Skip to main content

Data protection

As researchers in the NHS you need to be aware of the General Data Protection Regulations (GDPR), which came into effect on 25 May 2018. 

In research we hold personal data surrounding our participants and therefore need to be aware of data protection regulations when carrying out our day-to-day work. We are already used to working within a highly regulated environment, but the GDPR will make us think differently about the data we hold.

The GDPR was primarily brought about to establish control over the ‘social media world’ and the cold-callers who seem to gain our personal data without our explicit permission. Unfortunately, as is often the case with legislation of this kind, this has led to some confusing terminology.

One aspect of the GDPR, surrounding our lawful basis for using and processing data, is proving a difficult concept for researchers.

Under the new legislation we will need a legal basis to process personal data (including name, address, postcode) and an additional legal basis to process special category personal data, including health data. We also need to ensure that all additional legal requirements are met – for example, the need to be fair and transparent, and to comply with the common law duty of confidence.

Under the new law, the most relevant legal basis for researchers processing personal data for university, NHS or Medical Research Council (MRC) institutes will usually be:

“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” Article 6(1)(e) ‘task in the public interest’.

As we are mostly processing special category personal data, under the regulations the most relevant additional legal basis would be:

“Processing is necessary for archiving purposes, scientific or historical research purposes or statistical purposes.” Article 9(2)(j).

As we are used to gaining consent from our participants you may think that our legal basis would be consent but this is mostly not the case. If consent is used as the legal basis for processing data then, for example, if a participant withdraws consent all of their data must stop being processed, which includes data already collected that must be destroyed. This would make the research untenable.

So why do we gain consent from our participants? This is to give the common law right of access to personal information and provides participants with sufficiently detailed information on a research study so they can make an informed, voluntary and rational decision to participate or not. This is an ethical requirement under our research legislation, guidance and policy and also demonstrates being fair and transparent to participants. The MRC have produced a short animation further explaining this.

If you have any questions or concerns about your research, or a particular study, please contact researchGDPR@uhs.nhs.uk for further advice and guidance.

There is also information available from the Health Research Authority and the MRC.

Further to this, all chief investigators sponsored by UHS will be contacted to ensure studies are compliant with the new regulations. Principle investigators or study teams may be contacted by their sponsors with measures they wish to carry out for their studies. If there are any concerns or if information is received from external sponsors then please do contact the email address above for advice.