The Guide is structured around a set of core IG topics that sponsors should address in their IRAS submissions. These reflect the main areas that study-wide reviewers consider when assessing IG compliance in accordance with Section 5.1 of the UK Study-Wide Governance Criteria (‘Assessment of Information Governance, Data Protection Compliance and Data Security’).
The list below summarises the ten IG topics covered in this guidance, with the key legal provisions that underpin each. Each topic is then explored in more detail in the following ‘What good IG looks like and how to evidence it in IRAS’ section of The Guide.
- data minimisation and purpose limitation
  Legal provisions: UK GDPR Articles 5(1)(c) (data minimisation), 5(1)(e) (storage limitation), 89 (research safeguards)
- security
  Legal provisions: UK GDPR Article 32 (security of processing)
- lawfulness
  Legal provisions: UK GDPR Articles 6 (lawful bases), 9 (special category data), 24 (controller responsibility), 26 (joint controllers), 35 (data protection impact assessments); DPA 2018 s.8(c) (public interest basis); DPA 2018 Sch.1 Pt.1 para.1 (health/social care condition)
- transparency and rights
  Legal provisions: UK GDPR Articles 12–22 (information duties and individual rights); DPA 2018 s.44 (right of access limits) and Sch.2 para.27 (research exemptions)
- international transfers
  Legal provisions: UK GDPR Chapter V (Articles 44–49) (adequacy, safeguards, derogations)
- accountability
  Legal provisions: UK GDPR Articles 5(2) (accountability principle), 24 (responsibility of controller), 27 (representatives)
- processors
  Legal provisions: UK GDPR Article 28 (processor contracts)
- Privacy and Electronic Communications Regulations (PECR) compliance
  Legal provisions: PECR 2003 Reg.22 (electronic marketing/consent rules)
- confidentiality and common law duty of confidentiality
  Legal provisions: Common law duty (consent/expectation of confidence); NHS Act 2006 section 251 (statutory support for disclosure); the Caldicott Principles (ethical framework); DPA 2018 s.19 (special category conditions/APD)
- Artificial Intelligence and Machine Learning systems (AI/ML)
  Legal provisions: UK GDPR Articles 5 (principles), 22 (automated decisions/profiling), 25 (privacy by design/default), 35 (DPIAs); DPA 2018 ss.13–14 (research safeguards)