GDPR and research

As an NHS organisation we use personally-identifiable information to conduct research to improve health, care and services. Find out how we keep this information safe.

The General Data Protection Regulation (GDPR) came into force on 25th May 2018. It is designed to enable individuals to better control their personal data. The Health Research Authority (HRA) has published guidance about research and the general use of patient information.

As an NHS organisation we use personally-identifiable information to conduct research to improve health, care and services. As a publicly-funded organisation, we have to ensure that it is in the public interest when we use personally-identifiable information from people who have agreed to take part in research. This means that when you agree to take part in a research study, we will use your data in the ways needed to conduct and analyse the research study. Your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible. In any case all research, using identifiable or non-identifiable data, would have to go through a governance process and may require approval by a Research Ethics Committee.

More information

GDPR and Research