Currently applicable legislation
Legislation sets out when information about people can be processed for research and the safeguards that must be in place.
- Data Protection Act (2018)
- MRC Regulatory Support Centre – guidance and eLearning
- NHS Digital codes of practice for handling information in health and care
- Processing confidential patient information without consent
- Ethical review of research databases
General Data Protection Regulation (GDPR)
The new EU General Data Protection Regulation (GDPR) came into force in the UK on 25 May 2018. The detail of its application in the UK is set out in the new Data Protection Act (2018).
For health and social care research, the new Regulation is not very different from the previous Act, and the Health Research Authority will not be adding to the existing effective safeguards. In particular, Research Ethics Committee (REC) approval and the legal gateway for processing confidential patient information on the advice of the Confidentiality Advisory Group (CAG) will continue, as will the other common law provisions. A summary of the key changes for all data processing (not just research) is available from the Information Governance Alliance.
The Information Commissioner’s Office has published resources for GDPR preparation, but they are not specific to research. GDPR resources for the research community are available from the Medical Research Council.
The HRA has published guidance covering the GDPR
Our detailed guidance addresses operational arrangements that researchers and organisations may need to put in place.
We've also developed technical guidance intended for Data Protection Officers (DPO), research managers or information governance leads / security architecture leads, or equivalent. It may also be relevant for researchers. Some prior knowledge of terminology is assumed.