Research privacy notice

As a GP Practice, we feel that research is essential for progress in healthcare and is of considerable benefit to individual patients and the public as a whole. We regularly take part in research studies with the help of experienced NHS staff who search medical records for people who might be suitable so that we can write to them asking if they are interested in taking part. A formal agreement is in place with North Cumbria Integrated Care NHS Foundation Trust; their staff (led by Dr Stacey Fisher, Research GP), who have appropriate contractual arrangements with our GP Practice, assist us in carrying out these activities. Overall, we are bound to operate in line with the principles of Article 89(1) of UK GDPR General Data Protection Regulation and Chapter 2 section 19 of the Data Protection Act 2018.

1) Data Controller contact details

Please see the main privacy notice for the GP practice, or contact the surgery directly for this information

2) Data Protection Office contact details

Please see the main privacy notice for the GP practice, or contact the surgery directly for this information

3) Purpose of the sharing

Medical research

4) Lawful basis for processing or sharing

Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are; Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”


Article 6(1)€ may apply “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”


Article 9(2)(i) – “processing is necessary for…scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union of Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.

5) Recipient or categories of recipients of the shared data

Use and sharing of information for research purposes

Sometimes your information may be requested to be used for research purposes – we will always ask your permission before releasing your information for this  purpose. We may also use external companies to process personal information, such as for sending out bulk postal invites (see below for further information) or for archiving purposes.

These companies are bound by contractual agreements to ensure information is kept confidential and secure, and will only be utilised for research studies approved by the Health Research Authority (HRA). Our GP practice has signed up to the Clinical Practice Research Datalink (CPRD), a UK Government initiative. CPRD is a Government organisation that provides anonymised patient data for research to improve patient and public health. Identifiable data flows to NHS Digital but you cannot be
identified from the information sent to CPRD.

Furthermore, we contribute to the Royal College of GPs Research and Surveillance Centre (RCGP RSC). This initiative helps to keep track of the trends for certain diseases (including infectious diseases such as flu and COVID-19).

Access the full NHS Privacy statement on the Information Commissioner’s Office website.

Third party involvement for postal services (Docmail)

Our GP practice uses a mailing company called Docmail to handle some mailings to patients. Typically this is for bulk mailings such as the invitations to attend the flu clinics where it is difficult to accommodate the administrative work involved without affecting our ability to serve patients. This is permissible under guidance from both the Information Commissioner’s Office (ICO) and the Department of Health (DoH) subject to the provisions of the Data Protection Act. For Health Research Authority approved research studies, Docmail may also be used if it concerns bulk postal invites that involves hundreds or thousands of mailings.

What is Docmail?

Docmail is provided by CFH Docmail Ltd a secure print and mailing company which provides print and mailing services for Local Government, GPs, Dentists, Medical Practices, Schools, Exam Boards and Banks etc. throughout the UK. The system can be found online at . The system allows us to upload a letter template and mailing data for the patients we want to write to via a secure web portal. Docmail has achieved a 100% rating in the Department of Health’s Information Governance Toolkit Assessment for 2014-2015 and we meet with the terms and conditions of the DH Information Governance Assurance Statement.
Docmail’s own privacy policy can be viewed on their website.

The Information Commissioners Office (ICO) issued guidance in February 2012 for organisations that outsource some of its data processing to a third party. The Data Protection Act allows outsourcing to take place but stipulates certain conditions
that must be met for it to be compliant. Where a data processor is used the data controller (the GP practice) must ensure that suitable security arrangements are in place in order to comply with the seven data protection principles.

Docmail can only act in accordance with instructions from our GP practice, i.e. they can only print and mail letters in accordance with data provided by us – this is typically only a patient’s name and address. They are not able to do anything else with that data and the data they received from the GP practice needs to be deleted within a stipulated time period: 28 days after the mailing, or 60 days if patients are invited to return a reply back to Docmail.

6) Rights to object

You do not have to consent to your data being used for research. You can change your mind and withdraw your consent at any time and opt out of being contacted about research studies. Contact the Data controller or the practice.

For us to be able to exclude patients that have requested not to be contacted about research, one of two read codes can be added to your notes: read code

9Ndd (‘Declined consent for researcher to access clinical record’) and/or 9Nu0 (‘Dissent from secondary use of GP patient identifiable data’) be added to their medical records.

No personal identifiable data is removed from the NHS or provided to any researchers without specific consent from patients.

7) Right to access and correct

You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.

8) Retention period

The data will be retained for the period as specified in the specific research protocol(s).

9) Right to Complain

You have the right to complain to the Information Commissioner’s Office, you can use this link:

Or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

Date published: 11th April, 2024
Date last updated: 11th April, 2024