Privacy notice

Who we are 

The Clinical Practice Research Datalink (CPRD) data services are delivered by the Medicines and Healthcare products Regulatory Agency (MHRA), an executive agency of the Department of Health and Social Care (DHSC), which regulates medicines, medical devices and blood components for transfusion in the UK. The DHSC is the legal ‘controller’ of the data which we hold.

This is information for researchers, GP practices and users of this website about how we use administrative forms of personal data you have provided to us when using this website. For researchers, this may include the electronic research applications portal (eRAP), the CPRD data access portal, and the Trusted Research Environment (TRE). 

Information about administrative personal data that we hold can be found in the MHRA and DHSC privacy notices.

Information about medical research data can be found on the Data protection and processing notice page of the CPRD website.

What data we collect from you through this website 

The personal data we collect from users of this website may include:

  • The IP address, and any other online identifiers you use to access, and its related portals and systems
  • The URLs of any of our web pages which you visit and the time of your visit


We use cookies to measure how you use the website so it can be updated and improved.

We use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

Data collected by Google Analytics may be transferred outside the EEA for processing. A Google Analytics opt-out browser add-on is available.

When you visit you will be notified that we use cookies and asked whether you are happy to accept this or choose to Decline. You will regularly receive prompts about this preference.

If you choose Decline, we will still use necessary cookies so that our site works.

You can find out more about how to manage cookies on the Information Commissioner’s Office (ICO) website.

Professional contact details 

The additional personal data we collect from researchers and GP practices who complete a form or contact CPRD will include:

  • Your name and title
  • Your email address
  • Your organisation name
  • Your job title at the organisation
  • Your phone number

The legal basis for processing this data is the performance of a task carried out in the public interest or in the exercise of official authority vested in DHSC or its executive agency, the MHRA.

Log Data

The additional personal data we collect from researchers who use the Trusted Research Environment (TRE) will include:

  • Date and time of system access
  • Record of activities carried out in the TRE

The legal basis for processing this data is the legitimate interests of the CPRD, as a centre of the DHSC’s executive agency the MHRA, to prevent unauthorised system access to confidential data, and ensure the secure and effective operation of the CPRD TRE in line with legal and regulatory requirements. More information is provided in the End User Access Agreement, which researchers must read and accept prior to TRE system access. 

What we do with your data 

We use your data to respond to your enquiry.

We also use administrative data from GPs and GP practices as part of the process of joining CPRD and contributing patient data for research. Find out more on the What we do with GP information web page

We use contact information for responsible individuals at research centres undertaking studies using CPRD data, both to arrange, support, and control use of that information under contract or licence and to vet applications for access to CPRD and related data.

We use log data collected in the TRE, and linked to individual user accounts and IP addresses, to prevent unauthorised system access, ensure contractual compliance and compliance with legal and regulatory requirements, and secure the effective operation of the CPRD TRE. 

Information about medical research data can be found on the Data protection and processing notice page of the CPRD website.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime. We may use service providers in the course of our activities, and we ensure we have contracts in place with our processors to keep secure all personal data they process on our behalf. 

How long we keep your data

We will retain your personal data for as long as you are contributing data to CPRD or have an enquiry or customer account with CPRD. We will delete your data in line with the MHRA Records Retention Policy or as required by legal, regulatory, operational, or accounting requirements. 

Log data collected specifically as part of TRE system use, will be retained in accordance with CPRD policies and procedures relating to the use of the TRE. Data may be retained for longer if we are required to do so by law, for example to prevent fraud or other crime, or to further any investigation into unauthorised system use. 

Where your data is processed and stored

We make sure that your data is as safe as possible at any stage, both while it is processed and when it is stored. Your personal data is only stored in the United Kingdom (UK) or European Economic Area (EEA).

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect about you. We also make sure that any third parties that we deal with have an obligation to keep secure all personal data they process on our behalf.

What are your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data - this copy will be provided in a structured, commonly used and machine-readable format
  • that anything inaccurate in your personal data is corrected immediately

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • ask that the processing of your personal data is restricted in certain circumstances

If you have any of these requests, get in contact with our Data Protection Officer - you can find their contact details below.

Changes to this notice

We may modify or amend this privacy notice at our discretion at any time. When we make changes to this notice, we will amend the last modified date at the bottom of this page. Any modification or amendment to this privacy notice will be applied to you and your data as of that revision date. We encourage you to periodically review this privacy notice to be informed about how we are protecting your data.

Questions and complaints

If you have queries about how the Agency protects and uses your personal data, please contact in the first instance. You may also contact the DHSC Data Protection Officer at

Alternatively, you can contact us in writing:

Data Protection Officer
10 South Colonnade
E14 4PU


Data Protection Officer
1st Floor North
39 Victoria Street

You have the right to make a complaint to the Information Commissioner’s Office through their website or their helpline 0303 123 1113.

Page last reviewed