The Health Research Authority is committed to protecting your privacy and taking care with your personal data.
As data controller we are responsible for how your information is used and explaining that to you. We use information systems to store the information we hold about you. These include:
- Integrated Research Application System (IRAS) - a single system for applying for the permissions and approvals for health and social care research in the UK
- The Over-Volunteering Prevention System (TOPS) database – for registering, updating and managing research volunteer records
- HRA Assessment Review Portal (HARP) – which helps us process and approve research applications
- Electronic Staff Record (ESR) – for processing job applications, secondments, payment of salaries and processing expenses for staff and members. Please note we collect personal data in ESR to enable us to reimburse our members for expenses incurred. Expenses are processed as part of the payroll process managed by NHS Shared Business Services, who are required to share data on all payments made with HMRC.
- Oracle accounting system – for processing payments including reimbursement of expenses
- Learning and development management systems - for supporting our staff, committee members and researchers in their learning and development needs
- Our website
- Electronic and physical document storage systems
Our contact details
There are many ways you can contact us, including by phone, email and post. More details can be find here.
Our postal address is:
Health Research Authority
2 Redman Place
Stratford
London
E20 1JQ
Queries about this privacy notice can be emailed to data@hra.nhs.uk or call our mainline on 0207 104 8000
Our Data Protection Officer is Stephen Tebbutt. You can contact him at data@hra.nhs.uk or via our postal address above. Please mark the envelope ‘Data Protection Officer’.
Why we process your information
To fulfil our role as the health and social care research regulator, we must hold certain information about you and need to obtain this information fairly and lawfully.
The services we provide where we record and / or process your personal data include:
- processing applications for health and social care research
- publication of investigator name and email address
- publication of research informaton
- checking your research application with you
- scheduling attendance at a meeting, such as a research ethics committee
- protecting research participants safety from participating in many research studies
- coordinating technical assurance reviews
- subscribing to our e-newsletter
- requesting information
- applying for a job with us
- payment of a salary
- applying to be a member of a committee, board or panel, including research ethics committees
- reimbursement of expenses
- learning and development records
- equality and diversity monitoring information
- seeking your feedback (including consultations and surveys).
The lawful basis for processing your personal data is dependent on the services and activities that the data is provided for. More information can be found in the relevant subsections.
What information do we collect?
We collect data to help us perform our regulatory function under the Care Act 2014, some of which will be personal data under the data protection legislation. The personal data we collect includes:
- personal information – name, email address, mailing address, organisation
- any other information required to process your research application such as details of your research sponsor
- information you include within any enquiry you submit to us
- information required to process your job application, application to be a member of a committee, board or panel, including research ethics committees or provide technical assurance services
- information required to make payments including salary and reimbursement of expenses
- information required to provide learning services including communicating with you about learning opportunities, tracking, responding to and recording bookings, monitoring participation rates, providing management information.
The personal data the HRA collects will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We also process information to help us understand how our services operate so that we can deliver our services well and improve our services over time.
Lawful basis
The lawful basis for processing your personal data is dependent on the services and activities that the data is provided for.
For the following category of information, the lawful basis is official authority under the NHS Care Act 2014:
- researcher data related to research application
- researcher data related to confidentiality advisory group applications
- committee and panel members' data
- public involvement participants data
- research participants data
- Technical Assurance reviewers’ data
- people who contact us
- HRA e-newsletter recipients
- learning and development participants.
We also process sensitive personal data relating to diversity characteristics in delivering our services. The lawful basis for processing this personal sensitive data is to ensure we comply with the Equality Act 2010.
Where we process your information
We store and process your data with care and take the appropriate steps to protect it.
In all circumstances, except Technical Assurance review service, your information will not be transferred outside the UK or European Economic Area (EEA), unless the EU has approved the country as having comparable data protection laws or if standard contractual clauses are in place.
In each case consent will be requested from the Technical Assurance reviewer before sharing their personal data with the research applicant.
In some circumstances we will share your information with:
- organisations who are part of the approval process such as NHS organisations (and Health and Social Care (HSC) organisations in Northern Ireland)
- the Medicines and Healthcare Products Regulatory Agency (MHRA)
- National Institute of Health Research (NIHR)
- Human Tissue Authority (HTA)
- Administration of Radioactive Substances Advisory Committee (ARSAC)
- Her Majesty’s Prison and Probation Service (HMPPS)
- the Scottish, Welsh and Northern Ireland equivalents of the HRA
- clinical trial registries. We have partnered with ISRCTN Registry to register clinical trials of investigational medicinal products (CTIMPs) on behalf of sponsors. This will apply to CTIMPs submitted through combined review from January 2022 onwards. For more information see the Research registration page.
Sharing your personal information
We will not share your information with any third parties for the purposes of direct marketing.
We use data processors who are third parties who provide elements of our services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold your personal information securely and retain it for the period we instruct.
In some circumstances we will share your information with:
- organisations who are part of the approval process such as NHS organisations (and Health and Social Care (HSC) organisations in Northern Ireland), the Medicines and Healthcare Products Regulatory Agency (MHRA), National Institute of Health Research (NIHR), Human Tissue Authority (HTA), Administration of Radioactive Substances Advisory Committee (ARSAC), Her Majesty’s Prison and Probation Service (HMPPS), the Scottish, Welsh and Northern Ireland equivalents of the HRA, and Research Ethics Committees
- organisations who perform research that furthers the HRA’s objectives
- the National Fraud Initiative, to help prevent and detect fraud. More detail is available within the National Fraud Initiative privacy notice.
- people who request it, in circumstances detailed further Freedom of Information Act
- any other organisation who has a legal right to it.
In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information, evidencing our decision making and ensure suitable legal documentation is in place.
Keeping your personal information
Your information will be deleted from our systems as detailed in our Document control and Records Management Policy.
Your rights
The information you provide will be managed as required by Data Protection law. The rights available to you depend on our reason for processing your information.
You have the right to:
- ask for copies of your personal information, commonly known as making a ‘subject matter request’. This right always applies.
- request your information be changed if you believe it inaccurate or incomplete
- ask us to erase your personal information in certain circumstances
- ask us to restrict the processing of your information in certain circumstances
- object to the processing of your information. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.
There are some exceptions to these rights, for instance if we have a legal obligation to retain your personal information so we cannot delete it. All requests to exercise your rights will be considered on a case-by-case basis, depending on the circumstances.
You can access your personal details by logging into
Please contact us at data@hra.nhs.uk if you wish to make a request or contact our mainline on 020 797 2245
Concerns about how we are processing your information
We work to high standards when it comes to processing your personal information. If you have any queries or concerns, please contact us at data@hra.nhs.uk and we’ll respond.
If you continue to have concerns about the processing of your information, you can contact the Data Protection Regulator:
Information Commissioner’s Office
Wycliffe House
Wilmslow
SK9 5AF
www.ico.org.uk/global/contact-us/email
How do we look after your information?
We are committed to ensuring that your information remains secure. The information provided is stored on secure databases in secured locations. We take the necessary steps to ensure that our infrastructure performs as expected by running health checks on these systems.
National Data Opt-Out
The National Data Opt-Out (NDO) applies to flows of patient data supported under section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 202.
As the HRA does not process patient information the national data opt-out does not apply to the data the HRA processes.
You can read more about the National Data Opt-Out on the NHS website.
https://www.nhs.uk/your-nhs-data-matters
Data protection impact assessments
The HRA uses data protection impact assessments to help us systematically and comprehensively analyse our data processing and help us identify and minimise data protection risks. A summary of these assessments is provided on our DPIA summaries page, which is reviewed regularly as part of our information governance processes.