Information resources for health researchers

These web resources are targeted at the wider public and the interpretations are not sector specific. However, the information provided and the questions addressed are relevant to all data controllers including health researchers.


Important notice when referring to UK guidance on GDPR

It should be noted that the UK implementation of GDPR in the context of health research is different to that of Ireland.

In particular, official guidance by the Health Research Authority to UK researchers is that, in most instances, the appropriate legal basis for health research activities in public institutions is either "Public Interest" or "Legitimate Interests" (i.e. not the legal basis of consent).   This only relates to the recommendation not to use consent as a legal basis for the purposes of GDPR. It does not lessen the ethical obligation on researchers to obtain consent.

In Ireland, researchers and institutions may choose any legal basis that they feel is most appropriate for them to use.  This includes consent, public interest or legitimate interests (although legitimate interest is not available as a legal basis for public bodies in the conduct of their public functions.)

However, in Ireland, the Health Research Regulations 2018 mandate "explicit consent" as one of the "suitable and specific measures" that must be undertaken when the processing of personal data (including health data) for the purposes of health research.

Therefore, regardless of what legal basis is chosen to justify the processing of personal data for health research purposes, the explicit consent of the data subject is required unless the researcher has been granted a consent declaration under the Health Research Regulations 2018 (Regulation 5) or under the Health Research Regulations 2018 transitional arrangements (Regulation 6).

GDPR Guidance in the UK

  • UK Information Commissioner’s Guide to the General Data Protection Regulation
  • The UK has passed a new Data Protection Act (2018). This implements the derogations and also brings the GDPR into domestic law in preparation for the UK leaving the EU.
  • The UK Government is also aiming to secure an ‘adequacy plus’ agreement (for information on adequacy agreements please click here) with the EU to ensure data is able to flow across borders after Brexit. It will argue for building GDPR guidanceon standard adequacy approaches to reflect the close partnership between the UK and the EU on data protection issues. This will be a matter for Brexit negotiations.
  • The Health Research Authority published detailed guidance for researchers on GDPR, covering: lawful bases for processing; safeguards; transparency; and data subject rights.
  • The MRC Regulatory Support Centre has also produced a helpful summary of the main changes for research activity in the UK.
  • The Information Governance Alliance has produced guidance for clinicians and those working within the health service.

GDPR in research journals

You can also find some reporting on the likely impact of GDPR on medical research in The Lancet, Science and the BMJ.


The BBMRI-ERIC is developing a Code of Conduct for health research, in line with GDPR Article 40.

This initiative aims to ensure there is authoritative sector-specific guidance on implementing GDPR that can apply across Member States. BBMRI-ERIC aims to have the Code ready for public consultation by Autumn 2018.

The UK Health Research Authority and Human Tissue Authority jointly produced a paper on “Consent to use human tissue and linked health data in health research - A Public Dialogue" which may provide useful background information.  


This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

It is intended to be general guidance for educational and informational purposes only.

It is not legal advice.