Patient Privacy Notice

Who we are

uMed is a company that acts on behalf of your General Practice (GP) to support the identification of eligible patients for medical research studies. These studies play a vital role in improving patient care and advancing treatments. GPs in the UK are obliged to ensure patients have the opportunity to join appropriate medical research studies whilst respecting those who wish to opt out.

uMed works with GP practices under a Data Processing Agreement (DPA) – an agreement that tells us how we can safely use information from your GP – which provides the legal framework to ensure compliance with regulations such as the General Data Protection Regulation (GDPR) and the NHS Act 2006. uMed is the data processor and your GP remains the data controller. As such the legal basis for processing is determined by the controller, which is ‘public task’ for general information and ‘research in the public interest’ for health data—both allowed under UK data protection law.

Contact address: 8 Warner Yard, London, EC1R 5EY

Scope of this privacy notice

This notice is for patients who are or who have been registered at GPs that have a Data Processing Agreement (DPA) with uMed. If you are unsure if your GP shares data with uMed, we advise you to contact them, in the first instance, and ask whether they share patient data with uMed.

If you are a researcher, member of staff at a general practice and contribute to uMed, or a user of uMed’s website, please refer to uMed’s Privacy Notice for Researchers, GPs and Website Users for information on how and why uMed processes your personal data.

What information we collect and where it comes from

uMed receives pseudonymised, clinical-coded, electronic health data from your GP's software provider such as EMIS® and TPP SystmOne®. This data covers patients of all ages, including children aged below 16.

On receipt, the data is segregated into separate databases so that electronic health records (EHR) and personal identifiable information (PII) are held separately. A unique identifier is applied to all records. This process pseudonymises the data and in turn ensures that processing is minimal and proportionate to the purpose.

Clinical-coded refers to the process by which patient information has been translated into specific codes, for the purpose of storing information in patients' electronic health records (EHR). Coding the data in this way means that the clinical information can be shared and analysed effectively.

Not all GP practices provide data to uMed. The pseudonymised patient-level data received by uMed from contributing GP practices includes:

  • A unique ID code (pseudonym) for each patient whose data we receive.
  • Full Name
  • Date of Birth
  • Sex (as recorded)
  • Address
  • Telephone Number(s)
  • Email address
  • GP Practice Identifier
  • Medical History / Diagnosis (SNOMED-CT Codes); no GP notes are shared.

When and how does uMed process my data?

When a research study has been granted ethical approval by the Health Research Authority (HRA) through a Research Ethics Committee (REC), an eligibility search is requested by the researcher. uMed performs a search of eligible patients based on specific search criteria. A list of potentially eligible patients is then sent to the relevant GPs (data controller) who must give authority for uMed to contact the eligible patients on their behalf.

uMed then sends an invite for those eligible patients to participate in the research study. This may be done via text messaging, email, letter or telephone calls from uMed’s qualified and trained nurses. Explicit consent must then be given to participate before any data can be shared with the researcher.

uMed may continue to support the research study, following consent from the patient, in the form of engagement surveys and scheduling appointments.

Who can access my data?

The pseudonymised patient data received by uMed is not downloaded or shared outside of the uMed Access Platform without patient consent. A limited number of uMed employees are required to access the platform for the purpose of their role. This may include engineering platform enhancements, incident response, auditing or patient outreach via dedicated, qualified, trained nurses. The uMed platform contains a full audit trail that documents which personnel have accessed the platform and when.

uMed anonymises (unconsented) health data before it’s used in aggregated research outputs. This means your individual details are fully protected and cannot be traced back to you.

Categories of recipients include: your GP practice (for authorisation), approved researchers (post-consent only), qualified uMed nurses (for outreach), and audited subprocessors (e.g., secure cloud hosting under DPA).

Storage and retention

uMed retains your data for as long as there is a data processing agreement (DPA) in place with your GP. Daily feeds keep the data current and accurate so that all eligible patients are given an opportunity to participate in research studies.

uMed treats your data with the highest level of protection, meeting and often exceeding NHS and government standards. The following lists some of the ways in which we ensure your data is kept secure:

  • Pseudonymisation from the start
  • Encryption in transit and at rest
  • Strict access controls (uMed staff cannot view your data unless it is necessary for direct support)
  • Independent checks and certifications. We are regularly audited and certified by:
    • NHS Data Security and Protection Toolkit (assured)
    • ISO 27001:2022 (information security)
    • ISO 9001:2015 (quality management)
    • Cyber Essentials Plus (government-backed cybersecurity)
  • Full UK GDPR compliance
  • No sharing without GP’s instruction
  • You are in control at all times (you can opt out at any time; see “You can opt out” below)

International transfers

We do not transfer non-consented personal data outside its country of origin.

You can opt out

If you do not want your GP to share pseudonymised, clinically-coded data from your EHR with uMed, you can opt out of your health data being used for research.

If you are registered at a GP practice in England, uMed complies with the National Data Opt-Out Policy. To check or set up an opt-out, visit: nhs.uk/your-nhs-data-matters.

If you are registered at a GP practice in Wales, Scotland or Northern Ireland and do not want your GP practice to share information from your health record with uMed, you can let your GP practice know.

Opting out of sharing your health data will not affect the care that you receive.

If you consent to a study, you can withdraw at any time by contacting uMed or your GP. We will stop processing and inform the researcher, though data already used cannot be undone.

Your data rights

The individual rights provisions of the UK GDPR enable individuals to understand, make choices about, and exercise control over how their personal data are used.

Under the UK GDPR, individuals have the following rights:

  • The right to be informed about the collection and use of their personal data.
  • The right of access and to receive a copy of their personal data.
  • The right to rectification – to have inaccurate personal data corrected (rectified), or completed if it is incomplete.
  • The right to erasure of their personal data in certain circumstances.
  • The right to request the restriction of the processing of their personal data in certain circumstances.
  • The right to data portability – to obtain and reuse their personal data for their own purposes across different IT services in certain circumstances.
  • The right to object to the processing of their personal data in certain circumstances.
  • Rights related to automated decision-making, including profiling.

Not all of the above rights apply in the same way; how they apply depends on factors such as an organisation’s purposes for processing and lawful bases.

Pseudonymised patient data that uMed receives are subject to the individual rights provisions of the UK GDPR to the extent that those rights apply. The right to be informed is met by the provision of this Privacy Notice.

For most individual rights requests, it is unlikely to be practical for uMed to directly support them because patient-level data is pseudonymised and your GP remains the data controller. In these cases, contact your GP practice to exercise these rights, such as access or rectification.

Your right to lodge a complaint with the ICO

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us first.

Changes to this privacy notice

This notice may be updated. Current version 1.0, published on 07 November 2024.

Contact uMed’s Data Protection Officer

Email: dpo@umed.org

12-Nov-2025