The Observer recently published a story claiming that patient data from GP surgeries is being sold to American pharmaceutical companies. That article was followed by an editorial arguing that any plans to give US companies access to patient data in a post-Brexit trade deal must be prevented.  

Stories like this understandably raise a lot of concern about privacy, transparency and accountability for how patient data is used. Here’s our statement outlining what we think are important lessons to learn from this reporting.  

Is GP data being sold? 

The service the story refers to is the Clinical Practice Research Datalink (CPRD). It’s part of the Department for Health and Social Care and run by the Medicines and Healthcare Products Regulatory Agency, which collects de-identified patient data from a network of GPs in the UK that have signed up to the service.

For over 30 years, academics, researchers and private companies have paid for licenses to access CPRD data for research. This is the meaning of ‘data being sold’ in the article. Uses of CPRD data include research on drug safety, effectiveness of health policy and disease risk factors, which are critical to effective performance of our health systems and monitoring for unanticipated adverse drug effects.2  

Greater transparency and accountability 

People are increasingly aware that data about them is used by a range of organisations, and use of health data is unsurprisingly contentious. Data custodians need to do a better job of explaining how they allow access to data, and how this is monitored in practice. So do the organisations who access that data.  

In this case, responsibility to ensure that patients are aware of how data may be used, and what choices patients have, lies with both GP surgeries and CPRD. Information provided by both parties needs to be accurate, fully comprehensive and easily accessible. 

We know commercial access to NHS data is a sensitive topic. So it’s essential that data controllers are explicit about what kinds of commercial access are allowed and why, and how the restrictions on data use are checked and enforced.  

Politics and patient data 

In this reporting, the data practices of the CPRD have been conflated with wider discussions about the role of NHS data in a potential trade deal with the US. These are separate issues.  

The CPRD is setup to allow access to linked primary care data, granted under specific licenses. It is fair to say that these arrangements have not been transparent enough, and that steps are needed to improve accountability. But the intention is very different from “a free flow of data” through a trade deal.3  

Combining these two issues in light of a General Election fuels a polarising political argument about the future of the NHS. Instead, we should be focusing on the very real issues at stake for patient data: how to increase engagement with patients, improve transparency and integrity in data management, and enable better use of data to save lives.  

Research can bring benefits to patients and the NHS, but democratic accountability is essential. Understanding Patient Data will continue to push for better engagement with patients about how data is used and for data custodians to demonstrate how they can be trusted to manage health data. 



“De-identified” data is data that has had identifying information removed but may still constitute personal data as defined under data protection law. There are lawful bases for collecting and using this data under both GDPR and the NHS Act (2006) (a ‘section 251’ approval). 

To give a specific example, data held by the CPRD was used in the development of the whooping cough vaccine for pregnant women. CPRD data was used to monitor the safety and effectiveness of the vaccine after the programme was introduced. As a result of the research, all GPs and maternity services now offer vaccination to all pregnant mothers from 20 weeks. 

Last week, a leak of papers documenting discussions between UK and US officials over a post-Brexit trade deal showed that the “free flow of data” was a “top priority” for the US.