Transformation Directorate

NCCID privacy notice

This page provides data privacy information relating to the National COVID-19 Chest Imaging Database (NCCID) and artificial intelligence (AI) validation programmes at the NHS AI lab.

The NCCID programme is committed to abiding by all relevant UK data protection laws and will be open and transparent in how we use your personal information. This privacy notice provides information relating to your personal information along with how we collect, use and share your data to support the programme.

Data controllers

NHS England and the Department of Health and Social Care are “joint data controllers”. This means that we are jointly responsible for deciding the purpose for processing and use of personal information about you.

Under data protection legislation, we are required to explain to you why we process information about you, how we intend to use that information and whether we will share your information with anyone else. This statement tells you how the information we collect from you, or which you provide to us, will be processed by us.

Data required for non direct care purposes is de-identified at the point of data collection.

NHS England registered address:

NHS England London
Skipton House
80 London Road

DHSC registered address:

Department of Health and Social Care
1st Floor North
39 Victoria Street

Purposes for processing

National COVID-19 Chest Imaging Database (NCCID) comprises chest X-ray, CT and MR images and other relevant information of patients with suspected COVID-19. The database has been created to enable the development and validation of automated analysis technologies that may prove effective in supporting COVID-19 care pathways, and to accelerate research projects to better understand the disease.

This is to support a better understanding of the COVID-19 virus and develop technology which will enable the best care for patients hospitalised with a severe infection. Personal data is required for understanding clinical patterns of the disease and to improve the efficacy and accuracy of technology tools.

Categories of personal data

The information we will process for these purposes includes:

  • demographic information (age, gender, pseudonymised NHS or Community Health Index (CHI) number, ethnicity)
  • clinical information pertaining to coronavirus-related care and outcomes
  • clinical information pertaining to wider health conditions, investigation results, and the clinical information contained in this COVID-19 data (positive) template.

The processing will involve the collection of an extensive amount of de-identified patient data and will affect many subjects. As the number of patients suspected of having COVID-19 will increase, so will the number of patients whose data (X-Ray, CT or MR images and relevant healthcare records) will be included in the database.

The personal data is limited to the medical information required for the purposes of this programme.

Third parties

Formal interaction with third parties (for example companies who would be interested in participating in the AI validation programme to test the performance of their AI models) will be collected on the validation qualification form.

Name, email address and individual or organisational details are collected to allow formal interaction with relevant individuals or organisations. Participants or third parties will have choice over participation and control over the disclosure of this information.

Sources of the data

We collect your personal data for this purpose from hospital sites by Royal Surrey NHS Foundation Trust (RSNFT) on their infrastructure (for England, Wales and Northern Ireland).

Data from Scotland will be collected through a link with the Health Informatics Centre (HIC) at the University of Dundee.

Data is collected from the linkages of the data in the database to additional clinically relevant information held in other research and clinical databases. The linkages include NHS intensive care or relevant datasets containing information about the healthcare of patients with COVID-19 at hospitals and trust sites. This includes the International Severe Acute Respiratory and Emerging Infection Consortium (ISARIC) database for the collection of the NCCID clinical variables through the ISARIC database, avoiding duplication of activities for research nurses.

Please note: personal data (de-identified at the point of collection) will be collected from the participating hospitals and trusts, from the electronic patient record without needing to ask the data subject directly. (Control of Patient Information (COPI) Notice and Public Benefit and Privacy Panel (PBPP) application 2021-0018 for Scottish data)

Categories of recipients

Your personal data is received and used by Royal Surrey NHS Foundation Trust Health Informatics Centre (HIC).

Royal Surrey NHS Foundation Trust HIC, receives and processes the data. Royal Surrey NHS Foundation Trust HIC will act as the data processor.

The de-identified data will be made available to researchers, clinicians, technology companies and all those wanting to investigate the disease and develop solutions that can support the COVID-19 patient care pathway. A formal and stringent application process is in place to review data access requests. The process is managed and monitored to comply with Data and Security Standards and Data Access Framework.

Retention period

The pseudonymised data will be retained for the duration of the COVID-19 emergency and to support research and development in response to the COVID-19 crisis. Data from Scotland can be retained until 1 February 2022 (or 18 months after the approval of the Public Benefit and Privacy Panel (PBPP) 2021-0018).

The data collected from the NCCID users (who access NCCID test datasets for their studies and research) and the data collected from the AI validation programme from third parties will be retained for one year.

Patient safety and privacy

Patients’ privacy will be safeguarded at every stage of the process and data will only be used for creating tools to support health and social care.

Clinical data and images are de-identified (also known as pseudonymised) at the point of upload. This means that no patient identifiable information will leave hospital sites. The pseudonymised images become part of datasets that can be used to trial new AI technologies and to validate, or prove the accuracy, of existing ones.

We have worked with the relevant regulatory and advisory bodies to ensure the safety of data and to verify the significant value of the AI Lab’s imaging database projects.

Legal basis for processing

For GDPR purposes NHS England’s basis for lawful processing is Article 6(1)(e) – ‘…exercise of official authority…’.

For special categories (health) data the bases are:

  • Article 9(2)(h) - ‘…health or social care…’;
  • Article 9(2)(i) - ‘…public health…’;
  • Article 9(2)(j) - ‘…archiving…research…or statistical purposes…’.

Our basis to process confidential patient information, setting aside the duty of confidence, is regulation 3(4) of the Health Service (Control of Patient Information Notice) Regulations 2002 (COPI), which were made under section 251 of the NHS Act 2006.

Your rights

If you have any questions about our use of your personal data, you are welcome to contact us. You will find our contact details at the bottom of this page. If you notice any errors in your personal data, you have the right to have them corrected.

Under certain circumstances, you have rights under data protection laws in relation to your personal data.

You can request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it

You can request correction of the personal information that we hold about you - This enables you to have any incomplete or inaccurate information we hold about you corrected

You can request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)

You can object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground

You can request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it

You can request the transfer of your personal information to another party. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Protection Officer in writing

Links to other websites

Our services may contain links to other websites of interest outside the NHS England and NHS Transformation Directorate websites. This privacy policy only applies to NHS England and NHS Transformation Directorate websites, systems and services, and doesn’t cover other websites and services that we may link to. You should exercise caution and look at the privacy statement applicable to the website or service in question.

Our Data Protection Officer

Our Data Protection Officer is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws. If you have any concerns or questions about our use of your personal data, you can contact our Data Protection Officer by emailing

Changes to this privacy notice

We may amend this privacy notice at any time so please review it frequently and at least each time you submit personal information to us. The date at the top of this page will be amended each time this policy is updated. Our current privacy notice applies to all information that we have about you and your account.

Right to complain to the Information Commissioner’s Office (ICO)

You also have the right to complain to the Information Commissioner’s Office (the “ICO”) if you are not satisfied with the way we use your information. You can contact the ICO by writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF