OPC DATA TRANSPARENCY INFORMATION 

What this information is about 

 

The information on this page provides further information about how Optimum Patient Care Limited (OPC, we are, us) collects, stores and uses data from its quality improvement and research support services (also called OPC Services). Information on how OPC handles personal data as controller is provided in our Privacy Notice. Both documents should be read together to give a complete view of how personal data is processed by OPC.  

 

Important Definitions 

 

To help understand the information on this page, the types of data mentioned are defined below. 

 

Personal data 

This is information which relates to a living individual who can be identified either directly or indirectly from that information. Personal data contains information or identifiers that can identify the person the data relates to e.g. name, date of birth, address, contact information, etc. OPC does not process data that can identify patients by name when providing the OPC Services (see further information on these services, below). 

 

Pseudonymised or de-identified data 

This is information which has had identifiers (information that will identify the person it relates to) such as name, date of birth, address, contact information, removed and replaced by a code or unique ID that cannot be traced back to the person the information relates to. The patient data OPC receives from GP practices is pseudonymised data as the identifiers of each patient has been replaced with a unique ID. Pseudonymised data is still considered personal data under the GDPR even though OPC cannot directly attribute the information received to a named individual.  

 

Anonymised data 

This is information which cannot identify or re-identify an individual (directly or indirectly), either on its own or when combined with other information. Anonymised data is not personal data. The research datasets that OPC provides access to for ethics approved research is anonymised data. 

 

About Optimum Patient Care (OPC) 

 

OPC is a not-for-profit, social enterprise that provides free quality improvement and research support services to GP practices in the UK since 2005. We help practices with reports and activities to assist them in improving the care they provide for patients with chronic and public health conditions such as asthma, COPD, rare diseases and many more. We also help practices to take part in real-life research and clinical trials. 

Read more about our company, our team, our partners and all the quality improvement and research support services we provide. 

 

Data OPC holds and why 

 

Quality improvement data 

 

Participating practices share pseudonymised patient data with OPC, for us to support them with their improvements and NHS approved research. We provide free quality improvement programmes for practices from a wide range of areas including in relation to asthma, COPD and rare diseases. 

 

The pseudonymised data is collected from GP electronic health records (EHR) using secure data collection software. Any information that will identify a person (e.g. name, date of birth, address, contact information) is removed and a unique code (pseudonym) is given to each patient’s data. The pseudonym enables only the practice to identify their patients. The data is then encrypted and transferred through a secure network called the Health and Social Care Network (HSCN) to OPC. 

 

The pseudonymised data is held securely in the OPC Service Database (OPCSD). We use OPCSD for ongoing provision of OPC Services to practices and to make improvements to our services for practices. 

 

Patients cannot be identified from the data OPC receives from practices. We do not collect data for patients who have opted out of sharing their medical data for research. A practice can request at any time for their patients’ data to be removed from OPC databases without disclosing the identity of patients. 

 

The pseudonymised data OPC collects from participating GP practices includes:  

 

• Patient demographic and registration information e.g. age (year of birth only), sex, ethnicity, district level postcode, practice joining and leaving dates, etc  

• Clinical or medical history, symptoms and diagnoses. This is both coded data and redacted text. The data includes date of event, event code, numeric results, etc  

• Prescriptions, therapies and appliances/devices – details of prescriptions for drugs issued to patient. Comprises coded data and redacted text. The data includes name of medication, ingredient, dose, date of issue, number of tablets, etc  

• Laboratory tests - e.g. blood tests, lung function tests, the date, the result of the test.  

• Referrals or information on care received outside the Practice e.g. date of referral, urgency of the referral (routine, urgent) type of referral.

 

Research data 

 

Practices contribute pseudonymised patient data to the OPCSD which OPC, as data controller, transfers to our NHS research ethics approved database called the Optimum Patient Care Research Database (OPCRD). Research undertaken using data from OPCRD helps improve science and public health, understanding of medical conditions and how we treat and manage them. It also enables anonymous information of patients from contributing practices to be represented in research which matters and makes a difference. OPCRD has been used for over 120 published research articles. 

 

OPC receives pseudonymised data from practices who have agreed for the data they provide to be used for ethically approved research purposes. OPCRD has NHS research ethics committee (REC) approval to provide access to anonymised research data for studies with scientific or patient benefits that have ethics approval. 

A research study must first get ethics approval from an independent governing body called the Anonymised Data Ethics and Protocol Transparency Committee (ADEPT) before access to anonymised research data from OPCRD is provided. The access is provided under a limited Data Sharing or Access and Licence Agreement, given for a limited time (usually 12 months) for the research to complete its analysis. This agreement ensures the researcher(s) keeps the data secure, uses the data only for the purposes that have been approved, and obeys the data protection laws. You cannot identify a person from the anonymised data provided from OPCRD for research or the results of the research. 

 

Clinical research data 

 

OPC supported clinical trials, or research is where patients have been invited by their GP practice or doctor to participate in a study, and the patients have given their consent to take part and for their data to be used for research. Pseudonymised data from clinical trials is also contributed to OPCRD for ethically approved research. 

 

Please visit https://www.opcrd.optimumpatientcare.org/health-data-for-research and Understanding Patient Data website for more information about the importance of patient medical data for research. 

 

How long we hold data 

 

A GP practice can request at any time for their patients’ data to be removed from OPC databases without disclosing the identity of patients; subject to any requirements on data retention by GDPR or DPA 2018. GP practices can also request the removal of a single patient’s data by providing OPC with the relevant unique code assigned to that individual.  

 

OPC will continue to securely hold the pseudonymised data received from participating practices for the provision of OPC Services to the practices. The pseudonymised data OPC holds in OPCSD will be held for a maximum of five (5) years after the participating practice has terminated OPC Services. The participating practice can also instruct OPC to delete their pseudonymised data from OPCSD immediately when they terminate OPC Services. 

 

OPC shall continue to hold pseudonymised data in OPCRD and OPCRD-linked databases in perpetuity unless the practice notifies OPC in writing to destroy the data, subject to any applicable legal requirements for data retention. 

 

Please note that it is not possible to remove a patient’s data from anonymised research data, results or publications, as the patient cannot be identified. 

 

Lawful basis for data OPC holds 

 

OPC is a data processor on behalf of participating GP practices who are the data controllers of the pseudonymised patient data shared with OPC as part of receiving OPC Services. Each practice enters into a service, data processing and sharing agreement with OPC, which permits OPC to collect, pseudonymise and hold the data for providing OPC Services to the practice. 

 

As data controller, the GP practice is responsible for determining the lawful basis under which the processing of your personal data takes place and you should refer to further information on this in the applicable privacy notice the GP practice provides to patients. The lawful basis for these activities is covered by one or more of the following lawful bases: 

• GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (being the GP practice). 

• GDPR Article 6(1)(e) and Article 9(2)(i): Medicines and medical device monitoring – processing of special category data (e.g. data concerning health) for public interest in the area of public health. 

• GDPR Article 6(1)(e) and Article 9(2)(j): Medical research and statistics - processing of special category data (e.g. data concerning health) for public interest and scientific research purposes. 

 

OPC acts as a data controller for the purpose of transferring data from the OPC Services to make it available for anonymised research purposes. This applies to the data OPC holds in OPCRD and OPCRD-linked databases. The lawful basis for this is covered by: 

• GDPR Article 6(1)(f): Processing is necessary for the purposes of the legitimate interests pursued by the controller (being OPC) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. 

• GDPR Article 6(1)(e) and Article 9(2)(j): Medical research and statistics - processing of special category data (e.g. data concerning health) for public interest and scientific research purposes. 

 

Approvals and Governance 

 

OPCRD is approved by the NHS Health Research Authority Research Ethics Committee (HRA REC reference: 20/EM/0148) to receive and provide data for scientific, exploratory and public health research. 

 

OPCRD also has HRA Confidential Advisory Group (CAG) approval for confidential identifiable patient information (namely - NHS number, date of birth and sex) to be sent from participating practices to NHS Digital for HES hospital data linkage (CAG reference: 21/CAG/0001). The linked data is stored in OPCRD-linked databases, including NHS secure data environment(s). Any identifiers used for data linkage are destroyed after linkage. 

 

All research requiring the use of anonymised data from OPCRD must have their protocol approved by the Anonymised Data Ethics and Protocol Transparency committee (ADEPT). ADEPT is an independent body of experts who control which research gets access to OPCRD data. 

 

All approved research must sign and comply with a strict Data Sharing or Access and Limited Licence Agreement. It places responsibility on the approved researcher to keep the data secure; to use it only for the approved study; and to destroy it when the study is completed. All studies must have an intent to publish their results for public benefit. 

 

OPC works with patient and public engagement groups to involve patients and the public in how we collect, handle and use patient data for research. Clinical trials also have to involve patients and the public in how trials are designed and carried out. 

 

How we are funded 

 

OPCRD is available to academic organisations such as universities, and to non-academic organisations such as charities and commercial companies, for ethically approved research. 

 

OPC receives data access fees from researchers who access OPCRD anonymised research data. We provide access to anonymised data for single study use which we call single licence, or access for multiple study use which we call unlimited licence. The money is used to provide free OPC Services to GP practices across the UK, and to maintain the database for health and scientific research. 

 

OPC also receives funding from organisations that conduct NHS approved studies, when OPC supports practices with taking part in the studies. We also receive funding support from our affiliate organisations - OPC Global and OPRI. 

​

Your data protection rights 

 

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. We will try to assist with any requests we receive from data subjects, however rights are only exercisable against data controllers under the GDPR and so we may need to pass your request to (or ask that you approach) the relevant entity that controls the data (e.g. your GP practice):  

 

• Your right of access 

       You have the right to ask us for copies of your personal data held by OPC. 

 

• Your right to rectification 

       You have the right to ask OPC to change or correct information you think is inaccurate about you. You also have the right to ask OPC         to complete information you think is incomplete. 

​

• Your right to erasure 

       You have the right to ask OPC to erase your personal data in certain circumstances. 

 

• Your right to restriction of processing 

       You have the right to ask OPC to restrict the processing of your information in certain circumstances. 

 

• Your right to object to processing 

       You have the right to object to processing if we are able to process your information because the process is in our legitimate     

       interests. 

 

• Your right to data portability 

       This only applies to information you have given to OPC. You have the right to ask that we transfer the information you gave us from 

       one organisation to another or give it to you. The right only applies if we are processing information with your consent. 

 

You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please note that we are only able to help you exercise your data protection rights if we hold your personal data and we can identify you. 

 

Please send an email to us (Email: dataprotection@optimumpatientcare.org) if you wish to make a request, or contact our office line on (Tel: 01223 967855). 

 

You can opt out of sharing data 

 

You have the right to opt out of the sharing of your patient data by your GP practice with OPC. Opting out of sharing your health information will not affect the care you receive from your GP practice. 

 

If you do not wish for your data to be shared by your GP practice, or you would like your data to be removed from our databases, please contact your GP practice who can provide OPC with a code (the pseudonym they assigned) to remove your data without disclosing your identity. 

It is not possible to remove a patient from anonymised research datasets, research results or publications, as patients cannot be identified once the data is anonymised. 

 

Data Protection and Security 

 

OPC quality improvement and research support services are provided under strict data security and protection policies to assure patients, practices and researchers that we collect and use data securely and lawfully in compliance with data protection laws - the GDPR and the Data Protection Act 2018 (DPA 2018). OPC is a registered data controller with the Information Commissioner’s Office, registration number: ZA197058. 

 

OPC undertakes and complies with the NHS Data Security and Protection Toolkit (ref: 8HR85) assessment annually. The assessment ensures OPC complies with the National Data Guardian’s data security standards. 

 

OPC has ISO 27001 and ISO 9001 certification (certificate number 385342022) and UK Cyber Essentials (certificate number d8632649-8959-4fbc-8c68-4cf00770143f). This accreditation demonstrates that OPC operates in accordance with a global framework of information security and quality assurance and management. 

 

OPC staff are regularly trained on data security and protection, including compulsory annual certified training provided by NHS Digital, and NIHR certified Good Clinical Practice (GCP) training. We conduct regular checks and audits to ensure compliance with the GDPR and DPA 2018. 

 

How OPCRD receives pseudonymised data from GP practices but only provides anonymised data for research 

 

The process of how OPCRD receives pseudonymised or de-identified data from practices, but only provides anonymised data for ethics approved research is described below: 

 

• GP practice agrees to contribute their de-identified patient data to OPCRD. 

• GP practice is supported by OPC to set-up their electronic health record system to allow only patient data that has been de-identified to flow to OPC. This means patients cannot be identified from the data the GP practice sends to OPC. 

• Patients who have opted-out of data sharing are not included in data shared with OPC. 

• Data is initially stored on the OPCSD following its extraction from the GP practice then undergoes further pseudonymisation and removal of data fields before OPC transfer the data onto the OPCRD, which it maintains as data controller.  

• OPCRD has NHS research ethics approval to provide anonymised data for research purposes. 

• Researchers request to access data from OPCRD for a specific study. 

• All requests are reviewed by an independent body called ADEPT. Only research studies approved by ADEPT can access anonymised research datasets from OPCRD. 

• The de-identified data required for the approved research is anonymised before access is provided to the researcher. You cannot identify a person from anonymised data or from any results or reports from anonymised data.

• Researchers sign a limited Data Sharing/Access and Licence Agreement, which ensures researchers follow strict rules on how the data is used and for how long they can access the data.