News Contact

Security & Privacy

How we keep your data safe

uMed aims to provide better access for patients and healthcare providers to participate in clinical research. To do this we process data to help match patients to the most suitable studies.

We put privacy and security first and our priority is to ensure that patients and healthcare providers have full transparency and control over the use of their data.

Find out more about how uMed processes data in our frequently asked questions below.

  • ISO9001:2015 certified

  • ISO27001:2022 certified

  • Compliant and exceeds the requirements of the NHS Digital Data and Security Protection Toolkit (ODS8k677)

  • Cyber Essentials certification

  • HIPAA Compliant

To find out more contact us for a copy of our Information Governance White Paper.

Frequently asked questions

  • What does uMed do?

    uMed is a company that acts on behalf of your GP practice to support the delivery of best practice care as well as increase the number of medical research projects that are offered by the practice.  uMed does this using a technology platform alongside a team of medical staff to streamline the process of engaging patients with opportunities specific to them.

  • Why am I being contacted by uMed?

    We are working on behalf of your GP practice, and they will be using our technology platform to deliver targeted health education and questionnaires to you, as well as presenting you with potential research relevant to you. uMed does this by sending SMS, letters, or emails that your GP practice has approved. uMed also has a team of medically trained staff who can provide additional advice to patients for each of the programmes we support.

  • Why did my GP trust the uMed Platform?

    uMed platform is fully integrated with EMIS and System One through the Message Exchange for Social Care and Health (MESH) NHS Digital approved system.

    Our software is approved and audited by NHS Digital Data Security, and Protection Toolkit assured (ODS8K677), ISO27001:2022 and ISO9001:2015 certified, UK Government’s Cyber Essentials Plus, Crown Commercial Service approved supplier, and UK GDPR compliant.

  • What information do you use?

    Unless you have opted out of NHS data sharing, uMed receives the following information from your healthcare provider:

    • Name
    • Date of birth
    • NHS number
    • Phone number
    • Email address
    • Demographic area
    • Health record information
    • Correspondence between you and your healthcare professional or between healthcare professionals about you

  • How will my data be used?

    Health data collected from you and your healthcare provider record system will only be used for the research study, and not for any other purpose.

    We obtain your consent to use this data when you sign up for the study, and this consent includes allowing the study team to share de-identified data (meaning patients will not be identifiable from this information) with external research organisations. The study protocol, including data sharing provisions has been reviewed by independent ethics committees in the the US and UK.

  • How do you keep my data secure?

    The uMed Platform separates all identifiable information from your health data. Therefore, your health data is anonymised and is never presented simultaneously with personally identifiable information (PII).

    An encrypted link identifier is the only connection between the two, which allows your GP to send you relevant opportunities based on this data.

    We meet and exceed the highest standards of safety and security, as set by NHS bodies and the government. We go through assurance processes for these, and we regularly go through security checks conducted by independent experts.

  • How does uMed’s platform comply with UK GDPR and Data Protection Act 2008?

    Your GP signs a data processing agreement with uMed, that legally allows your GP or Doctor to share your data on your behalf in order to provide you with individualised care and offer you research opportunities to take part in. This is also the legal basis for us to process your data on behalf of your GP or Doctor (the controller of the data).

    uMed is not required to request CAG approval. Data is provided to uMed by GPs, in order to provide a service under a Data Process Agreement.

    uMed cannot use the data for research purposes itself, only under the direction of the data controller (GP), who may agree to participate in a specific study that may require CAG approval.

  • How does uMed’s platform comply with the NHS rules on data protection?

    uMed, acting on behalf of the Providers, ensures that the duty of confidence owed to the patient is respected. uMed has achieved this by creating a system that ensures no Patient information is visible to any uMed employees or any subscribers to the uMed Platform unless patient consent has been obtained. The only exception to this is when the uMed clinical support team contacts patients as a subcontracted member of the direct care team for which there is extensive precedent.

    In addition to these controls, there is well established precedent and an exception to the duty of confidentiality for data being disclosed to processors when data is being used to support direct care (implied consent).

  • Can I Opt-Out?

    Patients remain in charge of their data at all times and can opt out of being contacted, sharing data, or participating in studies at any time. We will not contact patients who have registered for the NHS national data opt-out. More information can be obtained on Opt-Out of sharing your health records-NHS.

  • Does uMed sell or share my data?

    No, uMed uses your information only for the purpose of helping your healthcare provider deliver your primary care or to give you the best opportunities to participate in medical research under the direction of your GP practice.

    uMed will never share health record data with another organisation unless instructed by your GP practice in a manner consistent with UK GDPR and the Common Law Duty of Confidentiality.

  • Will patients receive any payment for participation?

    No, patients will not receive any payment. However, we may allocate donations to relevant disease charities if we ask you to undertake additional tasks for the study such as completing longer questionnaires.

    We will also keep you updated on the outcomes of research that uses your data and show you how your contribution is improving the lives of others living with disease.

  • What will be involved if I consent to participate in a study?

    If you choose to engage with a particular study, you will be presented with detailed information about the study, including what is involved and if the study requires your health data to be shared with another organisation. It is entirely your choice whether or not to be a part of the study, and if you decide not to participate, it will have no impact on the care you receive from your GP practice.

  • I have more questions: who can I speak to?

    If you have any questions, please do not hesitate to contact uMed at patientsupport@umed.io or +44 (0) 808 304 9869, and one of our dedicated team members will speak to you.

  • Who is uMed?

    uMed is a clinical research and health technology company that partners with healthcare professionals to deliver research opportunities.

  • What data does uMed process?

    To allow us to send communications to patients on your behalf, we process patient data to our secure uMed platform. This data includes names, contact details, and demographics, as well as any communication back from patients, such as answers to questionnaires or patient replies to text messages.

  • How does uMed keep patient data secure?

    uMed separates all patient identifiable information from health data. An encrypted identifier is the only connection between these silos. The result is that patient identifiable information (PII) and health data are never simultaneously presented within the uMed platform to ensure the very highest standard of data protection.

  • Why should GPs trust the uMed Platform?

    The uMed platform fully integrates with EMIS and System One through the Message Exchange for Social Care and Health (MESH) NHS Digital-approved system.

    Our software is approved and audited by NHS Digital Data Security, and Protection Toolkit assured (ODS8K677), ISO27001:2022 and ISO9001:2015 certified, UK Government’s Cyber Essentials Plus, Crown Commercial Service approved supplier, and UK GDPR compliant.

  • How much involvement will be required from me and my practice?

    Who is uMed?
    What data does uMed process?
    How does uMed keep patient data secure?
    Why should GPs trust the uMed Platform?
    How much involvement will be required from me and my practice?
    uMed has been developed to enable you and your practice to participate in clinical research whilst removing the associated administrative burden.

    Getting started – Our onboarding process takes on average 15 minutes and involves the review and signing of our data processing agreement and the provision of ODS codes. Our support team is available to help along the way and discuss any part of the process.

    Participating in a study – Once set up, we will start presenting relevant study opportunities for patients in your practice in our web-based application. To participate in a study, we require you to review and approve study documents in our web app (~10 minutes).

    uMed searches, identifies, and builds the list of research eligible patients from your practice based on de-identified health record data. When the practice has provided details to their EHR system, our GCP-trained nurses then review the patient lists on your behalf to ensure that no patients are contacted who are not eligible. Alternatively, our web app allows a member of your practice staff to review and approve the list of patients identified as eligible for the study.

    Patients are contacted via SMS (or email or letter if appropriate) and can complete the consent process remotely and electronically. We also provide a dedicated patient helpline designed to support patients throughout the process and reduce the pressure of incoming calls for your practice staff related to the study.

  • What is a data processing agreement (DPA), and why is it required?

    The agreement details how uMed will process data on behalf of the practice, both for research and direct care programmes. This includes processing to:

    a) Match potential subjects in the practice population with study opportunities for review by the practice.

    b) If approved by the practice, engagement of those patients on behalf of the practice to support recruitment and data capture.

    c) If approved by the practice, linkage of outcomes from the clinical record to the study case report form (CRF).

    It is important to note that this is not a data-sharing agreement. As a data processor, uMed cannot share or utilise practice data unless explicit permission is obtained from the practice (the data controller). In the same way, other NHS processors such EMIS, Apollo, Accurx, and other technology vendors cannot use practice data outside of that defined in their service agreement with practices.

    The DPA is required to legally allow your practice to share patient data in order to provide patients with individual care and offer them research opportunities to take part in. This is also the legal basis for uMed to process patient data on behalf of their Healthcare Providers (the controller of the data).

  • How does uMed’s platform comply with UK GDPR and Data Protection Act?

    Healthcare Providers sign a data processing agreement with uMed, that legally allows the sharing of data on patient’s behalf in order to provide them with individualised care and offer research opportunities to take part in. This is also the legal basis for us to process patient data on behalf of their Healthcare Providers (the controller of the data).

  • uMed and the Common Law Duty of Confidentiality

    uMed is not required to request the Confidentiality Advisory Group (CAG) approval. Data is provided to uMed by GPs, in order to provide a service under a Data Process Agreement.

    uMed cannot use the data for research purposes itself, only under the direction of the data controller (GP practice), who may agree to participate in a specific study that may require CAG approval.

  • How does uMed’s platform comply with the NHS rules on data protection?

    uMed, acting on behalf of the Healthcare Providers, ensures that the duty of confidence owed to the patient is respected. uMed has achieved this by creating a system that ensures no patient information is visible to any uMed employees or any subscribers to the uMed Platform unless patient consent has been obtained. The only exception to this, is when the uMed clinical support team contacts patients as a subcontracted member of the direct care team for which there is extensive precedent.

    In addition to these controls, there is well established precedent and an exception to the duty of confidentiality for data being disclosed to processors when data is being used to support direct care (implied consent).

  • Does the uMed agreement affect other research my practice may be involved in?

    No. uMed simply provides a technology service to support an array of academic and commercial studies, which can be both observational and interventional. There is no exclusivity, and the practice is free to participate in other studies as usual.

  • Will my practice have to spend a lot of time answering patient questions?

    uMed provides a dedicated patient helpline designed to support patients throughout the process and reduce the pressure of incoming calls for your practice staff related to the study.

  • How can Patients Opt-Out?

    Patients remain in charge of their data at all times and can opt out of contact, sharing data, or study participation at any time. We will not contact patients who have registered for the national data opt-out. Patients can contact the uMed support line and withdraw from the study or just Opt-Out to be contacted for further research opportunities.

  • Does uMed use my personal data for Marketing?

    uMed, on some occasions, may send out feedback surveys about our services to ensure our systems and services can be improved. In these situations, we always ask permission to do this when you complete the survey. You also can look at our Privacy Policy for more detail on how we handle your data. Further information on this can also be found on the NHS link What is and isn’t direct marketing?

Help & Support

Email us support@umed.io and we’ll endeavour to respond within two business days.