Indemnity and GDPR

Clinical negligence arising during the course of research is covered by the introduction of the Clinical Negligence Scheme for primary Care (CNSGP). This scheme brings clarity around the indemnity provision for research in primary care. For example, the new scheme would cover a doctor if they were to misread a dose of a trial drug and end up giving too much to the patient resulting in causing harm to the patient.

Any risk from the design of the clinical study, or if the patient comes to harm from the study despite the protocol being followed with no errors, is covered by trial sponsor’s indemnity. The Research Delivery Network checks for evidence that the trial sponsor has indemnity before the study is sent out to practices. 

The progress that the new process brings is excellent news and removes uncertainties around research indemnity and also confirms that additional indemnity cover for research from the Medical Defence Organisation is not required. 

With this reassurance we can deliver more research in primary care safe in the knowledge that indemnity is provided for the research activity we undertake. 

GDPR has implications for practices that wish to take part in research where patient data is to be utilised or extracted. However, GDPR has regulations that allow both academic research bodies and commercial research companies to utilise data providing that data protection principles are met.

Advantages for GP and research teams from using data:

• Provides real world evidence for trial data!

• More automated so less workload for practices and less reliant on staff members; allowing the opportunity for more practices to take part.

Risks for practices:

• Data breaches which can lead to fines

• Breakdown in trust between patients and the practice

To mitigate against the above risks it is important that, for any trial that involves data extraction;

• The practice needs to ensure that they display on their website/notice board that research is taking place using data (trial teams can provide this) and MUST stipulate patients can opt out, and also have a privacy statement which explains the process of doing so.

• If you have a Data Protection Officer (DPO), involve them early on to liaise with the trial team. They will review the data protection impact assessment (DPIA) from the trial team to ensure it is GDPR compliant and give their approval to say it is above board.

Please note that not all studies will need to be reviewed with a Data Protection Officer: 

For instance, PIC (Patient Identification Studies) only require a practice to identify and communicate study opportunities with eligible patients. Patient consent is taken by the study team directly. The practice would not be required to provide any patient data.

Research data-link organisations are GDPR compliant. Please check with organisations directly and they can provide you with further details on request.