NHS England has now released the national Data Protection Impact Assessment and Data Sharing Agreement for the expansion of OpenSAFELY. This means the requirement for practices to activate the OpenSAFELY module within their clinical system is now live.
What this means for practices
OpenSAFELY has been developed to support research, audit and surveillance within a secure environment that sits inside GP systems. It uses a privacy by design model. Patient level data does not leave the GP system. Queries are run within the system itself and only aggregate, anonymised outputs are released. Practices remain data controllers for the records they hold.
The national Data Provision Notice has now been issued. All practices are required to enable OpenSAFELY within the timescale set out. For most systems this involves confirming acceptance within the clinical system workflow. Once accepted, no further local action is needed to make the module available.
Why this has become mandatory
The earlier communication described a forthcoming requirement. Activation has now become mandatory because NHS England has completed the necessary privacy and governance work. The release of the DPIA and DSA removes the need for practices to produce their own local documentation.
What practices should do now
- Activate OpenSAFELY within your clinical system when prompted
- Update your practice privacy notice if required using the national template
- Ensure your information asset register reflects the addition of OpenSAFELY
- Contact us if you have specific concerns about local implementation