How can I access health data for research?
You can use the Health Data Research UK Innovation Gateway to discover and request access to health data for research.
Our Health Data Access Tool Kit will help you understand how to access routinely collected NHS data. The toolkit signposts the approvals required and explores the issues that you need to consider and address within a successful application.
Data and confidentiality law
In the UK, the use of identifiable information is primarily governed by the common law of confidentiality and data protection law.
Common law requires researchers to respect any ‘duty of confidence’ when accessing or sharing confidential information. Learn more about confidentiality and how it relates to data protection (including guidance on the legal avenues which allow the disclosure of confidential information to support medical research, without consent).
UK General Data Protection Regulation (GDPR) sits alongside the Data Protection Act 2018 to form primary data protection law in the UK. UK GDPR retains very similar principles, rights and obligations to those found in EU GDPR. If you collaborate with researchers in Europe, then EU GDPR may still directly apply to you.
You can find a summary of requirements in GDPR and research – an overview for researchers.
UK data protection law will be reformed when the Data Protection and Digital Information Bill passes through Parliament. Once passed, the new act will update current data protection legislation in the UK.
Collaborating with Europe
On 28 June 2021 the EU granted adequacy to the UK. Adequacy means that ‘personal data’ can continue to flow freely between the UK and the EEA. The UK recognised the EU and EEA member states as ‘adequate’ in 2020. The EU’s adequacy decisions for the UK are expected to last until 27 June 2025, with review by the EU planned in 2024. You can learn more in the Information Commissioner’s Office (ICO) adequacy guidance.
Key facts
Whilst researchers have an important role to play, for example, in respecting confidentiality and being clear, open and honest about how they intend to use data, ultimately organisations are responsible for compliance with GDPR.
In the UK, consent is unlikely to be the ‘lawful basis’ for research. It’s likely to be ‘public task’ (university and UKRI institutes) or ‘legitimate interests’ (charity and commercial) with an additional condition for special category data ‘research purposes’. See our GDPR animation (YouTube) and learn more about GDPR lawful basis, consent and confidentiality.
In health research the sponsor is likely to be the (data) controller. Find out more in Current thinking on Controllers and Processors in health research.
It is possible to anonymise pseudonymised data by controlling both content and context. Read more in:
- our guidance on identifiability and what to consider when you want to share data
- the UK Anonymisation Network website
- draft ICO guidance.
Being fair and transparent with research participants is important. You can learn more from ICO’s right to be informed guidance.
There is no legal requirement to delete research data. In fact, the ICO says you can keep ‘personal data’ for research indefinitely subject to ‘safeguards’. You can find further guidance on this in our retention framework for research data and records.
GDPR doesn’t stop you sharing data although you have to manage confidentiality in line with common law.
GDPR doesn’t stop you from using clinical data for research. In fact, any ‘personal data’ can be used for research, regardless of why it was initially collected.
Not all genetic data is ‘personal data’. It depends on uniqueness and identifiability both direct and indirect.
‘Safeguards’ are easily met for health research, if you follow relevant policies and good research governance practices. Learn more about the safeguards for research.
Data Protection Impact Assessments (DPIAs) are an organisational tool. You don’t commonly need one for every research project. Learn more in NHS Health Research Authority (NHS-HRA) DPIA guidance.
Learning resources
You can use the:
- Research, GDPR and confidentiality quiz to test yourself and earn a certificate
- Research, GDPR and confidentiality – what you really need to know to complete our bite-sized e-learning modules
- UK GDPR fact or fiction board game to test your knowledge of GDPR.
Further information
You can visit the following websites:
- NHS-HRA GDPR: technical guidance for data protection officers, information governance officers and research governance managers
- NHS-HRA GDPR guidance for researchers and study coordinators
- ICO web pages on GDPR – these are not necessarily research specific.
Working in partnership
We work with:
- Health Data Research UK to create appropriate infrastructure and increase the use of health data to enable research and innovation for patient benefit
- Research Advisory Group hosted by NHS Digital, where we and others are working with NHS Digital to help them improve their data and data services
- NHS-Higher Education Information Governance Working Group, comprising of three subgroups (Challenges in Information Governance, Trusted Research Environments, Legal and Contractual) which focus on a broad range of information governance and data access issues. We jointly lead the Challenges in Information Governance subgroup.
Still have a question?
If you have a specific question about using data in research which we haven’t answered here email: rsc@mrc.ukri.org
Last updated: 17 March 2023