This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies.

Data protection changes in 2018: what does that mean for research?

Last updated on 20 Dec 2017

For detailed guidance about operational arrangements that researchers and organisations may need to put in place, please read our more recent news story.

Whether it’s gathering questionnaire responses from carers or analysing medical records, personal data is central to so much health and social care research.

Existing law sets out clear rules around how that personal data should be processed, but those rules will change on 25 May 2018, when the new EU General Data Protection Regulation (GDPR) comes into force. The detail of the application of the GDPR in the UK will be set out in a new Data Protection Act, which Parliament has yet to agree.

With details of the law still to be confirmed, it is important that researchers, research active organisations and sponsors do NOT yet submit any amendments to research studies to comply with the new legislation until further detailed guidance is published by the Health Research Authority in 2018.

The HRA has published a suite of briefing documents that explain the legislation as it applies to health and social care research. These documents have been prepared for the health and social care research community, supported by a UK-wide working group from a wide range of expert bodies including the Information Commissioner’s Office. They are aimed at those working in research in the NHS, universities, research council and charity institutes and commercial companies. They do not address other functions of these organisations, such as teaching or clinical care, as the data protection requirements differ.  The suite is primarily intended for Data Protection Officers (DPO), research managers or information governance leads / security architecture leads, or equivalent. It may also be relevant for researchers. Some prior knowledge of terminology is assumed.

While we know the law will change, there are a number of detailed aspects of the new rules that are still being clarified by Parliament. We have been clear where such decisions remain. Each document has been versioned and dated, so please keep visiting these pages for up-to-date information.

1.            Legal basis and health research

2.            Transparency

3.            Safeguards

4.            Subject rights and research exemptions

The HRA will be publishing further detailed guidance about operational arrangements that researchers and organisations may need to put in place as soon as we have a clearer picture on precise details of the new law, though we are reliant on decisions made by Parliament. It is important that you don’t submit amendments to research studies to comply with the new legislation before this further detailed guidance is published. We expect that for most existing studies you will NOT need to submit amendments. 

While there is uncertainty, the law change should not bring a significant impact on most research studies.  The new data protection legislation only addresses some of the requirements relating to handling of personal data, and other important considerations are not changing: common law – law made through courts - has an important role in how personal data should be handled, and aspects such as the duty of confidentiality are not changed by the new legislation. Similarly, ethical as aspects of confidentiality, privacy and consent also remain the same and will continue to be reviewed by Research Ethics Committees in the same way.

Useful links:

EU Commission working party

Information Commissioner’s Office guidance

Back to news & updates