The following guidance has been jointly developed by the HRA and the Medicines and Healthcare products Regulatory Agency (MHRA), in consultation with the Information Commissioner's Office (ICO), on behalf of the UK.
This guidance is for sponsors, contract research organisations (CROs) and participating NHS organisations when considering management of personal data processed for the purpose of healthcare research. It provides advice relating to data protection impact assessments (DPIAs), and is available at the following:
“For personal data processed for the purpose of a healthcare research project, the sponsor of the project is the controller and the participating NHS organisation is their processor[1]. DPIAs for the processing of personal data that is undertaken for the purpose of research are the responsibility of the sponsor.
Organisations that regularly sponsor research projects should undertake their DPIA(s) at the level of the Quality Management System. This should be via the policies, processes and systems and more by which they design and manage their research portfolios. Sponsors should operate on the basis of data protection by design, ensuring that their sponsor processes create compliant research projects, rather than attempting to work only reactively, on a study by study basis.”