UK Data protection law and the common law of confidentiality

In the UK, the use of identifiable information is governed by:

UK Data protection law - ‘UK GDPR’ sits alongside the Data Protection Act 2018 to form primary data protection law in the UK (from 11pm, 31 December 2020). In practice there is little change to the principles, rights and obligations found in GDPR (and if you collaborate with researchers in Europe, then EU GDPR may still directly apply to you).  What is likely to change, is how EEA to UK transfers of personal data are managed. For more please visit the ICO’s end of transition guidance.

Common law - The requirement to respect any duty of confidence when accessing or sharing confidential information for health research, will not change. Learn more about confidentiality (PDF, 239KB).

You’ll find a summary of requirements in GDPR and Research – An Overview for Researchers.

Key facts

Whilst researchers have an important role to play (e.g. in respecting confidentiality and being clear, open and honest about how they intend to use data), ultimately, organisations are responsible for compliance with GDPR.

• In the UK, consent is unlikely to be the ‘lawful basis’ for research. It’s likely to be ‘public task’ (university and UKRI institutes) or ‘legitimate interests’ (charity and commercial) with an additional condition for special category data (‘research purposes'). See our GDPR animation and learn more about GDPR lawful basis (PDF, 239KB).
• In health research the sponsor is likely to be the (data) Controller, find out more in Current thinking on Controllers & Processors in health research (PDF, 83KB).
• It is possible to anonymise pseudonymised data by controlling both content and context, more in Identifiability, anonymisation and pseudonymisation (PDF, 163KB) and UK Anonymisation Network.
• Being fair and transparent with research participants is important.
• There is no requirement to delete research data. In fact, the ICO says you can keep ‘personal data’ for research indefinitely (subject to ‘safeguards’).
• GDPR doesn't stop you sharing data (although you have to manage confidentiality in line with common law).
• GDPR doesn’t stop you using clinical data for research. In fact, any ‘personal data’ can be used for research, regardless of why it was initially collected.
• Not all genetic data is ‘personal data’. It depends on uniqueness and identifiability (both direct and indirect).
• Research safeguards are not difficult in health research, if you follow relevant policies and good research governance practices, you will be well placed to meet them. Learn more about the safeguards for research (PDF, 102KB).
• Data Protection Impact Assessments (DPIAs) are an organisational tool, you don’t commonly need one for every research project.  Learn more in HRA DPIA guidance.

Learning resources

• Research, GDPR and confidentiality quiz - test yourself with our quiz
• Research, GDPR and confidentiality – what you really need to know - 10 bite-sized modules accompanied by supplementary resources

Further information

• HRA GDPR: Technical guidance for Data Protection Officers, Information Governance Officers and Research Governance Managers
• HRA GDPR guidance for researchers and study coordinators
• ICO webpages on GDPR - not necessarily research-specific

Still have a question?

If you have a specific question about how data protection and/or confidentiality law apply for research which we haven’t answered here, you can ask us at: rsc@mrc.ukri.org.