Data protection and information governance

Last updated on 30 Jun 2021

Currently applicable legislation

Legislation sets out when information about people can be processed for research and the safeguards that must be in place.

Data Protection Act (2018)
Health Service (Control of Patient Information) Regulations
Human Fertilisation and Embryology (Disclosure of Information for Research Purposes) Regulations
Abortion Regulations


MRC Regulatory Support Centre – guidance and eLearning
NHS Digital codes of practice for handling information in health and care
Processing confidential patient information without consent
Ethical review of research databases
HRA eLearning module on confidentiality and information governance considerations in research.

General Data Protection Regulation (GDPR)

The new EU General Data Protection Regulation (GDPR) came into force in the UK on 25 May 2018. The detail of its application in the UK is set out in the new Data Protection Act (2018).

For health and social care research, the new Regulation is not very different from the previous Act, and the Health Research Authority will not be adding to the existing effective safeguards. In particular, Research Ethics Committee (REC) approval and the legal gateway for processing confidential patient information on the advice of the Confidentiality Advisory Group (CAG) will continue, as will the other common law provisions. A summary of the key changes for all data processing (not just research) is available from the Information Governance Alliance.

The Information Commissioner’s Office has published resources for GDPR preparation, but they are not specific to research. GDPR resources for the research community are available from the Medical Research Council.

The HRA has published guidance covering the GDPR

Our detailed guidance addresses operational arrangements that researchers and organisations may need to put in place.

We've also developed technical guidance intended for Data Protection Officers (DPO), research managers or information governance leads / security architecture leads, or equivalent. It may also be relevant for researchers. Some prior knowledge of terminology is assumed.

For further enquiries, please e-mail
