To help ensure research participants have all the information they need to make an informed decision about the use of their data, we have developed the below GDPR template that we expect sponsors to use.

This template was updated on Tuesday 1 April 2025. Visit the HRA Now page for all updates regarding this new template.


When you should use this GDPR wording

From 1 April 2025, for any new research applications submitted via IRAS you will be expected to either:

This template is designed to help you in your communications to research participants. Read a blog about how we worked alongside Expert Citizens to involve the public in developing the template.

If you decide to use your own bespoke GDPR wording

If you use bespoke wording, it should follow these four principles:

Principle 1: Involve the right people. We expect sponsors to work with, listen to and learn from people with a range of different experiences of taking part in health and social care research (including those with no experience), and people with a range of views and perspectives on data collection and sharing. Due to experiences of exclusion and marginalisation, we anticipate that a range of people might have relevant concerns about GDPR, and we want to know if the information is clear and accessible enough for people, with enough information to decide whether or not to take part.

Principle 2: Involve enough people. We consider, generally, that researchers should involve enough people to be confident that there is diversity of experience and perspectives.

Principle 3: Involve those people enough. Sponsors should ideally have two rounds of involvement, depending on the extent of changes being made: one to hear the different concerns and questions people might have and make changes accordingly, and then a second to review the revised version and test comprehension of the key points, to ensure the changes made have the right effect.

Principle 4: Describe how it helped. We expect sponsors to be able to explain what feedback was received regarding their bespoke GDPR wording, and what changes were made to their document(s) as a result, from formatting to content.

This would mean carrying out your own public involvement work and clearly explaining in your application how this has made a difference to your bespoke GDPR wording.

If your study is taking place inside the NHS or HSC, we also need to know why the sponsor cannot use the HRA's transparency wording. We will check that your bespoke wording meets the requirements of GDPR as part of our study-wide assurances to the NHS and HSC, and that it meets the four principles of meaningful involvement. If we approve the use of bespoke wording, the sponsor will receive a letter to confirm this. The bespoke wording can then be used in all future submissions.

If your study is taking place outside the NHS and HSC, the REC will check that the wording meets the four principles of meaningful involvement. Each study will be checked on a case by case basis.

If you want to update the GDPR wording in your open studies

There is no need to update the GDPR wording in your open studies. If you choose to do this, you can update it to the HRA’s transparency wording as a non-substantial, non-notifiable amendment. This means that you do not need to notify the REC, national coordinating functions or research management functions of participating NHS and HSC organisations. You should work with your research delivery teams to enable this to be provided to participants as appropriate.

If you have bespoke GDPR transparency wording which was approved for submissions before 1 April 2025 and you want to update it, you should do one of the following:

  • use the HRA’s new GDPR transparency wording. You can do this as a non-substantial, non-notifiable amendment
  • update your own bespoke wording. If you choose this option, we expect you to justify why you cannot use the HRA’s GDPR transparency wording and demonstrate how your own wording meets the principles of meaningful involvement. You can update your wording when you submit your next full application.

Instructions for use

It is expected that somewhere in the Participant Information Sheet (PIS), the name of the sponsor organisation is given. It should therefore be clear to readers that any reference to ‘we’ means the sponsor and not the local site. As appropriate you should reinforce who ‘we’ refers to as readers are likely to assume that the site is the only organisation involved in the study.

We recommend that you provide information in a layered way so that potential participants can access the level of information they wish. The information below should be included as part of wider study or research information. The summary PIS provides brief information; the main PIS provides more information for those who are interested in taking part.

We also expect that the wider PIS provides more information about exactly what sort of information is collected, whilst the GDPR statement should provide categories of data. The PIS should also provide information on any automated decision making - you should add this if it is happening in your study.

The patient leaflet about the use of confidential data in research provides more technical information in a layered way. All studies should refer to this, either by providing a document or leaflet in paper form, or by linking to the website, as appropriate to the study and participants.

The wording provided gives information about:

  • the legal basis for processing
  • who will receive the data (outside of international transfers)
  • more information about participants' rights
  • contact details for the Information Commissioner’s Office (for complaints)

This guidance and the accompanying generic text is compatible with the opinion published (23 January 2019) by the European Data Protection Board (EDPB) on the interplay between the clinical trials regulation and GDPR.

Text in bold is instructions. Text in [square brackets] should be used as relevant. Terms such as NAME, OTHER, or X should be replaced with the relevant words.

In the summary PIS

We recommend that potential participants are provided with a summary sheet that provides a simple outline of the study. If you use such a summary the text about use of personal data should be kept brief and simple.

In this research study we will use information from [you] [your medical records] [your GP] [OTHER]. We will only use information that we need for the research study. We will let very few people know your name or contact details, and only if they really need it for this study.

Everyone involved in this study will keep your data safe and secure. We will also follow all privacy rules. 

At the end of the study we will save some of the data [in case we need to check it] AND/OR [for future research]. 

We will make sure no-one can work out who you are from the reports we write.

The information pack tells you more about this.

In the PIS or document provided to participants

How will we use information about you? 

We will need to use information from [you] [from your medical records] [your GP] [OTHER] for this research project.

This information will include your [initials/ NHS number/ name/ contact details/ provide a bullet list of identifiers held by site and/or sponsor for the research]. People will use this information to do the research or to check your records to make sure that the research is being done properly.

OPTION where applicable: People who do not need to know who you are will not be able to see your name or contact details. Your data will have a code number instead.

OPTION if not already stated: [insert name of sponsor] is the sponsor of this research.

[insert name of sponsor] is responsible for looking after your information. We will share your information related to this research project with the following types of organisations:

  • [in bullet points, list the organisation types]

We will keep all information about you safe and secure by:

  • in bullet points, concisely list some of the steps you will take to keep information secure

International transfers

Option 1 if data will not be shared outside the UK: Your data will not be shared outside the UK.

OR

Option 2 if data might or will be transferred outside the UK. This includes for future reuses of pseudonymised data for legitimate research-related purposes, where the data for transfer risks becoming re-identifiable to the recipient. This option applies to the rest of this section:

We may share or provide access to data about you outside the UK for research related purposes to:

  • in bullet points, concisely list the reasons why you will send data out of the UK

If this happens, we will only share the data that is needed. We will also make sure you can’t be identified from the data that is shared where possible. This may not be possible under certain circumstances – for instance, if you have a rare illness, it may still be possible to identify you. If your data is shared outside the UK, it will be with the following sorts of organisations:

  • in bullet points, list the organisation types who may access participant data outside the UK

We will make sure your data is protected. Anyone who accesses your data outside the UK must do what we tell them so that your data has a similar level of protection as it does under UK law. We will make sure your data is safe outside the UK by doing the following [delete as applicable]:

  • [some of] the countries your data will be shared with have an adequacy decision in place. This means that we know their laws offer a similar level of protection to data protection laws in the UK
  • we use specific contracts approved for use in the UK which give personal data the same level of protection it has in the UK. For further details visit the Information Commissioner’s Office (ICO) website: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
  • we do not allow those who access your data outside the UK to use it for anything other than what our written contract with them says
  • we need other organisations to have appropriate security measures to protect your data which are consistent with the data security and confidentiality obligations we have. This includes having appropriate measures to protect your data against accidental loss and unauthorised access, use, changes or sharing
  • we have procedures in place to deal with any suspected personal data breach. We will tell you and applicable regulators when there has been a breach of your personal data when this is legally required. For further details about UK breach reporting rules visit the Information Commissioner's Office (ICO) website: https://ico.org.uk/for-organisations/report-a-breach
  • [insert other ways data stays safe outside the UK]

How will we use information about you after the study ends?

Once we have finished the study, we will keep some of the data so we can check the results. We will write our reports in a way that no-one can work out that you took part in the study.

Option 1 where data is stored for a set number of years: We will keep your study data for a maximum of [insert number] of years. The study data will then be fully anonymised and securely archived or destroyed.

Option 2 where conditions determine how long data is stored for: We will keep your study data for the minimum period of time required by [state the conditions that will be used to determine this time period]. The study data will then be fully anonymised and securely archived or destroyed.

What are your choices about how your information is used?

  • you can stop being part of the study at any time, without giving a reason, but we will keep information about you that we already have
  • OPTION if follow up data will be collected after withdrawal: If you choose to stop taking part in the study, we would like to continue collecting information about your health from [central NHS records / your hospital / your GP]. If you do not want this to happen, tell us and we will stop
  • you have the right to ask us to access, remove, change or delete data we hold about you for the purposes of the study. You can also object to our processing of your data. We might not always be able to do this if it means we cannot use your data to do the research. If so, we will tell you why we cannot do this
  • OPTION if data will be used for future research: If you agree to take part in this study, you will have the option to take part in future research using your data saved from this study. [Insert details of any specific bank / repository]

Where can you find out more about how your information is used?

Option 1 if data will not be shared outside the UK: You can find out more about how we use your information:

Option 2 if data might or will be transferred outside of the UK: You can find out more about how we use your information, including the specific mechanism used by us when transferring your personal data out of the UK:

  • our leaflet [X]
  • by asking one of the research team
  • by sending an email to [email], or
  • by ringing us on [phone number].
  • OPTION if the sponsor has appointed a UK representative: by contacting our UK representative at [provide name and contact details of the UK representative]

NOTE: At least one of these sources must be able to point people directly to the sponsor’s Data Protection Officer.

For [X], sponsors can either provide the HRA link, www.hra.nhs.uk/patientdataandresearch, or, if this is available on the sponsor's website, include their own website link.

Communicating GDPR information to children and young people

You must provide children with the same information about what you will do with their personal data as you would give to adults. Even where you're seeking consent from a parent or guardian, there is an expectation that you give children information about what you'll do with their personal data. You can view the guidance from the Information Commissioner's Office (ICO) for further information.

Article 12 of the GDPR states that information provided to individuals should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is particularly important for any information addressed specifically to a child, as this allows them to be as involved as possible in any consent decision.

The HRA has partnered with the Penta Foundation, University College London and UK Research and Innovation MRC Clinical Trials to create an engaging and age-appropriate GDPR resource for children and young people. This resource is intended to help them understand what will happen to their personal data if they take part in a research study. The HRA recommends that sponsors use this resource as the basis for any GDPR information provided to children as part of the consent process for taking part in research.
