We are creating a unified UKRI website that brings together the existing research council, Innovate UK and Research England websites.
If you would like to be involved in its development let us know.

Site search

UK Data protection law and the common law of confidentiality

In the UK, the use of identifiable information is governed by:

UK Data protection law - ‘UK GDPR’ sits alongside the Data Protection Act 2018 to form primary data protection law in the UK (from 11pm, 31 December 2020). In practice there is little change to the principles, rights and obligations found in GDPR (and if you collaborate with researchers in Europe, then EU GDPR may still directly apply to you).  What is likely to change, is how EEA to UK transfers of personal data are managed. For more please visit the ICO’s end of transition guidance.

Common law - The requirement to respect any duty of confidence when accessing or sharing confidential information for health research, will not change. Learn more about confidentiality (PDF, 239KB).

You’ll find a summary of requirements in GDPR and Research – An Overview for Researchers.

Key facts

Whilst researchers have an important role to play (e.g. in respecting confidentiality and being clear, open and honest about how they intend to use data), ultimately, organisations are responsible for compliance with GDPR.

Learning resources

Further information

Still have a question?

If you have a specific question about how data protection and/or confidentiality law apply for research which we haven’t answered here, you can ask us at: rsc@mrc.ukri.org.