Good practice in research
About this guidance
In Good medical practice,1 we advise doctors who are involved in research that:
General Medical Council (2013).
7. You must be competent in all aspects of your work, including management, research and teaching.
11. You must be familiar with guidelines and developments that affect your work.
12. You must keep up to date with, and follow, the law, our guidance and other regulations relevant to your work.
67. You must act with honesty and integrity when designing, organising or carrying out research, and follow national research governance guidelines and our guidance.
This explanatory guidance is intended to provide more detailed advice about how to comply with these principles.
It should be read in conjunction with our other guidance, in particular:
- Consent to research, which explains how the principles in Consent: patients and doctors making decisions together2 apply to research
- Confidentiality: good practice in handling patient information,3 which gives guidance on research and other secondary uses of data, and
- 0–18 years: guidance for all doctors, which gives additional advice on research involving children or young people.
Together, these guidance documents set out the GMC’s advice to doctors involved in research. You must use your judgement in applying the principles in the guidance to the types of research you undertake, and to the situations you face in practice as a doctor, whether or not you hold a licence to practise. Serious or persistent failure to follow the guidance will put your registration at risk.
Scope of the guidance
Research in this guidance refers to an attempt to derive generalisable new knowledge. Research aims to find out what is best practice by addressing clearly defined questions with systematic and rigorous methods. It includes studies that aim to generate hypotheses as well as those that aim to test them.
This guidance covers research with people, as well as research involving human tissue and records-based research that does not involve people directly.
It also applies to clinical trials, which cover a broad range of different types of research involving people.4 For example, they can test medicines or vaccines, treatments, surgical procedures, devices, or health prevention or care. A clinical trial of investigational medicinal products is a particular type of trial that is governed by legislation. The key elements of the law for conducting a clinical trial of investigational medicinal products in the UK are set out in annex B.
The World Health Organization defines a clinical trial as any research study that prospectively assigns human participants or groups of humans to one or more health-related interventions to evaluate the effects on health outcomes. Clinical trials may also be referred to as interventional trials. Interventions include but are not restricted to drugs, cells and other biological products, surgical procedures, radiologic procedures, devices, behavioural treatments, process-of-care changes, preventive care, etc. This definition includes phase I to phase IV trials.
This guidance does not apply to clinical audit or service evaluation projects, which aim to measure standards of care.5 Nor does it cover innovative treatments designed to benefit individual patients. These activities are covered by the standards and principles set out in Consent: patients and doctors making decisions together and Confidentiality: good practice in handling patient information.
The National Research Ethics Service provides definitions of research, clinical audit, service evaluation and surveillance.
Principles of good research practice
To protect participants and maintain public confidence in research, it is important that all research is conducted lawfully, with honesty and integrity, and in accordance with good practice. This guidance sets out principles of good research practice, which you must follow if you are involved in research.
Law and governance
The law and governance arrangements that apply to research are complex and vary depending on the type of research, the participants involved, how it is funded and where in the UK it is undertaken. You must comply with the law, governance arrangements and codes of practice that apply to the research you are undertaking. The legal annexes to this guidance give more detail and links to further information about the relevant legal and governance framework for research (see annex A) and the key elements of the legislation that governs clinical trials of investigational medicinal products in the UK (see annex B).
Good research design and practice
You must make sure that research is based on a properly developed protocol that has been approved by a research ethics committee.6 It must be prepared according to good practice guidance given by government and other research and professional bodies.
You must make sure that the safety, dignity and wellbeing of participants take precedence over the development of treatments and the furthering of knowledge.7
Update to: World Medical Association Declaration of Helsinki, 2013
You must make sure that foreseeable risks to participants are kept as low as possible. In addition, you must be satisfied that:
- the anticipated benefits to participants outweigh the foreseeable risks, or
- the foreseeable risks to participants are minimal if the research only has the potential to benefit others more generally.
You must make sure that decisions at all stages of research, especially for recruitment, are free from discrimination8 and respect participants’ equality and diversity. You should take all reasonable steps to make sure that people eligible to participate in a project are given equal access to take part and the opportunity to benefit from the research. Where appropriate, you should use patient and public involvement groups at all stages of the project to help make sure that the research is well designed and conducted.
Restricting research participants to subgroups of the population that may be defined, for example, by age, gender, ethnicity or sexual orientation, for legitimate methodological reasons does not constitute discrimination.
You should make sure that details of a research project are registered on an eligible, publicly available database that is kept updated, where such a database exists.
You should be satisfied that appropriate monitoring systems are in place to make sure research is being carried out in accordance with the law and good practice.
You must keep your knowledge and skills up to date. If you lead a research team, you must make sure that all members of the team have the necessary skills, experience, training and support to carry out their research responsibilities as effectively as possible.
You should make sure that commercial and other interests do not stop or adversely affect the completion of research. If you are concerned about this you should follow the guidance on raising your concerns in paragraph 19.
All doctors have a responsibility to encourage and support a culture in which staff can raise concerns openly and safely.
Protecting participants from harm
You must stop research where the results indicate that participants are at risk of significant harm or, in research involving treatment required by a patient, where no benefit can be expected.
You must report adverse findings as soon as possible to the affected participants, to those responsible for their medical care, to the research ethics committee, and to the research sponsor9 or primary funder where relevant. You must make sure that bodies responsible for protecting the public, for example, the Medicines and Healthcare products Regulatory Agency, are informed.10
A sponsor is the person, individual or group that takes responsibility for the initiation, management and financing (or arranging the financing) of the research. All research undertaken in the NHS must have a sponsor. You should refer to the Medicines for Human Use (Clinical Trials) Regulations 2004 for a full definition of a sponsor and its responsibilities in clinical trials of investigational medicinal products.
Medicines and Healthcare products Regulatory Agency
You should make sure that participants are not encouraged to volunteer more frequently than is advisable or against their best interests. You should make sure that nobody takes part repeatedly in research projects if it might lead to a risk of significant harm to them. You should make sure that any necessary safeguards are in place to protect anybody who may be vulnerable to pressure to take part in research. You must follow our guidance in paragraphs 21 - 22 of Consent to research on involving vulnerable adults in research.
Some adults with capacity may be vulnerable to pressure to take part in research. You should be aware that their health or social circumstances might make them vulnerable to pressure from others. Vulnerable adults may be, for example, living in care homes or other institutions, or have learning difficulties or mental illness. In these circumstances, it is particularly important that you check whether they need any additional support to understand information or to make a decision.11 You must make sure that they know they have the right to decline to participate in research, and that they are able to decline if they want to. The Royal College of Physicians of London provides further guidance on involving vulnerable groups in research.12
You should raise concerns with a senior colleague, or your employing or contracting organisation, if systems are not in place to provide the additional support that vulnerable adults may need to make a decision about taking part in research. If you are not sure when or how to raise concerns, you should follow the guidance in Raising concerns about patient safety.13
If a participant is involved in investigations that may contribute to a cumulative long-term risk of harm, for example, radiation from X-rays or radioactive substances, you must consider any previous exposure to the risk and make sure that a record is kept about their participation.11
Further advice is provided in the publication Notes for Guidance on the Clinical Administration of Radiopharmaceuticals and Use of Sealed Radioactive Sources (Administration of Radioactive Substances Advisory Committee, 2006).
If you have good reason to believe that participants are at risk of significant harm by taking part in research or by the behaviour of anyone conducting research, you must report your concerns to an appropriate person in your employing or contracting body. If you remain concerned you should inform the research ethics committee and the research sponsor or primary funder. You should follow the guidance in Raising concerns about patient safety if you are not sure when or how to raise concerns.
If you are responsible for acting on concerns raised by colleagues, you must make sure that reporting procedures are in place and that staff are aware of them. If a concern is brought to your attention you must take appropriate action promptly and professionally.12
Further advice on responding to incidents and complaints is set out in paragraphs 44-45 of Management for doctors.
Honesty and integrity
You must conduct research honestly. If you are concerned about the quality or integrity of the research, including allegations of fraud or misconduct, you must follow the guidance in paragraph 19 on raising concerns. You must report evidence of financial or scientific fraud, or other breaches of this guidance, to an appropriate person in your employing or contracting body, and where appropriate to the GMC or other statutory regulatory bodies.
All doctors have a responsibility to encourage and support a culture in which staff can raise concerns openly and safely.
You must be open and honest with participants and members of the research team, including non-medical staff, when sharing information about a research project. You must answer questions honestly and as fully as possible.
You must make clear, accurate and legible records of research results, as soon as possible after the data are collected. You must keep records for the appropriate period13 to allow adequate time for review, further research and audit, or to help resolve any concerns about the data or research project.
Personal Information in Medical Research (pdf) (Medical Research Council, 2000) provides further advice on how long research records should be kept. The NHS Code of Practice: Records Management (Department of Health, 2006); Records Management: NHS Code of Practice (Scotland) (Scottish Government, 2008); Welsh Health Circular (2000) 71: For The Record (National Assembly for Wales); and Good Management, Good Records (Department of Health, Social Services and Public Safety, Northern Ireland, 2005) all include schedules of the minimum periods for which research records should be kept.
You must report research results accurately, objectively, promptly and in a way that can be clearly understood.14 You must make sure that research reports are properly attributed and do not contain false or misleading data. Whenever possible, you should publish research results, including adverse findings, through peer- reviewed journals.15
The EQUATOR Network website provides advice on good practice in reporting health research.
Further information on publication and authorship is provided in section 3.15 of the Code of Practice for Research: Promoting good practice and preventing misconduct (UK Research Integrity Office, 2009).
You should make research findings available to those who might benefit. You should make reasonable efforts to inform participants of the outcome of the research, or make the information publicly available if it is not practical to inform participants directly.
Avoiding conflicts of interest
You must be open and honest in all financial and commercial matters relating to your research and its funding.
You must not allow your judgement about a research project to be influenced, or be seen to be influenced, at any stage, by financial, personal, political or other external interests. You must identify any actual or potential conflicts of interest that arise, and declare them as soon as possible to the research ethics committee, other appropriate bodies, and the participants, in line with the policy of your employing or contracting body.
Consent to research
You must get consent from participants before involving them in any research project. You must have other valid authority before involving in research adults who lack capacity, or children or young people who cannot consent for themselves.
You must make sure that people are informed of, and that you respect, their right to decline to take part in research and to withdraw from the research project at any time, with an assurance that this will not adversely affect their relationship with those providing care, or the care they receive.
When seeking consent for research, you must follow the guidance in Consent to research and, where relevant, Consent: patients and doctors making decisions together.
You must respect participants’ right to confidentiality, and make sure that any data collected as part of a research project are stored securely and in accordance with data protection law and other requirements.
You must follow the guidance in Confidentiality: good practice in handling patient information, in particular the guidance in paragraphs 77 - 86 and 103 -114 on using and disclosing patient information for secondary purposes, if you undertake records-based research that does not involve people directly.
Many important uses of patient information contribute to the overall delivery of health and social care. Examples include health services management, research, epidemiology, public health surveillance, and education and training. Without information about patients the health and social care system would be unable to plan, develop, innovate, conduct research or be publicly accountable for the services it provides.
There are also important uses of patient information that are not connected to the delivery of health or social care, but which serve wider purposes. These include disclosures for the administration of justice, and for purposes such as financial audit and insurance or benefits claims.
Anonymised information will usually be sufficient for purposes other than the direct care of the patient and you must use it in preference to identifiable information wherever possible. If you disclose identifiable information, you must be satisfied that there is a legal basis for breaching confidentiality.
You may disclose personal information without breaching duties of confidentiality when any of the following circumstances apply.
- The disclosure is required by law, including by the courts (see paragraphs 87 - 94).
- The patient has given explicit consent (see paragraph 95).
- The disclosure is approved through a statutory process that sets aside the common law duty of confidentiality (see paragraphs 103 - 105).
- The disclosure can, exceptionally, be justified in the public interest (see paragraphs 106 - 112).
You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).
The Information Commissioner’s Office anonymisation code of practice (ICO code) considers data to be anonymised if it does not itself identify any individual, and if it is unlikely to allow any individual to be identified through its combination with other data.29 Simply removing the patient’s name, age, address or other personal identifiers is unlikely to be enough to anonymise information to this standard.30
The ICO code also makes clear that different types of anonymised data pose different levels of re-identification risk. For example, data sets with small numbers may present a higher risk of re-identification than large data sets. The risk of re-identification will also vary according to the environment in which the information is held. For example, an anonymised data set disclosed into a secure and controlled environment could remain anonymous even though the same data set could not be made publically available because of the likelihood of individuals being identified.
You should follow the ICO code, or guidance that is consistent with the ICO code, or seek expert advice, if you have a role in anonymising information or disclosing anonymised information.
Information may be anonymised by a member of the direct care team who has the knowledge, skills and experience to carry out the anonymisation competently, or will be adequately supervised.
If it is not practicable for the information to be anonymised within the direct care team, it may be anonymised by a data processor under contract, as long as there is a legal basis for any breach of confidentiality (see paragraph 80), the requirements of data protection law are met (see the legal annex) and appropriate controls are in place to protect the information (see paragraph 86).
If you decide to disclose anonymised information, you must be satisfied that appropriate controls are in place to minimise the risk of individual patients being identified. The controls that are needed will depend on the risk of re-identification, and might include signed contracts or agreements that contain controls on how the information will be used, kept and destroyed, as well as restrictions to prevent individuals being identified. You should refer to specialist advice or guidance when assessing risk, or considering what level of control is appropriate.31
In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.
Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. You can find more detail about these statutory arrangements in the legal annex.
You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.40
In exceptional circumstances, there may be an overriding public interest in disclosing personal information without consent for important health and social care purposes if there is no reasonably practicable alternative to using personal information and it is not practicable to seek consent. The benefits to society arising from the disclosure must outweigh the patient’s and public interest in keeping the information confidential.
You should not disclose personal information without consent in the public interest if the disclosure falls within the scope of any of the regulations described in paragraphs 103 - 105, and the disclosure is not permitted, or has not been approved, under those regulations.
If the regulations described in paragraphs 103 - 105 do not apply, you may need to make your own decision about whether disclosure of personal information without consent is justified. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.41
Before considering whether disclosing personal information without consent may be justified in the public interest, you must satisfy yourself that it is either necessary to use identifiable information or not reasonably practicable to anonymise the information. In either case, you must be satisfied that it is not reasonably practicable to seek consent.42
When considering whether disclosing personal information without consent may be justified in the public interest, you must take account of the factors set out in paragraph 67. You must also be satisfied that:
- the disclosure would comply with the requirements of data protection law and would not breach any other legislation that prevents the disclosure of information about patients (see the legal annex for examples)
- the disclosure is the minimum necessary for the purpose
- the information will be processed in a secure and controlled environment that has the capabilities and is otherwise suitable to process the information (see paragraph 86)
- information is readily available to patients about any data that has been disclosed without consent, who it has been disclosed to, and the purpose of the disclosure.
If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not disclose information in the public interest unless failure to do so would leave others at risk of death or serious harm (see paragraphs 63 - 70).
You must keep a record of what information you disclosed, your reasons, and any advice you sought.
You should only disclose personal information for research if there is a legal basis for the disclosure and the research has been approved by a research ethics committee.
If you are applying for ethical approval for research, you should let the research ethics committee know if personal information will be disclosed without consent and tell them the legal basis for the disclosure.