Privacy notice: How we use administrative forms of personal data

Who we are 

The Clinical Practice Research Datalink (CPRD) is a centre of the Medicines and Healthcare products Regulatory Agency (MHRA), an executive agency of the Department of Health and Social Care (DHSC), which regulates medicines, medical devices and blood components for transfusion in the UK. The DHSC is the legal ‘controller’ of the data which we hold.

This is information for researchers, GP practices and users of this website about how we use administrative forms of personal data you have provided to us when using this website.

Information about medical research data can be found on the Transparency information page of the CPRD website.

What data we collect from you through this website 

The personal data we collect from users of this web-site will include:

  • The IP address you use to access cprd.com
  • The URLs of any of our web-pages which you visit and the time of your visit

We use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behavior patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

We use cookies to measure how you use the website so it can be updated and improved. Find out more about how to manage cookies.

The additional personal data we collect from researchers and GP practices who complete a form or contact CPRD will include:

  • Your name and title
  • Your email address
  • Your organisation name
  • Your job title at the organisation
  • Your phone number

The legal basis for processing this data is the performance of a task carried out in the public interest or in the exercise of official authority vested in DHSC or its executive agency, the MHRA.

What we do with your data 

We use your data to respond to your enquiry.

We also use administrative data from GPs and GP practices as part of the process of joining CPRD and contributing patient data for research. Find out more on the What we do with GP information web page

We use contact information for responsible individuals at research centres undertaking studies using CPRD data, both to arrange, support, and control use of that information under contract or licence and to vet applications for access to CPRD and related data (particularly CVs and past experience for chief and principal investigators).

Information about medical research data can be found on the Transparency information page of the CPRD website.

We will not:

  • sell or rent your data to third parties
  • share your data with third parties for marketing purposes

We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

How long we keep your data

We will retain your personal data for as long as you are contributing data to CPRD or have an enquiry or customer account with CPRD. We will delete your data in line with the MHRA Records Retention Policy or as required by law – typically, 8 years after any enquiry is closed or contract terminated.

Where your data is processed and stored

We make sure that your data is as safe as possible at any stage, both while it is processed and when it is stored. Your personal data is only stored in the European Economic Area (EEA).

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect about you. We also make sure that any third parties that we deal with have an obligation to keep secure all personal data they process on our behalf.

What are your rights

You have the right to request:

  • information about how your personal data is processed
  • a copy of that personal data - this copy will be provided in a structured, commonly used and machine-readable format
  • that anything inaccurate in your personal data is corrected immediately

You can also:

  • raise an objection about how your personal data is processed
  • request that your personal data is erased if there is no longer a justification for it
  • ask that the processing of your personal data is restricted in certain circumstances

If you have any of these requests, get in contact with our Data Protection Officer - you can find their contact details below.

Changes to this notice

We may modify or amend this privacy notice at our discretion at any time. When we make changes to this notice, we will amend the last modified date at the bottom of this page. Any modification or amendment to this privacy notice will be applied to you and your data as of that revision date. We encourage you to periodically review this privacy notice to be informed about how we are protecting your data.

Questions and complaints

Contact our Data Protection Officer if you either:

  • have any questions about anything in this document
  • think that your personal data has been misused or mishandled

Data Protection Officer
DHSC
1st Floor North
39 Victoria Street
London
SW1H 0EU

or at data_protection@dh.gsi.gov.uk

You may also make a complaint to the Information Commissioner, who is an independent regulator.

The Information Commissioner
casework@ico.org.uk
0303 123 1113

Or by post at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

[Page last reviewed 24 September 2018]