This information governance (IG) Guide (The Guide) is designed to support sponsors and National Health Service / Health and Social Care (NHS/HSC) organisations participating in research. The Guide is split into different sections that are structured to work together to promote transparency, proportionality and consistency in study-wide IG assurance. The sections are intended to be used by different groups for different purposes.
Introduction, and what good IG looks like and how to evidence it in IRAS
- this section offers practical guidance on effective IG responses in IRAS applications, drawing on the planning and safeguards already established at sponsor or study level
- it is intended to be used by anyone interested in or working on research in the NHS or HSC. This includes representatives from sponsors, participating organisations, contract research organisations, IG specialists and Data Protection Officers
- sponsors and those preparing or supporting IRAS applications (including contract research organisations and sponsor-side IG specialists) can use this guidance to inform their IRAS application
- participating NHS/HSC organisations, IG specialists and Data Protection Officers can use this guidance so they can understand and rely on the assurances provided through study-wide review without duplicating checks locally
Additional advice for sponsors
- this section is focused on the earlier stage of study design and planning, supporting early implementation of Data Protection by Design and Default in research projects, through system-level data protection impact assessments (DPIAs) and planning, proportionate safeguards, and clear delegation of IG responsibilities and oversight
- it is intended to be used by representatives of commercial and non-commercial organisations who sponsor research taking place in the NHS or HSC
Additional advice for NHS/HSC participating organisations
- this section helps local NHS/HSC teams draw appropriate assurance from study-wide reviews and IRAS submissions, with sponsor support through an optional standalone IG Annex. The term “IG Annex” is used here to describe a simple, sponsor-defined document or file (rather than a prescribed template) that brings together sponsor IG assurances for participating organisations. This includes information reviewed as part of study-wide review and any other supporting information provided to help participating organisations meet local operational requirements, for example, where local implementation or integration is relevant. This may include documentation such as a Processor Matrix and reference to the sponsor’s system-level DPIA
- it is intended to be used by NHS and HSC organisations who are taking part in externally sponsored research
- this section provides contextual information and summarises key England-specific assurance frameworks used in NHS research such as the Data Security and Protection Toolkit (DSPT), Digital Technology Assessment Criteria (DTAC) and Clinical Safety Standards, which reflect broader UK-wide IG and safety principles. It is not intended to introduce new or additional requirements beyond those already considered
- it is intended to be used by anyone interested in or working on research in the NHS or HSC. This includes representatives from sponsors, participating organisations, contract research organisations, IG specialists and Data Protection Officers
Appendix 2 – glossary of acronyms
- this section provides a glossary of the acronyms used throughout The Guide to be used as a reference tool
- it is intended to be used by anyone interested in or working on research in the NHS or HSC. This includes representatives from sponsors, participating organisations, contract research organisations, IG specialists and Data Protection Officers
The Guide explains what good IG for research looks like and how sponsors should evidence their compliance with relevant standards and safeguards, both in IRAS submissions and in information shared with participating NHS/HSC organisations. The Guide clarifies what the Health Research Authority (HRA), and equivalent reviewers in the devolved nations, will assess as part of the UK study-wide review. It makes clear what is and is not checked at a national level, so that NHS/HSC organisations can take assurance from the UK study-wide review, without duplicating checks. The Guide also clarifies what can only be assessed locally, based on the systems and operational environment in place within local organisations, to ensure national and local responsibilities are clearly understood.
The Guide has been developed on a UK-wide basis and reflects shared expectations for good information governance across England, Scotland, Wales and Northern Ireland. Where examples or tools are referenced (such as the Data Security and Protection Toolkit (DSPT)), these illustrate how certain requirements are implemented in specific administrations. The principles themselves apply UK-wide, and we will continue to draw on equivalent approaches across the four nations as The Guide evolves.
In England, The Guide constitutes formal regulatory guidance, under Regulation 111, subsections 6 and 7 of The Care Act 2014, to which NHS Trusts and Foundation Trusts must have regard. It also constitutes guidance that NHS providers in England must comply with for commercial contract research under section 2 of the NHS England national directive on commercial contract research studies.
The study-wide review is intended to ensure that IG information in IRAS is complete and fit for purpose before approval is issued. In cases where the IG-related responses in the originally-submitted IRAS form are changed or clarified during the regulatory review, or subsequent amendment, sponsors should ensure that such changes are summarised and reflected in the IG Annex. The IG Annex should be included within the initial IRAS submission or any relevant subsequent IRAS amendment with potential relevance to IG assurances provided under the original review. The IG Annex should be kept updated and reshared with participating NHS/HSC organisations where relevant information changes, including at site set-up and following any subsequent amendments. This ensures that participating NHS/HSC organisations have access to accurate, up-to-date assurance information reflecting the national review outcome, supporting proportionate local checks and clarifying local responsibilities.
The Guide is aligned with, and should be read in conjunction with, Section 5.1 of the UK Study-Wide Governance Criteria (Assessment of IG, Data Protection Compliance and Data Security).
For further detail, reference can be made to the HRA’s UK General Data Protection Regulation (GDPR) guidance (for researchers and study coordinators) and Technical guidance (for data protection officers (DPOs), IG officers and research governance managers), and links to additional resources at Data protection and information governance.
The Guide complements the general IRAS Help & FAQs, which cover broader aspects of using IRAS, by providing topic-specific advice to support IG compliance and IRAS submissions, such as:
- lawful basis for processing data – guidance on selecting the appropriate lawful bases under Articles 6 and 9 UK GDPR
- roles and responsibilities – clarity on controller, joint controller, and processor roles in research
- transparency wording templates – model text to support participant information materials
- Data Protection Impact Assessments (DPIAs) – when they are required, whose responsibility they are and how to approach them in a proportionate way
- legal requirements for using health and care data – overview of the legal requirements for using health and care data in the development and deployment of data-driven technologies
- accessing health and care data: step by step guide and glossary – overview of the process for accessing health and social care data for research of data-driven technologies
Together, these resources provide practical support to help sponsors prepare clear, well-evidenced IRAS responses that meet the expectations set out in The Guide.
Clarification on scope and application
This Guide is not intended to set governance requirements for universities or other non-NHS research organisations in respect of their own internal systems and processes. Those organisations remain responsible for determining and meeting their own information governance, data protection and security obligations under applicable law and guidance.
The guidance is relevant where NHS or HSC organisations are participating in research, including where they are disclosing NHS data to universities or other non-NHS sponsors or processors. In those circumstances, the Guide is intended to support clarity about what assurance NHS/HSC organisations should take from national study-wide review, and what local responsibilities remain when providing data or enabling access to NHS systems.