Privacy Issues

The request was successful.

Dear Medicines and Healthcare products Regulatory Agency,

re: Clinical Practice Research Datalink (CPRD)

Please can you inform me of the following.

1. who will be able to access the data?

2. what precautions have be taken to prevent data inference?

3. the audit procedures

Please also supply a data model of the dataset accessible by researchers.

Yours faithfully,

P Foomer

MHRA Customer Services, Medicines and Healthcare Products Regulatory Agency

Dear Enquirer,
 
Thank you for your enquiry to the MHRA. This automated response confirms
that we have received your email and that it will be dealt with as quickly
as possible.
 
You can expect a reply from us within a few days for a straightforward
request, however where a more detailed response or contribution from a
specialist is required this is likely to take longer; we endeavour to
respond to all requests within the Department of Health’s target response
time of 20 working days. Further information on how we handle different
requests can be found on our website at the link below:
 
[1]http://www.mhra.gov.uk/Contactus/Central...
 
The MHRA website contains a wealth of information which may assist with
your enquiry. Some of our popular pages are:
 
Clinical Trials of medicines:
 
[2]http://www.mhra.gov.uk/Howweregulate/Med...
       
Clinical Trials of medical devices:
 
[3]http://www.mhra.gov.uk/Howweregulate/Dev...
 
Manufacturer’s and wholesale dealer’s licences:

[4]http://www.mhra.gov.uk/Howweregulate/Med...
 
Registration of medical devices, opticians and dental laboratories:

[5]http://www.mhra.gov.uk/Howweregulate/Dev...
 
Reporting a side effect to a medicine:

[6]http://www.mhra.gov.uk/Safetyinformation...
 
Reporting an adverse incident involving a medical device:
 
[7]http://www.mhra.gov.uk/Safetyinformation...
 
Does my product need a licence?:

[8]http://www.mhra.gov.uk/Howweregulate/Med...
 
Reporting a counterfeit medical product:
 
[9]http://www.mhra.gov.uk/Safetyinformation...
 
Buying medicines over the internet:
 
[10]http://www.mhra.gov.uk/Safetyinformation...
 
 
If you have not heard from us after 20 working days then please contact us
on 020 3080 6000.
 
Kind regards
 
Customer Services
External Relations
Medicines and Healthcare products Regulatory Agency
 
Please note this is an automated reply; please do not respond to this
message.
 
 
 

This email and any files transmitted with it are confidential. If you are
not the intended recipient, any reading, printing, storage, disclosure,
copying or any other action taken in respect of this email is prohibited
and may be unlawful.

 

If you are not the intended recipient, please notify the sender
immediately by using the reply function and then permanently delete what
you have received.Incoming and outgoing email messages are routinely
monitored for compliance with the Department of Healths policy on the use
of electronic communications.

 

For more information on the Department of Healths email policy, click

http://www.dh.gov.uk/DHTermsAndCondition...

show quoted sections

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

References

Visible links
1. http://www.mhra.gov.uk/Contactus/Central...
2. http://www.mhra.gov.uk/Howweregulate/Med...
3. http://www.mhra.gov.uk/Howweregulate/Dev...
4. http://www.mhra.gov.uk/Howweregulate/Med...
5. http://www.mhra.gov.uk/Howweregulate/Dev...
6. http://www.mhra.gov.uk/Safetyinformation...
7. http://www.mhra.gov.uk/Safetyinformation...
8. http://www.mhra.gov.uk/Howweregulate/Med...
9. http://www.mhra.gov.uk/Safetyinformation...
10. http://www.mhra.gov.uk/Safetyinformation...

MHRA Customer Services, Medicines and Healthcare Products Regulatory Agency

Our Ref: FOI 12/345

Dear P Foomer,

RE: REQUEST UNDER THE FREEDOM OF INFORMATION ACT 2000

Thank you for your enquiry which we received on 1st September 2012.

I confirm that your request is being handled under the Freedom of Information Act and you should receive a reply within 20 working days from our date of receipt.

If you need to contact us again about this request, please quote the reference number above.

Yours Sincerely

Yvonne
Customer Services
External Relations
MHRA
Tel: 020 3080 6000

show quoted sections

Ford, Jon, Medicines and Healthcare Products Regulatory Agency

2 Attachments

Please find attached a response to your Freedom of Information Act
request, together with a further document referred to in our response.
 
 
Jon Ford
CPRD Head of Operations
020 3080 6581
 
 

This email and any files transmitted with it are confidential. If you are
not the intended recipient, any reading, printing, storage, disclosure,
copying or any other action taken in respect of this email is prohibited
and may be unlawful.

 

If you are not the intended recipient, please notify the sender
immediately by using the reply function and then permanently delete what
you have received.Incoming and outgoing email messages are routinely
monitored for compliance with the Department of Healths policy on the use
of electronic communications.

 

For more information on the Department of Healths email policy, click

http://www.dh.gov.uk/DHTermsAndCondition...

show quoted sections

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

Dear Jon Ford

Thank you for your reply.

Regarding your comments in my request regarding Data Inference, I include the following passage from the Wikipedia entry on Inference Attack.

An Inference Attack is a data mining technique performed by analyzing data in order to illegitimately gain knowledge about a subject or database.

A subject's sensitive information can be considered as leaked if an adversary can infer its real value with a high confidence.

This is an example of breached information security. An Inference attack occurs when a user is able to infer from trivial information more robust information about a database without directly accessing it.

The object of Inference attacks is to piece together information at one security level to determine a fact that should be protected at a higher security level.

This describes my intent in the original request, and look forward to your reply.

Yours sincerely,

P Foomer

nb

2. what precautions have be taken to prevent data inference?

“Data inference” is a phrase with a number of different interpretations. Could you explain what you mean by this question and I will provide you with a full response.

Ford, Jon, Medicines and Healthcare Products Regulatory Agency

Thank you for your clarification.

Firstly, there are a number of steps we take with the data itself. As I am sure you understand, we do not collect from source patient identifiers such as names, dates of birth or address details. We also remove day and month of birth, so only birth year is available (which is sufficient for most research). Patients are not identified by geographical areas any smaller than Strategic Health Authority area, which again, allows research on geographical variations in health care while reducing the risk of providing information which could be useful to an inference attack. Similarly, we remove all corresponding information about treating doctors and geographical areas of treatment. For example, if a patient were referred to a hospital, the research record would indicate a hospital referral, but not to which hospital the patient was sent. The CPRD dataset is also a sample of the whole population, covering approximately 8% of the UK population. This in itself provides a degree of protection against disclosure of the identity of a patient - if someone were searching for an individual they would not know whether they were in the dataset, or in the 92% of the population who were not. This is not, of course, any sort of protection mechanism, just a feature of the data itself.

There is, of course, an inherent issue with any research dataset - to completely remove absolutely all risk of data inference would be simple, but it would also render the data useless for the public health benefitting research we support. We therefore have some additional steps to strengthen the system without preventing research. Ours is a closed system, with strong, multi-factor authentication for users. Access is only provided to bona fide researchers, who must have a research protocol, approved by the Independent Scientific Advisory Committee for any research undertaken. All access is covered by contractually binding licence agreements which contain robust provisions prohibiting attempts to identify any patient or practice.

Jon Ford
CPRD Head of Operations
020 3080 6581

5th Floor, 151 Buckingham Palace Road,
London, SW1W 9SZ.

show quoted sections