Data protection and processing notice

What types of data do we hold?

The Clinical Practice Research Datalink (CPRD) is a centre of the Medicines and Healthcare products Regulatory Agency (MHRA). The MHRA is an executive agency of the Department of Health & Social Care (DHSC), with responsibility for regulating medicines, medical devices and blood components for transfusion in the UK. The DHSC is the legal ‘controller’ of all the data that MHRA hold. 

If you have queries about how the Agency protects and uses your personal data, please contact dataprotection@mhra.gov.uk in the first instance. You may also contact the DHSC Data Protection Officer at data_protection@dhsc.gov.uk.

Alternatively, you can contact us in writing:

Data Protection Officer
MHRA
10 South Colonnade
London
E14 4PU

Or

Data Protection Officer
DHSC
1st Floor North
39 Victoria Street
London
SW1H 0EU

In common with most organisations, CPRD holds administrative personal data such as information on staff, customers, GP practices, partners and third party suppliers. The legal basis for processing the administrative personal data that we hold is detailed on the CPRD Privacy Notice page and is covered under the privacy notices of MHRA and DHSC.

CPRD also holds and processes health data for the purposes of supporting public health and clinical research. The legal basis that enables CPRD to process health data for research is described below. 

Why do we hold and process health data?

It is vital that the medicines you use are safe and effective and the healthcare you receive is based on the best evidence available. CPRD is the UK Government’s dedicated health data research service aimed at providing evidence through research, to improve public and patient health and the delivery of healthcare.

For more than 30 years, research supported by CPRD data services has answered important medical and public health questions. See our case studies for examples of how CPRD’s anonymised health data has been used in research for patient benefit.

Over 3,000 research studies using CPRD data have been published in scientific and medical journals. Findings from these studies inform drug safety and clinical guidelines and lead to changes in everyday healthcare delivery in the NHS.

What patient data do we hold and process?

CPRD holds anonymised patient data securely shared by GP practices across the UK. To provide a more complete and accurate picture of a patient’s healthcare, CPRD also receives anonymised patient data from other sources such as hospital data from NHS England and cancer registry data from the National Disease Registration Service (formerly Public Health England (PHE)).

For details on the specific datasets that CPRD holds and processes, see our web pages on linked data and how CPRD safeguards patient data.

It is not possible to identify individual patients in any dataset that CPRD holds because CPRD never receives patient identifiable information such as name, address, NHS number or date of birth from any data source.

The patient health data that CPRD holds has been processed in accordance with the Information Commissioner’s Office (ICO) Anonymisation Code of Practice.

In England, NHS England, the statutory body legally permitted to receive identifiable patient data, collects and processes identifiable data on CPRD’s behalf to allow different datasets to be linked together. The data CPRD receives from NHS England is anonymised. For more information about how the data is anonymised and the data linkage process see the Safeguarding patient data page.

The legal bases for processing this information

The legal bases under the General Data Protection Regulation (GDPR) for CPRD holding and processing patient health data are: 

  • Medicines and medical device monitoring: Article 6(e) and Article 9(2)(i) - public interest in the area of public health
  • Medical research and statistics: Article 6(e) and Article 9(2)(j) - public interest and scientific research purposes

CPRD has legal support under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 to cover the collection and processing of patient identifiers by NHS England for dataset linkage.

Who can access CPRD data?

CPRD anonymised data can only be used by bona fide researchers for research to benefit patient and public health. Researchers and their affiliated organisations seeking access to CPRD data must undergo a rigorous approvals process.

Users of CPRD research services and anonymised data provided by CPRD include medicines and public health regulators, academic institutions, health research not-for-profit organisations, pharmaceutical and commercial clinical research organisations. You can find out more about which studies and research organisations have been approved to carried out research using CPRD data in the list of approved studies.

How long is the anonymised patient data held?

Being able to reproduce the findings of a scientific study is very important to confirm that the evidence from this research is valid. In some cases, there is a requirement for researchers to be able to access the original data used for a specific study, so that this data can be inspected by regulators at a later date. To enable reproducibility of research, CPRD maintains the original anonymised patient data used for these research studies. This data may be held indefinitely.

There is, however, a requirement for individual researchers who receive CPRD data to only hold this anonymised patient data for 12 months, or subject to approval, for a longer defined period. After this time, researchers must destroy the anonymised data provided by CPRD, but they are permitted to retain the processed analysis dataset in line with their institutional data retention policies for research audit purposes.

What GDPR data subject rights do I have?

GDPR data subject rights enable individuals to understand and make choices about how their data is used. CPRD patient data have been anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice. Because the patient data is anonymised, it is not possible for CPRD to identify any individuals from the data CPRD holds. Therefore, it is not possible for CPRD to directly support an individual’s GDPR data subject rights.

GP practices are obliged to be transparent about sharing data with others. If it is not clear which organisations your GP practice shares data with, you can ask them whether they share anonymised patient data with CPRD.

You have the right to make a complaint to the Information Commissioner’s Office through their website or their helpline 0303 123 1113.

You can opt out

You can opt out of any of your patient information being used for planning and research. Opting out of sharing your health records will not affect the direct care that you receive, though it may affect how well the NHS can operate (see below). You can find out more about the National Data Opt-out in England. If you are in Wales, Scotland or Northern Ireland and you do not want your GP practice to share this information from your health record, let your doctor know.

CPRD operates in compliance with the National Data Opt-out Policy for patients in England.

The Government depends on the data collected by CPRD to monitor drug safety and safeguard public health. If large numbers of patients or specific patient groups choose not to share anonymised health information for research, the information in CPRD will not truly represent the UK population. 

You may also wish to look at the Understanding Patient Data website for more general information about research using medical data. 

 

 
Page last reviewed