Data security and protection

OPCRD-NEXUS platform is securely hosted by Harvey Walsh Limited, a registered data controller with the Information Commissioner’s Office, registration number: Z9575186. OPC is also a registered data controller with the Information Commissioner’s Office, registration number: ZA197058. OPCRD-NEXUS is protected from unauthorised access, damage or loss, and maintained with industry level security under Harvey Walsh ISO Information Security Standard 27001 Certification.

OPC and Harvey Walsh comply with the NHS Data Security and Protection Toolkit assessment once every year, which is published for transparency. The assessment ensures that we comply with the National Data Guardian’s 10 Data Security Standards, including protection of patient confidentiality and respect for patient data rights.

OPCRD-NEXUS does not receive any data for patients who have expressed that their data should not be shared, including those who have opted-out through the National Data Opt-out Policy in England.

How OPCRD links data from GP practices to other datasets such as hospital data

When we link primary care data from GP practices who contribute to OPCRD with hospital care data, the linked data is held in a secure platform called OPCRD-NEXUS. The platform is hosted by Harvey Walsh Limited.
The process of how we link GP data and hospital data using England as an example, is described below:

● As part of agreeing to contribute patient data to OPCRD, practices also consent to their patients’ data being linked for research purposes.
● OPCRD must get Section 251 approval from the Confidentiality Advisory Group for Harvey Walsh and NHS Digital to process patient identifiers from GP practices for the sole purpose of linking OPCRD primary care (GP) data to hospital data.
● GP practices send a secure file containing only patient identifiers (NHS number, date of birth and sex) to Harvey Walsh, who collect the files from many practices and send it to NHS Digital.
● NHS Digital conduct a match for the patient identifiers in hospital datasets and then provide only de-identified hospital data for the requested patient identifiers.
● NHS Digital then send the de-identified hospital data to Harvey Walsh.
● Harvey Walsh also receive de-identified GP data from OPCRD.
● Harvey Walsh join link the GP data and hospital data to form the GP-Hospital linked dataset, which is then stored securely in OPCRD-NEXUS.
● Researchers request to access to the linked data for a specific study. All requests from researchers to gain access to linked data must be approved by an independent body called ADEPT – the Anonymised Data Ethics and Protocol Transparency committee.
● The linked data is completely anonymised following ADEPT approval before it is provided to the researcher for a limited a period of time. You cannot identify a patient from anonymised data or from any results or reports from anonymised data.
● OPCRD-NEXUS never receives patient-identifiable information from GP practices or from NHS Digital at any stage during this process.

If you have any queries or feedback, or you have a complaint, please contact us:

Optimum Patient Care Limited
5 Coles Lane, Oakington, Cambridge, CB24 3BA

Phone: 01223 967 855