Indemnity & GDPR

Clinical negligence arising during the course of research is covered by the introduction of the Clinical Negligence Scheme for primary Care (CNSGP - page 7). This scheme brings clarity around the indemnity provision for research in primary care. For example, the new scheme would cover a doctor if he / she were to misread a dose of a trial drug and end up giving too much to the patient resulting in causing harm to the patient.

Any risk from the design of the clinical study, or if the patient comes to harm from the study despite the protocol being followed with no errors, is covered by trial sponsor’s indemnity. The Health Research Authority (HRA) checks for evidence that the trial sponsor has indemnity before they grant approval. The Research Delivery Network ensures all studies on the portfolio have full HRA approval in place before we reach out to practices.

This process removes uncertainties around research indemnity and also confirms that additional indemnity cover for research from the Medical Defence Organisation is not required. 

With this reassurance we can deliver more research in primary care safe in the knowledge that indemnity is provided for the research activity we undertake. 

GDPR has implications for practices who wish to take part in research where patient data is to be utilised or extracted. However, GDPR has regulations that allow both academic research bodies and commercial research companies to utilise data providing that data protection principles are met.

Advantages for GP & research teams from using data:

• Provides real world evidence for trial data!

• More automated so less workload for practices and less reliant on staff members; allowing the opportunity for more practices to take part.

Risks for practices:

• Data breaches which can lead to fines

• Breakdown in trust between patients and the practice

To mitigate against the above risks it is important that, for any trial that involves data extraction;

• The practice needs to ensure that they display on their website/notice board that research is taking place using data (trial teams can provide this) and MUST stipulate patients can opt out, and also have a privacy statement which explains the process of doing so. We have a selection of promotional material on our 'Resources and Guides' page that you can use to raise awareness about your research status.

• If you have a Data Protection Officer (DPO), involve them early on to liaise with the trial team. They will review the data protection impact assessment (DPIA) from the trial team to ensure it is GDPR compliant and give their approval to say it is above board.

Please note that NOT all studies will need to be reviewed with a Data Protection Officer:
For instance, PIC (Patient Identification Centre) studies only require a practice to identify and communicate study opportunities with eligible patients. Patient consent is taken by the study team directly. The practice would not be required to provide any patient data.

Research data-link organisations such as The Oxford RCGP Research Surveillance Centre are GDPR compliant.
Please check with organisations directly and they can provide you with further details on request.