Developers - How to comply with the UK GDPR as a developer- Step 5: Getting research approvals, if needed

Throughout the development of your technology, there could be various activities that could be considered research. Research in this context means any activity involving health and care data when your intention is to ‘attempt to derive generalisable or transferable new knowledge to answer or refine relevant questions with scientifically sound methods’. National Clinical Audits of practice and service evaluation are not research. See the HRA’s decision tool for do I need NHS REC review?

If you will be doing research under this definition, including technology development activities, you need prior approvals from various organisations. These organisations include the Health Research Authority (HRA) and Health Care Research Wales (HCRW).

The HRA oversees responsible use of NHS health and (adult) social care data in research. It does this by providing the Research Ethics Service. This service is made up of many independent NHS Research Ethics Committees (RECs) that review health and social care research to provide ethics approval. The HRA also receives expert advice from the Confidentiality Advisory Group (CAG), an independent body that reviews applications for the use of confidential patient and service-user information for research uses. The HRA provides decisions based on this advice and issues approvals on behalf of the NHS for studies that are accessing data from NHS Trusts or GP practices.

More information: HRA Approval - Health Research Authority.

Examples of activities that could be research (and require approval): pre-market

The development of data-driven technologies (pre-market entry) would very likely be deemed research from an HRA perspective. For example, activities that could be considered research include:

• generating evidence to demonstrate that a data-driven technology, idea design or concept is workable
• testing, training or validating a technology in a live health environment (including clinical investigations)
• deploying a technology that is already on the market in a new setting (for example, moving from a hospital to a care home) or with a new population who are not represented in the data used in training or validating the technology

Examples of activities that could be research (and require approval): post-market

Some activities at the post-market stage may also be considered research. This includes post-market surveillance if a technology is being used outside of its intended purpose, or within its intended purpose but involving a change to standard care.

Important note: the definition of research used here to determine whether approval is required is narrower than the definition of research used by the ICO used in a data protection legislation context. However, the 2 definitions of research are not in conflict as they relate to your regulatory obligations.

Determining whether you are doing research as defined by the ICO is important to enable you to determine whether the research provisions that can be found in the UK GDPR and the DPA 2018 apply in any specific case. These provisions are aimed at helping you do your research more easily when appropriate safeguards are put in place in accordance with an appropriate legal basis.

Therefore, you should also check whether your activities pre- and post-market are research and, if so, what this means for your data protection obligations and your choice of UK GDPR legal basis. From an ICO perspective, for example, the development of a technology and the post-market surveillance of how that technology is performing when deployed will be seen as the development of a commercial product, using a lawful basis such as legitimate interests, rather than research.

For more information, see the ICO's guidance on research provisions, which gives advice on the application of data protection in this context.

Do you need research approval?

Read Is My Study Research and Do I need NHS Ethics approval to help decide if you need approval from a REC. Even if you do not, you may still separately require approval from the HRA/HCRW.

Sometimes you may also need separate approval from the Confidentiality Advisory Group, in addition to REC approval.

Read: HRA approval and the Confidential Advisory Group

What approvals do I need?

If you plan to use data from NHS organisations for a research activity, you will normally need to get approval from:

• a REC, and/or
• the HRA/HCRW (depending on whether your research will take place in England and/or Wales).

Important note: HRA/HCRW approval will be needed even if the data you will use has been rendered anonymous when it is from NHS patients or staff and will be provided by an NHS organisation; alternatively, if NHS resources/staff will be involved in your research.

You need to obtain the explicit consent of an individual to receive confidential patient and service-user information about them for re-use in your research, if you are not part of their direct care team. When it can be demonstrated that obtaining consent is impossible (for example, because the individual has died without giving consent) or highly impractical in the situation, the information holder will need to make an application to the CAG for a section 251 (NHS Act 2006) review to set aside the common law duty of confidentiality. If granted, this would provide a legal basis that allows you to receive this information for your research without consent.

Note that this type of consent (to have confidential information shared with you) is separate from UK GDPR consent. Read the HRA’s guidance on consent in research.

How to apply for research approvals

You can apply for HRA and HCRW approval, REC review and CAG review using the Integrated Research Application System (IRAS).

Being transparent with research

The HRA has a legal duty to promote research transparency. When applying for HRA and HCRW approval you should think about how you will share your findings and how you plan to involve patients and members of the public in the research. This is separate to recruiting patients and members of the public as research participants.

For practical resources and information about how to involve the public in research, read:

Make It Public: transparency and openness in health and social care research

HRA's best practice in public involvement