. The access is provided under a limited Data Sharing or Access and Licence Agreement, given for a limited time (usually 12 months) for the research to complete its analysis. This agreement ensures the researcher(s) keeps the data secure, uses the data only for the purposes that have been approved, and obeys the data protection laws. You cannot identify a person from the anonymised data provided from OPCRD for research or the results of the research.
Clinical research data
OPC supported clinical trials, or research is where patients have been invited by their GP practice or doctor to participate in a study, and the patients have given their consent to take part and for their data to be used for research. Pseudonymised data from clinical trials is also contributed to OPCRD for ethically approved research.
Please visit https://www.opcrd.optimumpatientcare.org/health-data-for-research and Understanding Patient Data website for more information about the importance of patient medical data for research.
How long we hold data
A GP practice can request at any time for their patients’ data to be removed from OPC databases without disclosing the identity of patients; subject to any requirements on data retention by GDPR or DPA 2018. GP practices can also request the removal of a single patient’s data by providing OPC with the relevant unique code assigned to that individual.
OPC will continue to securely hold the pseudonymised data received from participating practices for the provision of OPC Services to the practices. The pseudonymised data OPC holds in OPCSD will be held for a maximum of five (5) years after the participating practice has terminated OPC Services. The participating practice can also instruct OPC to delete their pseudonymised data from OPCSD immediately when they terminate OPC Services.
OPC shall continue to hold pseudonymised data in OPCRD and OPCRD-linked databases in perpetuity unless the practice notifies OPC in writing to destroy the data, subject to any applicable legal requirements for data retention.
Please note that it is not possible to remove a patient’s data from anonymised research data, results or publications, as the patient cannot be identified.
Lawful basis for data OPC holds
OPC is a data processor on behalf of participating GP practices who are the data controllers of the pseudonymised patient data shared with OPC as part of receiving OPC Services. Each practice enters into a service, data processing and sharing agreement with OPC, which permits OPC to collect, pseudonymise and hold the data for providing OPC Services to the practice.
As data controller, the GP practice is responsible for determining the lawful basis under which the processing of your personal data takes place and you should refer to further information on this in the applicable privacy notice the GP practice provides to patients. The lawful basis for these activities is covered by one or more of the following lawful bases:
-
GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (being the GP practice).
-
GDPR Article 6(1)(e) and Article 9(2)(i): Medicines and medical device monitoring – processing of special category data (e.g. data concerning health) for public interest in the area of public health.
-
GDPR Article 6(1)(e) and Article 9(2)(j): Medical research and statistics - processing of special category data (e.g. data concerning health) for public interest and scientific research purposes.
OPC acts as a data controller for the purpose of transferring data from the OPC Services to make it available for anonymised research purposes. This applies to the data OPC holds in OPCRD and OPCRD-linked databases. The lawful basis for this is covered by:
-
GDPR Article 6(1)(f): Processing is necessary for the purposes of the legitimate interests pursued by the controller (being OPC) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
-
GDPR Article 6(1)(e) and Article 9(2)(j): Medical research and statistics - processing of special category data (e.g. data concerning health) for public interest and scientific research purposes.
Approvals and Governance
OPCRD is approved by the NHS Health Research Authority Research Ethics Committee (HRA REC reference: 20/EM/0148) to receive and provide data for scientific, exploratory and public health research.
OPCRD also has HRA Confidential Advisory Group (CAG) approval for confidential identifiable patient information (namely - NHS number, date of birth and sex) to be sent from participating practices to NHS Digital for HES hospital data linkage (CAG reference: 21/CAG/0001). The linked data is stored in OPCRD-linked databases, including NHS secure data environment(s). Any identifiers used for data linkage are destroyed after linkage.
All research requiring the use of anonymised data from OPCRD must have their protocol approved by the Anonymised Data Ethics and Protocol Transparency committee (ADEPT). ADEPT is an independent body of experts who control which research gets access to OPCRD data.
All approved research must sign and comply with a strict Data Sharing or Access and Limited Licence Agreement. It places responsibility on the approved researcher to keep the data secure; to use it only for the approved study; and to destroy it when the study is completed. All studies must have an intent to publish their results for public benefit.
OPC works with patient and public engagement groups to involve patients and the public in how we collect, handle and use patient data for research. Clinical trials also have to involve patients and the public in how trials are designed and carried out.
How we are funded
OPCRD is available to academic organisations such as universities, and to non-academic organisations such as charities and commercial companies, for ethically approved research.
OPC receives data access fees from researchers who access OPCRD anonymised research data. We provide access to anonymised data for single study use which we call single licence, or access for multiple study use which we call unlimited licence. The money is used to provide free OPC Services to GP practices across the UK, and to maintain the database for health and scientific research.
OPC also receives funding from organisations that conduct NHS approved studies, when OPC supports practices with taking part in the studies. We also receive funding support from our affiliate organisations - OPC Global and OPRI.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. We will try to assist with any requests we receive from data subjects, however rights are only exercisable against data controllers under the GDPR and so we may need to pass your request to (or ask that you approach) the relevant entity that controls the data (e.g. your GP practice):
-
Your right of access
You have the right to ask us for copies of your personal data held by OPC.
-
Your right to rectification
You have the right to ask OPC to change or correct information you think is inaccurate about you. You also have the right to ask OPC to complete information you think is incomplete.
-
Your right to erasure
You have the right to ask OPC to erase your personal data in certain circumstances.
-
Your right to restriction of processing
You have the right to ask OPC to restrict the processing of your information in certain circumstances.
-
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process is in our legitimate
interests.
-
Your right to data portability
This only applies to information you have given to OPC. You have the right to ask that we transfer the information you gave us from
one organisation to another or give it to you. The right only applies if we are processing information with your consent.
You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please note that we are only able to help you exercise your data protection rights if we hold your personal data and we can identify you.
Please send an email to us (Email: dataprotection@optimumpatientcare.org) if you wish to make a request, or contact our office line on (Tel: 01223 967855).
You can opt out of sharing data
You have the right to opt out of the sharing of your patient data by your GP practice with OPC. Opting out of sharing your health information will not affect the care you receive from your GP practice.
If you do not wish for your data to be shared by your GP practice, or you would like your data to be removed from our databases, please contact your GP practice who can provide OPC with a code (the pseudonym they assigned) to remove your data without disclosing your identity.
It is not possible to remove a patient from anonymised research datasets, research results or publications, as patients cannot be identified once the data is anonymised.
Data Protection and Security
OPC quality improvement and research support services are provided under strict data security and protection policies to assure patients, practices and researchers that we collect and use data securely and lawfully in compliance with data protection laws - the GDPR and the Data Protection Act 2018 (DPA 2018). OPC is a registered data controller with the Information Commissioner’s Office, registration number: ZA197058.
OPC undertakes and complies with the NHS Data Security and Protection Toolkit (ref: 8HR85) assessment annually. The assessment ensures OPC complies with the National Data Guardian’s data security standards.
OPC has ISO 27001 and ISO 9001 certification (certificate number 385342022) and UK Cyber Essentials (certificate number d8632649-8959-4fbc-8c68-4cf00770143f). This accreditation demonstrates that OPC operates in accordance with a global framework of information security and quality assurance and management.
OPC staff are regularly trained on data security and protection, including compulsory annual certified training provided by NHS Digital, and NIHR certified Good Clinical Practice (GCP) training. We conduct regular checks and audits to ensure compliance with the GDPR and DPA 2018.
How OPCRD receives pseudonymised data from GP practices but only provides anonymised data for research
The process of how OPCRD receives pseudonymised or de-identified data from practices, but only provides anonymised data for ethics approved research is described below:
-
GP practice agrees to contribute their de-identified patient data to OPCRD.
-
GP practice is supported by OPC to set-up their electronic health record system to allow only patient data that has been de-identified to flow to OPC. This means patients cannot be identified from the data the GP practice sends to OPC.
-
Patients who have opted-out of data sharing are not included in data shared with OPC.
-
Data is initially stored on the OPCSD following its extraction from the GP practice then undergoes further pseudonymisation and removal of data fields before OPC transfer the data onto the OPCRD, which it maintains as data controller.
-
OPCRD has NHS research ethics approval to provide anonymised data for research purposes.
-
Researchers request to access data from OPCRD for a specific study.
-
All requests are reviewed by an independent body called ADEPT. Only research studies approved by ADEPT can access anonymised research datasets from OPCRD.
-
The de-identified data required for the approved research is anonymised before access is provided to the researcher. You cannot identify a person from anonymised data or from any results or reports from anonymised data.
-
Researchers sign a limited Data Sharing/Access and Licence Agreement, which ensures researchers follow strict rules on how the data is used and for how long they can access the data.

How OPCRD links hospital data
Primary care data contributed by GP practices to OPCRD may be linked to hospital data and other health-related data and registries. Data linkage enables OPCRD data to provide a fuller picture of the patient care record to support vital impact analyses and public health research which help inform advances in patient care and healthcare resource utilisation.
How OPCRD data is linked to hospital data in England using identifiers is described below as an example.
-
OPCRD has CAG approval for participating GP practices to send patient identifiers to NHS England for the only purpose of providing hospital data.
-
GP practices send a secure file containing patient identifiers (NHS number, date of birth and sex) to OPC, who collect the files from many practices and send it to NHS England.
-
NHS England provides only de-identified hospital data for the requested patient identifiers.
-
Hospital data provided for linkage is stored in secure data environment at NHS England or OPC.
-
OPCRD-linked databases data is then used to conduct research for studies which have received approval from an independent ethics committee called ADEPT.
-
Research results or outputs are anonymous and you cannot identify a person.
How OPCRD data is linked to hospital data in England without using identifiers is described below as an example.
-
OPC select only patients from GP practices who have consented to hospital data linkage.
-
OPC send the hashing algorithm which is used to de-identify patients when data is collected at GP practices to NSH England.
-
OPC also send the hashed NHS numbers (pseudonyms), the OPCRD IDs and the GP dataset for the required cohort via secure route to NHS England.
-
NHS England apply the hashing algorithm to the required hospital datasets. Hospital data is only released for hashes which match to hashes in the cohort supplied by OPC.
-
NHS England send the GP dataset and OPCRD IDs, and the HES dataset and OPCRD IDs to the NHS Secure Data Environment (SDE), where OPC and researchers can access and use the m OPCRD with the HES dataset from NHS England.
-
The hashed NHS numbers supplied by OPC to NHS England for data linkage are destroyed by NHS England after linkage to eliminate risk of potential reidentification.
Data Protection Policies and DPIAs
For access to our data security and protection policies, and data protection impact assessments (DPIAs) completed for any of our services, please contact us using the information below.
Informing patients - posters for our GP practices
We encourage all GP practices who use OPC Services to display posters at their surgeries or on their websites to tell their patients that they work with OPC, they share deidentified data with OPC, and how their patients can opt out of their shared being with OPC.
Contact OPC
If you have any questions or complaints or you require any information about how we handle data at OPC, please contact our Data Protection Team by email, phone or post using the details below:
Write to us: Optimum Patient Care, 5 Coles Lane, Cambridge, CB24 3BA
Email us: dataprotection@optimumpatientcare.org
Phone us: 01223 967 855
Our Data Protection Officer is Francis Appiagyei. You can email him at francis@optimumpatientcare.org or write to him using our postal address above. Please mark the envelope ‘Data Protection Officer’.
Complaints
You can make a complaint about the way we process your personal information to the Information Commissioner’s Office (ICO) using their contact information below. You can also request independent advice from the ICO.
Phone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ICO website: https://ico.org.uk/make-a-complaint/
Data transparency page last updated 31st March 2025