This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies.

Data protection and information governance

Last updated on 6 Nov 2020

Currently applicable legislation

Legislation sets out when information about people can be processed for research and the safeguards that must be in place.

Health Service (Control of Patient Information) Regulations

Human Fertilisation and Embryology (Disclosure of Information for Research Purposes) Regulations

Abortion Regulations


HRA eLearning module on confidentiality and information governance considerations in research.

General Data Protection Regulation (GDPR)

The new EU General Data Protection Regulation (GDPR) came into force in the UK on 25 May 2018. The detail of its application in the UK is set out in the new Data Protection Act (2018).

For health and social care research, the new Regulation is not very different from the previous Act, and the Health Research Authority will not be adding to the existing effective safeguards. In particular, Research Ethics Committee (REC) approval and the legal gateway for processing confidential patient information on the advice of the Confidentiality Advisory Group (CAG)  will continue, as will the other common law provisions. A summary of the key changes for all data processing (not just research) is available from the Information Governance Alliance.

The Information Commissioner’s Office has published resources for GDPR preparation, but they are not specific to research. GDPR resources for the research community are available from the Medical Research Council.

The HRA has published guidance covering the GDPR

Our detailed guidance addresses operational arrangements that researchers and organisations may need to put in place.

We've also developed technical guidance intended for Data Protection Officers (DPO), research managers or information governance leads / security architecture leads, or equivalent. It may also be relevant for researchers. Some prior knowledge of terminology is assumed.

For further enquiries, please e-mail

Back to policies, standards & legislation