CPRD operates under a range of UK and European Laws as well as NHS and other Guidelines. These taken together form a complete, well documented and governed process from the NHS clinical data to the desk of a researcher. Not only does CPRD work with anonymised data it also has in place - Charters, Privacy Enhancing Technologies, physical security measures, legal arrangements, contracts of employment, Standard Operating Procedures and rights of audit. All our work is subject to both ongoing and annual reviews.
All research undertaken using data obtained from CPRD is approved by, as appropriate, an ethics committee, a scientific committee and the National Information Governance Board Ethics and Confidentiality Committee.
We have detailed arrangements with each Data source/Data Controller that clearly defines the way CPRD will operate and what it will do to protect both patient and healthcare professional confidentiality. It also makes it clear that CPRD does not rely on anonymisation of data as it is recognised that healthcare data is potentially disclosive only.
Privacy Enhancing Technologies
CPRD uses methods of anonymisation at more than one point in the process when making data available for a research project. Data sent from the clinical dataset to the research dataset are always split in a way that maximises data confidentiality. Researchers can only access key datasets via the use of robust, industry standard security systems including a passphrase which changes every 30 seconds and installing a CPRD certificate on the computers of researchers who are authorised users. This ensures we always know where and by whom data is used.
Physical security measures
When data is trasmitted and/or stored, CPRD operates measures that ensure protection of the data at the highest level. A tier 3 Datacentre is used to store all data. This Datacentre meets the full requirements for managing and storing such important data and security measures are regulary reviewed and audited.
Every research user is under a legal agreement that details the responsibility placed upon the research organisation and their researchers for appropriate use of the data.
Contracts of employment
All CPRD staff are under contracts of employment that require them to abide by the highest standards of confidentiality. All staff are also required to confirm on a regular basis that they understand their responsibilities in relation to data security and confidentiality.
Standard Operating Procedures (SOPs)
CPRD operates under a comprehensive set of Standard Operating Procedures (SOPs) which mandate exactly how each stage in the process of making data available for research must be undertaken. SOPs are reviewed on a regular basis and compliance is mandatory and continuously monitored.
Rights of audit
CPRD has via its contractual agreements, the right of audit on any researcher or research organisation using CPRD data in order to ensure compliance with legal requirements.