Data legislation and information governance

This section pulls together guidance and legislation on the use of personal data in health research.

The pages include links to external sites, reference documents and explanatory text; many also provide links to other areas of the site, where related information can be found.

We have created these to give you extra detail on key themes, and many of them can be reached from more than one page in the site.

We have also made them searchable, have created a search category of Resources, and have grouped them together on this page for ease of access.

Future developments

The new EU General Data Protection Regulation is expected to apply in the UK from 25 May 2018, when it will replace the Data Protection Act 1998.

For health and social care research, the new regulation is not very different from the current Act and the Health Research Authority will not be adding to the existing effective safeguards. In particular, research ethics committee approval and the legal gateway for processing confidential patient information on the advice of the Confidentiality Advisory Group will continue, as will the other common law provisions. A summary of the key changes for all data processing (not just research) is available from the Information Governance Alliance.

The Information Commissioner’s Office has published resources for GDPR preparation, but they are not specific to research. Preparation guidance for research managers is available from the Medical Research Council.

The HRA is working with partners to develop further research-specific guidance over the coming months. Topics we expect to cover include:

  • legal basis – consent, legitimate interests, tasks carried out in the public interest
  • safeguards
  • transparency – privacy notices, fair processing, keeping records of data processing activities
  • data subjects’ rights.

As guidance becomes available, we will publicise it and link to it from this page. For further enquiries, please e-mail