Sharing Patient Records - UK BioBank and CPRD
Please see below response from Paul Cundy IT Lead for GPC :
I am aware that practices may recently have had communications about sharing their patient records with either or both UK BioBank and CPRD. Both are highly respected research organisations.
UK BioBank is a genomic study following a cohort of patients recruited up to 2010. On average each practice is likely to have 60 patients in the scheme. The entire patient record is shared. It is consent based. CPRD’s approach is to link large health data sources and then provide extracts for researchers in an anonymous or pseudonymous form. It currently has records on 35 million patients. It operates under an exemption for the common law duty of confidentiality and, for GDPR, probably relies on the processing for ‘research purposes’ lawful basis (this is a non-consented lawful basis). The entire practice patient database, except those who have opted out, is shared.
In both schemes they will be accessing the records via the practices GPSoC core clinical supplier.
As the data controller of the patients’ records the practice has responsibilities under GDPR. Some of those responsibilities are clear and have already been communicated; updating Privacy Notices, Processing Registers and doing a DPIA (which must be done before any sharing takes place). Other aspects are not as clear because of the data controller / data processor relationships.
In addition GP data controllers have responsibilities to ensure processing remains transparent whenever there is a change in data sharing arrangements. We are in the process of clarifying with the ICO if this places any additional responsibilities on practices and hope to be able to offer definitive advice soon.
However in the meantime we recommend that practices do not agree to either scheme unless they are clear that they have fully complied with their GDPR responsibilities.