Safeguarding Patient Data


Protecting the confidentiality of patient data is paramount. CPRD uses multiple steps to ensure the patient data we receive from GP practices is not identifiable and that the anonymised data we supply is used to benefit public health and improve patient care.

  • We never receive patient identifiable information from GP practices or from any other source - specifically CPRD never collects patient NHS number, name, full date of birth, address or free text medical notes
  • Only de-identified coded patient data flows from the practice to CPRD
  • Annual ethics approval   is obtained to receive and supply patient data for public health research
  • GP practices choose to contribute their patients’ de-identified data to CPRD
  • Individual patients can opt-out of contributing data to CPRD
  • Research requests to access the data held by CPRD are reviewed by an Independent Scientific Advisory Committee (ISAC)
  • Only bona fide researchers carrying out public health studies can receive the data
  • Following ISAC approval, data is further encrypted before it is released to researchers as an anonymised dataset
  • Contractual controls ensure researchers adhere to robust terms and conditions governing data use

The data flows and governance for CPRD to supply anonymised data for research are summarised in Figure 1.

Figure 1: Processes enabling CPRD to securely receive de-identified data from GP practices and provide anonymised data for public health research

CPRD Process

Linking English primary care data to other datasets

The ability to link primary care data to other health datasets such as secondary care and disease registries greatly expands the scope of important clinical questions that can be addressed with the data. CPRD has been supplying primary care data from GP practices in England linked to other datasets, for many years using the securely governed process below:

  • Each year CPRD must receive section 251   regulatory approval granted by the Health Research Authority to supply anonymised linked data for public health research
  • Data linkage is enabled by NHS Digital  , the statutory body in England legally permitted to receive identifiable patient data
  • For linkage to occur, patient identifiers from GP practices (NHS number, date of birth, postcode and gender) and from the dataset to be linked are sent to NHS Digital
  • NHS Digital matches the patient identifiers from the two datasets to generate an encrypted linker key that does not contain any patient identifiers
  • NHS Digital sends the encrypted key to CPRD which enables CPRD to link the de-identified datasets
  • CPRD never receives patient identifiable data from GP practices or from NHS Digital
  • Access to linked data for public health research purposes must be approved by ISAC
  • Following ISAC approval, data is further encrypted before it is released to researchers as an anonymised dataset
  • Following ISAC approval, linked data is further encrypted by CPRD before being sent to researchers as an anonymised dataset

The data flows and governance to enable data linkage in England is shown in Figure 2

Figure 2: Linkage process and approvals required for CPRD to provide anonymised data for public health research

CPRD Linkage Process

As part of agreeing to contribute patient data to CPRD, English GP practices must consent to their patients’ data being linked using the process described above.

CPRD can only link data from English GP practices. GP practices in Scotland, Wales and Northern Ireland just need to consent to CPRD extracting de-identified patient data as outlined in Figure 1 above.

For more information, email or call 020 3080 7206.