Security & Privacy
Security & Privacy
uMed aims to provide better access for patients and healthcare providers to participate in clinical research. To do this we process data to help match patients to the most suitable studies.

We put privacy and security first and our priority is to ensure that patients and healthcare providers have full transparency and control over the use of their data.
Fully ISO27001:2022 and ISO9001:2015 certified, Cyber Essentials Plus and NHS Digital Data & Security Toolkit certified.
HIPAA-compliant for studies involving US participants.
Personal identifiable data (PII) is stored separately from health data — only encrypted link identifiers connect them.
Data use is strictly limited — only for approved studies with explicit patient consent. Any health data shared with researchers is always de-identified.
Patients are always in control: they can opt out at any time. No data is used for marketing or unrelated purposes.
Security FAQs
Frequently asked questions
For healthcare providers
Who is uMed?

uMed is a clinical research and health technology company that partners with healthcare professionals to deliver research opportunities.

What data does uMed process?

To allow us to send communications to patients on behalf of Healthcare Providers, we process patient data to our secure uMed platform. This data includes coded medical records, names, contact details, and demographics, as well as any communication back from patients, such as answers to questionnaires or patient replies to text messages.

How does uMed keep patient data secure?

uMed keeps patient data secure by separating personally identifiable information (PII) from health data. These are stored in distinct databases, connected through a secure coded identifier managed within the uMed platform. Only authorised systems and personnel with a legitimate purpose can access linked data under strict governance controls. This structure ensures a very high standard of data privacy and protection.

Why should GPs trust the uMed Platform?

The uMed platform fully integrates with EMIS and System One through the Message Exchange for Social Care and Health (MESH) NHS Digital-approved system.

Our software is approved and audited by NHS Digital Data Security, and Protection Toolkit assured (ODS8K677), ISO27001:2022 and ISO9001:2015 certified, UK Government’s Cyber Essentials Plus, Crown Commercial Service approved supplier, and UK GDPR compliant.

How much involvement will be required from me and my practice?

uMed has been developed to enable Healthcare Providers to participate in clinical research whilst removing the associated administrative burden.

Getting started – Our onboarding process takes on average 15 minutes and involves the review and signing of our Data Processing Agreement (DPA) and the provision of ODS codes. Our support team is available to help along the way and discuss any part of the process.

Participating in a study – Once set up, we will start presenting relevant study opportunities for patients in your practice in our web-based application. To participate in a study, we require you to review and approve study documents in our web app (~10 minutes).

uMed searches, identifies, and builds the list of research eligible patients from your practice based on de-identified health record data. Our web app allows a member of your practice staff to review and approve the list of patients identified as eligible for the study.

Patients are contacted via SMS (or email or letter if appropriate) and can complete the consent process remotely and electronically. We also provide a dedicated patient helpline designed to support patients throughout the process and reduce the pressure of incoming calls for your practice staff related to the study.

What is a data processing agreement (DPA), and why is it required?

The agreement details how uMed will process data on behalf of the practice, both for research and direct care programmes. This includes processing to:

a)a Match potential subjects in the practice population with study opportunities for review by the practice.

b)b If approved by the practice, engagement of those patients on behalf of the practice to support recruitment and data capture.

c) If approved by the practice, linkage of outcomes from the clinical record to the study case report form (CRF).

It is important to note that this is not a data-sharing agreement. As a data processor, uMed cannot share or utilise practice data unless explicit permission is obtained from the practice (the data controller). In the same way, other NHS processors such EMIS, Apollo, Accurx, and other technology vendors cannot use practice data outside of that defined in their service agreement with practices.

The DPA is required to legally allow your practice to share patient data in order to provide patients with individual care and offer them research opportunities to take part in. This is also the legal basis for uMed to process patient data on behalf of their Healthcare Providers (the controller of the data).

How does uMed’s platform comply with UK GDPR and Data Protection Act?

Healthcare Providers sign a Data Processing Agreement (DPA) with uMed, which legally allows the sharing of data on a patient’s behalf in order to provide them with individualised care and offer research opportunities to take part in. This is also the legal basis for us to process patient data on behalf of their Healthcare Providers (the controller of the data).

uMed and the Common Law Duty of Confidentiality

Data is provided to uMed by Healthcare Providers, in order to provide a service under a Data Processing Agreement (DPA). uMed cannot use the data for research purposes itself, only under the direction of the data controller (GP practice), who may agree to participate in a specific study that may require CAG approval.

How does uMed’s platform comply with the NHS rules on data protection?

uMed, acting on behalf of GP practices (the data controllers), ensures that the common law duty of confidence owed to patients is respected at all times.

Patient-identifiable information is only accessed by a limited number of authorised uMed clinical support staff (qualified and trained nurses) for the specific purpose of contacting patients who may be eligible to participate in ethically approved research studies. All access is strictly controlled, role-based, and recorded in a full audit trail.

The primary legal basis for uMed to receive and process identifiable patient data without prior consent is provided by:

  • A Data Processing Agreement (DPA) with each participating GP practice, and
  • Approval from the Health Research Authority’s Confidentiality Advisory Group (CAG) under Section 251 of the NHS Act 2006.

This approval authorises the use of confidential patient information to identify and invite eligible patients to research studies where it is not practicable to seek consent before initial contact.

In addition to these legal gateways, uMed applies strong technical and organisational safeguards, including pseudonymisation of data at source, encryption in transit and at rest, segregation of personal identifiers from clinical data, and rigorous access controls. These measures ensure that patient confidentiality is protected to the highest NHS standards.

Does the uMed agreement affect other research my practice may be involved in?

No. uMed simply provides a technology service to support an array of academic and commercial studies, which can be both observational and interventional. There is no exclusivity, and the practice is free to participate in other studies as usual.

Will my practice have to spend a lot of time answering patient questions?

uMed provides a dedicated patient helpline designed to support patients throughout the process and reduce the pressure of incoming calls for your practice staff related to the study.

How can Patients Opt-Out?

Patients remain in charge of their data at all times and can opt out of contact, sharing data, or study participation at any time. We will not contact patients who have registered for the national data opt-out. Patients can contact the uMed support line and withdraw from the study or just opt out to be contacted for further research opportunities.

Does uMed use my personal data for Marketing?

uMed, on some occasions, may send out feedback surveys about our services to ensure our systems and services can be improved. In these situations, we always ask permission to do this when you complete the survey. You also can look at our Privacy Policy for more detail on how we handle your data. Further information on this can also be found on the NHS link What is and isn’t direct marketing?

Changes to this notice

This notice may be updated periodically

Last updated: 27 May, 2026

Policies
Policies & Agreements
Privacy Notice
View
Terms & Conditions
View
Patient Privacy Notice
View
Data processing agreement
(available on request)
Request
SMS Terms & Conditions
View
Cookie Policy
View
List of our Sub-Processors
View
Credentials
ISO9001:2015
View
ISO27001:2022
View
Cyber Essentials Plus
View
NHS Digital Data & Security
Compliant and exceeds requirements
View
EMIS Health
Accredited partner
View
HIPAA Compliant
If you wish to confirm whether a specific GP surgery has registered with uMed, please contact us
Partnerships
uMed Announces Strategic Partnership with WellSky® to Expand Patient Access to National Clinical Research Registries
Read the press release
Book a complimentary demonstration.
For a clear picture of how uMed could work for you, book a free session with our team.

hello@umed.io
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Navigation
HomeAbout usCase studiesNews & InsightsCareersContact us
Platform
CohortsStudy ServicesCollectRecruitSpanACCESSSnapACCESS
Platform
Access CMDAccess PDAccess ILD
Legal
View UK SiteView US SiteSecurity & Privacy
Privacy Notice
Terms & Conditions
Patient Privacy Notice
Data processing agreement
SMS Terms & Conditions
Cookie Policy
By signing up you agree to our Privacy Policy
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.