The General Practitioners Committee (GPC) has now concluded a review of the management and use of patient data by the Clinical Practice Research Datalink (CPRD). The GPC are content that practices can safely and lawfully share data with the CPRD.
The GPC carried out tests on a number of theoretical risks and considered them to be below any threshold of concern. There is a significant pseudonymisation and key data process to protect patient identity and data security during the process used by the CPRD. No free text, documents or associated files are extracted from records.
Known opt-outs are not processed, but there is still a slight anomaly with old type 2 opt-outs, which are now only registered nationally via the National Data Opt-Out. As these are not currently written back into practice systems, a patient could register an opt-out in this way and still have their data used if they do not tell their practice. The GPC state that this anomaly will be corrected early next year.
If CPRD do contact your practice, you should:
- Complete a DPIA (Data Protection Impact Assessment)
- Add an entry in your ROPA (Record of Processing Activities)
- Ensure your privacy notices are up to date and cover the use of patient data for research purposes
- Communicate to your patients through the practice’s usual channels that you share data with CPRD for research purposes
CPRD will provide pre-prepared sample documents for practices to use when they contact the practice, which the GPC have seen and signed off.
Further information on CPRD can be found here.
Last updated: 23 Oct 2019