Good Information Governance (IG) in research is about more than legal compliance. It underpins public trust, participant confidence, and research integrity. It also enables regulators, other review bodies and Research Ethics Committees (RECs) to review research studies, and NHS/HSC organisations to set up and run research studies, with clarity and confidence.
The Guide has been developed to help research sponsors, and National Health Service/Health and Social Care (NHS/HSC) organisations participating in research, understand and apply effective IG practice in the context of IRAS submissions. It is designed to:
- support sponsors in preparing clear and comprehensive responses to IG questions and supporting materials as part of their IRAS submissions, demonstrating that IG safeguards are embedded into study design
- help participating NHS/HSC organisations draw assurance from study-wide reviews and well-prepared sponsor submissions, and understand what additional information can reasonably be requested locally
Clearer and more consistent sponsor submissions will also enable the Health Research Authority (HRA) and equivalent devolved nation reviewers (collectively ‘study-wide reviewers’) to work more efficiently and with confidence in reviewing the IG elements of research applications. The guidance complements and builds on existing frameworks, drawing on:
- the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018 and the Privacy and Electronic Communications Regulations (PECR) 2003
- the common law duty of confidentiality and relevant statutory provisions such as section 251 of the NHS Act 2006, which in England and Wales provides a legal basis under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’) for processing confidential patient information without consent for medical purposes, subject to review by the Confidentiality Advisory Group (CAG)
- the Caldicott Principles and wider expectations of transparency in health and care research
- guidance from the HRA, the Information Commissioner’s Office (ICO), and the office of the National Data Guardian (NDG)
- other national standards relevant to digital and data assurance, including the Data Security and Protection Toolkit (DSPT), Digital Technology Assessment Criteria (DTAC), and clinical-safety standards, which together underpin technical assurance for research systems (see Appendix 1 below)
When assessing an IRAS submission, study-wide reviewers look for clear evidence that the sponsor has:
- addressed key IG issues in a way that ensures legal compliance and respects participant privacy
- embedded IG into the research lifecycle from design through to dissemination
- provided clear justification for the type and scope of data being collected
- applied proportionate safeguards appropriate to the risks
- set out robust governance arrangements, including oversight and accountability structures
A strong IRAS submission will therefore not only demonstrate compliance but also reassure study-wide reviewers and participating NHS/HSC organisations that data handling has been carefully planned, transparently justified, and proportionately safeguarded.
The Guide is structured around core IG topics and provides:
- practical examples of ‘what good looks like and how to evidence it’ in IRAS submissions
- detailed sponsor-level advice on embedding Data Protection by Design and Default and providing participating organisation-level reassurance
- guidance for participating NHS/HSC organisations on how to take confidence from HRA and equivalent devolved nation review and approvals, as well as strong sponsor submissions, and where additional local actions may be needed
By bringing these perspectives together, The Guide promotes transparency, proportionality, and consistency in IG assurance across the UK health and care research landscape.
It also clarifies how national and local levels of IG assurance interact. Study-wide reviewers confirm sponsor-level assurances once nationally, while participating NHS organisations focus only on local integration or operational checks, where these are needed. For the purposes of this guidance, “integration” refers to situations where sponsor-provided software, hardware or services connect to, interface with, or are implemented within local NHS/HSC IT environments or infrastructure (for example through network connectivity, authentication, system-to-system data exchange, or deployment on NHS-managed devices or networks). This does not include routine use of NHS clinical or administrative systems when delivering research, unless the sponsor system itself is being deployed within or connected to those NHS environments. This also does not include standalone sponsor systems that operate entirely outside NHS/HSC infrastructure and do not interact with local IT.
This approach avoids duplication, ensures consistent standards across the UK, and supports proportionate assurance. Assurance should therefore be provided once, at sponsor level, through national review under Section 5.1 of the UK Study-Wide Governance Criteria, with participating NHS/HSC organisations referencing that evidence to meet their own DSPT or operational requirements. Study-wide reviewers will expect sponsors to explain, at a high level, whether and how sponsor systems interact with NHS/HSC environments, so that any genuine local integration considerations can be identified early and unnecessary local re-assessment avoided. This reflects the HRA’s principle of ‘assure once, use many times’.
Sponsors are responsible for determining which national or international standards apply to their study and for demonstrating alignment with them, which may be through recognised national assurance frameworks such as DSPT, ISO 27001, Cyber Essentials Plus, DTAC, or internationally recognised frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, depending on their organisational context. Study-wide review confirms that the sponsor has described and provided sufficient information to demonstrate alignment with national standards. It does not itself certify compliance with such frameworks, which remain sponsor responsibilities.