Our phone lines will not be operated on Wednesday 25 April due to an all-staff training day.

We apologise for any inconvenience. 

Data protection and information governance

Last updated on 20 Apr 2018

Currently applicable legislation

Legislation sets out when information about people can be processed for research and the safeguards that must be in place.


General Data Protection Regulation (GDPR)

The new EU General Data Protection Regulation (GDPR) is expected to apply in the UK from 25 May 2018. The detail of its application in the UK will be set out in a new Data Protection Act, which Parliament has yet to agree. Applicants should therefore not submit GDPR-related amendments at this time.

For health and social care research, the new Regulation is not very different from the current Act and the Health Research Authority will not be adding to the existing effective safeguards. In particular, Research Ethics Committee (REC) approval and the legal gateway for processing confidential patient information on the advice of the Confidentiality Advisory Group (CAG)  will continue, as will the other common law provisions. A summary of the key changes for all data processing (not just research) is available from the Information Governance Alliance.

The Information Commissioner’s Office has published resources for GDPR preparation, but they are not specific to research. Preparation guidance for research community is available from the Medical Research Council.

The HRA has worked with partners  to develop further research-specific guidance on the following topics:

The suite is primarily intended for Data Protection Officers (DPO), research managers or information governance leads / security architecture leads, or equivalent. It may also be relevant for researchers. Some prior knowledge of terminology is assumed.

This guidance will be kept up to date in light of relevant national and European guidelines and the Data Protection Act 2018

We have also published detailed guidance about operational arrangements that researchers and organisations may need to put in place.

As guidance becomes available, we will publicise it and link to it from this page. 

For further enquiries, please e-mail hra.queries@nhs.net.

Back to policies, standards & legislation