CPRD Safe End User Access Agreement

CPRD Safe End User Access Agreement (EUAA)

The use of the CPRD Safe, CPRD's Trusted Research Environment (TRE), is governed by these terms and conditions.

  1. Introduction

    1.1. Please read this EUAA carefully before you start to use CPRD Safe. The obligations set out in this EUAA are also obligations under the CPRD Licence Agreement that your organisation has signed with CPRD. Please ensure that you are familiar with the terms and conditions of your organisation's CPRD Licence Agreement before accessing and using CPRD Safe.

    1.2. Your use of CPRD Safe is also subject to your compliance with your organisation's relevant CPRD Licence Agreement(s).

    1.3. This is version 1.1 of this EUAA, which was most recently updated on 13th September 2024.

 

  1. Definitions

    2.1. The following definitions are used in this EUAA:

ACRO means Automatic Checking of Research Outputs and refers to an open-source tool for automating the statistical disclosure control (SDC) of research outputs. This tool is available to researchers within CPRD Safe.

Airlock means the mechanism within a CPRD Safe Workspace by which you may request content to be imported or exported to or from CPRD Safe.

Airlock request means a single request for content to be imported or exported to or from CPRD Safe, made by an Authorised User. 

Authorised User means an individual from an organisation who has been approved by CPRD to access CPRD Safe.

Dataset has the same meaning as set out in the CPRD Licence Agreement.

CPRD Content means the material in CPRD Safe, which may include:

i. Login details and associated information, website and portal designs, commercial data, information, text, standards, images, interactive services, reports, and any other works or materials,

ii. But excludes the dataset as defined in your CPRD Licence Agreement.

CPRD Licence Agreement means the agreement(s) which an organisation must enter into to allow access to a particular CPRD Dataset, setting out the legally binding terms which will apply to each and every occasion a dataset is accessed by you or your organisation.

CPRD Safe is the Trusted Research Environment (TRE) and secure data and research analysis platform via which approved researchers with approved projects may access and analyse CPRD healthcare data.

CPRD Safe Workspace means the secure area within the TRE where approved researchers may collaborate on an approved project.

End User Access Agreement or EUAA means this agreement (together with the documents and links referred to in it) setting out the terms and conditions on which you may use CPRD Safe.

Intellectual Property Rights has the same meaning as set out in the CPRD Licence Agreement.

Login details means the username and password which you use to access CPRD Safe.

Malware means computer viruses, trojans, worms, logic bombs, disabling code or routines, or other materials which are malicious or technologically harmful.

Organisation means the entity authorised by CPRD to access CPRD Safe after entering into a CPRD Licence Agreement.

Output Data means any data and/or content you want to extract from the CPRD Safe Workspace, and is limited to one of or a combination of: statistical summaries and aggregations with small numbers suppressed, tables, figures, reports, models, visualisations and charts, reports, and codes. The Output Data must undergo review and require approval by CPRD before its release. 

Output Checking means the process by which CPRD will review requests to export Output Data from CPRD Safe made via the Airlock.

Network provider means the provider of your network or other facility which you use to obtain internet connectivity and access.

Privacy notice means that notice identified in clause 5.1.

RDG Approved Protocol means a research protocol which has received approval via CPRD’s Research Data Governance (RDG) process.

Third-party tool(s) means certain third-party tools, products, or services (including any enhancements, upgrades or versions thereof) which we make available to you from time to time for use in the management, analysis and/or modelling of CPRD content or dataset within CPRD Safe.

Third-party tool provider means the provider of a third-party tool.

We, our, us, and CPRD are references to the Clinical Practice Research Datalink, a division of the Medicines and Healthcare products Regulatory Agency.

You or your means the personnel, contractor, agent, or authorised representative of an organisation accessing and using CPRD Safe.

 

  1. Terms of use

    3.1. This EUAA (together with the documents and links referred to in it) set out the terms and conditions on which you may use CPRD Safe.

    3.2. You may access and use CPRD Safe only: 

    i. If you are an Authorised User of CPRD Safe under an applicable valid CPRD Licence Agreement of an authorised organisation; and

    ii. You personally agree to be legally bound by this EUAA every time you access CPRD Safe; and 

    iii. As directed by CPRD, if at any time you do not agree to be legally bound by this EUAA you may not access or use CPRD Safe.

    3.3. By using CPRD Safe, you are: 

    i. Acknowledging and understanding the terms described in this EUAA (such use of CPRD Safe includes accessing, viewing, interacting with, logging in to, downloading materials or data from, uploading content to, or using CPRD Safe in any other way); and 

    ii. Confirming that you accept this EUAA and that you agree to comply with it.

  2. Changes and updates

    4.1. We may make changes at our discretion to the content and features of CPRD Safe, this EUAA, the terms and conditions applicable to any third-party tool, Appendix A, the privacy notice, and any other policies or links applicable to your use of CPRD Safe, at any time and for any reason without providing notice of those changes to you.

    4.2. Every time you wish to use CPRD Safe, please ensure that you understand and agree to the provisions that apply at the time. The date of the most current version of this EUAA is set out above in clause 1.3.

    4.3. Your access and continued use of CPRD Safe after an update has been made signifies your acceptance of those changes. Depending on the update, you may not be able to use CPRD Safe unless you have accepted any new or additional terms.

 

  1. Information about you and your use of CPRD Safe

    5.1. When you access CPRD Safe, we process information about you. We will only use your personal data in accordance with applicable data protection laws (including the UK General Data Protection Regulation and Data Protection Act 2018) and as described in our privacy notice, the purposes for which may include among other things:

    i. To ensure the safety, security, and integrity of CPRD Safe;

    ii. For the purposes of provisioning, managing, and administrating CPRD Safe;

    iii. In order to provide customer/technical support, and;

    iv. For audit and quality management purposes

    Find our privacy notice

    5.2. By using CPRD Safe you warrant that all data provided by you for verification of identity, access, and security purposes is accurate.

    5.3. You acknowledge and agree that we may collect certain usage data regarding your usage of CPRD Safe ("Usage Data") and that we shall be the owner of such Usage Data.

    5.4. Subject to the rest of this EUAA, we are responsible for managing CPRD Safe and your access to CPRD Safe and will therefore have access to any dataset and any analysis done by you within CPRD Safe.

    5.5. CPRD Safe is a private computing environment and system that CPRD control and provide clients with access to as part of our standard business activities. As such, by accessing and using CPRD Safe, you acknowledge and understand that your use of CPRD Safe may be monitored and that records pertaining to such use may be kept by CPRD, and that CPRD reserves the right to access your CPRD Safe Workspace (as defined by your CPRD Licence Agreement).  Such monitoring, record-keeping and access will always take place in accordance with applicable law and for certain specified purposes, which may include, without limitation: 

    i. Ascertaining and ensuring compliance with legal and regulatory requirements in relation to the use of CPRD Safe; 

    ii. Ascertaining and ensuring compliance with the standards of acceptable use of CPRD Safe, as set out in the CPRD Licence Agreement, this EUAA and other CPRD policies and procedures in place from time to time; 

    iii. For the purposes of preventing or detecting crime; 

    iv. For the purposes of investigating or detecting the unauthorised use of CPRD Safe; and/or 

    v. In order to secure, or as an inherent part of, the effective operation of CPRD Safe.    

  2. Freedom of information

    6.1. The CPRD, as a division of the MHRA, is subject to the provisions of the Freedom of Information Act 2000 and any requests for information relating to CPRD Safe received will be handled in accordance with MHRA policies and procedures relating to FOI requests.

 

Find our policy and other information on this topic

 

  1. Using CPRD Safe

    7.1. Your status as an Authorised User of CPRD Safe requires your Organisation to first enter into a CPRD Licence Agreement with CPRD, and then to receive our confirmation as to your status, which we may give or remove at any time at our discretion for any reason. Your Organisation must also authorise you to access CPRD Safe.

    7.2. By logging on to CPRD Safe, you confirm that you have completed and understood the relevant CPRD Safe Learning.

    7.3. As further set out in the relevant CPRD Licence Agreement, you recognise that we may on occasion need to recall and/or resupply Datasets.

    7.4. We are not responsible or liable for your compliance with any local laws, should you seek to access CPRD Safe outside of England and Wales. We may limit the availability of CPRD Safe to any person or geographic area at any time at our discretion.

    7.5. You recognise that CPRD Safe is a service with other users, and that access or capacity may on occasion be limited. You will comply with any guidance as to fair use that may be given by CPRD from time to time. You recognise that we may need to suspend or throttle usage that is in excess of fair usage at our discretion or where we consider it may impact other users.

    7.6. You may only use and save data from CPRD Safe within CPRD Safe, unless we have provided you with permission to download, use, and save that particular data in a secured location outside of CPRD Safe as set out in the applicable CPRD Licence Agreement. This permission may be granted or withdrawn in accordance with that CPRD Licence Agreement.

    7.7. Uploading your own content to CPRD Safe is only permitted where this is set out and agreed in the applicable CPRD Licence Agreement. Should you wish to upload content to CPRD Safe you must provide such content to CPRD to upload to CPRD Safe.

    7.8. Your use of any of the Third-party tools available within CPRD Safe may require you to agree to additional terms and conditions in relation to that particular Third-party tool before it may be used. Further, your use of any Third-party tool will also at all times be subject to: 

    i. CPRD making that Third-party tool available to you; 

    ii. Any controls and/or reasonable use restrictions which we put in place; 

    iii. Any existing agreements you may have with the tool provider, and 

    iv. The terms of the applicable CPRD Licence Agreement. The availability of any Third-party tool will be solely at our discretion.

  2. Accessibility and browsers

    8.1. We aim to make CPRD Safe accessible (subject to the controls) and comply with standards which should work on the majority of browsers in use. However, we offer no warranty for CPRD Safe working in any particular browser or configuration. Please note that you may see inconsistencies in the presentation of pages if you are using an older or deprecated version of a browser, or CPRD Safe may not work at all.

     

Find out more about accessibility.

 

  1. Registration, login and security

    9.1. In order to use CPRD Safe and/or access certain content, systems, or features of CPRD Safe, your organisation will first need to identify you as an Authorised User in relation to the applicable CPRD Licence Agreement. You may need to complete an online registration form and create or update login details. These login details will consist of a user identification name and password. You may be asked to provide additional information as required as part of our security procedures.

    9.2. As a minimum, passwords you use to access CPRD Safe must have a level of complexity which ensures they cannot be easily guessed by hackers or malicious software and be in accordance with government best practice.

    9.3. As a minimum each password must be at least 12 characters long and comprise at least three of the following:

    i. Lower case letters;

    ii. Upper case letter(s);

    iii. Number(s);

    iv. Special character(s).

    9.4. Your password must only be known to you. Never share your password under any circumstances.

    9.5. Do not use the same password that you are using for another account or service.

    9.6. Your passwords must not include details readily associated with you, such as your name, date of birth, address or that of your relatives.

    9.7. Do not base your passwords on the following:

    i. Organisation names, identifiers, or references;

    ii. Telephone numbers or similar all-numeric groups;

    iii. User ID, username, group ID or other system identifier or job-related title, for example: scientific, medical, accounts;

    iv. Personal characteristics that others might guess, for example: addresses, nicknames, favourite sports teams, family pets;

    v. More than three consecutive identical characters.

    9.8. We may ask you to change your login details, or manually enter your login details from time to time as a security measure. We do not recommend using biometric data (such as fingerprints or facial recognition) to store your login details if other people can also access your device using their biometric data.

    9.9. You agree to provide true, accurate, current and complete information about yourself when registering for and using CPRD Safe and you agree to keep this information up to date and accurate at all times.

    9.10. Unless directly caused by CPRD, you are responsible for, and agree to hold CPRD harmless from, any unauthorised access or changes made to your login details or account resulting from shared or unauthorised access to your device or other individuals having access to your login details.

    9.11. You must treat your login details as confidential, and you must not disclose them to anyone. If you know or suspect that anyone other than you knows your login details or that your access to CPRD Safe has been compromised, you must immediately: 

    i. Notify CPRD Enquiries by writing to enquiries@cprd.com; and 

    ii. If possible to do so, change your login details.

    9.12. If you cease to be authorised by the organisation at any time, then you must cease using your login details and accessing CPRD Safe immediately. You or your organisation are required to notify CPRD as set out in the CPRD Licence Agreement.

 

  1. Prohibited use of CPRD Safe

    10.1. You may only use CPRD Safe for lawful purposes and in accordance with this EUAA, and agree not to access without authority, interfere with, damage or disrupt: 

    i. Any part of CPRD Safe or any content or dataset found therein;

    ii. Any equipment or network on which CPRD Safe is stored;

    iii. Any software or services used in the provision of CPRD Safe; and/or

    iv. Any equipment or network or software owned or used by any third-party.

    10.2 You may not use CPRD Safe:

    i. In any way that breaches this EUAA or any applicable local, national, or international law or regulation;

    ii. In any way that breaches your organisation's applicable CPRD Licence Agreement(s);

    iii. Unlawfully, fraudulently, maliciously, or in any way that is harmful to CPRD, any Third-Party Tool Provider or other users, or that has any unlawful, fraudulent, malicious, or harmful purpose or effect;

    iv. To send, knowingly receive, upload, paste-in, download, use or re-use any material which you do not have the right to do so or which does not comply with this EUAA;

    v. To transmit, or procure the sending of any (a) unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam) or (b) bank, credit card or other financial account related data or credentials;

    vi. To knowingly send or transmit any data that contains malware;

    vii. With the Login Details of another user, or permit any unauthorised person to use your Login Details to use CPRD Safe;

    viii. In any way which would change CPRD Safe or infringe on any intellectual property rights in relation to using CPRD Safe;

    ix. In any way which attempts to unencrypt or otherwise intercept any transmission of data to or from CPRD Safe or any applicable third parties; and/or;

    x. In any way which could disable or compromise the security of CPRD Safe.

 

  1. Intellectual property rights

    11.1. The Intellectual Property Rights pertaining to your use of the Dataset are set out in your Organisation's applicable CPRD Licence Agreement.

    11.2. CPRD or its licensors own all Intellectual Property Rights in CPRD Safe and the CPRD content. Your licence to use the CPRD content is as set out in the CPRD Licence Agreement and applies whilst you are an Authorised User of CPRD Safe.

 

  1. Uploading content to CPRD Safe

    12.1. You may request content to be uploaded to CPRD Safe via the Airlock mechanism. The number of Airlock requests which can be made is restricted to 10 per CPRD Safe Workspace per day.

    12.2. You my also upload content via Gitea, subject to access controls and restrictions.

    12.3. You may not upload or attempt to upload any content of any type to CPRD Safe via any other route or mechanism. Under no circumstances may you upload any content to CPRD Safe which is not owned by your organisation, or which you are not authorised to upload on behalf of your organisation, and which has not been approved by CPRD.

    12.4. You must not upload or attempt to upload any of the following content into the CPRD: 

    i. Files containing or suspected of containing malware; 

    ii. Files containing patient or event-level data that have not been provided by CPRD; 

    iii. Files containing personal data (as defined by applicable data protection laws); 

    iv. Files that present a risk of re-identification of CPRD Data if used in conjunction with the CPRD Dataset within CPRD Safe (unless the use of these files has been specifically approved as part of a protocol approved by CPRD in line with our applicable policies and procedures).

    12.5. You will be required to provide contextual information in order to support the review of your Airlock request. We reserve the right to reject your request if you supply false, misleading, or inadequate information.

    12.6. We reserve the right to block your ability to make Airlock requests or to suspend or terminate your access to CPRD Safe in the event you make false or misleading Airlock requests, or attempt in any way to compromise or subvert the Airlock mechanism.

    12.7. For Airlock requests for importing content, CPRD aim to respond within 3 working days.

 

  1. Exporting content from CPRD Safe

    13.1. You may request Output Data to be exported from CPRD Safe via the Airlock mechanism. The number of Airlock requests which can be made is restricted to 10 per CPRD Safe Workspace per day.

    13.2 All Output Data must comply with the following Disclosure Control Rules:

    i. Be aggregated, summary results;

    ii. Follow CPRD suppression rules;

    iii. Contain only information which would be appropriate to make available in the public domain (for example in a research paper or report);

    iv. Be consistent with the RDG Approved Protocol;

    v. Be sufficiently clear and comprehensible to permit output checking without the need for dataset- or project-specific knowledge;

    vi. Be static (e.g. graphs should be submitted as fixed images (e.g.PNG);

    vii. Use a permitted file type.

    13.3. Output Data must not:

    i. Contain event or patient level data;

    ii. Contain any data that could lead to the identity of an individual or of their associated confidential information being revealed;

    iii. Contain personal data or data that is otherwise sensitive;

    iv. Contain hidden information (e.g., embedded files, comments, track changes).

    13.4. You will be required to provide contextual information in order to support the review of your Airlock request. We reserve the right to reject your request if you supply false, misleading, or inadequate information.

    13.5. We reserve the right to block your ability to make Airlock requests or to suspend or terminate your access to CPRD Safe in the event you make false or misleading Airlock requests, or attempt in any way to compromise or subvert the Airlock mechanism.

    13.6. For Airlock requests for standard Output Data involving safe statistics only (as defined in "The SACRO guide to statistical output checking"), CPRD aim to respond within 3 working days.

    13.7. For Airlock requests for Output Data involving unsafe statistics, and where ACRO has been used where appropriate, CPRD aim to respond within 5 working days.

    13.8. Airlock requests for non-standard Output Data will take longer to review. These include requests:

    i. That are exceptionally large;

    ii. Contain complex or novel methods;

    iii. Request an exception from CPRD disclosure rules, or;

    iv. Have chosen not to use automated output checking tools, where these could have been used.

    13.9. We advise users allow at least 15 working days for Airlock requests for non-standard Output Data to be reviewed or checked. This does not include the time taken to respond to any requests for clarification from the CPRD team and does not necessarily mean that outputs will be approved in that period.

 

  1. External links from CPRD Safe

    14.1. We are not responsible for the content or reliability of any external websites we may link to from CPRD Safe and do not endorse the views expressed within them. We aim to replace broken links to websites but cannot guarantee that these links will always work as we have no control over the availability of those websites.

    14.2. Due to the nature of the internet, we cannot guarantee that CPRD Safe or any websites we link to will always be available to you.

 

  1. Limitation of our liability

    15.1. CPRD's liability position in relation to this EUAA is set out in the CPRD Licence Agreement.

    15.2. For the avoidance of doubt, we will not be liable to you for any loss or damage, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising under or in connection with: 

    i. Use of, or inability to use, CPRD Safe;

    ii. Any loss in connection with any error, omission, defect, malware, or system failure.

    15.3. We will not be liable for any loss or damage caused by malware which may infect your device, computer equipment, computer programs, data or other proprietary material due to your use of CPRD Safe, or in relation to your downloading of any content or data from CPRD Safe, or on or from any third-party website linked to CPRD Safe.

    15.4. We do not assume any responsibility for the content of third-party websites which may be linked on CPRD Safe. Such links should not be interpreted as an endorsement of those linked websites. We will not be liable for any loss or damage that may arise from your use of them.

    15.5. To the extent permitted by law, we exclude all other conditions, warranties, representations or other terms which may apply to CPRD Safe or any dataset or content on it, whether express or implied.

    15.6. You agree to reimburse CPRD for any losses that we incur as a result of your: 

    i. Breach of, or failure to comply with, this EUAA; or 

    ii. Unauthorised use of CPRD Safe.

  2. Suspension/termination of use

    16.1. We do not guarantee that CPRD Safe will always be available or that your use of CPRD Safe will be uninterrupted. Access to CPRD Safe is permitted on a temporary basis.

    16.2. We may suspend, withdraw, discontinue or change all or any parts of CPRD Safe without notice and without compensation to you.

    16.3. We may, at any time, suspend or terminate your Login Details and/or use of CPRD Safe (in whole or in part) temporarily or permanently. We may do this:

    i. If we, or a third party which provides some or all of the services related to CPRD Safe, are making repairs, updates, or conducting maintenance on our tools and systems or those related to the Third-party companies or services;

    ii. If we have concerns about the security of CPRD Safe;

    iii. If we suspect that your Login Details have been compromised or used fraudulently or in an unauthorised way;

    iv. If we suspect that you may be using CPRD Safe or any Dataset in a fraudulent or unauthorised way, or in violation of this EUAA or any applicable law;

    v. If there are legal obligations which we have to meet;

    vi. If we are prevented from providing CPRD Safe for any reason beyond our reasonable control;

    vii. If you have not accessed or used CPRD Safe for a period of 12 months or more; or

    viii. For any other reason at our absolute discretion.

    16.4. We will endeavour to give you advance notice of any suspension or termination, but may not be able to do so in all circumstances. We will not provide notice to you if providing that notice would compromise our security measures or is unlawful.

    16.5. You may request the reactivation of your Login Details if we suspended or terminated your access, but we are under no obligation to do so.

    16.6. We will not be liable to you if for any reason any part of CPRD Safe is unavailable or inaccessible to you at any time or for any period.

    16.7. You can terminate your use of CPRD Safe at any time by writing to enquiries@cprd.com and by no longer using your login details. It is your responsibility to remove any saved login details from your device if you wish to terminate your use of CPRD Safe, or if you change your device or otherwise dispose of it, or if you cease to be authorised by your organisation.

    16.8. On termination of your right to use CPRD Safe, you must stop using CPRD Safe and any Third-Party tools immediately.

 

  1. Malware

    17.1. We do not guarantee or warrant that CPRD Safe will be secure or free from malware, that the functions of CPRD Safe will be uninterrupted or error free, that defects will be corrected, or represent the full functionality, accuracy, or reliability of the materials or dataset.

    17.2. You are responsible for configuring your accessing device in order to access CPRD Safe securely. You should use and maintain your own malware protection software that is fit for purpose and meets industry standards.

    17.3. You must not misuse CPRD Safe by knowingly introducing malware. You must not attempt to gain unauthorised access to CPRD Safe, the server on which CPRD Safe or related data is stored, or any server, computer or database connected to CPRD Safe. You must not attack CPRD Safe via a denial-of-service attack or a distributed denial-of service attack. Unauthorised penetration testing of CPRD Safe is strictly prohibited.

    17.4. In using CPRD Safe you are giving CPRD, or an agent or representative appointed on CPRD’s behalf, permission to: 

    i. Carry out an audit at any time and without notice to you in relation to your use of CPRD Safe; and 

    ii. Share information with your organisation in relation to that audit and its findings.

 

  1. How we may contact you

    18.1. By registering to use CPRD Safe and receiving login details, you are giving CPRD permission to contact you or your organisation from time to time by using any of the methods which you have authorised during the registration process, or as set out in the applicable CPRD Licence Agreement. You may update your preference at any time by writing to enquiries@cprd.com.

    18.2. You are responsible for keeping CPRD updated if your contact details change. We are not responsible if we are not able to contact you, or if your contact details are out of date.

 

  1. Miscellaneous

    19.1. If any part of this EUAA becomes or is held by a court to be invalid, illegal, or unenforceable, this will not affect the validity of the remaining provision which will remain in full force and effect.

    19.2. Ceasing to use CPRD Safe does not affect any provision of this EUAA, which are expressly or by implication intended to continue on in effect.

    19.3. We may transfer our rights and obligations under this EUAA to another organisation at any time and at our discretion. You may not transfer your rights or obligations to anyone else.

    19.4. No attempt by you to vary this EUAA will be valid.

    19.5. This EUAA, its subject matter and formation (and any non-contractual disputes or claims), and the use of the website, are governed by English law. We both agree to the exclusive jurisdiction of the courts of England and Wales in respect of any disputes or causes of action arising under these terms and conditions or the use of CPRD Safe.

 

  1. Contact us

    20.1. If you have any queries about the use of CPRD Safe or this EUAA, please contact CPRD by email at enquiries@cprd.com – and include the following in your email subject line: CPRD Safe - Query

 

Page last reviewed