Frequently Asked Questions

What is DECOVID?

DECOVID is a research database and a scientific endeavour. It will receive data from the electronic patient record systems of a number of hospitals. This data will be analysed in order to answer clinically important questions about how best to care for patients in hospital who are at risk of, are suspected or confirmed to have COVID-19. DECOVID also hopes to understand the impact of the pandemic on non-COVID-19 patients. DECOVID aims to ensure that a wide range of hospitals will contribute to its work so that new insights are generalizable across the UK and beyond.

What is the purpose of DECOVID research?

DECOVID aims to receive clinical data from hospitals, frequently updated, as the COVID-19 pandemic unfolds to allow researchers and clinicians to provide rapid and robust insights that could lead to more effective clinical treatment strategies for key clinical, operational and regulatory decision-makers. We also want to understand and reduce the impact on patients who do not have COVID-19.

Why is the data important?

When data from many patients are pooled, researchers and doctors can look for recurring patterns in the data, helping them develop new ways of predicting or diagnosing illness, and identify ways to improve clinical care. The information from health data is valuable in helping to understand more about disease, to develop new treatments, to monitor safety, to plan services and to evaluate NHS policy. In the response to coronavirus, it is essential that clinicians have information as quickly as possible.

Allowing researchers to analyse detailed data that is routinely collected by hospitals will let us:

• Understand which treatment options work best for patients with COVID-19 and which patients are likely to benefit from different treatment options
• Work out the best timing for helping patients breathe on their own after admission to intensive care
• Understand underlying risk factors that make it more likely that someone with COVID-19 develops other problems such as kidney or heart failure, allowing us to intervene early to try to prevent that.
• Work out how to spot more quickly patients whose condition is deteriorating

How is this going to help me, my family, or my friends?

If researchers have access to larger, more diverse datasets, it is more likely that they will find something that can help you, your family, your community or someone else who gets sick and needs hospital care. Emerging insights from researchers will be shared with clinical teams across the UK as quickly as possible, helping them to continually improve care for their patients. These insights will help with improving treatment for patients with COVID-19, which will also lead to benefits for other patients through the freeing up of hospital resources.

How will DECOVID help the NHS?

Insights from DECOVID will help hospitals treat COVID-19 patients more effectively - reducing the strain on frontline staff (both emotionally and physically) and the strain on the system as a whole. It will also research the impact of the pandemic on non-COVID patients who may have had their treatment delayed or who did not seek care when they otherwise would have. Understanding the impact of the pandemic on “normal business” will help the NHS plan for how to mitigate this impact in any future surges.

How will DECOVID work in practice?

NHS hospitals collect huge amounts of information about patients, termed “health data”. This is used to care for patients more effectively and efficiently and ensure the correct treatment or investigation is offered. The individual health data from each patient admitted during the COVID pandemic will be de-identified, so that you cannot tell who the patient is. All de-identified data will be curated and stored within a secure data safe haven within a secure Microsoft Azure cloud controlled by University Hospitals Birmingham NHS Foundation Trust. The clinical community will provide a list of questions which need answering as quickly as possible to improve patient care. Researchers, clinicians and members of the public will also be able to pose questions to DECOVID. These questions will be prioritised by a team of senior clinical experts and reviewed by a patient committee, so the most important questions are considered first. For each question, the de-identified data needed to provide an answer to that question will be picked out. A group of analysts working with clinical staff will then look at all of the de-identified data around that question to try and find an answer. The senior clinical team will “sense check” the answer, to make sure it is correct. That answer will then be forwarded to the clinical community. Patients and the public are at the heart of these processes and will sit on all senior decision making committees and review how the data is used.

Which organisations will contribute data for DECOVID?

To begin with, we are expecting only digitally mature Trusts who can easily extract electronic clinical data from their electronic patient record systems regularly to take part. By extracting data from the “back-end” of the systems, clinical staff will be able to focus on clinical care and will not have to prepare data for DECOVID. University Hospitals Birmingham NHS Foundation Trust (UHB) and University College London Hospitals NHS Foundation Trust (UCLH) are the founding NHS Trusts for DECOVID. We expect other Trusts to join DECOVID as we go forward.

Which organisations are involved in DECOVID?

• ​​​​​​University Hospitals Birmingham NHS Foundation Trust (UHB). UHB will host the data and ensure compliance with all the required standards to process and store sensitive) health data. UHB has a long track record of safely storing health data from other hospitals as part of two Health Data Research UK Health Data Research Hubs, Insight (Eye Health) and Pioneer (Acute care, or any unplanned healthcare contact). UHB has a digitally mature and comprehensive electronic medical record system, built in-house. They will be aggregating data from multiple hospitals for DECOVID using their Pioneer platform.
• University of Birmingham (UoB). The University of Birmingham is ranked amongst the world’s top 100 institutions, and its work brings people from across the world to Birmingham, including researchers and teachers and more than 6,500 international students from nearly 150 countries. Many UoB researchers will contribute to DECOVID as scientific analysts.
• University College London Hospitals NHS Foundation Trust (UCLH). UCLH is home to one of the leading Biomedical Research Centres in the UK and in the last year, has fully digitised the whole trust elevating its digital maturity. Alongside this, it has been developing EMAP, its strategic research informatics platform that provides tools for data-scientists to work with research-ready standardised individual level clinical data. DECOVID will be adopting this standard.
• University College London (UCL). UCL is consistently ranked among the top 10 universities in the world and is one of only a handful of institutions rated as having the strongest academic reputation and the broadest research impact. UCL’s community of more than 41,500 students from 150 countries and over 12,500 staff pursues academic excellence, breaks boundaries and makes a positive impact on real world problems. UCL is applying the depth and breadth of its cross-disciplinary research and expertise to help humanity recover from COVID-19 and to make the world more resilient and equitable in the future. As part of this, many world-class UCL researchers will contribute to the DECOVID project as scientific analysts.
• The Alan Turing Institute (Turing). The Turing is the UK’s national institute for data science and AI. It has a large network of leading researchers in AI, computational statistics, machine learning and data science as well as expertise in provisioning flexible, scalable data science environments and reproducible analysis pipelines with research software engineers working with analytic teams to ensure robust, reproducible, open-source tools.
• In addition, in-kind contributions for the analytics workstream are also being provied by the University of Edinburgh, UCL, Durham University, Newcastle University, London School of Hygience & Tropical Medicine, University of Oxford, MRC Harwell Institute, University of Leeds and University of Oxford.

What is the legal structure of DECOVID?

DECOVID is an HRA approved research database: DECOVID was approved by the HRA (reference 282225) and by the London - City & East Research Ethics Committee (reference 20/HRA/1689). The database is overseen by UHB but data use within DECOVID is governed by an HRA approved protocol and a legal collaborative partnership between UHB, UOB, UCL, UCLH and ATI.

How will DECOVID be managed, and is there an accountability structure in place?

DECOVID will be carefully managed with clear governance and accountability. All processes have been approved by the Health Research Authority and DECOVID will report all data access requests to the Regional Ethics Committee that approved DECOVID on an annual basis.. Data access will be under license and will meet the “5 safes” criteria. These are:

1. Safe projects - Is the requested use of the data appropriate?
2. Safe people - Can the researchers be trusted to use the data appropriately?
3. Safe data - Is there a risk that a person could be identified from the data and how can this be minimised?
4. Safe setting. - Is the data stored in a safe manner which limits the possibility for unauthorised use?
5. Safe outputs - Could the results of the analysis cause any individual to be identified and how can this be minimised?

The data license will only be granted if the 5 safes can be met.The data license will provide a legally binding framework to restrict use of the data other than for the purpose assessed and agreed in accordance with the “5 safes” criteria.. The DECOVID leadership team is responsible for how DECOVID is managed and runs. Lay summaries will be published of all data requests and results. Patient and public involvement will be a key part of DECOVID, with PPI colleagues helping make decisions about how the data is used.

Will industry, technology or commercial parties be involved in DECOVID?

At this time, no commercial or industry organisations will be permitted to access the data curated by DECOVID. Any future access by such organisations will only be permitted with the approval of both the DECOVID Data Trust Committee and the Health Research Authority (the ethics regulator for health research). Some commercial parties (such as Microsoft) have donated time and expertise to build the world-class digital research platform that meets the most stringent governance and cyber-security regulations, but they will not be permitted to access the data. Data will be uploaded to a secure and private Microsoft Azure cloud , but all data residing in the cloud will be controlled by University Hospitals Birmingham NHS Foundation Trust.

How long is this work going to last?

Whilst DECOVID is focused on the immediate emergency response to DECOVID, this project is currently due to last five years in order to research the longer-term implications of COVID-19.

How does DECOVID fit in with existing COVID-19 efforts?

There are a number of national initiatives to collect health data during the COVID-19 pandemic. DECOVID is different in a number of important ways. First, it collects very detailed data which can only be gathered from NHS Trusts and organisations with very advanced electronic health records. This includes serial measurements that are taken many times each day (such as pulse rate, blood pressure readings and oxygen levels) and all investigations and treatments, detailing what these were, in what form they were given, and when they were prescribed. This provides much more data than a single snap shot each day. Second, the data will be refreshed every 24 hours, creating a near-real time record. Third, DECOVID will collect data about all patients admitted acutely during this pandemic, ensuring that DECOVID will provide information about the impact of COVID-19 on all acute patients.

What data will DECOVID collect?

Detailed routinely collected data, updated daily, from the electronic health record systems of participating hospitals. This includes but is not restricted to:

• All vital signs (such as heart rate, breathing rate, blood pressure, temperature)
• All pathology (e.g. blood tests)
• Procedures and medication records
• Details on organ support (e.g. breathing support (ventilation) or support for a patient’s kidneys (Haemodialysis or Haemofiltration)
• Complications of illness and new diagnoses (such as heart attacks, strokes, fractures)
• Do Not Attempt Cardiopulmonary Resuscitation (DNACPR) status (i.e. whether a patient has asked that they not be resuscitated if they can no longer breathe on their own).
• Patient transfers within the hospital (e.g. between the Accident & Emergency departments, Wards and the Intensive Care Unit)
• Final outcomes: Death, adverse events, discharge including where they have been discharged to (their own home, a new social care setting etc.)

Does the data that is transferred from NHS Trusts into DECOVID contain patient identifiable information?

No. All of the data has been through a pseudonymisation process so that identifiers such as a patient’s NHS number, name, date of birth or address have been removed. Even within the database, the data is still regarded as sensitive, and so it can only be accessed for specific uses, by specific individuals, for a specific time period and adhering to licensing restrictions, as explained in the DECOVID protocol which can be found on our About page

Does the patient data used in this project relate to former or current patients?

The research database includes de-identified/ pseudonymised data from patients who were admitted to any of DECOVID’s partner NHS Trusts from 1st January 2020 until at least a year after the end of the pandemic. Some of these patients will have sadly died, some remain in hospital and some will have been discharged home.

Who owns the data?

In general, although the health data comes from individual patients (it is their health data), people’s health data about their stay in hospital is held and processed by the individual NHS hospitals - in technical terms hospitals (or rather the hospital Trust to which they belong) acts as the “Data Controller” and are responsible for how that data is stored and used.

Within DECOVID, University Hospitals Birminghamis the overall data controller, and is responsible for how DECOVID data is processed and used.

How will I know how my data is being used?

If you have been a patient at one of DECOVID’s contributing hospitals (current contributing hospitals are listed here) since January 2020 it is possible that your data is being used within DECOVID. This means your data may be helping to increase our understanding of COVID-19 infections and the impact this is having on the NHS. Your data may have answered, or may help to answer, questions that could improve patient care. Each hospital that is contributing data to DECOVID has a privacy notice which explains how data is used and you can contact your local Trust to read this. Unfortunately, we will not be able to tell you what questions your data has helped answer or solve, but a list of the questions answered and some information about what we have learnt will be available on the DECOVID website. Case studies will also be published on the DECOVID website. If you wish to remove your data from DECOVID, you need to use the NHS opt out process, which stops your de-identified health data from being used for any research question that can potentially improve patient care or healthcare processes without your explicit consent. Please see https://digital.nhs.uk/services/national-data-opt-out for more details of how to do this. Your data would then be removed from DECOVID, in line with the DECOVID protocol.

Could individual patients be identified? How will patient data be anonymised?

DECOVID takes data security and privacy very seriously. There are agreed national and international standards for processes to de-identifiy data. This includes pseudonymisation, where a private and secure link remains between your data and your identity, which allows the data to be added to if a person has another hospital admission or healthcare contact. The researchers who are permitted access to your data in line with the “5 Safes” criteria, do not have or know that link (only the NHS Trust would have this). This also includes anonymised data, where no such link exists and there is no connection between your identity and the health data. All DECOVID patient data will be de-identified and pseudonymised. There are also set procedures to ensure that potentially identifiable data is protected. For example, a postcode is used in some disease risk scores (such as the cardiovascular risk score called QRISK) and to estimate socioeconomic status, but DECOVID would never provide a researcher with a full postcode. Instead DECOVID would (in these examples) either perform the QRISK score for the researcher and give them the QRISK score or calculate the socioeconomic status score and pass the score to them. That way, identifiable information is protected.

Will industry or commercial organisations have access to my data?

No, not at this time. Only researchers at UK universities, charitable partners or from contributing hospitals will have access to your data. Researchers will only have access following a rigorous process which includes all required information governance training. Researchers will never have access to your NHS number, name or address. Any future access by any industry or commercial organisations will only be permitted with the approval of both the DECOVID Data Trust Committee and the Health Research Authority (the ethics regulator for health research).

Is there priority access for particular researchers or research groups?

No. There is a data access process which is open for any researchers (from NHS, government, charitable or academic institution) to apply to. However, there are clear standards which have to be met before data access would be considered. These include meeting the ”5 safes”, data being used for public good and approval by our Scientific Steering Committee (of national experts) and Data Trust Committee (of patient and public members).

Did patients give consent for their data to be used for research? Can they opt out and what is the rationale for using unconsented patient data?

The DECOVID database will curate health data without obtaining explicit written consent.

On what legal basis will the data be accessed?

Data accessed and processed through DECOVID will be in line with the existing, robust governance processes through the current health data custodians, and the current terms of access for the datasets.

These terms ensure that data accessed is proportionate, appropriate and done on a legitimate basis. This will only ever be done within the legal frameworks, strict parameters of the Codes of Practice and the standards set out by the National Data Guardian and regulatory bodies including the Information Commissioner's Office (ICO). The majority of data accessed will be de-identified, in line with Section 251 of the National Health Service Act, the Data Protection Act 1998 and GDPR (as well as the Public Benefit and Privacy Panel for Health in Scotland) and accessed in a Trusted Research Environment certified to ISO 27001 that only allows for the dissemination of statistical results and not the data itself. Where identifiable data is required for research purposes, only data that has been consented for research purposes will be used.

Researchers will be provided access to data through the existing processes that the data controllers have in place. This work will minimise data travel, operating in line with best practice of ‘distributed analytics’, meaning that data continues to be held in a safe environment, and researchers and innovators will analyse the data in its safe location.

How can I find out what information is being held about me?

Under General Data Protection Regulations you have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR. This guide from the Information Commissioner explains how to make a subject access request.

Who is in charge of keeping the data safe?

For DECOVID, UHB is the overall data controller and is responsible for keeping your data safe (which can be found on the UHB privacy notice). Other Trusts contributing data will control patient data from their hospitals, but overall responsibility lies with UHB. Every member of staff who works for these organisations has a legal obligation to keep information about you confidential. In the NHS, organisations maintain a duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access. For the DECOVID dataset all pseudonymised data from each contributing hospital will be held by UHB, who act as the Data Controller for the database. That means UHB is responsible for keeping your data safe within the database and will control any licenses for data access to answer research questions about the COVID pandemic. Every member of staff who works for UHB within DECOVID has a legal obligation to keep information about you confidential. Pseudonymised data will only be shared with organisations and individuals that have a legitimate and legal basis for access using an agreed data license, approved by medical, scientific and public members of DECOVID

How will data be stored and kept safe?

Research on the data is carried out in what’s known as a Trusted Research Environment or Safe Haven. These are highly secure places – either physical servers often in a locked room or on a Safe Cloud – that can only be used by researchers who have been permitted access. The aim is to enable maximum security, through multiple layers, and to minimise the risk of anyone’s data being misused. DECOVID, which is affiliated to PIONEER, will store all data securely in a Microsoft Azure cloud platform, controlled by UHB..

What are the Data Protection measures in place for this project?

During the course of the project, rigorous measures will be taken to protect the security of the anonymised data. The data may not be disclosed to anyone other than the researchers and engineers working on the project.

What processes are in place to ensure that the anonymised data transferred is only ever seen by the research team?

The anonymised data is encrypted and only accessible to a limited number of researchers who are working on this project and have been granted permission by University Hospitals Birmingham (as the Data Controller) and the DECOVID Scientific Steering Committee. Access to the data is only granted for officially approved research purposes and is automatically audited and logged. All researchers who are involved in the studies have completed NHS Digital security awareness training and information governance training.

Who will be responsible for making decisions on who can access the data?

DECOVID has an access request committee in place to make decisions on how the data will be used. This includes a Scientific Steering Committee (with a membership of clinicians, researchers and members of the public) who help prioritise which clinical questions should be looked at first ( and the Data Trust Committee of public members who see what requests are made to access the data and what the outputs of the data requests are.) These groups will always put patient privacy, safety and benefit first and we have multiple safeguards in place to ensure this happens. See the DECOVID protocol (found on our About page) for how we operate.

How do researchers get access to the data and how will this be controlled?

All requests for data access and proposals for research questions will be considered by the scientific steering committee (SSC) that will be hosted by UCL and chaired by a senior clinical academic. All founding partners and sites providing data will have a position on the SSC. Initially, the SSC will meet frequently due to the unfolding nature of the pandemic. Furthermore, unlike a standard research database where researchers come with particular research questions to request access, we plan to instead assign questions to pools of data scientists who have made themselves available during this phase of the pandemic. This activity will be coordinated by the data analysis workstream. Upon approval research groups and DECOVID project teams will be provided access to a trusted research environment and be provisioned with the appropriate data and tools to perform their analyses.

Once a researcher/research team has been granted access to a dataset, can they share this dataset with others?

No. Data access will be licensed. This means that researchers can only use the data for the purpose on the license, and not any other project. It also means that data cannot be shared. The data required to answer the research question (and only that data) is accessed within a secure area of the data safe haven, dedicated to that research question. Data does not leave this area and the area is closed after an agreed period of time or when the research question is answered (whichever is sooner). The area does not contain any health data not directly related to the research question, it is selective and sufficient; enough to answer the question but no more.

What happens if there’s a data breach?

The organisations responsible for managing the data (the ‘data custodians’) already have tried and tested data protection plans in place to respond to threats to data security, including significant data breaches or near misses. These plans are regularly reviewed by the NHS and other organisations involved as part of their commitment to cybersecurity, and their legal duty under the Data Protection Act and General Data Protection Regulations to protect people’s data. If ever there is a security breach, or a risk of a security breach, these plans will come into place and will likely involve reporting the incident to the Information Commissioners Office.

Can we be reassured that data won’t be sold for commercial purposes?

Data cannot be shared with commercial organisations and will not be sold to commercial entities.

Does the research have ethical approval?

Yes. DECOVID was approved by the HRA (reference 282225) and by the London - City & East Research Ethics Committee (reference 20/HRA/1689).

How is DECOVID considering ethical challenges?

The DECOVID team recognise that some health data is very sensitive and that difficult questions may be asked of the data. These might include sensitive diagnoses (for example, whether patients with a certain type of illness have worse outcomes during the pandemic) or about certain characteristics which might be important (for example, do people of different ethnicities have a greater susceptibility to COVID-19). Also, some diseases are very rare and by studying the impact of COVID on rare diseases, this might increase the potential for a patient to be identified. To understand and consider these ethical challenges in DECOVID processes , DECOVID discusses each data request with public and patient members of DECOVID (our Data Trust Committee) and also has experts in information governance and ethics advising us. Our work is transparent and we will publish lay summaries of both the requests for data access and the outputs of those data requests (what was learned) on our website for public viewing. Our protocol explains how data requests are considered and the role of the Data Trust Committee and is available for public review.

How will the data be governed, and how does this relate to ethical and legal frameworks for using patient data?

DECOVID processes have been defined in a protocol which has been approved by an independent ethics committee and the Health Research Authority (HRA). This includes meeting all legal requirements when operating a health data research database. DECOVID will report to the Ethics committee and HRA, including what requests for data access have been made. For more information, please see “On what legal basis will the data be accessed?” question.

How have patients been involved in the development of DECOVID?

We have patient representatives on the DECOVID project team who are advising us every step of the way and who are embedded within senior decision making processes. This includes a patient and public involvement lead and group and the Data Trust Committee, who review the requests for data access and the decisions made within DECOVID. Our patient representatives are involved to ensure that the health data in DECOVID is used ethically and responsibly for the direct benefit of UK patients and the public, UHB has discussed specifically the use of de-identified data without explicit consent, with >300 members of the population, including > 40 children aged between 13 and 17 (as the national data opt out includes children aged 13 and over) to understand how the public would like DECOVID to run.

The results of this consultation are that the following percentage of patients would be happy for their de-identified health data to be used, without their explicit consent in the following circumstances:

• 99% for research which improves NHS services

• 98% for research undertaken by healthcare staff

• 97% for research undertaken by academic staff not connected to the NHS

These initial consultations have informed the design for DECOVID and provided a structure for meaningful PPI/E within DECOVID

As part of PIONEER Patient and Public Involvement, 168 members of the public, patients and healthcare providers were asked to consider which parts of healthcare provision needed most improvement. They identified unplanned healthcare contacts, the inclusivity of research to address both acute health concerns of ageing, multi-morbid patients and to improve healthcare in geographical areas of greatest need. Improvements in acute care were regarded as the main priority for health innovation. The same 168 people were asked for their thoughts on health data use. with 99% of participants happy for their pseudonymised health data to be used in research for patient benefit by non-NHS and academic institutions,and 96% happy for their health data to be used in non-health related research for public benefit. 100% of participants were happy to have their de-identified health data to be accessed by NHS staff not directly involved in their care; 98% by academic researchers not involved in the NHS and 96% by industry, if the data would improve health or care for other patients or members of the population.

How can I take part?

COVID -19 is a national and international emergency that our health data can help solve. We would like patients and the public to contribute to this as much as possible.

What will you do with the results of the research?

The DECOVID teams will be publishing the findings in peer-reviewed journals, informing policy-makers, writing blogs, as well as developing tools to be used. For all findings, the relevant code will always be attached so that other researchers can replicate and reproduce any of the findings

Will DECOVID findings be shared with other countries?

Yes. This is an international challenge and it is important that we work as a global community to help each other. However, even though we will be sharing the knowledge gained from DECOVID, your personal data will not leave the UK. Instead we will share aggregated data (averages such as the average age of people admitted to hospital with COVID-19, the average length of stay in hospital, the most useful treatments). This is how all data is reported in published papers and summaries, so that individual identity is protected.

How will the success of DECOVID be measured?

DECOVID will be successful if we provide insights which improve how we care for patients. This includes understanding more about the viral disease, the impact of COVID-19 on non-COVID-infected patients, what works to improve outcomes, what doesn’t work and should be avoided. DECOVID is also a new way of working, bringing clinicians, scientists and data analysts together in a data environment where the data is constantly refreshed and renewed to reflect the changing face of this pandemic. This is exciting, and provides “real time” insights, but is also a real challenge. Big data projects have not always worked in the UK, but we are making huge progress. We see this as being a potential “gold standard” way of working moving forward, where we can learn as much as possible from our health data, in a controlled, publicly transparent, patient supported and carefully governed framework.

COVID-19 is currently ongoing – how quickly do you anticipate there will be findings that could lead to changes? How will this be disseminated and put into practice across the NHS?

Any insights into patient care need to come quickly, but they also need to be correct. This means answers need to be checked. However, we expect to have our first questions answered within the next few weeks. These findings will be published and publically accessible. to ensure as many people as possible – including policy makers and other Trusts –have access to the new knowledge. An important part of this is to share how the new knowledge was generated (by sharing code and analytic techniques). The sharing of code and analytic techniques will allow other people to replicate our work on their own data, and therefore check what we have found. This collaborative and transparent way of working ensures any changes to clinical care have been assessed in different environments and are right. We will also update our website with new knowledge and case studies so everyone can follow our progress.