The Health Research Authority website uses essential cookies

This site uses session cookies and persistent cookies to improve the content and structure of the site.

By clicking “Accept All Cookies”, you agree to the storing of cookies on this device to enhance site navigation and content, analyse site usage, and assist in our marketing efforts.

By clicking 'See cookie policy' you can review and change your cookie preferences and enable the ones you agree to.

By dismissing this banner, you are rejecting all cookies and therefore we will not store any cookies on this device.

See cookie policy

Appendix B: Footnotes

Last updated on 25 Sep 2025
  1. where a PI on a CTIMP is not a medically qualified doctor (or, where appropriate, dentist) the PI must delegate certain activities (e.g. determination of causality of adverse events) to a research team member who is so qualified
  2. Article 28(2) states that ‘The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.’
  3. Article 30(2) states that ‘Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller…’
  4. the Caldicott Principles are not legally binding but represent expected best practice in England, where Caldicott Guardians are mandatory under statutory guidance and supported by the National Data Guardian. Outside England, for example in Northern Ireland, the principles are recognised as good practice but lack the same legal embedding - there is no statutory mandate for Caldicott Guardians or central oversight
  5. data that is not considered confidential patient information or personal data is not subject to the common law duty of confidentiality or UK GDPR/Data Protection Act respectively
  6. genetic data is defined in UK GDPR Article 4(13). A biological sample itself (such as a blood or tissue sample) is not considered personal data under UK GDPR. It only becomes personal data once it has been analysed to produce genetic information and that information can be linked back to an identifiable individual
  7. biometric data is defined in UK GDPR Article 4(14)
  8. sponsors acting as public bodies include NHS/HSC organisations, Higher Education Institutions when carrying out their public functions, and research councils
  9. sponsors that not acting as public bodies include commercial companies and charities
  10. when consent is withdrawn, the legal basis for processing ceases
  11. destruction, return and anonymisation are all forms of processing
  12. a legitimate relationship with the patient for their care means someone who has a legitimate relationship through their direct involvement in providing, supporting or advising on the patient's care. This can include care delivered through research
  13. it is generally expected that any data exported to another country would no longer be personal data. The data is usually rendered no longer identifiable to the recipient. Furthermore, it is not usually the participating NHS/HSC organisation exporting the data. The data processing is under the controllership of the sponsor and the NHS/HSC organisation would usually be providing this data to a party in the UK prior to export
  14. the Clinical Trial Regulations state that the clinical trial master file data must be kept for 25 years after the end of the study. The clinical trial master file usually contains a significant amount of personal data
  15. in this context automated decision-making refers to use of personal data in machine learning or other technologies that will result in a decision about the individual, e.g. a diagnosis. Electronic randomisation technologies are not included
  16. UK GDPR Article 5(1)(c) defines data minimisation as ‘Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’
  17. commercial Organisations in Canada follow PIPEDA. PIPEDA lays out the rules for how commercial organisations collect, use and disclose personal information
  18. Japan’s adequacy decision only covers private sector organisations subject to Japan’s Act on the Protection of Personal Information
  19. USA’s adequacy decision only covers US organisations certified as part of the EU-US Data Privacy Framework. These organisations are listed on the Data Privacy Framework website
  20. in the Medicines for Human Use (Clinical Trials) Regulations 2004, adults are defined as those aged 18 and over
  21. the term ‘nearest relative’ is defined in the Mental Health (Scotland) Act 1984. The act provides a hierarchy of relationships. In decreasing order of closeness, these are: Spouse, Child, Father or mother, Brother or sister, Grandparent, Grandchild, Uncle or aunt, nephew, or niece
  22. Minimal risk has been defined by the Council of Europe as a risk that ‘will result, at the most, in a very slight and temporary negative impact on the health of the person concerned’. The Council defines minimal burden on participants as that where it is ‘to be expected that the discomfort will be, at the most, temporary and very slight for the person concerned. ‘Negligible’ is interpreted as equivalent to ‘minimal’. - MRC ETHICS GUIDE 2007, Medical research involving adults who cannot consent
  23. please see paragraph 32 of the HTA Code of Practice A for details at Code A: Guiding principles and the fundamental principle of consent | Human Tissue Authority
  24. a person (aged 12 and over) can, before death, nominate a person or persons to represent them after their death. Nominees can authorise post-mortem examination and the removal/retention of organs or tissues for research
  25. further information on the order of priority can be found at Regulatory Support Centre Summary Of Legal Requirements For Research With Human Tissues In Scotland
  26. the transfer of a research participant is expected to be facilitated by the ‘transferring’ organisation, providing all relevant information to the ‘receiving’ organisation to support the receiving organisation’s continuation of the research. The sponsor should factor this into the study design so that the activities do not differ significantly from what is already in place
  27. formal confirmation and capacity may need to be done quickly to ensure the patient’s continued participation on the study
  28. HRA Organisational Information Document(s) completed for these studies should clearly state that the study is covered under the Consortium Agreement
  29. this applies where the processing is being undertaken as a research activity. Where this processing is undertaken under an existing service level agreement then the arrangements detailed at example 8 will apply

Previous section | Next section

Appendix A: Areas of review in HRA assessment which are additional to the UK study wide governance criteria | Appendix C: Summary of Changes

Back to uk study-wide governance criteria
© Copyright HRA 2025
Site by Big Blue Door