Data protection and information governance

Last updated on 25 Feb 2026

Understanding how information governance principles - such as those set out in the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018 and the common law duty of confidentiality - interact with research governance principles is vital to enabling research across the NHS. In England, the Health Research Authority (HRA) is bound under regulation 111, subsections 6 and 7 of The Care Act 2014 to publish guidance on the principles of good practice in the management and conduct of health and social care research.

Good Information Governance (IG) in research is about more than legal compliance. It underpins public trust, participant confidence, and research integrity. It also enables the HRA, as the regulator of health and care research, and Research Ethics Committees (RECs) to review research studies, and NHS/HSC organisations to set up and run research studies, with clarity and confidence.

The HRA reviews all studies that receive HRA and HCRW Approval to ensure compliance with UK GDPR, data protection legislation and information governance requirements, in line with section 5.1 of the UK study-wide governance criteria.

HRA and HCRW Approval (and devolved nation equivalent study-wide review approvals) provide study-specific assurance of legal compliance to all parties involved in research, removing the need for duplicative local reviews by organisations participating in research studies. NHS organisations that undertake duplicative reviews may no longer be covered by the indemnity provided through the HRA’s (and equivalent national) reviews.

HRA guidance resources

The HRA supports different organisations to meet their IG responsibilities in research through a variety of guidance, tools, and assurance mechanisms:

New IG guide pilot

We're running a pilot to get feedback on our new draft Information Governance (IG) guide.

We've created the guide to reduce uncertainty and duplication to support study set up. You can view the draft guide on our website.

The pilot will run until 30 April 2026. Please send your feedback to pilot.testing@hra.nhs.uk.

General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018

The General Data Protection Regulation (GDPR) came into force in the UK on 25 May 2018. The detail of its application in the UK is set out in the Data Protection Act (2018). The Information Commissioner’s Office provides guidance and resources on UK GDPR covering all purposes, not just research on their website.

The HRA has published guidance covering research applications of UK GDPR for the health research community. Our detailed guidance addresses operational arrangements that researchers and organisations may need to put in place. We also developed technical guidance intended for Data Protection Officers (DPO), research managers or information governance leads / security architecture leads, or equivalent. It may also be relevant for researchers. Some prior knowledge of terminology is assumed. Further GDPR resources for the research community are available from the Medical Research Council.

Other currently applicable legislation

Legislation sets out when information about people can be processed for research and the safeguards that must be in place.

Data Protection Act (2018)

UK General Data Protection Regulation

Health Service (Control of Patient Information) Regulations

Human Fertilisation and Embryology (Disclosure of Information for Research Purposes) Regulations

Resources

MRC Regulatory Support Centre – guidance and eLearning

NHS Digital codes of practice for handling information in health and care

Processing confidential patient information without consent

Ethical review of research databases

For further enquiries, please e-mail queries@hra.nhs.uk.