Currently applicable legislation
Legislation sets out when information about people can be processed for research and the safeguards that must be in place.
- Data Protection Act
- Data Protection (Processing of Sensitive Personal Data) Order
- Health Service (Control of Patient
- Human Fertilisation and Embryology (Disclosure of Information for Research Purposes) Regulations
- Abortion Regulations
- MRC Regulatory Support Centre – guidance and eLearning
- NHS Digital codes of practice for handling information in health and care
- Processing confidential patient information without consent
- Ethical review of research databases
General Data Protection Regulation (GDPR)
The new EU General Data Protection Regulation (GDPR) is expected to apply in the UK from 25 May 2018. The detail of its application in the UK will be set out in a new Data Protection Act, which Parliament has yet to agree. Applicants should therefore not submit GDPR-related amendments at this time.
For health and social care research, the new Regulation is not very different from the current Act and the Health Research Authority will not be adding to the existing effective safeguards. In particular, Research Ethics Committee (REC) approval and the legal gateway for processing confidential patient information on the advice of the Confidentiality Advisory Group (CAG) will continue, as will the other common law provisions. A summary of the key changes for all data processing (not just research) is available from the Information Governance Alliance.
The Information Commissioner’s Office has published resources for GDPR preparation, but they are not specific to research. Preparation guidance for the research community is available from the Medical Research Council.
The HRA has worked with partners to develop further research-specific guidance on the following topics:
basis – consent, legitimate interests, tasks carried out in the public interest;
– privacy notices, fair processing, keeping records of data processing
The suite is primarily intended for Data Protection Officers (DPOs), research managers, information governance leads, security architecture leads, or equivalent. It may also be relevant for researchers. Some prior knowledge of terminology is assumed.
We have also published detailed guidance about operational arrangements that researchers and organisations may need to put in place.
As guidance becomes available, we will publicise it and link to it from this page.
For further enquiries, please e-mail firstname.lastname@example.org.