
The following guidance has been jointly developed by the HRA and the Medicines and Healthcare products Regulatory Agency (MHRA), in consultation with the Information Commissioner's Office (ICO), on behalf of the UK.

This guidance is for sponsors, contract research organisations (CROs) and participating NHS organisations when considering management of personal data processed for the purpose of healthcare research. It provides advice relating to data protection impact assessments (DPIAs).

‘Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.’ General Data Protection Regulation (GDPR) Article 35(1); DPA 2018 Section 64(1).

Data Protection Act 2018

For personal data processed for the purpose of a healthcare research project, the sponsor of the project is the controller and the participating NHS organisation is their processor[1]. DPIAs for the processing of personal data that is undertaken for the purpose of research are the responsibility of the sponsor.

Organisations that regularly sponsor research projects should undertake their DPIA(s) at the level of the Quality Management System, that is, via the policies, processes, systems, etc. by which they design and manage their research portfolios. Sponsors should operate on the basis of data protection by design, ensuring that their sponsor processes create compliant research projects, rather than attempting to work only reactively, on a study-by-study basis.


Individual projects should be designed and delivered in accordance with the sponsor processes that are already subject to DPIA. The sponsor should have checks in place to satisfy itself that each study is compliant, assuring itself that the study has been designed and will be delivered in accordance with the processes already subject to DPIA.

Where the study deviates from the established processes (for example, where it is intended that a project uses a new technology for the processing of personal data, or requires that safeguards set out in standing policies cannot be applied), the sponsor should consider whether a study specific DPIA is appropriate to address the level of risk, or whether updating existing DPIA(s) will be sufficient.

Participating NHS organisations are not responsible for the DPIA of the processing activities that they will undertake on behalf of research sponsors. They are responsible for ensuring that they process data only in accordance with appropriate technical and organisational measures. NHS organisations are held to high standards of data protection in each of the four UK nations. Sponsors should therefore take assurance that the measures taken by the NHS are appropriate when relying upon existing NHS processes, systems, etc. for the processing of personal data (as opposed to when study-specific provisions are required by the sponsor, such as Electronic Case Report Forms (eCRF)).

To support the assurance to sponsors, all NHS organisations should ensure that their policies, processes, systems, etc., upon which their processing of personal data depends, take proper account of their foreseeable use in processing personal data for research.

NHS organisations should ensure that their own DPIAs, at the organisational, sub-organisational and/or individual system (such as Electronic Health Records (EHR)) level, explicitly account for participation in research, including projects sponsored by external organisations.

As with DPIA expectations on sponsors, an approach to data protection by design, including proper consideration of research specific needs, should ensure that individual studies need only be assessed for fit with anticipated requirements, already accounted for in local DPIA. The need to undertake more detailed project specific evaluation and provide bespoke arrangements should be reduced to an absolute minimum.

In the case of both sponsors and participating NHS organisations, the expectation that individual studies are checked against existing arrangements does not replace the requirement that those arrangements are themselves regularly revisited. For example, sponsors should ensure that their systems and processes are regularly reviewed to ensure that they, and their associated DPIAs, remain fit for purpose. Participating organisations should similarly revisit their DPIAs regularly and, in so doing, take account of any changes in foreseeable research needs, for example the move to more remote access to EHR for study monitors.


[1] The controller is the party that determines the purpose and means of the processing (GDPR Article 4(7)) and the sponsor is the party that takes overall responsibility for the research (Policy Framework for Health and Social Care, 9.10). Whilst the sponsor may take advice from other parties in determining the means and purpose of the data processing, it is ultimately responsible for deciding whether and how to act upon that advice. Further general guidance on data protection in healthcare research is available on our website.