The Research Group processes only pseudonymised information for the Disease Surveillance Programme. The information collected are clinical records of diseases needed for the surveillance programme, including records of vaccines, risk factors, laboratory confirmations of influenza, co-morbidities, and basic Demographic and geographical characteristics such as age, sex, NHS Region, ethnicity, deprivation, urban/rural living.

There are specific RCGP RSC/PHE mandated and ethically approved projects where patient identifiable information are processed. For example, projects that require linkage of the pseudonymised data of the RCGP RSC network with laboratory results of respiratory virological samples collected by the general practices, or with the data of NHS hospital episode statistics in system-wide analysis which use patient identifiable information for successful data linkage.

The RCGP RSC has been providing reports weekly about health and diseases in the Weekly Returns Service (WRS) since1964. The WRS monitors the number of patients consulting with new episodes of illness classified by diagnosis in England, and provides weekly incidence rates per 100,000 population for these new episodes of illness.

When data is transferred to the Research Group’s dedicated Structured Query Language (SQL) server, the Research Group’s Senior SQL Developer checks that the transfer process is successful by running validation queries as appropriate (e.g. check-sum), and document any relevant information/history associated with the file transfer.

For the purpose of the RCGP RSC Diseases Surveillance Programme, we produce weekly reports on 37 conditions. The Research Group initially creates a data table in SQL that contains all the relevant variables, which is then imported into Tableau (a data visualisation software) which turns the patient level data into results tables and graphs. These tables and graphs can be quickly refreshed weekly within Tableau with up-dated information. An example of other weekly reports we have completed recently is the adverse events of interest (AEIs) after vaccination reports.

Associated staff members of the Research Group, and students and trainee doctors on placements in the Research Group can also apply to the RCGP RSC for access to the pseudonymised data in ethically approved studies congruent with the purposed for which the data is collected. All such researches are conducted within the secure network of the Research Group. An example of a recent study is the examination of the prescription trends for people with atrial fibrillation.

The Public Health England commissioned Disease Surveillance Programme is supported by Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 to process patient identifiable information without consent.

Generally the Research Group processes personal and sensitive data under the legal basis of medical research or public interest. Medical research to answer legitimate research questions in the public interest is justified under schedule 1, sections 2 – 4 of the Data Protection Act 2018 and in the presence of appropriate data subject safeguards.  In specific research projects where patient identifiable information is processed (e.g. for the purpose of data linkage with other healthcare data bases), the legal basis is consent or approval for exemption under Section 251 of the NHS Act 2006.

In general research data are archived in the Research Group’s secure and private server for 10 year after the completion of the project in accordance with the Research Data Management policy of the University.  Unless there are prior patient consent or Section 251 of the NHS Act 2006 approval, only pseudonymised data of the Disease Surveillance Programme will be retained.

Person identifiable data, where used in specific projects with appropriate approvals, are used only for a brief duration within the secure network of the Research Group for the specific purpose of de-identification and data linkage.  All interim files created during the de-identification process containing strong identifiers will be irreversibly deleted immediately after the de-identification process.

Only pseudonymised data of the Disease Surveillance Programme will be retained. In general research data are archived in the Research Group’s secure and private server for 10 year after the completion of the project in accordance with the Research Data Management policy of the University.

Person identifiable data, where used in specific projects with appropriate approvals, are used only for a brief duration within the secure network of the Research Group for the specific purpose of de-identification and data linkage. Unless there are prior patient consent or Section 251 of the NHS Act 2006 approval, all interim files created during the de-identification process containing strong identifiers will be irreversibly deleted immediately after the de-identification process.

The RCGP RSC and the Research Group are co-data controllers of the Disease Surveillance Programme. Patient level pseudonymised data is accessible to the immediate project team who are authorised to work on the data from secure workstations within the secure network. Patient level pseudonymised data held in the secure servers of the Research Group will not be shared with other organisations.

The Research Group communicates the findings of the Disease Surveillance Programme to PHE, RSCP RSC in weekly reports (http://www.rcgp.org.uk/clinical-and-research/our-programmes/research-and-surveillance-centre.aspx). The findings may also be published in healthcare journals or conference presentation for the wider clinical and academic communities. Individual patients or practices will not be identified in these reports or publications without specific written consent.

The data sources for the RCGP RSC Diseases Surveillance Programme are information recorded routinely as part of clinical care in general practices of the RCGP RSC network. We have no need to update these clinical records. The Research Group, however, maintains an auditable trail for all the stages of data processing to ensure the integrity of the data are not compromised by the processing.

Patients who declined to share their data for research are excluded from the extraction process. The decision to opt-out can only be superseded where patient has given written consent to share their data for specific projects. There are, however some exemptions in exceptional circumstances such as a pandemic where PHE is required to monitor diseases as a national emergency.

General Data Protection Regulation (GDPR) gives you the following rights: -

The right to be informed
The right of access
The right to rectification
The right to erase/ right to be forgotten
The right to restrict processing
The right to data portability
The right to object
The Rights in relation to automated decision making and profiling

(Please note that many of these rights do not apply when the data is being used for research purposes, but the Research Group will respond to concerns or queries that you may have. For more information about these rights please see: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/)

Please contact the University's Data Protection Officer, Suzie Mereweather, s.mereweather@surrey.ac.uk,if:

• you would like to report a data security breach (e.g. if you think your personal data has been lost or disclosed inappropriately),
• you would like to complain about how the Research Group has used your data.

You also have the right to complain to the Information Commissioner who is the regulator for data protection in the UK: https://ico.org.uk/global/contact-us/

If you require further details of any aspects of this notice, please contact: -