The Health Research Authority have released further operational guidance on their website for researchers and study coordinators on the implications of the GDPR for the delivery of research in the UK. The guidance has been prepared in collaboration with a range of stakeholders, and reviewed by the Information Commissioner’s Office. The HRA is the body nominated to publish guidance on the implementation of the General Data Protection Regulation and Data Protection Act 2018 for health and care research. In most cases the impact on individual research projects will be limited. The guidance is aimed specifically at researchers and study coordinators managing individual research projects, and will therefore be of interest to site and sponsor research managers supporting them. Please visit the website to find out more - https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/
Key points to note:
- Under existing arrangements there are already robust systems and controls supporting the use of personal data in research, so in most cases the impact on individual research projects will be limited.
- For the purposes of the GDPR, the legal basis for processing data for health and social care research should NOT be consent. This means that requirements in the GDPR relating to consent do NOT apply to health and social care research
- Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research, unless you have support under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales or similar arrangements elsewhere in the UK.
- The GDPR requires each activity of processing data to have a legal basis under this legislation, in addition to the common law basis.
- For universities, NHS organisations, Research Council institutes or other public authority the processing of personal data for research should be a ‘task in the public interest’.
- For commercial companies and charitable research organisations the processing of personal data for research should be undertaken within ‘legitimate interests’.
- The HRA guidance includes specific templates and forms of wording that Sponsors can use within relevant documents to ensure that such notifications can be managed as non-notifiable and non-substantial amendments.