What permissions do we need before we can collect the data we use for our research?
Ethics approval
All research involving human participants in the UK, whether in the NHS or the private sector, must be approved by an independent research ethics committee. These committees protect the rights and interests of the people who will be the subject of the research study. Before we conduct any research, we submit a detailed plan of our proposed research (protocol) to a recognised research ethics committee. We cannot begin our studies until the appropriate ethics committee(s) have reviewed and approved it. The ethics committees that review clinical trials in the NHS are part of the Health Research Authority’s National Research Ethics Service (NRES). NRES publishes plain-language summaries of clinical trials so that the research is accessible to anyone who is interested.
Research and development (R&D) approval
For any research that involves NHS patients, we have to obtain permission from NHS Trusts to collect and use data from their patients. The Research and Development (R&D) Office(s) at each NHS Trust assesses the study carefully before approving it. All NHS organisations are required to give permission before research can begin within their organisation (this is in addition to ethical approval). Without this approval, indemnity/insurance cannot be assumed to be in place to cover the proposed research activity.
See more details about R&D approval on the Health Research Authority website.
Section 251 approval
In some circumstances informed consent for a research study cannot be obtained, and anonymised or de-identified (pseudonymised) data are not sufficient to answer the research question(s). In these circumstances, and if research is deemed to be in the interests of patients or the wider public, permission to use identifiable data can be exceptionally sought from bodies with legal responsibility for the protection of the interests of patients and the public in health research. In England and Wales, approval is obtained from the Confidentiality Advisory Group (CAG) of the Health Research Authority under Section 251 of the National Health Service Act 2006. The ‘Section 251 agreement’ (previously Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006) allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. In Scotland, approval can be sought from Caldicott Guardians and in Northern Ireland from Medical Directors.
We are also required to comply with the Data Protection Act 2018, the General Data Protection Regulations and other relevant standards about how data must be processed. Further details can be found on the Information Commissioner’s Office website and throughout this page.
Privacy Advisory Committee
In Scotland, permission from the Privacy Advisory Committee (PAC) is required to approve any information released by the Information Services Division (ISD). From 1st May 2015 a single application and scrutiny process is now operated across Scotland by the newly formed Public Benefit and Privacy Panel for Health and Social Care.