Contents
What study-wide review considers and what it does not consider
Understanding the role of participating NHS/HSC organisations
Drawing assurance from national reviews of IG compliance
Assurance from the IG part of Study-Wide Review and Approval
Assurance from a sponsor’s IRAS submission
When additional participating organisation-specific arrangements may be needed
Open communication and oversight
Who this section is for
This section is primarily for NHS and HSC organisations participating in research. It explains how participating organisations should take assurance from study-wide review and sponsor submissions as well as where local checks may still be required. It does not set additional requirements beyond those already established through national review.
What study-wide review considers and what it does not consider
Study-wide reviewers consider whether appropriate Information Governance (IG) and data protection assurances are in place for systems used in research, including confirmation that technical and organisational measures are adequate and proportionate. As part of this, sponsors should confirm that the systems they use or provide are compatible with relevant National Health Service (NHS) national digital and cyber standards such as the Data Security and Protection Toolkit (DSPT), the Digital Technology Assessment Criteria (DTAC), Cyber Essentials Plus, and the NHS Secure Boundary.
Study-wide review does not itself directly certify an NHS organisation’s compliance with operational IT standards (such as DSPT or local cyber controls), as these relate to the implementation and configuration of systems within the NHS operational IT environment and remain the responsibility of NHS England and individual Trusts. However, as part of study-wide review, reviewers do assess whether the sponsor has identified and described the relevant national or organisational assurance frameworks that apply to the systems used, and whether appropriate reliance has been placed on those assurances. Sponsors should make clear within their IRAS application which assurance frameworks apply to the systems used. This nationally reviewed information should then be provided to participating organisations as clear, up-to-date IG documentation; participating organisations should rely on it rather than re-assuring it locally, enabling them to focus only on local implementation or integration issues that cannot be addressed through study-wide review.
Understanding the role of participating NHS/HSC organisations
Clarity on the role of participating organisations in respect of IG helps to avoid duplication, protect indemnity, and ensure respective responsibilities are understood.
Although most of the IG arrangements in a study are reviewed nationally, participating organisations remain responsible for how information is managed within their organisation, as set out below. There are also participating organisation-specific elements relevant to IG compliance that can only be addressed locally, such as the security of interactions between local NHS digital systems and sponsor-provided hardware and software.
In research studies, participating organisations act as processors on behalf of the sponsor (as controller), while often also continuing to act as controllers for non-research uses of the same information (for example, direct care or service management).
Participating organisations demonstrate their responsibility for how information is managed within their organisation by:
- ensuring that local data handling practices (for example, storage, access, and retention) comply with organisational policies and procedures
- providing training for local staff who will handle data, in line with IG and data protection requirements
- monitoring day-to-day compliance and reporting any breaches or incidents through established local governance processes
As part of their local responsibilities, NHS/Health and Social Care (HSC) organisations must meet the requirements of the DSPT. For research studies, this is normally achieved by recording the local research information asset and associated data flows at an appropriate level – with responsibility for maintaining these records sitting with the organisation’s Data Protection Officer (DPO) or a function delegated by them (for example, the research office) – and by cross-referencing sponsor-provided assurance documentation. This supports DSPT compliance without duplicating sponsor-level assurance or repeating assessments already completed through study-wide review.
Sponsors should support participating organisations by providing clear up-to-date IG documentation alongside the IRAS application, for example through a standalone IG Annex, that clearly sets out participating organisation-level responsibilities and clarifications. Where IG-related information is added or changed following study-wide review or subsequent amendments, sponsors should ensure that this is reflected in the IG Annex, re-shared with participating organisations as appropriate, and included within the relevant IRAS submission or amendment where the change falls within the scope of study-wide review.
Participating organisations should not repeat or re-validate sponsor assurances that have already been provided and acknowledged through national review – including those describing compliance with data protection or security frameworks (for example, DSPT, ISO 27001, or DTAC) – unless integration of research technology with local digital systems introduces new, participating organisation-specific risks that depend on the configuration or operation of the local IT environments and therefore cannot be assessed through study-wide review alone. For the purpose of this guidance, “integration” refers to a technical or operational connection with local NHS/HSC systems or networks (for example, access via the NHS network, deployment on NHS-managed devices, interfaces with local clinic or administrative systems, or automated data exchange) rather than simple use of a sponsor system in parallel. Participating organisations should instead focus on ensuring that they continue to meet their own local operational and policy requirements, using the sponsor’s nationally reviewed documentation (for example, IRAS responses and any IG Annex) to confirm whether such integration exists, rather than requesting new or duplicative assurance directly from the sponsor.
These local responsibilities sit outside study-wide review, as they relate to the NHS’s operational IT environment and the implementation of digital and cyber standards overseen by NHS England and individual Trusts. While not part of national review, a model of shared validation of implementation within the local environment can provide an efficient way for Trusts to meet these obligations where IG collaboration arrangements already exist.
For example, one organisation within a group that routinely manages IG collaboratively may conduct a single technical or cyber validation and others record reliance on that assurance. Under the DSPT, one NHS organisation may perform such validation for a particular system that is used across multiple NHS organisations, provided each records its reliance on that assurance and remains accountable for its own local implementation. This model promotes consistency and efficiency while maintaining local accountability. For research, it means that while sponsors evidence system-level assurance, participating organisations retain responsibility for validating the implementation of sponsor-provided software or hardware within their own environment and for documenting that reliance as part of their local DSPT assurance. Participating organisations should ensure that any research systems used locally are compatible with these standards and that reliance or assurance is appropriately documented.
Drawing assurance from national reviews of IG compliance
Participating NHS and HSC organisations play a crucial role in ensuring that health and care research is conducted in line with the law and participant expectations. While responsibility for study-wide IG arrangements rests primarily with the sponsor, participating organisations remain accountable for how research information is handled and managed within their own organisation. This includes ensuring that local handling of research information complies with organisational policies, that staff are appropriately trained, that incidents are managed through local governance routes, and that any integration with local NHS/HSC digital systems is secure and appropriate.
Participating organisations are not responsible for re-assessing or re-validating sponsor-level IG arrangements that have already been reviewed and assured through study-wide review, including lawful basis, DPIAs or other system-level security assurance, or third-party processor assessments, which remain the responsibility of the sponsor.
The term ‘national’ is used to distinguish the study-wide review, and associated national processes, from local participating organisation activities and to emphasise that duplication is neither necessary nor appropriate.
Participating organisations should therefore rely on national review for assurance. The UK Policy Framework for Health and Social Care Research makes clear (section 8, Principle 13) that Health Research Authority (HRA) review provides an indemnity to participating organisations, protecting them from liability where they do not repeat checks already completed. This does not prevent participating organisations from raising concerns where they identify an apparent inconsistency, error, or issue relating to matters already considered through study-wide review. Where such concerns arise, they should be escalated to the HRA or the relevant study-wide review body (and, where appropriate, discussed with the sponsor), rather than being addressed through local re-assessment or re-validation. Escalation of concerns through national review processes preserves indemnity; duplication of assurance activities does not. If participating organisations duplicate assurance activities already undertaken in the national review, those protections are removed and liability rests with the participating organisation alone.
Assurance from the IG part of Study-Wide Review and Approval
The study-wide review process provides important assurance for participating organisations that the sponsor has met the standards in Section 5.1 of the UK Study-Wide Governance Criteria (‘Assessment of Information Governance, Data Protection Compliance and Data Security’), in alignment with health and care research best practice and the UK Policy Framework for Health and Social Care Research.
In particular, study-wide review confirms that:
- lawful bases and safeguards for personal data processing have been identified and justified
- transparency to participants has been addressed, with information sheets presented in plain language and aligned to UK General Data Protection Regulation (GDPR) standards
- where relevant, a Data Protection Impact Assessment (DPIA) has been completed or a clear explanation given. In line with HRA guidance, a sponsor should only complete a study specific DPIA if the planned processing is likely to result in a high risk to participants not already accounted for in sponsor system-level DPIAs (for example, use of new technology, large-scale use of health data, or data linkages). In most cases, referencing an existing system-level DPIA conducted by the sponsor is sufficient unless new or higher risks are introduced
- appropriate safeguards for third-party processors and any international data transfers have been reviewed
In practice, HRA and Health and Care Research Wales (HCRW) Approval – and study-wide review in Scotland and Northern Ireland – confirms that the sponsor has addressed the key legal requirements under the UK GDPR, the Data Protection Act 2018, and the common law duty of confidentiality. Participating organisations should therefore restrict local activity to:
- making arrangements to meet these obligations in practice, acting as processors on the sponsor’s instructions, rather than repeating central assessments; and
- undertaking whatever checks are necessary of compatibility between sponsor-provided software and hardware and local NHS systems, alongside other activities that by their nature cannot be undertaken once, centrally, at study-wide review, because they require knowledge of local digital or other systems
Assurance from a sponsor’s IRAS submission
A strong sponsor submission in IRAS, reviewed as part of the study-wide review process, should give participating organisations confidence that IG has been properly embedded into the study. Key signs of this include:
- clarity on data handling – the submission sets out how participant data will be collected, processed, stored, and protected
- evidence of proportionality – only the data needed for research purposes is collected, with clear justification
- robust IG arrangements – the submission references security standards, incident management procedures, and staff training
- commitment to transparency – participants are informed in plain language about how their data will be used and their rights
Participating organisations can reasonably take reassurance from this, provided the sponsor’s information is consistent with local policies and infrastructure. Compatibility in this context is normally established through the sponsor’s description of how systems will be used, whether they integrate with NHS networks, devices or clinical systems, and which national or organisational assurance frameworks apply, as set out in the IRAS submission and any supporting IG Annex. Sponsors are expected to provide sufficient detail to participating organisations with the IRAS submission to enable sites to determine whether any local implementation or integration checks are required, so that further dialogue is rarely needed.
Participating organisations should confirm alignment with their own DSPT compliance but are not responsible for conducting DPIAs on sponsor processing or carrying out study-specific DPIAs locally. These responsibilities rest with the sponsor and are addressed through national review. Where concerns arise, they should be raised promptly with the study-wide review body where they fall within scope of that review (and otherwise with the sponsor) rather than re-checking matters already covered.
When additional participating organisation-specific arrangements may be needed
There may be circumstances where participating organisations request further information from sponsors, but this should remain the exception and be limited to issues clearly outside the scope of study-wide review.
Where studies involve sponsor-supplied devices, apps, or digital tools that will be used by NHS/HSC staff or connect to NHS systems, participating organisations should expect early discussion during feasibility or site selection about how those tools will operate within the local environment. This includes consideration of device management, network access, and compatibility with local policies that implement national security baselines. Participating organisations should facilitate a proportionate and streamlined local implementation process by involving relevant local teams (for example IT, IG, or digital services) early, so that practical integration issues can be identified and resolved efficiently. These discussions relate to local implementation and integration only, and should not involve re-assessing sponsor system-level assurance already considered through study-wide review.
Examples of circumstances where local discussion may be needed, from a local security and technical perspective, include the following:
- checking network or firewall compatibility – where local systems require external connectivity (for example, sponsor databases). Participating organisations will normally liaise with their IT teams to enable this, but may need the sponsor to confirm system specifications or IP details
- local data storage and access – confirmation of encryption standards, access controls, and audit logs
- third-party processors – clarity on which suppliers are involved and the roles they play when their systems interface with local systems (for example, when local private-network connectivity is required). Responsibility for contracting and assessing third-party data protection arrangements sits with the sponsor; participating organisations only need assurance that those arrangements exist when there is direct interface with participating organisation systems and that their own local boundaries are secure
Sponsors are responsible for selecting and assuring the systems used for research. Local NHS and HSC organisations are responsible for ensuring that, if their staff are required to use those systems, or those systems directly interface with their own, the use/interface complies with national NHS technical and digital standards, as reflected in their local policies. This responsibility is met through proportionate local implementation checks (for example confirming network access, device management, or configuration), and does not require re-assessment of sponsor system assurance already reviewed nationally. Where participating organisations rely on sponsor assurances taken through study-wide review, their indemnity under the UK Policy Framework for Health and Social Care Research is preserved.
This responsibility applies only where the system is accessed by NHS/HSC staff, deployed on NHS devices, or integrates with NHS networks or clinical systems. Where sponsor systems are used solely for research data collection or data management outside the NHS operational environment (for example, accessed only by sponsor staff or participants directly, with no connection into NHS networks), NHS/HSC organisations are not required to, and should not, assure or approve those systems. The assurance of such systems remains entirely the responsibility of the sponsor.
Where researchers use participating organisation equipment or networks, local IG and IT policies may legitimately apply to how they access or integrate with the NHS systems. This may include practical constraints around identity management, email domains, access controls, or licensing arrangements where NHS infrastructure or services are being used. However, use of local systems is a sponsor choice, and sponsors may choose instead to make use of their own systems, even when such use is not directly covered by local policies. Whilst processing personal data outside of NHS systems should be minimised, data minimisation will have been assessed at study-wide review. Accordingly, operational constraints such as local email-domain requirements or local licensing models should be addressed through early feasibility or site set-up discussions only where NHS systems are involved, and should not be used to re-assess or require substitution of a sponsor’s assured research system where it is not deployed within or connected to the NHS environment.
So, for example, the sponsor’s choice of video-calling software, participant e-diary or any other system may involve paid access or licensing arrangements as a consequence of that choice, but should not require a participating organisation to procure licences, create NHS-managed user accounts, or onboard sponsor systems into local identity or email-domain arrangements where the sponsor system is accessed independently of NHS/HSC operational systems. In such cases access should be arranged and funded by the sponsor as a feasibility and contracting matter, including where local platform preferences, local licensing arrangements or organisational email-domain restrictions would otherwise limit access. Local checks should then focus only on integration, access and network safety where technical integration with NHS systems exists, and should not duplicate sponsor system-level assurance already considered through study-wide review.
Study-wide review will assess that a sponsor has assured a system against recognised standards and demonstrated that it meets equivalent or higher security than standard NHS platforms. Participating organisations should accept its use rather than requiring substitution to a local platform. Local checks should focus on integration and network safety, only where integration exists, not on re-assessing system assurance already evidenced by the sponsor.
Where a participating organisation’s local policies set standards or requirements that a research study cannot meet (for example, a sponsor requirement to use Zoom rather than a participating organisation’s standard use of Microsoft Teams), sponsors can set out the relevant information in an IG Annex provided to participating organisations that cross-references the sponsor system-level DPIA. The IG Annex should be made available to participating organisations for their records and local assurance purposes. It should be kept up to date and reshared with participating organisations where relevant information changes, including after any clarifications made during the study-wide review or following any study amendments. This ensures that participating organisations have access to accurate, up-to-date assurance information reflecting the national review outcome. In turn, this enables participating organisations to record data flows in their Information Asset and Flow Register and meet DSPT requirements, without producing study-specific DPIAs or requiring substitution of sponsor-assured systems.
It should be noted that assessment of identifiability and data flows sits firmly within study-wide review. Participating organisations should not re-determine whether data is personal or anonymous. The only operational responsibility at participating organisation level is to follow agreed procedures – for example, participating organisations should follow sponsor instructions on what identifiers (if any) are removed or coded locally before transfer – with sponsors providing this information to avoid duplication or uncertainty.
Open communication and oversight
Good sponsors also maintain open communication on IG with participating organisations throughout the study, where necessary. This includes:
- providing clear points of contact for participating organisation-specific IG (for example, software compatibility or local implementation issues)
- sharing timely updates on relevant regulatory or protocol changes
- demonstrating a commitment to ongoing monitoring and oversight of IG practices across all participating organisations
This reassures participating organisations that IG remains a live consideration throughout the study, while reducing the need for ad hoc queries by ensuring sufficient information is provided upfront.
Summary
For NHS and HSC organisations, assurance about IG can primarily be taken from:
- HRA and HCRW Approval, or study-wide review in Scotland or Northern Ireland, which confirms that the sponsor has addressed legal requirements and key governance safeguards appropriate for the study
- a well-prepared sponsor IRAS submission, which demonstrates clear IG planning, proportionality, and transparency
- sponsor-provided supporting documentation, such as an IG Annex including a Processor Matrix, kept aligned with the current IRAS submission and any relevant amendments, to enable participating organisations to update their local records and meet their DSPT requirements without producing study-specific DPIAs
Participating organisations should rely on these assurances and not duplicate checks. By doing so, they can participate in research with confidence that participant information is handled lawfully, proportionately, and securely.