Quick links: Data controller / Privacy notice / National data opt-out / Participating in a research study / Access to patient data / Patient Identifiable Data before/without consent / Projects which aren't managed as research / Freedom of Information legislation / Further information to help with queries or concerns about data for research / Anonymised/de-identified or pseudonymised data / COPI notice / Sharing data between the UK and other countries / Glossary

How to guide: Data protection

It is understandable to be nervous about data issues around research, including GDPR. Research can often require the sharing of information and it can be difficult to know what you can and cannot do. This guide attempts to summarise some of the key points but there is a lot of other guidance available (links below) if you want to read more. You can also contact us and we will be able to advise you.

Key information you should be aware of:

Full guide

This guide relates to research which has approval from the HRA. The HRA takes responsibility for reviewing and approving, amongst other things, the use and sharing of data. A practice can be assured that the data activities described in the approved study documentation have been confirmed as acceptable – so a researcher (or any members of the practice team) acting in accordance with the study protocol is approved by the national body.

In this guide, we address key points you should know and what actions you must take. We also give links to read more, and practices can always contact us to ask any questions. This guide also gives information about projects which are not managed as research.

Some useful training can be found here: (an account is required but can be created via this link for free).

Data controller

Although the practice is the data controller of the patient record system, if data is extracted by a research study or created in the process of the research, then the research sponsor of the study is the data controller of this data for the purposes of research. If data is created by a member of the practice team (e.g. for completing a case report form (CRF)) for the purposes of research, then the research sponsor is the data controller and the person completing the form is the data processor.

You can read more at:

Privacy notice

If you are undertaking research in your practice you should mention this in your privacy notice, to be displayed on your practice website as well as in your practice, particularly if you produce information for new patients joining the practice. The law says that you must be transparent about data that you collect from patients. You should explain what you are collecting and sharing, why and how, and how patients can object (it is not sufficient to just say ‘research’ – e.g. the practice team may look at your record to determine whether you are suitable to be invited for a research study.) The notice should explain enough that the patient can understand what is being done and there should be no surprises. If someone other than practice staff will have access to any records, then this should be mentioned in the privacy notice.

The practice should think about means of communicating the privacy notice to patients – for example a text message campaign or recorded message on the phone system, which could direct patients to read the notice on the practice website.

The BMA produces templates and posters you can use, so you can be confident that these meet legal requirements:

Action: Make sure research is mentioned in your privacy notice and displayed/communicated to patients. You should clearly explain what will be done with a patient record.

National data opt-out

The national data opt-out gives patients the opportunity to opt out of the use of confidential patient information for use in planning and research. That means that if you share data for research, the practice is responsible for ensuring that people who have opted out are removed from that data. You must exclude patients who have indicated an opt-out. The data opt-out does not apply where the patient has individually consented to take part in a particular study (and in some other circumstances).  

Although opt-out is not currently mandatory for practices to implement, you can still be subject to ICO regulatory investigation.

The national data opt-out is now the primary means of patients opting out of data sharing for research and planning. The previous type-1 opt-outs (recorded at the practice) have now been converted to the national data opt-out, although patients can still record these. This will probably be discontinued as the system moves to the national data opt-out.

Parents/guardians can also make the same choice on behalf of a child under 13. Children over 13 can opt out for themselves.

Opt-outs do not apply in the following cases:

Opt-outs do apply where:

Opt-outs continue to apply after death, but do not apply retrospectively, so will not need to be applied for data that has been previously shared.

The requirement for practices to comply with the opt-out has been extended to the end of June 2022, but practices should try and comply earlier if possible, providing this doesn’t conflict with your COVID-19 response.

Action: Practices must:

Practices are recommended to:

Implementing the data opt out:

You can read more about the technical solution for implementing the opt-out online: link

See for details on complying with the opt-out.

The following training from e-Learning for Healthcare is useful if you have any further concerns. You need to register for an e-LFH account if you don’t already have one:

Participating in a research study

Your practice may be invited to be involved in research studies and should bear in mind the following:

Access to patient data

If any researchers ask to access your practice or practice record system, it is the practice’s decision whether to allow this. You should bear in mind the following:

Action: Ask to see all researchers’ letters of access if accessing patients or data.

Patient Identifiable Data before/without consent

In most cases, where studies involve accessing patient identifiable data before consent (e.g. for the purposes of inviting a patient to participate in a study), then this may only be accessed by someone who is a member of a patient’s direct care team.

‘Member of the direct care team’ usually means a member of staff at the practice, or in some cases where there are groups of practices, it could be a member of staff at another practice in the Primary Care Network (PCN), or someone employed by the federation, if they can meet the following criteria:

In these cases, there should be a formal employment contract or data sharing arrangement between the person and their employing organisation, and this access should be mentioned in the practice's privacy notice.

A study’s plans for any access to patient data before consent should be outlined in the study protocol, and this has been reviewed and approved by an ethics committee and the HRA – so by following the study protocol practices can be assured that the way of working is approved. In case of any concerns, contact WY R&D. If a study team requests to access data using methods not outlined in the study protocol, then you can also contact WY R&D for advice.

Projects which aren’t managed as research

Projects may (under specific conditions) be managed as service evaluation, audit or quality improvement, which may mean they do not require formal research approvals.

Freedom of information (FOI) legislation

ICB FOI requests can be made here:

Research information may be exempt from Freedom of Information legislation, if the release of the information may prejudice the continuing research and/or publication. If you receive a freedom of information request, contact the ICB governance lead for further advice.

Appendix 1

Further information to help with queries or concerns about data for research

You may get queries from patients or staff about participating in research studies, so below is some further information. It is not expected that practices need to be familiar with the below, but practices may have concerns and queries, so this information is provided for reassurance. In addition, the HRA, WY R&D and CRN are all available for any further queries. Your practice may also have access to advice from a DPO (usually provided by the federation or ICB) – please bear in mind that research is a specific case in terms of data protection law, so DPOs may not be familiar with all of the detail in research and you may wish to seek advice from

Section 251 (also known as Confidentiality Advisory Group or CAG approval)

Anonymised/de-identified or pseudonymised data

It is best practice to minimise the sharing of personal confidential data and this will mean using anonymised data where possible or reducing the number of identifiers shared.

Data which is truly anonymised is not subject to GDPR, but care should be taken when referring to data as ‘anonymised’, as it is often not fully anonymous and can be re-identified either with existing knowledge or in conjunction with other information. The term ‘de-identified’ is sometimes used to denote data which has had identifiers removed.

If asked to produce de-identified data, practices must:

Anonymisation/de-identification should happen in the practice and be carried out by someone legitimately allowed to view/process the data (usually a member of the direct care team) before it is sent to an external researcher.

COPI notice

The Control of Patient Information (COPI) notice, which allowed organisations to share patient data to support the COVID-19 response, including research, has now expired. Any research which was using this notice as its legal basis for sharing must now have an alternative legal basis for this. Practices must ensure that any data they share has a legal basis for doing so. If they are not sure, they should query this with the study team, the ICB Data Protection Officer, or the ICB research team:

Sharing data between the UK and other countries

There may be cases where personal data is shared with other countries as part of a research project – for example storing data in another country including perhaps using servers located in another country. This is permitted with other EU countries, and also Andorra, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay. If the project is sharing data with any other countries, you may wish to read more about this.

There is a more problematic issue if your practice is involved in any research projects which involve receiving data from the EU (or other countries). This is unlikely, as most of the time practices are involved with the use of their own data.

The EU and UK have come to a ‘data adequacy decision’ which allows the free flow of data between the UK and EU. This means that the EU has agreed that the UK data protection safeguards are enough to allow data to flow between the EU and UK the same as between EU member states.

You can read more at:

Glossary of Acronyms and Terms

