Skip to main content

BETA This is a new service - your feedback (opens in a new tab) will help us to improve it.

Get an overview of your obligations with the data checklist for adopters.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

  • England


Adopters - Complying with the UK GDPR Steps 1 - 7: an introduction- Step 5: Determine if your activities are research

Reviewed: 13 January 2023

Reviewed by: Health and Care IG Panel

During adoption of the technology, there could be various activities that could be considered research. See understanding the difference between research and non-research activities for more information.

If you will be doing research, including technology development activities, you need prior approvals from various organisations. These organisations include the Health Research Authority (HRA) and Health Care Research Wales (HCRW).

The HRA oversees responsible use of NHS health and (adult) social care data in research. It does this by providing the Research Ethics Service. This service is made up of many independent NHS Research Ethics Committees (RECs) that review health and social care research to provide ethics approval. The HRA also receives expert advice from the Confidentiality Advisory Group (CAG), an independent body that reviews applications for the use of confidential patient and service-user information for research (and non-research) uses. The HRA provides decisions based on this advice involving research, and issues approvals on behalf of the NHS for studies that are accessing data from NHS Trusts or GP practices.

More information:

Do you need research approval?

Read Is my study research? and Do I need NHS REC review? to help decide if you need approval from a REC. Even if you do not, you may still separately require approval from the HRA/HCRW.

Sometimes you may also need separate approval from the CAG, in addition to REC approval.

What approvals do I need?

If you plan to use data from NHS organisations for a research activity, you normally need to get approval from:

  • a REC, and/or
  • the HRA/HCRW (depending on whether your research will take place in England and/or Wales)

Important note: HRA/HCRW approval will be needed even if the data you will use has been rendered anonymous before use. You should apply for HRA/HCRW approval if the data is from NHS patients or staff and will be provided by an NHS organisation, or if NHS resources or staff will be involved in your research.

You need to obtain the explicit consent of an individual to receive confidential patient and service-user information about them for re-use in your research, if you are not part of their direct care team. When it can be demonstrated that obtaining consent is impossible (for example, because the individual has died without giving consent) or highly impractical in the situation, the information holder will need to make an application to CAG for a section 251 (NHS Act 2006) review to set aside the common law duty of confidentiality. If granted, this would provide a legal basis that allows you to receive this information for your research without consent.

Note that this type of consent (to have confidential information shared with you) is separate from UK GDPR consent. See the HRA’s guidance on consent in research.

How to apply for research approvals

You can apply for HRA and HCRW approval, REC review and CAG review using the Integrated Research Application System (IRAS).

Being transparent with research

The HRA has a legal duty to promote research transparency. When applying for HRA and HCRW approval you should think about how you will share your findings and how you plan to involve patients and members of the public in the research. This is separate to recruiting patients and members of the public as research participants.

For practical resources and information about how to involve the public in research, read:

Make it public: transparency and openness in health and social care research

HRA’s best practice in public involvement

Get an overview of your obligations with the data checklist for adopters.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

  • England


Get more support

To discover how the regulatory organisations can assist you and for contact details, visit our 'Get Support' page.

Is this article useful?

How can we improve this piece?

Error:Select how we can improve this piece

Thank you for your feedback!

To share additional insights about this page, please use the following link (opens in a new tab) to submit your observations.

Print this guidance (opens a PDF in a new tab)

Regulations are regularly updated. For the latest information, check the website as printed documents may be outdated.