In brief

The UK’s Health Research Authority (HRA) has unveiled new guidance that signposts the three essential steps to access health and care data for research purposes. The guidance delves into a point that researchers often miss: the common law duty of confidentiality runs in parallel to data privacy laws, and each regime needs to be considered separately to ensure data access requests can stand up to regulatory scrutiny.

Step 1: Scoping: what are the data requirements for your project?

The GDPR principle of “data minimisation” is key in scoping out data requirements, i.e., you should only process the minimum data necessary to fulfil your purpose. Wherever possible, you should only access anonymous or synthetic data. Where identifiable data needs to be used, this should be pseudonymised (where direct identifiers have been removed, but it may be possible to re-identify individuals if you link that dataset with other available datasets).

The guidance differentiates between legal bases for disclosure under each of: (a) the common law duty of confidentiality; and (b) the UK GDPR.

  • The common law duty of confidentiality applies to the sharing of identifiable patient or service user information. The legal basis to justify disclosure for research is usually consent, but there are certain statutory grounds available, such as under Section 251 of the NHS Act 2006.
  • In addition to requirements under the common law duty of confidentiality, the UK GDPR also requires a legal basis for processing personal data under Article 6 of the UK GDPR, and a ground under Article 9 in respect of health data. UK GDPR consent is a legal basis that appears under Articles 6 and 9, but others are available (and are often more appropriate).

Step 2: Clearly document how you plan to manage data

This step maps out the documentation you need to put in place, including the following:

  • A Data Management Plan that should be incorporated into your research protocol. This should describe the data processing and management activities throughout the lifecycle of a research study.
  • A Data Protection Impact Assessment, which may be needed and which assists with systematically analysing, identifying, and minimising the data protection risks of a project or plan.
  • A Data Flow Diagram that can support research applications (particularly for section 251 support).
  • A Data Sharing Agreement/Data Processing Agreement that addresses the rights and obligations between two or more parties when processing personal data (controller-to-controller, or controller-to-processor, as relevant).

Step 3: Reach out to data providers

It is important to have a dialogue with your data provider where possible. This will help manage timelines and assess (for example) variables missing in datasets that could cause issues for your project.

New streamlined process for accessing health data?

In parallel, the HRA is trialling a streamlined process for accessing health data for research.

All research studies that need advice from the Confidentiality Advisory Group (CAG) also need a Research Ethics Committee (REC) opinion. Traditionally, applying for these has always been two separate processes. However, the HRA is trialling a new approach to align both CAG and REC reviews via a single electronic submission, so researchers can save time and communications are easier to manage (great news for researchers!).


Jaspreet Takhar is a senior associate in Baker McKenzie's London office and advises market-leading tech and healthcare companies on issues at the cutting edge of digital health.