Sharing Patient Records - UK BioBank and CPRD
Please see below response from Paul Cundy IT Lead for GPC :
You will remember we were asked to comment on invitations being received by practices to share their patient databases with CPRD (https://www.cprd.com/) . We had suggested that practices not sign up to CPRD until we had had further discussions with them.
I’m delighted to report these have been concluded, although I apologise for the repeated failed promised deadlines, these have all been entirely my fault. I will not restate the issues in detail other than to say we believe that it is safe and lawful for practices to contribute their data to CPRD. Whilst no system can ever really be 100% guaranteed secure the features of CPRD are about as secure as one could imagine and whilst there are theoretical risks we have played these out and consider them to be well below any threshold for concern.
In brief when you provide data your system supplier generates a pseudonymisation CPRD key code for each patient. They then split patient data into the clinical data plus the key, which is sent to CPRD, and demographic data plus the key, which is sent to NHSD. NHSD use the demographic data to link to any clinical data they hold. They then send that clinical data plus the key to CPRD. CPRD then use the key to link the GP sourced data and the NHSD supplied data. No free text is extracted, nor documents nor associated files, just the coded components. Opt outs, as recorded in the practices database are respected. There is a current anomaly in that the old type 2 opt outs, which are now only registered nationally via the National Data Guardian https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/ are not currently written back into GP systems. Therefore it is possible for a patient to register an NDO opt out, and if they do not tell the practice, their data will flow. however there is only a 50% annual chance of this occurring for any practice (4,200 being registered a year among 8,000practices). This will be corrected early next year.
Practices can expect CPRD to be contacting them in the future and we would encourage them to participate. They will need to carry out a DPIA and add an entry in their Article 30 processing register (CPRD will provide pre-prepared sample documents for practices to use, which we have seen and signed off). They will also need to ensure their Privacy Notices are up to date and cover the use of patient data for Research. Its highly likely that if they have adopted pre-prepared BMA privacy notices this is already covered. They should then also use their usual channels to communicate this to their patients. In this case I do not think they need to use individual messaging such as letters, texts or mails.