5.1 Assessment of Information Governance, Data Protection Compliance and Data Security

5.1.1 Study-wide review - key considerations

5.1.1.1 Personal data

• is it clear what personal data participating NHS/HSC organisations will be required to collect, process and disclose during the research study?
• is it clear at what point data should no longer be considered personal data?
• how is the data changed to no longer be considered personal data?
• what safeguards are in place to prevent re-identification of the data in context?

5.1.1.2 Lawful basis for processing personal data under UK GDPR/DPA 2018

• is it clear which UK GDPR Article 6 lawful basis the sponsor is relying on for the purposes of data processing?
• if applicable, is it clear which UK GDPR Article 9 condition the sponsor is relying on for processing special category personal data for the research?

5.1.1.3 Confidentiality, security and lawful use of health and care information

• has the sponsor confirmed that it will ensure that the study does not involve the unlawful disclosure of confidential patient information at any stage of the research?
• the sponsor should instruct sites to ensure that there is no unlawful disclosure of confidential patient information. Instruction can be issued through the use of contractual agreements, be described in the protocol or in other study documentation
• has the sponsor explained how it will ensure the confidentiality and security of confidential patient information during the study? This explanation should cover all stages of the study, including publication. Furthermore, it should account for the context of the study. For example, if the study involves participants with rare conditions that could increase the risk of identification. Where confidentiality cannot be guaranteed, this should be explained in the PIS
• if the research requires the disclosure of confidential patient information without consent, is an alternate common law legal mechanism in place? For example, Section 251 support via the Confidentiality Advisory Group (in England/Wales) or Public Benefit & Privacy Panel for Health and Social Care support in Scotland

5.1.1.4 Data Controller Responsibilities

• has the sponsor confirmed that it will act as the data controller for the purposes of the research?
• are any joint data controllership arrangements appropriate for the study?

5.1.1.5 Information provided by sponsor to sites

• has the sponsor provided information to participating NHS/HSC organisations so they can fulfil their responsibilities as data processors for research purposes in accordance with UK GDPR Article 28(2) [2] and Article 30(2) [3]? This information is often provided in the IRAS form, protocol or study contract but could be provided in other documentation

5.1.1.6 Software / Hardware Installation

• does the study require specific software to be installed on NHS systems?
• does the study require the use of hardware that is not part of usual NHS equipment?
• is the use of software and/or hardware in line with NHS/HSC expectations and data protection and confidentiality policies?
• are there data safeguards to ensure that software/hardware is used legally and in line with NHS/HSC expectations and policies?

5.1.1.7 Transfers of Personal Data

• has the sponsor confirmed that personal data in the research shall only be processed within usual NHS systems? This includes processing in electronic systems
• has the sponsor confirmed that no data will leave usual NHS systems before it is made anonymous in context (i.e. no longer reasonably likely to identify a living individual to the recipient)?
• where it is necessary for the purpose of the study for personal data to leave NHS systems, has the security and appropriateness of these arrangements for transfer been described and assured?
• where personal data will leave the UK for research purposes has the sponsor explained satisfactorily why this is necessary for the purpose of the research and explained the UK GDPR Chapter V basis for any restricted transfer, ensuring that the personal data of NHS patients, service users and staff is afforded protections no less than within the UK? Where such protections cannot be guaranteed under UK GDPR Chapter V, the only option may be to rely on a limited exception, such as obtaining the data subject’s explicit consent under Article 49(1)(a). This can only be used after the individual has been clearly informed about the potential increased risks of the restricted transfer
• where data related to research participants will leave the UK for research purposes, is it clear that, by the time of any export of data, this would no longer be personal data in context (i.e. it would have been rendered not reasonably likely to identify an individual living person to the recipient)? Alternatively, where there would be a restricted transfer, are the relevant safeguarding mechanisms (for example, Standard Contractual Clauses (SCCs), International Data Transfer Agreements (IDTAs), etc.) in place and clearly described?

5.1.1.8 Appointment of a UK representative

• does the sponsor need a UK representative under GDPR?
• has the sponsor appointed a UK representative able to represent its obligations?
• have data subjects been provided with contact details for this representative?

5.1.1.9 Transparency requirements

• how will the sponsor meet its obligations for transparent processing? This should include providing participants with the information required under the right to be informed. For example, by using the HRA recommended transparency wording, or other approved transparency wording in its participant information available to participants. This could be either in the participant information sheet or other information provided with a layered approach
• does the participant information sheet provide additional relevant information to participants, including:

1. the purposes for which the data are to be processed and by whom
2. what data are to be collected and from where
3. who the information will be disclosed to
4. where applicable, information around any automated decision making about the participant including its significance and any expected consequences of this including whether their data will be used for or by Artificial Intelligence (AI) or Machine Learning (ML) systems
5. whether any uses or disclosures are optional (in which case suitable clauses should be included in the study consent forms to enable these options to be exercised)
6. the length of time data will be retained following the end of the study, or the criteria that will be used to determine such period
7. whether the data will be published, and if so, how the published data will be made anonymous

5.1.1.10 Data Subject Rights

• is it clear how the sponsor will fulfil its responsibilities to afford data subjects their rights? These rights may be limited in a research context

5.1.1.11 Sponsor-Site Agreements

• is the sponsor planning to use an unmodified model agreement or have they proposed a modified or bespoke agreement?
• does the modified/bespoke agreement include appropriate contractual safeguards? These safeguards should ensure that personal data is treated in line with NHS/HSC expectations. The safeguards should also ensure that any non-identifiable data is protected from re-identification

5.1.1.12 PECR Compliance

• are there any messages being sent to potential participants to alert them to the opportunity to engage with the research?
• are those messages non-promotional to ensure there is no direct marketing for the purpose of PECR (for REC studies, the non-promotional nature of the messages will be for the REC to consider)?

Back to the contents.

5.1.2 Introduction

Across the UK, the NHS treats more than 1.7m patients and service users daily. The NHS is also one of the largest employers in the world, with more than 1.5m members of staff. The NHS looks after a vast repository of patient, service user and staff data.

A complex range of legal and professional obligations covers the use and disclosure of this data. NHS and HSC organisations, and persons working with and within them, are required by law:

• to protect the way that personal data is handled in accordance with:
• the Data Protection Act 2018 (DPA)
• the UK General Data Protection Regulation (UK GDPR) and
• the Privacy and Electronic Communications Regulations 2003 (PECR)
• to respect privacy in accordance with the Human Rights Act 1998, and
• to meet their obligations of confidentiality in common law in accordance with the duty of confidentiality

NHS and HSC organisations, and persons working with and within them, are also expected to:

• handle confidential patient information as per the Caldicott Principles or local equivalent [4] and the NHS Confidentiality Code of Practice (2003) - noting that Scotland has its own NHS Confidentiality Code of Practice and each NHS Board must appoint a Caldicott Guardian, and Northern Ireland follows the Code of Practice on Protecting the Confidentiality of Service User Information Use NHS record management and information security codes of practice to manage records securely

There are also an array of nation and profession specific information governance codes and expectations.

5.1.2.1 Study wide review

UK study wide review of information governance, data protection compliance and data security issues provides assurance to NHS/HSC organisations involved in research activities, and persons working with and within them, that approved studies have been designed to be compliant with the law and applicable expectations. UK study wide review removes the need for individual NHS and HSC organisations to conduct a separate information governance review for themselves for those areas set out as reviewed in this section. Study wide review also supports the arrangements that they need to make to comply with their responsibilities as participating organisations.

5.1.2.2 Data types and flows

In health and care research in the UK, data about participants is usually considered personal data, confidential patient and service user information or both. It should be clear to participating NHS/HSC organisations what types of data they need to collect or otherwise process and how it will flow across the study lifecycle.

The flow of data usually begins with collection by the NHS/HSC organisation. The data is usually collected from study participants or their NHS/HSC records. The data collected will then be processed by the NHS/HSC organisation and then flow out of the NHS/HSC and be sent to the sponsor.

The sponsor should clearly explain the flow of data. It should be clear:

• who will access confidential patient information and/or personal data
• what information different organisations will be able to access
• whether this is covered by clear legal bases under common law and/or UK GDPR at all stages of the research
• when data is not, or is no longer, considered confidential patient information and/or personal data [5]

Parties should ensure clarity as to when the data is no longer considered personal data under data protection law, or confidential information under common law, including how this has been achieved and the safeguards to maintain it as such. 

Back to the contents.

5.1.3 Personal data

UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018 only apply to the processing of personal data.

Personal data is defined as:

The phrase ‘natural person’ means a living person. The following is a non-exhaustive list of data that may identify a person:

• name
• address
• NHS number
• date of birth

In practice, this may also include all data which are or can be assigned to a person in any kind of way. For example:

• telephone number
• credit card details
• personnel number
• account data
• car number plate
• appearance
• customer number

5.1.3.1 Special categories of personal data

There are some types of personal data that are more sensitive than others. UK GDPR tells us that those more sensitive types of personal data need extra protection. These types of data are called ‘special categories of personal data’. The special categories of personal data include but are not limited to:

• race or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data [6]
• biometric data [7]
• data concerning health
• data concerning a natural person’s sex life or sexual orientation

Data concerning health is defined by UK GDPR as:

5.1.3.2 Using health and care data about people in research

Determining whether information collected in a health and care setting qualifies as personal data under data protection law and confidential patient information under the common law is not always straightforward. When making the decision, all factors should be considered including the context in which the data is collected, any additional data available now or in the future, and the potential for individuals to be identified directly or indirectly.

The sponsor should be clear about:

• what data will be collected?
• how long this will remain identifiable data?
• will the data collected be made anonymous?
• when will the data collected be made anonymous?
• how will the data collected be made anonymous?

The sponsor should consider:

• how will personal data and/or confidential patient information flow in the study?
• will any data leave usual NHS systems?
• will any data leave the NHS?
• will data leaving the NHS or its usual systems be identifiable data or will the recipient be unable to identify people from the data?

A data flow diagram is an effective means of communicating this information. It is good practice to include a data flow diagram in the IRAS submission documentation and local information pack provided to sites.

5.1.3.3 Pseudonymisation

Identifiable data can be made anonymous. This means it has undergone processes such that it is no longer reasonably likely to be used by a recipient to identify an individual living person in the context and, in that case, it is no longer personal data to them. When considering whether the recipient could be reasonably likely to identify living individuals, you should consider both the collected data on its own, and in combination with other data reasonably likely to be in possession of the recipient. Sometimes the mix of details in a dataset, or the possibility of linking it with other datasets, can still point to a particular person depending on the context and who is using it. The ICO anonymisation guidance states that ‘Pseudonymisation is a way of reducing risk and improving security’. It is not a way of transforming personal data to the extent the law no longer applies. Pseudonymised data is personal data to someone who holds the additional information (i.e. the key). If you share pseudonymised data (but not the additional information) with another organisation, it may be anonymous information to them. The section “Do we need to consider who else may be able to identify people from the data?” provides further information on assessing the identifiability of pseudonymised data that is shared, without also sharing the ‘key’, with another organisation.

Data that is pseudonymised (‘coded’) is still considered personal data to the person or organisation who hold the ‘key’ to re-identify the data from the code. This means that if the data and ‘key’ are held within the same legal entity, the pseudonymised data remains personal data to the employees of that entity. If the pseudonymised data is sent to a separate legal entity, with which contractual safeguards are in place, then the pseudonymised data is unlikely to be personal data to that recipient. The contractual safeguards should state that the recipients will not access the ‘key’ and will not attempt to re-identify the data.

Back to the contents.

5.1.4 Lawful basis for processing personal data and condition for processing special category personal data

UK GDPR article 6 requires the controller to have a lawful basis for the processing of personal data. This includes processing conducted by a processor on the controller’s behalf. Additionally, any personal data concerning health falls under Article 9 of the UK GDPR and is known as ‘special category data’. Special category data must be afforded special protections under UK GDPR. These protections include the requirement to identify a lawful basis under Article 6, and an additional condition for processing under Article 9.

The UK health authorities (the Department of Health and Social Care (DHSC), the devolved health departments and their national health service bodies) and the ICO expect that sponsors which are public bodies [8] rely on ‘task performed in the public interest’ as their lawful basis. Sponsors that are not public bodies [9] are expected to rely upon ‘legitimate interests’. Both public and non-public bodies should rely upon Article 9(2)(j) - processing necessary for research purposes in the public interest with appropriate safeguards - as the Article 9 condition.

Consent to participate in a research study will often be received from research participants. This consent is for, amongst other reasons, ethical requirements and compliance with the common law duty of confidentiality. Consent should not be relied upon as a UK GDPR lawful basis for research. Similarly, ‘explicit consent’ should not be relied upon as an Article 9 special category condition for data processing for research.

It is possible that the sponsor may choose to rely on consent for the purposes of the initial collection of study data. All subsequent processing would likely then be on the bases described above. This arrangement should be discouraged and can be difficult to describe to participants. The Participant Information Sheet (PIS) should explicitly state when the sponsor relies upon consent and explicit consent as the legal basis and special condition under UK GDPR for the initial collection of personal data. Furthermore, the following must be addressed:

• why the sponsor is unable to rely upon a more appropriate lawful basis? It is expected that consent would only be used where a lawful basis more appropriate to research is not available. This is when the processing is neither in the public interest, nor for a legitimate interest of the sponsor
• how the sponsor will ensure that processing immediately ceases once consent is withdrawn [10]? What lawful basis and transparency arrangements will be used for further processing after the withdrawal of consent [11]?
• data may be lost once the lawful basis to process it has been withdrawn. How has the sponsor protected the scientific validity of the study without over-recruitment or introducing bias to the study?
• consent for data processing in a clinical setting may create an imbalance of power between the participant and clinician. How has the sponsor addressed this?

Further information on why consent should not be used as the lawful basis or condition under UK GDPR is available in Appendix 2.

Back to the contents.

5.1.5 Common law duty of confidentiality

Sponsors should ensure that privacy is respected in accordance with the Human Rights Act 1998 as well as the Data Protection Act 2018 and UK GDPR.  Furthermore, sponsors and their participating NHS/HSC organisations should satisfy the common law duty of confidentiality.

This legal obligation relates to safeguarding the disclosure of confidential patient and service user information collected by health and care providers (for ease, collectively referred to below as “CPI”). In research, a duty of confidence may also apply to information about individuals other than patients and service users - such as research staff or non-patient participants - where the circumstances give rise to a reasonable expectation of information-confidentiality by the individual.

The common law duty of confidentiality endures even after the person that the CPI relates to has died. This is different to personal data under UK GDPR and the Data Protection Act, which only relates to living people.

5.1.5.1 Definitions

In England and Wales (noting that Scotland and Northern Ireland use their own but broadly similar definitions), CPI is defined by section 251 of the NHS Act 2006 as follows:

The ‘care team’ is defined in line with the National Data Guardian’s 2013 Information Governance Review (noting that Scotland and Northern Ireland set this out through their own but broadly similar guidance). This states that:

Accessing information without a legitimate care relationship or alternative common law legal basis may result in a breach of confidentiality. It is the responsibility of the NHS organisation to determine which staff are part of the care team and therefore have a legitimate relationship with the individual concerned for their care.

Back to the contents.

5.1.6 Data confidentiality and security

Access to CPI requires a common law legal basis. Generally, when this access is by someone who does not have a legitimate relationship with the patient for their care [12] (including care delivered through research), this is satisfied by gaining the explicit consent of the patient involved. If consent is not going to be requested another common law legal basis is required.

It should be made clear by the sponsor what the legal basis is under common law for any access to CPI prior to participants consenting to participate in the study. Usually this is included in the protocol but could be in another suitable document. Furthermore, sponsors should describe how only those with a legitimate relationship to the patient for their care will access CPI before consent. This is likely to be included when describing how potential participants are identified.

This description can be done in different ways such as:

• by setting out in the protocol
• through staff training
• in another suitable place

Patient or service user records may be used to identify potential participants. This process could involve the use of condition-specific clinical registries. This is distinct from sign-up registers, where individuals have explicitly consented to be contacted about research options (and may also have consented for their medical records to be accessed for this purpose). This can be done in accordance with the common law duty of confidentiality by meeting any of these criteria:

• those with a legitimate relationship for the patient’s care obtain explicit consent from every patient with a record in the population pool being assessed, allowing the researcher to review their records on the basis of explicit consent
• the search is conducted by a health or social care professional (or other member of staff) who has a legitimate relationship with the patient for their care – which can include any care delivered through research - and there is no disclosure of CPI beyond these individuals prior to explicit consent. For example, those with a legitimate relationship would contact potential participants about the research. The potential participant would then contact the researcher directly if they wish to receive further information
• the search makes use of Privacy Enhancing Technologies (PETs) operating entirely within existing clinical systems whose primary purpose remains care, with strict NHS oversight and in-house governance. They must include safeguards to ensure that there is no access to CPI beyond those with a legitimate relationship to the patient without consent. PETs must be designed to avoid bulk extraction of data, limit access to the minimum necessary information, and be implemented in line with criteria agreed with Research Ethics Committees to prevent patients being surprised when invited to a study

Under common law, the signing of an honorary or other contract of employment does not provide a legal basis for access to CPI. Assurances of maintaining confidentiality, no matter how binding, also do not provide a legal basis (and while the common law position differs across the devolved nations, in practice the same principles apply throughout the UK). Once an appropriate legal basis under the common law duty of confidentiality is in place, however, binding assurances or an honorary or other contract of employment may be considered suitable additional safeguards.

Research participant data needs to be maintained confidentially and securely. Particular consideration should be given to situations where there is a risk of access to full medical records. This is due to the risk of access to sensitive health information such as mental or sexual health data. Additionally, consideration should be given where there is a possibility of identification due to a small dataset, for example because of the rarity of a given condition or a specific location. At the same time, even basic contact details - such as a postal address, phone number or email address - can constitute CPI when used to approach people for a research study. This is because in that context they are linked to study criteria such as diagnosis.

Back to the contents.

5.1.7 Use of confidential patient information without consent

In Great Britain, but not in Northern Ireland, the common law duty of confidentiality may be set aside. This allows CPI to be accessed outside of those with a legitimate relationship for the patient’s care without consent. This can only be done under certain circumstances and with the necessary approvals. For example, in England and Wales, Regulation 5 support under the Control of Patient Information Regulations 2002 provides such a legal basis under the common law duty of confidentiality.

Common law consent is not required when using data that is not, or is no longer, CPI.

In England and Wales researchers may seek support from the Health Research Authority following advice from the Confidentiality Advisory Group (CAG). In Scotland researchers may seek approval from the Public Benefit and Privacy Panel (PBPP) for access to NHS Scotland originated data for research.

In Northern Ireland there is currently no equivalent to CAG or PBPP, therefore consent must be sought. Researchers should refer to the Privacy Advisory Committee (Northern Ireland) Code of Practice and seek advice from the Privacy Advisory Committee. Researchers will then need to approach each Trust’s Personal Data Guardians or Senior Information Risk Owner.

UK GDPR, DPA 2018 and other legislation still apply after receiving support from the HRA following CAG advice, PBPP approval or their equivalent. There must still be a lawful basis and condition under UK GDPR. Transparency information should still be made appropriately available and safeguards implemented.

Back to the contents.

5.1.8 Data controller and data processor roles and responsibilities

The sponsor is the data controller for data processing in a research study. Amongst other things the sponsor decides:

• what data is processed
• the purposes of the processing
• how the data is processed
• how the data is stored
• how long the retention periods for the data are

The participating care organisation is the sponsor’s data processor for the research study.

Outside of the research, the care organisation is separately the controller of personal data processing for its own purposes. For instance, its processing purpose would normally be in the context of providing clinical care to a patient.  This means that the same data may be controlled by two separate organisations, each determining the purposes and means of processing within their respective roles. This is a case of separate controllership, not joint controllership.

5.1.8.1 Joint controllers

Joint controllership in research is possible. Where a study is jointly sponsored, all sponsor responsibilities (including controllership) will be joint. Where a study is co-sponsored, the sponsor responsibilities will be divided and allocated to each sponsor organisation. If a study is co-sponsored, the sponsor-site agreement should define the sponsorship responsibilities taken on by each co-sponsor so that it is clear to the site which organisation holds the different responsibilities such as data controller, study indemnity or reporting of serious adverse events. Co-sponsors may agree to be joint data controllers where they jointly determine the purposes and means of data processing.

Non-sponsors may act jointly as controllers with a research sponsor. For instance, a clinical trials unit may advise a legally separate research sponsor and be considered a joint controller, without becoming a joint or co-sponsor. In such a case, the joint controllers should document a clear division of responsibilities, including which organisation will take responsibility in the event of a data breach.

It would not usually be necessary to present this agreement to the study wide reviewer or to participating NHS organisations unless joint controllership impacts on how the NHS should act. For example, the agreement may say which organisation the NHS should accept processing instructions from. In this scenario, the study wide review should ensure that this has been made clear. Generally, exceptions to the sponsor being the sole controller of a research study only occur in non-commercial research.

5.1.8.2 Information provided to sites as processors

It is the sponsor’s responsibility, as data controller, to provide information to research-participating NHS/HSC organisations - notably sites and participant identification centres - acting on its behalf in processing personal data for research purposes.

This information should enable them to meet their obligations as data processors in the research study. Specifically, it should be clear:

• whether the participating NHS/HSC organisations are allowed to subcontract data processing activities and under what circumstances they can do so. For example, the participating organisation may subcontract a Participant Identification Centre. The sponsor may make this clear in the proposed Site Agreement for the study or via other means (UK GDPR Article 28(2)).
• how the participating NHS/HSC organisations will be provided with information to meet their UK GDPR Article 30(2) (‘records of processing activities’) responsibilities without further review. This information may be provided within the IRAS dataset, protocol, contract, or through other documents. The information the sponsor should provide is:
  • the ‘category’ of the processing to be undertaken, i.e. research
  • the name and contact details of the controller
  • where the sponsor is not established in the UK, the name and contact details of the sponsor’s UK representative
  • the name and contact details of the sponsor’s Data Protection Officer (DPO), where applicable
  • whether the participating NHS/HSC organisation will be required to export personal data outside of the UK and to which countries/organisations. Where a UK GDPR Article 49(1) safeguard is relied upon, what this is (for example, explicit consent) [13]
  • where the sponsor requires or allows the NHS/HSC organisation to process personal data outside of its usual NHS/HSC systems and processes, the sponsor should provide a general description of the technical and organisational security measures that the sponsor will put in place and/or expect the NHS/HSC organisation to put in place. This description is not normally required when no processing of personal data will take place outside of the usual NHS/HSC systems and processes

5.1.8.3 Software/Hardware Installation

Where a study requires the installation of specific software on NHS systems, or the use of hardware additional to standard NHS equipment, this should meet NHS/HSC expectations, data protection, and confidentiality policies. It should be clear what data security safeguards are in place. If the sponsor does not yet know what hardware or software will be used at the point of submission of an IRAS application, it should clearly set out its expectations regarding data security safeguards and provide assurances on how these will be met once the relevant details are known.

Back to the contents.

5.1.9 Data protection impact assessments (DPIA)

The Data Protection Act 2018 states that:

DPIAs for the processing of personal data that is undertaken for the purpose of research are the responsibility of the sponsor. A data protection by design approach should be followed. This approach means that sponsor’s research systems, processes and templates are designed and risk assessed. Following a data protection by design approach also allows DPIAs to be completed at a quality management system level, rather than at the individual study level. Research studies should then be designed to reflect the outcomes of the sponsor’s risk assessments and quality management system DPIA, recognising that these will vary between organisations and systems.  Occasionally, studies may need to deviate from established processes or policies, such as when using a novel technology or introducing new risks. Under these exceptional circumstances, the sponsor may be required to conduct a study-specific DPIA.

On rare occasions, study wide reviewers may request additional details from the sponsor relating to their DPIA. This would usually arise in the context of novel study designs, or where new or innovative information technologies are being used to process personal data.

Research sites taking part in a study should take assurance from the sponsor’s appropriate mitigation of high risks, as set out in its system level DPIAs, processes and policies, as well as the subsequent study wide review conducted on the project. Therefore, research sites should not need to carry out a study specific DPIA nor expect to receive sponsor’s study or system level DPIAs.

Back to the contents.

5.1.10 Transfers of personal data

5.1.10.1 Transfer of personal data outside of NHS systems to other systems within the UK

Ideally, in NHS research, personal data should only be processed within NHS systems. This includes electronic NHS systems. It is better if data only leaves these systems once it is no longer identifiable to the recipient. If the study requires personal data to leave NHS systems or the NHS entirely, the sponsor should be able to justify this and to explain how the data will be kept secure.

5.1.10.2 Transfer of personal data to a country or territory outside of the UK

Occasionally, studies will require the international transfer of personal data. This is done under the controllership of the sponsor. The participating NHS/HSC organisation is a data processor. Usually, the participating organisation will transfer data to the sponsor or another of the sponsor’s data processors within the UK. The sponsor, or alternate processor, will then initiate the international transfer of data.  For example, where the site transposes data into an eCRF, the entity (which may not be the sponsor) managing the eCRF is operationally responsible for the further processing and transfer to the sponsor.

UK GDPR requires that a restricted transfer of personal data out of the UK can only take place if certain conditions are met. This includes where personal data is then transferred onward to another country. The required conditions are laid out in Chapter V of UK GDPR. The sponsor is responsible for ensuring that any restricted transfer is made in compliance with Chapter V. They should have a legal mechanism in place to manage a restricted transfer. This could be an International Data Transfer Agreement (IDTA). UK GDPR Chapter V arrangements for export are therefore a matter for the sponsor as controller. The NHS/HSC organisation is not usually the exporter. No attempt should be made to place upon the NHS/HSC UK GDPR Chapter V responsibilities for restricted transfers where the data is not personal data or the NHS/HSC is not the exporter. This includes the use of UK GDPR Article 46 SCCs or IDTAs with the NHS/HSC as party.

The sponsor should explain whether personal data disclosed by participating organisations will leave the UK. If so, what Chapter V condition will be used. The available conditions are:

• Article 45, Transfers on the basis of an adequacy decision
• Article 46, Transfers subject to appropriate safeguards
• Article 49, Derogations for specific situations

Section 5.1 Appendix 3 provides further details of the chapter V conditions expected to be used for restricted transfers of personal data out of the UK for the purpose of a research project.

Back to the contents.

5.1.11 Appointment of a UK Representative

Where the sponsor:

• is a non-public body

and

• is based outside of the UK

and

• does not have a branch, office or other establishment in the UK

the sponsor should appoint a UK representative. A UK representative will represent the sponsor’s obligations under UK GDPR. The details of the UK representative should be provided to study participants whose personal data is processed for the study.

The appointment of a UK representative should not be confused with the appointment of a UK Legal Representative. A UK Legal Representative is a mandate under the Clinical Trial Regulations. This role is not directly linked to data protection law obligations. Sponsors who are not established in the EU or UK must appoint an EU- or UK based legal representative if they wish to conduct their clinical trial in the UK.

Back to the contents.

5.1.12 Appointment of a Data Protection Officer

A DPO is an independent expert responsible for ensuring that an organisation complies with data protection laws, such as the UK GDPR. Their key responsibilities include:

• monitoring internal compliance with data protection regulation
• advising on data protection obligations and providing input on DPIAs, including advising the controller and confirming on behalf of the organisation that privacy risks are sufficiently reduced and/or that the residual risk is accepted
• acting as a contact point for research participants and regulatory authorities
• managing and organising the implementation of data protection strategies within the organisation
• ensuring accountability and facilitating compliance with data protection laws
• DPOs can be existing employees or externally appointed

Back to the contents.

5.1.13 Retention of personal data after the study has ended

Data retention is specifically covered in Article 5(1)(e) of UK GDPR. This means that retention periods will vary depending on why and how data is being used, and what other legislative requirements relate to it.

• you must not keep personal data for longer than you need it and there should be clear processes for routine review and management of retention
• you need to think about and be able to justify how long you keep personal data. This will depend on your purposes for holding the data
• you need a policy, setting standard retention periods wherever possible, to comply with documentation requirements
• you should also periodically review the data you hold, and erase or make it anonymous when you no longer need it, even if it is stored in a secure data environment)
• you must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data
• you can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes

It should be made clear in the participant information either:

• the maximum number of years that personal data will be kept before it is made anonymous and securely archived or destroyed
• the conditions for determining how long personal data will be stored for before it is either made anonymous and securely archived, or destroyed [14]

Back to the contents.

5.1.14 Appendix 1 - Transparency requirements

The sponsor (as controller) obtains personal data directly from data subjects:

• when the data is collected at the instruction of the sponsor

and

• intended to be used for research purposes at the time it is collected.

This includes, but is not limited to:

• personal data obtained on behalf of the sponsor by clinical staff at a site or a research laboratory,
• personal data provided by the participant to employees or other agents of the sponsor. For example, when tests are being undertaken for a person consented to a research study and the results are transcribed into a case report form
• personal data relating to study personnel from within the NHS/HSC, where this will be processed for the purposes of the research

The sponsor (as controller) obtains personal data indirectly when the personal data was originally collected under a different controller relationship, and is later used for research. For example, when data is being collected from the medical records of a person consented to a research study for tests that were undertaken prior to their consent.

Whether the sponsor obtains data directly or indirectly affects the transparency information they should provide. Exemptions to this provision of transparency information can apply in some cases if personal data is obtained indirectly. An example is in the case of retrospective case study research where consent is not obtained, when one of the following applies:

• providing information to affected people is impossible or requires disproportionate effort,

or

• providing information will seriously impair or render impossible the objective for which you are processing that personal data. This would mean researchers are not able to deliver their research objectives

Where such an exemption is relied upon, the receiving sponsor should ensure that:

• technical and organisational safeguards are in place that respect the principle of data minimisation, where possible. For instance, pseudonymisation

and

• the reason for relying on an exemption, along with any required approvals obtained as necessary (for example, from Caldicott Guardians), is clearly documented

In line with Caldicott Principle 8, participants should still be informed as far as possible about how their data may be used and accessed, so there are no surprises - even if direct contact is difficult.

The HRA (on behalf of the four nations) has published recommended transparency wording, depending on whether the sponsor is acting as a public body [8] or a non-public body [9]. This information should be provided in a layered format.

Some information should be integrated into the PIS (and similar documents, such as pregnant partner information sheet). Other information will be provided in other places, for example on the sponsor’s website.

Where the standard text is used as intended, no further review of transparency is required. A number of commercial and non-commercial sponsors have had their alternative proposed wording agreed by the HRA on behalf of the UK nations. Agreed wording can then be used in other studies that are sponsored by the same organisation.

Study wide review should assess the data transparency information provided. Where the sponsor has not used the HRA’s recommended wording, or other pre-approved wording, the study wide review will consider whether the information provided meets the requirements detailed below and public involvement requirements. It is not usually necessary to review the higher-level information used by the sponsor where information has been provided there in line with HRA recommendations. Where the sponsor has chosen to provide higher level information in the PIS, this should be reviewed in line with the below IG requirements.

5.1.14.1 How to Meet Transparency Requirements in a Health and Care Research Study

This section explains how sponsors can meet UK GDPR (Article 13 and 14) transparency obligations using layered participant information.

5.1.14.1.1 Name of Controller and Contact Details

If personal data is obtained directly or indirectly:

• include in the PIS the name of the study sponsor
• the sponsor should state that they are the Data Controller
• include contact information for the DPO
  • this can be generic (for example corporate DPO email)
  • if no DPO exists, justification should be included at study-wide review
• the sponsor may advise participants to initially contact their study doctor, with escalation to sponsor/DPO if needed

5.1.14.1.2 Purposes of Processing and Legal Basis

If personal data is obtained directly or indirectly:

• the PIS should explain:
  • the specific purpose of the study
  • the general purpose of research (can be done at higher level)
  • where data are obtained indirectly, the source of the additional data
• the UK GDPR lawful basis and, where relevant, the common law legal basis should be clearly stated (in supplement or layered info)
  • sponsors may use simpler language than legal terms in participant materials

5.1.14.1.3 Legitimate Interests (if applicable)

If relying on legitimate interests:

• the sponsor must:
  • indicate this lawful basis.
  • explain what the legitimate interests are
  • typically, include this in a higher-level layer

5.1.14.1.4 Categories of Personal Data

If personal data is obtained indirectly (or directly, though optional):

• the sponsor should:
  • include a general description of data categories in the PIS
  • avoid listing specific data fields unless necessary
  • generic statements are usually sufficient

5.1.14.1.5 Recipients or Categories of Recipients

If personal data is obtained directly or indirectly:

• include in the higher-level supplement:
  • who will access the data
  • where the data will go

The sponsor should explain:

• data will be sent to the sponsor, usually in pseudonymised form only, with no directly identifiable details disclosed. Identifiable information remains under the control of the NHS/HSC organisation and is not transferred to the sponsor, except in limited and justified circumstances where the research purpose specifically requires it
• data may be shared with regulators (for example, the MHRA) in coded form
  • do not reference REC receiving data unless accurate
• sponsor representatives may check study data to make sure it is accurate
  • monitoring may take place onsite, remotely, or a mix of both, depending on what is appropriate
  • onsite, this can involve access to medical records under the site’s control. In this context, sponsor representatives may temporarily view the minimum necessary information for verification, but they do not obtain, copy, record, or remove identifiable details
  • remote monitoring may occur by direct log-in to an electronic health record, by ‘guided access’ (video-calling and screensharing) or by uploading to a sponsor provided portal. If use is made of a sponsor provided portal, only coded or redacted information is accessible, with no identifiable details visible to sponsor representatives. Whatever form remote monitoring takes, the underlying principle is that identifiable patient information must not be exposed to sponsor representatives unless strictly necessary and only within the NHS/HSC systems
• any data that is shared will be limited to the minimum necessary, and access will be on a strict need-to-know basis with safeguards in place to keep it secure

5.1.14.1.6 Retention Period

If personal data is obtained directly or indirectly:

• the higher-level supplement should explain:
  • how long personal data will be kept after study ends
  • common durations: 15 or 25 years, or state the conditions that apply
• the sponsor must:
  • justify retention as necessary under legal obligations
  • delete data once no longer needed
• for scientific research, if the data can be made anonymous such that it is no longer personal data (or confidential patient information), it may be retained indefinitely. Where data cannot be made anonymous, retention should be for as long as required and must be properly justified, not “just in case.”

5.1.14.1.7. Data Subject Rights under UK GDPR

If personal data is obtained directly or indirectly:

• the PIS and higher level supplement should indicate that rights may be limited
  • this should be consistent with the legal basis and special category condition chosen by the sponsor (see Appendix 2 of Section 5.1 for more information)
  • a basic statement of rights and that these may be limited can be included in the PIS. Further information can be provided in the higher level supplement.
• it is important that patients are not led to believe they have rights that they do not have
  • for example, sponsors may choose to offer participants the opportunity to access data but this should not be expressed as an unqualified right where it is not
  • we recommend sponsors use wording along the lines of ‘you have the right to request access’ instead of ‘you have the right to access’

5.1.14.1.8. Right to lodge a complaint with the ICO

If personal data is obtained directly or indirectly:

• the sponsor should state that the participant has the right to complain to the ICO if they:
  • are not happy with the sponsors response
  • believe the sponsor is processing data in a way that is not right or lawful

5.1.14.1.9. Personal Data from Public Sources

If data is obtained indirectly:

• transparency information should be included at a higher level (for example, on a website or in general information on sources)

5.1.14.1.10. Automated Decision-Making[15]

If personal data is obtained directly or indirectly:

• the PIS should state:
  • whether any automated decision-making is involved including if Artificial Intelligence (AI) and machine learning (ML) is used
  • the logic, significance, and consequences of it
• if using HRA wording, the sponsor will need to add their own wording to cover any automated decision-making taking place as part of the study

5.1.14.1.10. International Transfers and Safeguards

If personal data is obtained directly or indirectly:

• if data is transferred out of the UK:
  • the PIS (or higher-level supplement) must state:
    • that appropriate safeguards are in place
    • what those safeguards are (or link to sponsor website for detail)

Back to the contents.

5.1.15 Appendix 2 - Data subject rights and appropriate additional safeguards

UK GDPR sets out the rights of data subjects. Some rights may be lawfully limited if their full exercise may significantly impede the achievement of the research purpose. The extent to which data subject rights may be limited depends on the Article 6 and Article 9 lawful bases and conditions selected.

5.1.15.1 Article 6 lawful basis and data subject rights

5.1.15.1.1 Consent

Sponsors have the option to use consent as the lawful basis for data processing. However, in the UK we would strongly recommend not doing so. This is because participants have the option to withdraw their consent. If participants withdraw their consent to the processing of their personal data, any further processing of their personal data would be done without a lawful basis. There may be significant ethical, scientific and legal implications if consent is relied upon as the lawful basis and that consent is withdrawn. A sponsor wishing to rely upon consent as the lawful basis will be required to provide a robust justification at study wide review, addressing how it will mitigate these potential implications in the context of the particular study. Significant delay in approval may therefore arise. If it is agreed that a sponsor may use consent as their lawful basis for processing of personal data in a particular study, participants would have the following rights that would need to be communicated to them by the sponsor as part of the UK GDPR transparency wording. This could be in the main PIS or in supplementary or higher-level wording such as the privacy notice of their website or additional leaflet.

• right to be informed
  • yes. There is a requirement to state that consent can be withdrawn by the participant. Any processing that takes place before the withdrawal remains lawful after the withdrawal
• right of access
  • yes
• right of rectification
  • yes
• right to erasure
  • yes. If consent is withdrawn by the participant and there are no other legal grounds for not erasing the participant’s data
• right to restriction
  • yes
• right to portability
  • yes. Participants have the right to portability where the processing is automated. This means that any physical processing, such as using paper files, is excluded from the right to portability
• right to object
  • no. Participants do not have the right to object to processing but can withdraw their consent to the processing

5.1.15.1.2 Legal Obligation

Legal obligation can only be used as a lawful basis for Clinical Trials of an Investigational Medicinal Product. This lawful basis affords participants the following rights that would need to be communicated by sponsors in their GDPR transparency wording:

• right to be informed
  • yes
• right of access
  • yes
• right of rectification
  • yes
• right to erasure
  • no
• right to restriction
  • yes. For example, while the accuracy of the data is contested.
• right of portability
  • no
• right to object
  • no

5.1.15.1.3 Public Task

Public task can only be used as a lawful basis by sponsors that are or are acting as public bodies [8]. This is our recommended lawful basis in such cases. This lawful basis affords participants the following rights that would need to be communicated by sponsors in their GDPR transparency wording:

• right to be informed
  • yes
• right of access
  • yes
• right of rectification
  • yes
• right to erasure
  • no
• right to restriction
  • yes. This right applies in principle. However, if the sponsor relies on Article 9(2)(j), it may be restricted where exercising it would seriously impair or prevent the research and appropriate safeguards are in place. In all cases, processing must be restricted while any objection request is being considered
• right of portability
  • no
• right to object
  • yes. Where the sponsor relies on Article 9(2)(j), this right may be restricted if exercising it would seriously impair or prevent the research and appropriate safeguards are in place

5.1.15.1.4 Legitimate interests

Legitimate interests can only be used as a lawful basis by sponsors acting as non-public bodies [9]. This is our recommended lawful basis in such cases. This lawful basis affords participants the following rights that would need to be communicated by sponsors in their UK GDPR transparency wording:

• right to be informed
  • yes. With this right comes a requirement to specify the legitimate interests of the sponsor
• right of access
  • yes
• right of rectification
  • yes
• right to erasure
  • yes, unless the legitimate interests of the sponsor outweigh the rights of the participant (the sponsor’s balancing assessment must be documented, with a summary available to participants on request)
• right to restriction
  • yes. Additionally, if a participant exercises their right to object to processing, the processing should be restricted whilst the objection request is considered
• right of portability
  • no
• right to object
  • yes. The sponsor must stop processing unless it can demonstrate compelling legitimate grounds that override the participant’s interests, rights and freedoms. Unlike public task, this right cannot be restricted under the research provisions

5.1.15.2 Article 9 condition and data subject rights

Where special category personal data (for example, information relating to healthcare) is being processed, there must also be an Article 9 condition, which has further interactions with the rights that flow from the Article 6 basis.

5.1.15.2.1 Explicit consent

Sponsors may have the option to use explicit consent as the condition for special category data processing. However, in the UK we would strongly recommend not doing so. This is because participants have the option to withdraw their consent. If participants withdraw their explicit consent to the processing of their personal data, any further processing of their personal data would be done without a condition. There may be significant ethical, scientific and legal implications if explicit consent is relied upon as a condition and that consent is withdrawn. A sponsor wishing to rely upon consent as a condition will be required to provide a robust justification at study wide review, addressing how it will mitigate these potential implications. Significant delay in approval may therefore arise. If it is agreed that a sponsor may use explicit consent as their condition for processing of personal data, participants would have the following rights that would need to be communicated to them by the sponsor as part of the GDPR transparency wording.  This could be in the main PIS or in supplementary or higher-level wording such as the privacy notice of their website or additional leaflet.

• right to be informed
  • yes. There is a requirement to state that consent can be withdrawn by the participant. Any processing that takes place before the withdrawal remains lawful after the withdrawal
• right of access
  • yes
• right of rectification
  • yes
• right to erasure
  • yes. If explicit consent is withdrawn by the participant and there are no other legal grounds for not erasing the participant’s data
• right to restriction
  • yes
• right to portability
  • yes. Participants have the right to portability where the processing is automated. This means that any physical processing, such as using paper files, are excluded from the right to portability
• right to object
  • no. Participants do not have the right to object to processing but can withdraw their consent to the processing

5.1.15.2.2 Research purpose in the public interest

All sponsors processing special category data for research are expected to rely on the condition of research purposes in the public interest under Article 9(2)(j) UK GDPR, with appropriate safeguards. This condition affords participants the following rights that would need to be communicated by sponsors in their UK GDPR transparency wording:

• right to be informed
  • yes, but some information may be exempted from this where providing it would seriously impair or prevent the research
• right of access
  • no*
• right of rectification
  • no*
• right to erasure
  • no*
• right to restriction
  • no*
• right of portability
  • no
• right to object
  • no*

* These rights can be restricted where exercising them would seriously impair or prevent the research, provided the DPA 2018 research conditions and safeguards are met.

5.1.15.3 Limiting data subject rights

It is important that potential participants are not led to believe that they have unqualified rights where, in the research context, those rights may lawfully be restricted. Sponsors may choose to offer participants the ‘right’ to request to access data, etc. but these should be expressed as a qualified right (e.g. “you have the right to request access”) rather than as an absolute right (e.g. “you have the right to access”).

Data subject rights may be limited only where ‘appropriate safeguards’ to the processing of personal data are in place and based on an assessment of the individual request. For health and care research, these require the following:

• the research is not likely to cause substantial damage or distress to the data subject. For example, substantial physical harm, financial loss or psychological pain. The Research Ethics Committee (REC) will consider this condition
• if processing data is to do something to or decide something about a person, the medical research needs approval from a REC. The REC must be in accordance with the DPA definition
• the data controller has technical and organisational safeguards in place. These safeguards must ensure respect for the principle of data minimisation [16]. Furthermore, exemptions to data subjects’ rights cannot be exercised unless the rights are likely to render impossible or seriously impair the achievement of the purposes of the processing
• processing special category personal data must rely on the condition in Article 9(2)(j): research purposes in the public interest with appropriate safeguards, which is separate from the ‘public task’ lawful basis under Article 6

5.1.15.4 Why UK consent should not be used as the GDPR legal basis or condition for health and care research

It is important to understand why the HRA and the ICO advise against using UK GDPR consent as the lawful basis for processing personal data (or explicit consent as the condition for processing special category data) in research.

Ethical consent to participate in a research study remains essential. This is not the same as relying upon consent for compliance with data protection law. Using UK GDPR consent as the legal basis creates risks that are particularly problematic in research:

• consent can be withdrawn at any time
  • this would require all further processing of personal data to stop immediately. This could undermine the ability to retain or reuse data, even where future research is in the public interest
  • once consent is withdrawn, it is not lawful to continue processing the data unless another valid legal basis was established from the outset - you cannot switch bases later
• the ICO confirms that consent is only appropriate where individuals genuinely have a choice. In many research settings, especially where participation is encouraged for public benefit, this threshold may not be met due to power imbalances or regulatory constraints
• the European Data Protection Board (EDPB) has echoed this view in its guidance on clinical trials. They have stated that GDPR consent is rarely appropriate for lawful data processing in regulated research contexts

Instead, researchers should rely on:

• Article 6(1)(e) (public task) or 6(1)(f) (legitimate interests). The appropriate article depends on whether the data controller sponsor is acting as a public body or not for the study
• Article 9(2)(j) for special category data. This applies where research is conducted with appropriate safeguards in the public interest. This includes NHS REC approval and alignment with Article 89 UK GDPR and the UK Data Protection Act 2018

This approach ensures that participants' rights are protected through transparency, ethical oversight, and data minimisation. It also avoids the legal and practical limitations that follow from using consent as a UK GDPR lawful basis.

Back to the contents.

5.1.16 Appendix 3 - Restricted transfers of personal data outside the UK (Chapter V conditions)

5.1.16.1 Article 45, Transfers on the basis of an adequacy decision

The UK regards the EEA states (including all EU member states) as adequate for data protection purposes. The EU also regards the UK as adequate. No further condition is necessary for a restricted transfer of personal data from the UK to EEA/EU states or from an EEA/EU state into the UK.

In addition to the EU and EEA states, adequacy decisions are currently in place for

• Andorra
• Argentina
• Canada (commercial organisations) [17]
• Faroe Islands
• Gibraltar
• Guernsey
• Iceland
• Isle of Man
• Israel
• Japan (partial) [18]
• Jersey
• New Zealand
• Switzerland
• The Republic of Korea
• United States of America (partial) [19]
• Uruguay

5.1.16.2 Article 46 Restricted transfers subject to appropriate safeguards

Article 46 sets out safeguards that may be relied upon for transfers to third countries for which no adequacy decisions are in place:

• legally binding and enforceable instrument (for example, a contract) between public authorities or bodies
• binding corporate rules in accordance with Article 47
• standard data protection clauses adopted or approved by the Commissioner
• an approved code of conduct or certification mechanism, together with binding and enforceable commitments from the controller/processor in the third country (no relevant codes of conduct or certification mechanisms are yet in place)

For public sector sponsored research, personal data may be transferred to public authorities in third countries under appropriate contracts. Commercial or charitably sponsored research relying upon an Article 46 safeguard for a restricted transfer would need to evidence that it is doing so under appropriately approved contract clauses or binding corporate rules.

5.1.16.3 Article 49 Derogations for specific situations

Where an adequacy decision does not exist and there are no appropriate Article 46 safeguards suitable, personal data can be transferred under an Article 49 derogation. This is very likely to be Article 49(1)(a):

Article 49 derogations are intended for exceptional use only. They are not a substitute for adequacy or safeguards and should be relied upon only for occasional, non-repetitive transfers where no other mechanism is available.

Back to the contents.