For more general information about preparing for GDPR please contact the Information Commissioner’s Office.
GDPR in relation to research within GP practices
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. During the past few months there have been concerns that GDPR would have a significant impact on the way that we deliver healthcare research. However, as the detail of GDPR is becoming clearer it seems that there will be limited implications for research and the Health Research Authority (HRA) has started to issue guidance to support this position.
There have been some concerns that GPs will need to seek informed consent from patients to invite them to take part in research i.e. sending out study invite letters. We have received advice from the HRA that this is NOT the case:
"For GDPR purposes, contacting patients registered with you as a GP to invite them to take part in research comes within public interest, and meets the additional requirements of public interest for access to special category data as long as the studies have HRA Approval (including REC approval where relevant) and are undertaken in accordance with the policy framework. To meet transparency requirements, information should be provided – e.g. by letting people know about this use of their records when they register. Although exemptions can apply to subject rights for research it is not a blanket exemption and in this scenario it would be reasonable to allow patients to opt out of being contacted. I.e. using records to send out mailings about future research can be an opt out and does not require explicit consent."
The final detail of GDPR is to be set out in national legislation and the Data Protection Act 2018 is yet to pass through Parliament.
The CRN Primary Care Clinical Support Team will continue to provide you with the usual level of support to deliver research in your practice and your dedicated CRN Primary Care Research Associate / Research Nurse will be on hand to discuss any issues you may have.
General Data Protection Requirements
It's important that you explain to your patients how you will be using their personal data, and what their rights are under the law. NHS organisations and GP practices are expected to link to this statement from the HRA from their webpages.
In addition, GP practices are expected to publish information about the research projects they are involved in. Such records should include details of the sponsor, allowing participants to access further information. Separate guidance is provided by the HRA here about information to be published in relation to the roles of data protection officers, information governance officers and research governance managers.
Your organisational privacy notices for staff and patients should also ensure that research is mentioned. The BMA provide useful information of how to include research in privacy notices here.
In addition, GP practices encouraged to display posters, leaflets and notices on their websites and new patient forms informing patients that they practice is research active and where they can find out more information about what this means.
Data Protection Policy