What is DECOVID?
What is the purpose of DECOVID research?
Why is the data important?
Allowing researchers to analyse detailed data that is routinely collected by hospitals will let us:
Understand which treatment options work best for patients with COVID-19 and which patients are likely to benefit from different treatment options
Work out the best timing for helping patients breathe on their own after admission to intensive care
Understand underlying risk factors that make it more likely that someone with COVID-19 develops other problems such as kidney or heart failure, allowing us to intervene early to try to prevent that.
Work out how to spot more quickly patients whose condition is deteriorating
How is this going to help me, my family, or my friends?
How will DECOVID help the NHS?
How will DECOVID work in practice?
NHS hospitals collect huge amounts of information about patients, termed “health data”. This is used to care for patients more effectively and efficiently and ensure the correct treatment or investigation is offered. The individual health data from each patient admitted during the COVID pandemic is de-identified, so that you cannot tell who the patient is. All de-identified data is being curated and stored within a secure data safe haven controlled by University Hospitals Birmingham NHS Foundation Trust. The clinical community have provided a list of questions, which need answering to improve patient care. These questions were prioritised by a team of senior clinical experts and reviewed by a patient committee, so the most important questions were considered first. For each question, the de-identified data needed to provide an answer to that question has been picked out. A group of analysts working with clinical staff are now looking at all of the de-identified data around that question to try and find an answer. The senior clinical team will “sense check” the answer, to make sure it is correct. That answer will then be forwarded to the clinical community. Patients and the public are at the heart of these processes and will sit on all senior decision making committees and review how the data is used.
Which organisations contribute data for DECOVID?
Which organisations are involved in DECOVID?
University Hospitals Birmingham NHS Foundation Trust (UHB). UHB hosts the data and ensure compliance with all the required standards to process and store sensitive) health data. UHB has a long track record of safely storing health data from other hospitals as part of two Health Data Research UK Health Data Research Hubs, Insight (Eye Health) and Pioneer (Acute care, or any unplanned healthcare contact). UHB has a digitally mature and comprehensive electronic medical record system, built in-house.
University of Birmingham (UoB). The University of Birmingham is ranked amongst the world’s top 100 institutions, and its work brings people from across the world to Birmingham, including researchers and teachers and more than 6,500 international students from nearly 150 countries.
University College London Hospitals NHS Foundation Trust (UCLH). UCLH is home to one of the leading Biomedical Research Centres in the UK and in the last year, has fully digitised the whole trust elevating its digital maturity. Alongside this, it has been developing EMAP, its strategic research informatics platform that provides tools for data-scientists to work with research-ready standardised individual level clinical data.
University College London (UCL). UCL is consistently ranked among the top 10 universities in the world and is one of only a handful of institutions rated as having the strongest academic reputation and the broadest research impact. UCL’s community of more than 41,500 students from 150 countries and over 12,500 staff pursue academic excellence, breaks boundaries and makes a positive impact on real world problems. UCL is applying the depth and breadth of its cross-disciplinary research and expertise to help humanity recover from COVID-19 and to make the world more resilient and equitable in the future.
The Alan Turing Institute (Turing). The Turing is the UK’s national institute for data science and AI. It has a large network of leading researchers in AI, computational statistics, machine learning and data science as well as expertise in provisioning flexible, scalable data science environments and reproducible analysis pipelines with research software engineers working with analytic teams to ensure robust, reproducible, open-source tools.
In addition, in-kind contributions for the analytics workstream are also being provided by the University of Edinburgh, UCL, Durham University, Newcastle University, London School of Hygiene & Tropical Medicine, , MRC Harwell Institute, University of Leeds and University of Oxford.
What is the legal structure of DECOVID?
How will DECOVID managed, and is there an accountability structure in place?
DECOVID is carefully managed with clear governance and accountability. All processes have been approved by the Health Research Authority and DECOVID will report all data access requests to the Regional Ethics Committee that approved DECOVID on an annual basis. Data access will be under license and will meet the “5 safes” criteria. These are:
Safe projects - Is the requested use of the data appropriate?
Safe people - Can the researchers be trusted to use the data appropriately?
Safe data - Is there a risk that a person could be identified from the data and how can this be minimised?
Safe setting. - Is the data stored in a safe manner which limits the possibility for unauthorised use?
Safe outputs - Could the results of the analysis cause any individual to be identified and how can this be minimised?
Data licenses have been granted for projects where the 5 safes are met.
The data license provides a legally binding framework to restrict use of the data other than for the purpose assessed and agreed in accordance with the “5 safes” criteria. The DECOVID leadership team is responsible for how DECOVID is managed and runs. Lay summaries will be published of all data requests and results. Patient and public involvement will be a key part of DECOVID, with PPI colleagues helping make decisions about how the data is used.
Will industry, technology or commercial parties be involved in DECOVID?
How long is this work going to last?
How does DECOVID fit in with existing COVID-19 efforts?
There are a number of national initiatives to collect health data during the COVID-19 pandemic. DECOVID is different in a number of important ways. First, it collects very detailed data which can only be gathered from NHS Trusts and organisations with very advanced electronic health records. This includes serial measurements that are taken many times each day (such as pulse rate, blood pressure readings and oxygen levels) and all investigations and treatments, detailing what these were, in what form they were given, and when they were prescribed. This provides much more data than a single snap shot each day. Second, the data will be refreshed every 24 hours, creating a near-real time record. Third, DECOVID will collect data about all patients admitted acutely during this pandemic, ensuring that DECOVID will provide information about the impact of COVID-19 on all acute patients.
What data will DECOVID collect?
All vital signs (such as heart rate, breathing rate, blood pressure, temperature)
All pathology (e.g. blood tests)
Procedures and medication records
Details on organ support (e.g. breathing support (ventilation) or support for a patient’s kidneys (Haemodialysis or Haemofiltration)
Complications of illness and new diagnoses (such as heart attacks, strokes, fractures)
Do Not Attempt Cardiopulmonary Resuscitation (DNACPR) status (i.e. whether a patient has asked that they not be resuscitated if they can no longer breathe on their own).
Patient transfers within the hospital (e.g. between the Accident & Emergency departments, Wards and the Intensive Care Unit)
Final outcomes: Death, adverse events, discharge including where they have been discharged to (their own home, a new social care setting etc.)
Does the data that is transferred from NHS Trusts into DECOVID contain patient identifiable information?
No. All of the data has been through a pseudonymisation process so that identifiers such as a patient’s NHS number, name, date of birth or address have been removed. Even within the database, the data is still regarded as sensitive, and so it can only be accessed for specific uses, by specific individuals, for a specific time period and adhering to licensing restrictions, as explained in the DECOVID protocol which can be found on our About page
Does the patient data used in this project relate to former or current patients?
Who owns the data?
In general, although the health data comes from individual patients (it is their health data), people’s health data about their stay in hospital is held and processed by the individual NHS hospitals - in technical terms hospitals (or rather the hospital Trust to which they belong) acts as the “Data Controller” and are responsible for how that data is stored and used.
Within DECOVID, University Hospitals Birminghamis the overall data controller, and is responsible for how DECOVID data is processed and used.
How will I know how my data is being used?
Could individual patients be identified? How will patient data be anonymised?
DECOVID takes data security and privacy very seriously. There are agreed national and international standards for processes to de-identifiy data. This includes pseudonymisation, where a private and secure link remains between your data and your identity, which allows the data to be added to if a person has another hospital admission or healthcare contact. The researchers who are permitted access to your data in line with the “5 Safes” criteria, do not have or know that link (only the NHS Trust would have this). This also includes anonymised data, where no such link exists and there is no connection between your identity and the health data. All DECOVID patient data will be de-identified and pseudonymised. There are also set procedures to ensure that potentially identifiable data is protected. For example, a postcode is used in some disease risk scores (such as the cardiovascular risk score called QRISK) and to estimate socioeconomic status, but DECOVID would never provide a researcher with a full postcode. Instead DECOVID would (in these examples) either perform the QRISK score for the researcher and give them the QRISK score or calculate the socioeconomic status score and pass the score to them. That way, identifiable information is protected.
Will industry or commercial organisations have access to my data?
Is there priority access for particular researchers or research groups?
Did patients give consent for their data to be used for research? Can they opt out and what is the rationale for using unconsented patient data?
The DECOVID database will curate health data without obtaining explicit written consent.
- Include people who may not have capacity to consent so that the COVID-related health journeys of more vulnerable adults also have the potential to benefit from innovation. Delirium appears common in older people with COVID-19 infection. Currently, visitors are restricted in NHS hospitals, so there will be no ability to gain consent from relatives, and the distressing nature of COVID-19 infections places an undue burden on relatives if their agreement was sought for study participation.
- Include data from patients who have died. Mortality for admitted patients with COVID-19 is high. We wish to include data from people who have died following COVID-19 infections. Mortality is also expected to go up from non-COVID-19 related health complaints, and so data from non-COVID-19 patients will also be critical to understanding the impact of COVID-19.
- Include a population that is fully representative of the patient population, which cannot be achieved from usual research cohorts.
- Include as many people as possible. We need to include all patients who have had a COVID-19 related unplanned, emergency contact across the UK to understand the burden of this pandemic and its long-term effects. However, it is recognised that the COVID-19 pandemic will impact on non-COVID related health outcomes as well, as resources are diverted from standard clinical care. There is a need to understand and map both impacts. There is also great interest, in time, in including international datasets, so we can benchmark our services and outcomes against the best and worst performing sites internationally, to learn where our services can be improved. Including these numbers is vital to allow an in-depth study of the impact of COVID-19 on health care across the nation, which can provide national and international insight into COVID-19-associated care challenges.
- The scale of these data and the inclusion of data from people who have died prevent the gaining of informed consent for data use, as would be the usual standard. No additional data to that collected as part of standard of care is requested and all data will be accessed to fulfil the research request in a format where patient identification is extremely unlikely by the researcher.
- If a person wishes to remove their health data from DECOVID, they need to use the NHS opt out process, which stops that person’s de-identified health data from being used for any research question that can potentially improve patient care or healthcare processes without their explicit consent. Please see https://digital.nhs.uk/services/national-data-opt-out for more detials of how to do this. Their NHS number would show that they had “opted out” and their health data would then be removed from DECOVID, in line with the DECOVID protocol which can be found on our About page
On what legal basis will the data be accessed?
These terms ensure that data accessed is proportionate, appropriate and done on a legitimate basis. This will only ever be done within the legal frameworks, strict parameters of the Codes of Practice and the standards set out by the National Data Guardian and regulatory bodies including the Information Commissioner's Office (ICO). The majority of data accessed will be de-identified, in line with Section 251 of the National Health Service Act, the Data Protection Act 1998 and GDPR (as well as the Public Benefit and Privacy Panel for Health in Scotland) and accessed in a Trusted Research Environment certified to ISO 27001 that only allows for the dissemination of statistical results and not the data itself. Where identifiable data is required for research purposes, only data that has been consented for research purposes will be used.
Researchers will be provided access to data through the existing processes that the data controllers have in place. This work will minimise data travel, operating in line with best practice of ‘distributed analytics’, meaning that data continues to be held in a safe environment, and researchers and innovators will analyse the data in its safe location.
How can I find out what information is being held about me?
Under General Data Protection Regulations you have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR. This guide from the Information Commissioner explains how to make a subject access request.
On what legal basis will the data be accessed?
Data accessed and processed through DECOVID will be in line with the existing, robust governance processes through the current health data custodians, and the current terms of access for the datasets.
These terms ensure that data accessed is proportionate, appropriate and done on a legitimate basis. This will only ever be done within the legal frameworks, strict parameters of the Codes of Practice and the standards set out by the National Data Guardian and regulatory bodies including the Information Commissioner's Office (ICO). The majority of data accessed will be de-identified, in line with Section 251 of the National Health Service Act, the Data Protection Act 1998 and GDPR (as well as the Public Benefit and Privacy Panel for Health in Scotland) and accessed in a Trusted Research Environment certified to ISO 27001 that only allows for the dissemination of statistical results and not the data itself.
Researchers have been provided access to data through the existing processes that the data controllers have in place. This work minimises data travel, operating in line with best practice of ‘distributed analytics’, meaning that data continues to be held in a safe environment, and researchers and innovators will analyse the data in its safe location.
Safety & Security
Who is in charge of keeping the data safe?
For DECOVID, UHB is the overall data controller and is responsible for keeping your data safe (which can be found on the UHB privacy notice). Other Trusts contributing data will control patient data from their hospitals, but overall responsibility lies with UHB. Every member of staff who works for these organisations has a legal obligation to keep information about you confidential. In the NHS, organisations maintain a duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access. For the DECOVID dataset all pseudonymised data from each contributing hospital will be held by UHB, who act as the Data Controller for the database. That means UHB is responsible for keeping your data safe within the database and will control any licenses for data access to answer research questions about the COVID pandemic. Every member of staff who works for UHB within DECOVID has a legal obligation to keep information about you confidential. Pseudonymised data will only be shared with organisations and individuals that have a legitimate and legal basis for access using an agreed data license, approved by medical, scientific and public members of DECOVID
How will data be stored and kept safe?
What are the Data Protection measures in place for this project?
What processes are in place to ensure that the anonymised data transferred is only ever seen by the research team?
Who will be responsible for making decisions on who can access the data?
How do researchers get access to the data and how will this be controlled?
Once a researcher/research team has been granted access to a dataset, can they share this dataset with others?
What happens if there’s a data breach?
Can we be reassured that data won’t be sold for commercial purposes?
Patient Involvement & Ethics
Does the research have ethical approval?
Yes. DECOVID was approved by the HRA (reference 282225) and by the London - City & East Research Ethics Committee (reference 20/HRA/1689).
How is DECOVID considering ethical challenges?
The DECOVID team recognise that some health data is very sensitive and that difficult questions may be asked of the data. To understand and consider these ethical challenges in DECOVID processes, DECOVID discussed each data request with public and patient members of DECOVID (our Data Trust Committee) and also experts in information governance and ethics. Our work is transparent and we have published lay summaries of both the requests for data access and (once available) the outputs of those data requests (what was learned) on our website for public viewing. Our protocol explains how data requests are considered and the role of the Data Trust Committee and is available for public review.
How will the data be governed, and how does this relate to ethical and legal frameworks for using patient data?
How have patients been involved in the development of DECOVID?
The results of this consultation are that the following percentage of patients would be happy for their de-identified health data to be used, without their explicit consent in the following circumstances:
99% for research which improves NHS services
98% for research undertaken by healthcare staff
97% for research undertaken by academic staff not connected to the NHS
These initial consultations have informed the design for DECOVID and provided a structure for meaningful PPI/E within DECOVID
As part of PIONEER Patient and Public Involvement, 168 members of the public, patients and healthcare providers were asked to consider which parts of healthcare provision needed most improvement. They identified unplanned healthcare contacts, the inclusivity of research to address both acute health concerns of ageing, multi-morbid patients and to improve healthcare in geographical areas of greatest need. Improvements in acute care were regarded as the main priority for health innovation. The same 168 people were asked for their thoughts on health data use. with 99% of participants happy for their pseudonymised health data to be used in research for patient benefit by non-NHS and academic institutions,and 96% happy for their health data to be used in non-health related research for public benefit. 100% of participants were happy to have their de-identified health data to be accessed by NHS staff not directly involved in their care; 98% by academic researchers not involved in the NHS and 96% by industry, if the data would improve health or care for other patients or members of the population.
How can I take part?
COVID -19 is a national and international emergency that our health data can help solve.
You can see if your hospital is taking part in DECOVID on our website.
As DECOVID is answering the final questions posed by the clinical community, there will be no further public events until the results are available. We are also now closed to further questions. However, we will flag the results of the last data analyses on the website, with lay summaries of results.