Blog: Seven proposals for improving Information Governance assurances

Last updated on 9 Aug 2024
alison knight.jpg

Dr Alison Knight, Data and Privacy Specialist at the HRA

Here at the HRA, one of our core functions is to make it easier to do research that people can trust.

Information Governance (IG) exists so that people can trust how information about them will be handled and used. Therefore, upholding high IG standards is key to protecting the privacy rights of research participants.

As a regulator of health and social care research, we publish guidance on the application of data protection and the common law duty of confidentiality to be used by sponsors and sites. We have a responsibility to continuously review and enhance our IG assurances in relation to research that we review, to enable good decision making in this area.

However, we know that IG processes can sometimes be seen as a blocker to getting studies set up. For that reason, we conducted a survey in 2022 to gather information about the types of local IG reviews research sites do, and why they do them.

Our aim was to better understand local needs, so that we can meet these with our central review or, where this is not possible, issue clear guidance on making local arrangements. Our vision is to protect the rights of research participants while enabling faster, more streamlined study set-up at research sites.

The survey and the joint IG awareness statement (by the HRA, Clinical Research Network and Research and Development Forum) that followed promote existing IG standards against which research studies submitted for approval are assessed, and awareness of how obtaining HRA and HCRW approval indemnifies sites against losses arising from incorrect assurance.

We are now ready to report on the survey findings and next steps toward improvement.

Themes from the survey

The survey was conducted with NHS Research and Development offices in England, and the three Devolved Administrations adapted the survey for sending to their own NHS or Health and Social Care Research and Development offices.

We found:

  • concern about how the UK Study-wide governance criteria (SWGC) that relate to IG are assessed during the HRA and Health and Care Research Wales (HCRW) approval process, and the degree of detail, linked to the level of IG assurance communicated to applicants as part of the outcomes of review
  • lack of consensus on data protection impact assessment (DPIA) requirements and lack of awareness of HRA, MHRA and ICO guidance, resulting in unnecessary study specific DPIAs being created, especially at the local level
  • uncertainty over IG assurances related to data flows and ensuring appropriate security arrangements, especially involving local level software installation and data extraction
  • overlaps between research governance and IG reviews based on uncertainty over roles and assurance mechanisms specific to IG in research
  • concern around the use of modified or bespoke IG clauses in research agreements by sponsors.

These concerns highlight the need for improvement to processes to avoid duplication and unnecessary complexity.

We’ve been analysing the themes from the survey and have come up with seven new proposals, which we believe will help sponsors and research sites understand where they can take assurances, and what is required from them.

They should facilitate easier study set-up without duplicative and inconsistent IG checks.

Our proposals

  • update model research agreement expectations – We will work with our devolved nation counterparts to do more to align UK-wide expectations of unmodified (or centrally negotiated modified) model research agreements used for non-commercial research. This will build on work already undertaken for commercial research, and include updated guidance on how model agreements comply with IG requirements.

  • clarify guidance on when to carry out DPIAs – The HRA will lead on creating new guidance, working alongside commercial and non-commercial sponsors of varying sizes, on what a quality management system level DPIA should look like. This will set out the expectations on sponsors as controllers to build in data protection ‘by default’ at the research design stage. This should preclude the need for additional DPIAs except where a study being sponsored has features that deviate from established processes/policies (such as using a novel technology for the processing of personal data, introducing new risks).

  • update SWGC and reviewer training – The HRA will work with devolved nation colleagues, and with sponsors and sites, to update the SWGC as they relate to IG. We will ensure that our central IG review remains understandable, fit for purpose, and provides sufficient guidance on requirements for compliance and assurances to NHS participating sites. A similar review of the study wide reviewer staff training will then be conducted.

  • update the approval letter – Steps will be taken to update the template of the HRA and HCRW approval letter to include space for the study-wide reviewer comments in relation to IG for each study. This will include assurances that are provided as part of the approval and the considerations that a participating NHS site may need to make.

  • include an indemnitystatement – The HRA and HCRW approval letter template will be expanded to includes an explicit IG indemnity statement for each study.

  • review local level guidance – The HRA will gather views and work with stakeholders across the UK to prepare guidance to help sites conduct local-level IG related assessments, where these cannot be undertaken centrally. This guidance will include clarification on the circumstances under which local security assessments should be completed, and how sites should use information provided in the HRA and HCRW approval letter to support those assessments and arrangements. This is an area that HRA and HCRW approval (and indemnity) does not cover because of the inability for central assessment of the local environment, including organisation-specific information systems.

  • cross-sector engagement - The HRA will engage with key partners to ensure input into new HRA IG guidance, including in the SWGC, and alignment across the UK.

What’s next?

Compliance with IG standards is the responsibility of all stakeholders involved in health and care research.

Yet, the survey responses tell us there is a need for more alignment and clarity over the responsibilities of both sponsors and sites. Overall, we hope that these proposals will be a positive step in reducing duplication of work and helping to achieve simple and consistent compliance with IG standards for research across the NHS.

At the same time, we recognise that ongoing engagement is needed with the community on how organisations participating in research assess IG risk in the context of assurances that can be taken from HRA and HCRW approval and related IG guidance.

Share your feedback on the proposals

For now, we would like to get feedback around the above proposals, and how we can ensure that our messages and assurances target all the right people, including non-research staff involved in IG.

If you would like to share your views you can contact me by email at Alison.Knight@hra.nhs.uk.

We also recognise there will need to be a phased implementation approach due to interdependencies between the proposals. We therefore welcome views on which proposals should take priority.

You will also have the opportunity to provide feedback once changes are introduced, as we plan to engage with relevant stakeholders across the UK (including sponsors, site staff, clinical trial units, and other relevant user groups) to help you with implementation.

Back to news and updates