Data Sharing – Was COPI Trustworthy?

In March 2020 NHS Digital issued a series of Control Of Patient Information (COPI) notice that required NHS Digital to share confidential patient information with organisations entitled to process this under COPI for COVID-19 purposes.

Now that we are a couple of years on – how trustworthy was this approach – let’s have a look at the (available) data.

There have been 5 extensions of the COPI regulations:
March 2020 – September 2020
July 2020 – March 2021
January 2021 – September 2021
August 2021 – March 2022
February 2022 – June 2022

The use of data was defined as follows:
A Covid-19 Purpose includes but is not limited to the following:
– understanding Covid-19 and risks to public health, trends in Covid-19 and such risks, and controlling and preventing the spread of Covid-19 and such risks;
– processing to support the NHS Test and Trace programme;
– identifying and understanding information about patients or potential patients with or at risk of Covid-19, information about incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from Covid-19;
– understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19 and the availability and capacity of those services or that care;
– monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services;
– delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with Covid-19, including the provision of information, fit notes and the provision of health care and adult social care services;
– research and planning in relation to Covid-19

Given the hullabaloo around GPDPR and GP data sharing (GP Data Sharing – Dr that was halted after local and national campaigns, there was concern around how COPI could be trusted.

So – back to COPI – all these notices were published on NHS Digitals website:
Control of patient information (COPI) notice – NHS Digital

The process discussed and circulated widely was that it would not extend beyond June 2022 – but lo and behold – just in the trustworthy nature of government handling of data – another regulation notice was published – but this time not on the NHS Digital website – but on the site where the notice was extended to October 2022.
Coronavirus (COVID-19): notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 – GOV.UK (

So let’s have a look at the data uses up until July 2022 – with the NHS Digital published COPI notices.

Data Agreement uses
There were 3386 Uses defined on the register.

When you look at the data closely, out of these 3386 data uses, 8% – so 278 uses were for commercial processes……………..
Is this transparent and trustworthy?

Sensitive Data Requests
So let’s look more closely at the use.
Of the 3386 agreements, there were 26176 dataset requests.
Some of these were identifiable – and some contained sensitive patient data.

So of the 5424 identifiable dataset requests, 76% were sensitive data requests.

And these dataset releases were not just one offs – they were also ongoing in some instances.

In total there were 46814 dataset releases.

with a significant data release (46%) that was sensitive

OptOut Applications
But of course we have the data opt out that patients have been submitting forms for so that their data security would be honoured. Was this trustworthy?

So Opt outs were honoured IN ONLY 18% OF DATA RELEASES.

Which means that they were BYPASSED IN 82% DATA RELEASES.

So, even though the new process and COPI arrangements under are specifically stated to be approved projects through OpenSAFELY, it remains to be seen how much Trust has been eroded and how much Trust will be maintained.

You be the judge of whether your data is secure and protected and was processed in a transparent way from March 2020.

Leave a Reply

Your email address will not be published. Required fields are marked *