The GPC has just concluded a review of the management and use of patient data by the Clinical Practice Research Datalink (CPRD). The GPC are now content that practices can safely and lawfully share data with the CPRD.
The GPC carried out tests on a number of theoretical risks and considered them to be below any threshold of concern. There is a significant amount of key data process to protect patient identity and data security during the process used by the CPRD. No free text, documents or associated files are extracted from records.
Known opt-outs are not processed but there is still a slight anomaly with old Type 2 opt-outs, which are now only registered nationally via the National Data Opt-Out. As these are not currently written back into practice systems, there is a possibility for a patient to register and opt-out in this way and have their data used if they do not inform their practice. Preferrably in writing. The GPC state that this anomaly will be corrected early in 2020. If CPRD do contact your practice, you should:-
- complete a DPIA (Data Protection Impact Assessment)
- add an entry in your ROPA (Record of Processing Activities)
- ensure your privacy notices are up to date
- communicate to your patients through the practices usual channels that you share data with CPRD for research purposes.