Who this section is for
This section is for sponsors and focuses on how to embed good information governance into study design and delivery and how to provide assurances to study-wide reviewers and participating NHS/HSC organisations.
Achieving data protection by design and default
For sponsors, meeting the standards set out in Section 5.1 of the UK Study-Wide Governance Criteria (‘Assessment of Information Governance, Data Protection Compliance and Data Security’) is about more than drafting good answers in IRAS. It requires embedding Information Governance (IG) into the way a study is conceived, designed, and delivered.
This section provides additional advice to help sponsors demonstrate Data Protection by Design and by Default, while also supporting participating National Health Service (NHS)/Health and Social Care (HSC) organisations in meeting their responsibilities.
Embedding IG Early in Study Design
IG should be considered from the outset, not as an add-on once protocols are finalised. Early planning should include:
- defining what personal data will be collected and why
- consulting with the sponsor’s Data Protection Officer (DPO) and IG teams to confirm lawful bases and safeguards
- assessing whether a Data Protection Impact Assessment (DPIA) is required. In most cases, sponsors should reference an existing system-level DPIA (for example, for a study platform, electronic data capture tool, research database, or electronic case report form (eCRF) system). Only where a study departs from these established processes (for example, introducing new technology or unassessed high risks) should a sponsor complete a study-specific DPIA, in line with HRA and MHRA guidance developed with the Information Commissioner’s Office (ICO)
- co-designing with people with lived experience, to help identify acceptability issues early, shape proportionate safeguards, and support transparency and public trust around how personal data will be used in the study
Proportionate and Purposeful Data Collection
Sponsors should consider upfront whether every data item collected has a justifiable scientific purpose:
- avoid collecting information ‘just in case’
- demonstrate proportionality by linking data fields directly to research outcomes
- plan data retention and disposal in line with the principle of storage limitation
Safeguarding Participant Privacy
Wherever possible, sponsors should build in privacy-enhancing approaches (including use of privacy-enhancing technologies, ‘PETs’, when necessary):
- use pseudonymisation and anonymisation techniques where directly identifiable data is not required
- apply pseudonymisation carefully, with secure and restricted key management
- record the rationale for chosen methods
- be clear about ‘identifiable to whom’ - what matters is whether information that leaves the participating organisation is identifiable to the recipient (for example, the sponsor), even if the information that stays at the participating organisation remains identifiable to the organisation
Transparency and Participant Information
Trust depends on participants being properly informed:
- use clear, layered information sheets and consent forms that explain data use and rights
- apply the HRA’s standard UK GDPR transparency wording where personal data will be processed, adapting only if there is a justified need and only then with appropriate patient and public involvement. Where no personal data is involved, applicants should confirm that the UK General Data Protection Regulation (UK GDPR) wording is not required
- alternatively, sponsors may develop their own transparency wording, provided this has been informed by appropriate patient and public involvement, and is demonstrably clear and accurate. If this approach is taken, study-wide reviewers will expect a short explanation of why the UK GDPR template wording was not used and how the sponsor has met each of the ICO transparency requirements (including through a layered approach), as well as how the sponsor has met the 4 principles for meaningful involvement of patients and the public
Security and Risk Management
Sponsors are responsible for ensuring data is protected throughout the research lifecycle, with a particular focus on any non-NHS-standard or sponsor-mandated systems. Where usual NHS systems are used, responsibility is met by selecting the NHS as processor, as these systems already meet national security requirements.
Sponsors must take responsibility for ensuring data is protected throughout the research lifecycle:
- reference technical and organisational safeguards, such as encryption, access controls, and audit trails
- align with national standards (for example, Data Security and Protection Toolkit (DSPT) compliance, ISO 27001 certification)
- put in place incident management procedures to respond to data breaches quickly and effectively
- address risks from mobile devices or ‘bring your own’ device use where relevant
- where studies involve sponsor-supplied devices or apps, consider early how these will operate within local NHS/HSC device-management arrangements. Compatibility with local policies should be discussed during feasibility or site selection, rather than being reassessed through study-wide IG review. Sponsors are not expected to design to individual local policies, but should ensure their approach can operate within nationally expected security baselines (for example those evidenced through DSPT)
- demonstrate alignment with recognised best practice – for example, by referencing Cyber Essentials, the NHS Cyber Security Strategy, or similar frameworks – and by requiring suppliers to sign up to the Cyber security charter for suppliers to the NHS, which sets out minimum standards and responsibilities (for example, patching, access management, and incident reporting)
- ensure that any systems requiring local integration are clearly identified so that participating NHS/HSC organisations understand where local IT checks remain necessary and where national or sponsor assurance already applies
Governance, Documentation and Accountability
Sponsors should be able to demonstrate good governance for the systems and processes they require beyond standard NHS environments. Where usual NHS systems are used as processors, baseline governance is already assured, but sponsors remain accountable for describing how these arrangements apply in their study.
Good governance should be demonstrable and recorded:
- map data flows through the study to show where and how information is managed, including when and to whom it is personal data and/or confidential patient information
- maintain appropriate organisational records of processing and system-level DPIAs, and lawful basis assessments as necessary, with clear cross-reference in IRAS rather than submission of full documents
- where required through national approval or assurance processes, be able to provide documented evidence of these assurances to support participating organisations in relying on national review
- maintain evidence of staff training and oversight mechanisms
Managing Third Parties and Processors
Where sponsors involve external suppliers in a study, sponsors remain accountable:
- conduct due diligence before appointing processors (choosing NHS organisations to process data within their usual systems does not require additional due diligence, given the safeguards in place to ensure such systems already comply with legal and policy requirements and expectations)
- use only the appropriate UK model agreement/s (including their Data Processing Agreement clauses) for NHS/HSC participating organisations and Participant Identification Centres, as specified at approval, with no modification unless justified, documented and approved under HRA and Health and Care Research Wales Approval, or equivalent review in Scotland or Northern Ireland
- complete and share documented information on processors, such as in a Processor Matrix or equivalent overview of third-party processing and assurance routes, within an IG Annex. This gives study-wide reviewers and participating organisations clarity on the nature and scope of third-party processing relied upon for the study so they can rely on national assurance without needing to re-check supplier arrangements locally. The Matrix should provide a proportionate study-level overview identifying the software, websites, devices, or digital tools used in the study that involve third-party processing. Where known at the point of IRAS submission, it should identify each supplier, their role and purpose, the type of data processed and whether data will be identifiable. The Matrix should also confirm that appropriate safeguards and contractual arrangements are in place, or refer to relevant sponsor system-level or organisational assurance (for example a system-level DPIA). Where details are not yet confirmed, the information provided should describe the expected processing activities and the minimum data protection and security requirements that will apply once suppliers are finalised, rather than requiring vendor-specific assurance to be recreated at study level. This supports transparency, demonstrates sponsor-level due diligence and enables participating organisations to rely on study-wide review, avoiding unnecessary local duplication
International Transfers
Where relevant, sponsors should:
- identify whether transfers of personal data outside the UK are required
- where they are required, confirm that transfers:
  - serve a clearly defined and lawful research purpose
  - comply with data minimisation
  - are supported by an appropriate legal basis under UK GDPR and, where relevant, the common law duty of confidentiality
- where consent is relied upon, include clear and specific information about the international transfer in the participant information
Where relevant, sponsors should also:
- restrict transfers to what is strictly necessary for the sponsor’s research purposes and make them in the least identity-disclosive form practicable (for example, avoiding transfer of direct identifiers unless demonstrably required)
- make clear in the IRAS submission if no international transfers of data are planned and make clear where international transfers of data do not involve the transfer of personal data, including explanation of the safeguards to be used to ensure that the data is not identifiable to the recipients
- consider the need for appropriate safeguards, such as adequacy decisions, International Data Transfer Agreements (IDTAs), as well as Transfer Risk Assessments (TRAs)
Supporting Participating NHS/HSC Organisations
Participating NHS/HSC organisations must be able to rely on the sponsor’s assurances, as reviewed by study-wide review. Good sponsors:
- provide clear IG assurances where needed in and alongside their IRAS submission, clarifying local expectations on storage, access, and pseudonymisation, and providing sufficient information on research flows. This should include a brief statement of which assurance frameworks (for example, DSPT, ISO 27001, Digital Technology Assessment Criteria (DTAC), or other national or international equivalents such as the NIST Cybersecurity Framework) the sponsor has applied, so that participating organisations can rely on those assurances and focus local checks only where integration with local IT means that sponsor consideration and study-wide review cannot completely address potentially arising local risks. The information provided should give participating organisations enough detail and assurances to update their Information Asset and Flow Register and meet their DSPT requirements, without producing study-specific DPIAs
- cross-reference local requirements to the sponsor’s system-level DPIA
Good sponsors also offer clear points of contact for locally-specific IG queries (for example, software compatibility or local implementation issues):
- general queries about IG aspects covered by the study-wide review should be directed to the HRA or equivalent study-wide review body, not the sponsor
- this is intended to reduce duplicated queries and avoid delays during site set-up, rather than introduce additional steps
- sponsors and study-wide review bodies are not expected to provide real-time advice, but to support proportionate clarification where genuinely needed within existing review and approval processes
Good sponsors also:
- provide timely updates on any changes to regulatory requirements, sponsor policies, or IG safeguards, to support participating organisations in maintaining compliance throughout the study
- clarify that participating organisations are not expected to re-validate sponsor-assured systems already reviewed nationally, unless integration with local IT means that sponsor consideration and study-wide review cannot completely address potentially arising local risks
- include in an IG Annex a brief summary of any residual risks and agreed mitigations, so that participating organisations are aware of remaining local considerations and can record proportionate actions where necessary
Summary
For sponsors, good IG means more than answering IRAS questions correctly. It means showing that:
- data protection has been embedded by design from the start
- privacy and proportionality are actively considered in every decision
- security, governance, and accountability are demonstrable
- participating organisations are supported with clear documentation and communication
- DPIAs are confirmed - referencing system-level DPIAs where available, with a study-specific DPIA only if new or higher risks are introduced
- the full data lifecycle is covered - collection, storage, linkage, analysis, publication, retention, and disposal - with safeguards at each stage
- early engagement with Patient and Public Involvement and Engagement groups is undertaken, for example on transparency wording and the acceptability of data uses
By adopting these practices, sponsors provide confidence not only to study-wide reviewers, but also to participating organisations and research participants, whose trust is fundamental to research. Sponsors should provide sufficient information upfront so that participating organisations can rely on it without needing further clarification.