
[Figure: OPCRD data flow. Labels: GP Practice Agreement; OPCRD Pseudonymized Patient Data; Data Sharing & Licence Agreement; ADEPT Approval; Anonymised Research Data]

OPCRD holds pseudonymised patient data from consented GP practices receiving the OPC Quality Improvement programmes and research support services or “OPC Services”. OPCRD does not hold any patient identifiable or sensitive clinical information. OPCRD does not hold data for patients who have expressed that their data should not be shared, including those who have opted out via the National Data Opt-out scheme in England.
Pseudonymised data is collected from the electronic health records (EHR) of contributing practices using secure extraction software installed on-site at the practices. The software de-identifies patient records and removes all confidential patient details (e.g. NHS number, name, date of birth, postcode). Each patient’s NHS, CHI, or HCN number is securely and irreversibly hashed with a salt key using SHA256 and encrypted with AES-256 to generate a pseudonym.
Prior to transferring the data into OPCRD, the pseudonym is replaced with an integer-based ID that is generated for each data subject, thereby safeguarding patient confidentiality. OPCRD’s data is stored on a secure server in the UK. Access to the OPCRD is controlled at an individual user-level, combined with a permission-based system configuration. All OPC staff, contractors, and clients who access the data from OPCRD are required to have data protection training.
Pseudonymised OPCRD data required for research is fully anonymised before it is provided to the researcher. Additional security and data protection protocols are put in place to anonymise the data when a client receives unlimited access to their own client database derived from OPCRD.
Ethically Approved Research
OPCRD only provides data for ethically approved research. Research must be approved by the Anonymised Data Ethics and Protocol Transparency committee (ADEPT) before receiving data.
Data Protection Assurance
OPCRD operates under strict data security and protection policies in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA).
Optimum Patient Care (OPC) is a registered data controller with the Information Commissioner’s Office, registration number: ZA197058.
OPC undertakes and complies with the NHS Data Security and Protection Toolkit (ref: 8HR85) assessment annually. The assessment ensures compliance with the National Data Guardian’s (NDG) Data Security Standards.
OPC has ISO 27001 and ISO 9001 certification (certificate number 385342022). This accreditation demonstrates that OPC operates in accordance with a global framework of information security and quality assurance and management.
OPC employees and contractors are regularly trained on data security and protection (annually) and Good Clinical Practice (every 2 years).

