Privacy notice

The Health Research Authority is committed to protecting your privacy and taking care with your personal data.

As data controller we are responsible for how your information is used and explaining that to you. We use information systems to store the information we hold about you. These include:

  • Integrated Research Application System (IRAS) – a single system for applying for the permissions and approvals for health and social care research in the UK
  • The Over-Volunteering Prevention System (TOPS) database – for registering, updating and managing research volunteer records
  • HRA Assessment Review Portal (HARP) – which helps us process and approve research applications
  • Electronic Staff Record (ESR) – for processing job applications or secondments
  • Oracle accounting system – for processing payments including reimbursement of expenses
  • Our website 
  • Electronic and physical document storage systems


Our contact details

There are many ways you can contact us, including by phone, email and post. More details can be found here.

Our postal address is:
Health Research Authority
Skipton House
80 London Road
SE1 6LH

Queries about this privacy notice can be emailed to hra.data@nhs.net, or you can call our mainline on 020 797 2245.

Our Data Protection Officer function is provided by NHS Business Services Authority, and our Data Protection Officer is Chris Gooday. You can contact him at hra.data@nhs.net or via our postal address above. Please mark the envelope ‘Data Protection Officer’.


Why we process your information

To fulfil our role as the health and social care research regulator, we must hold certain information about you and need to obtain this information fairly and lawfully.  

The services we provide where we record and / or process your personal data include:

  • Processing applications for health and social care research
  • Checking your research application with you
  • Scheduling attendance at a meeting, such as a research ethics committee
  • Protecting research participants’ safety from participating in many research studies
  • Subscribing to our e-newsletter
  • Requesting information
  • Applying for a job with us
  • Payment of a salary
  • Applying to be a member of a committee, board or panel, including research ethics committees
  • Reimbursement of expenses
  • Equality and Diversity monitoring information
  • Seeking your feedback (including consultations and surveys)

The lawful basis for processing your personal data is dependent on the services and activities that the data is provided for. More information can be found in the relevant subsections.


What information do we collect?

We collect data to help us perform our regulatory function under the Care Act 2014, some of which will be personal data under the data protection legislation. The personal data we collect includes: 

  • Personal information – name, email address, mailing address, organisation
  • any other information required to process your research application such as details of your research sponsor
  • information you include within any enquiry you submit to us 
  • information required to process your job application
  • application to be a member of a committee, board or panel, including research ethics committees or provide technical assurance services
  • information required to make payments including salary and reimbursement of expenses

The personal data the HRA collects will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We also process information to help us understand how our services operate so that we can deliver our services well and improve our services over time. 


Lawful basis

The lawful basis for processing your personal data is dependent on the services and activities that the data is provided for. 

For the following category of information, the lawful basis is official authority under the NHS Care Act 2014:

  • Researcher data related to research application
  • Researcher data related to confidentiality advisory group applications
  • Committee members’, panel members’ and technical assurance reviewers’ data
  • Public involvement participants’ data
  • Research participants’ data
  • HRA e-newsletter recipients

The lawful basis for processing staff data is contractual obligations.


Where we process your information

We store and process your data with care and take the appropriate steps to protect it.

Your information will not be transferred outside the European Economic Area (EEA), unless the EU has approved the country as having comparable data protection laws.


Sharing your personal information

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of our services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold your personal information securely and retain it for the period we instruct. 

In some circumstances we will share your information with:

  • organisations who are part of the approval process such as NHS organisations (and Health and Social Care (HSC) organisations in Northern Ireland), the Medicines and Healthcare Products Regulatory Agency (MHRA), National Institute of Health Research (NIHR), Human Tissue Authority (HTA), Administration of Radioactive Substances Advisory Committee (ARSAC), Her Majesty’s Prison and Probation Service (HMPPS), the Scottish, Welsh and Northern Ireland equivalents of the HRA, and Research Ethics Committees
  • the National Fraud Initiative, to help prevent and detect fraud
  • people who request it, in circumstances detailed in our Freedom of Information Act
  • any other organisation who has a legal right to it.


Keeping your personal information

Your information will be deleted from our systems as detailed in our Document control and Records Management Policy.  


Your rights

The information you provide will be managed as required by Data Protection law. The rights available to you depend on our reason for processing your information.

You have the right to:

  • ask for copies of your personal information, commonly known as making a ‘subject matter request’. This right always applies.
  • request your information be changed if you believe it inaccurate or incomplete
  • ask us to erase your personal information in certain circumstances
  • ask us to restrict the processing of your information in certain circumstances
  • object to the processing of your information, if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

There are some exceptions to these rights, for instance if we have a legal obligation to retain your personal information so we cannot delete it.  All requests to exercise your rights will be considered on a case-by-case basis, depending on the circumstances. 

You can access your personal details by logging into

Please contact us at hra.data@nhs.net if you wish to make a request, or contact our mainline on 020 797 2245.


Concerns about how we are processing your information

We work to high standards when it comes to processing your personal information. If you have any queries or concerns, please contact us at hra.data@nhs.net and we’ll respond.

If you continue to have concerns about the processing of your information, you can contact the Data Protection Regulator:

Information Commissioner’s Office
Wycliffe House
Wilmslow
SK9 5AF

www.ico.org.uk/global/contact-us/email


How do we look after your information?

We are committed to ensuring that your information remains secure. The information provided is stored on secure databases in secured locations. We take the necessary steps to ensure that our infrastructure performs as expected by running health checks on these systems.


The HRA is in compliance with the national data opt-out policy

The national data opt-out allows people to opt out of their confidential patient information being used for research and planning. You can read more about it on the NHS website:

https://digital.nhs.uk/services/national-data-opt-out-programme/guidance-for-health-and-care-staff