To help ensure research participants have all the information they need to make an informed decision about the use of their data, we have developed the GDPR template below, which we recommend sponsors use.
This template was last updated on Wednesday 23 October 2024.
There is no requirement for sponsors who have used previous wording published in 2021 to amend their GDPR wording for historic or current studies unless they wish to. If sponsors do decide to update their GDPR wording it is classed as a non-notifiable amendment and does not need to be submitted.
There will be a transition period from 23 October 2024 to 31 March 2025 where you can continue to use previous wording or your own bespoke wording if it has been approved by the HRA.
For any new research applications submitted via IRAS from 1 April 2025, you will be expected to either:
- use the new GDPR Transparency Wording Template for all sponsors
- demonstrate how your own bespoke wording meets the four principles for meaningful involvement of patients and the public in health and social care research
Any new bespoke wording submissions during the transition period will be dealt with on a case-by-case basis, but you will be asked to justify why you cannot immediately move to using the new GDPR Transparency Template Wording for all sponsors.
Instructions for use
It is expected that somewhere in the Participant Information Sheet (PIS), the name of the sponsor organisation is given. It should therefore be clear to readers that any reference to ‘we’ means the sponsor and not the local site. As appropriate you should reinforce who ‘we’ refers to as readers are likely to assume that the site is the only organisation involved in the study.
We recommend that you provide information in a layered way so that potential participants can access the level of information they wish. The information below should be included as part of wider study or research information. The summary PIS provides brief information; the main PIS provides more information for those who are interested in taking part.
We also expect that the wider PIS provides more information about exactly what sort of information is collected, whilst the GDPR statement should provide categories of data. The PIS should also provide information on any automated decision making.
The patient leaflet about the use of confidential data in research provides more technical information that all studies should refer to, either by providing a document or leaflet in paper form, or by linking to the website, as appropriate to the study and participants.
The wording provided gives information about:
- the legal basis for processing
- who will receive the data (outside of international transfers)
- more information about participants' rights
- contact details for the Information Commissioner’s Office (for complaints)
This guidance and the accompanying generic text are compatible with the opinion published (23 January 2019) by the European Data Protection Board (EDPB) on the interplay between the clinical trials regulation and GDPR.
Text in bold is instructions. Text in [square brackets] should be used as relevant. Terms such as NAME, OTHER, X or EVENT should be replaced with the relevant words.
In the summary PIS
We recommend that potential participants are provided with a summary sheet that provides a simple outline of the study. If you use such a summary the text about use of personal data should be kept brief and simple.
In this research study we will use information from [you] [your medical records] [your GP] [OTHER]. We will only use information that we need for the research study. We will let very few people know your name or contact details, and only if they really need it for this study.
Everyone involved in this study will keep your data safe and secure. We will also follow all privacy rules.
At the end of the study we will save some of the data [in case we need to check it] AND/OR [for future research].
We will make sure no-one can work out who you are from the reports we write.
The information pack tells you more about this.
In the PIS or document provided to participants
How will we use information about you?
We will need to use information from [you] [from your medical records] [your GP] [OTHER] for this research project.
This information will include your [initials/ NHS number/ name/ contact details/ provide a bullet list of identifiers held by site and/or sponsor for the research]. People will use this information to do the research or to check your records to make sure that the research is being done properly.
OPTION where applicable: People who do not need to know who you are will not be able to see your name or contact details. Your data will have a code number instead.
OPTION if not already stated: [insert name of sponsor] is the sponsor of this research, and is responsible for looking after your information. We will keep all information about you safe and secure by:
In bullet points, concisely list some of the steps you will take to keep information secure
International transfers
[IF NO TRANSFERS OUT OF UK WILL OCCUR] Your data will not be shared outside the UK.
OR
[IF TRANSFERS OUT OF UK WILL OCCUR, WHICH IF IT REMAINS A POSSIBILITY E.G. IN THE FUTURE – INCLUDING SHARING IN DE-IDENTIFIED FORM WITH OTHER RESEARCHERS - SHOULD BE INCLUDED AND ABOVE DELETED]
We may share data about you outside the UK for research related purposes to:
In bullet points, concisely list the reasons why you will send data out of the UK
If this happens, we will only share the data that is needed. We will also make sure you can’t be identified from the data that is shared where possible. This may not be possible under certain circumstances – for instance, if you have a rare illness, it may still be possible to identify you. If your data is shared outside the UK, it will be with the following sorts of organisations:
- [insert list e.g. our partners who analyse your data, companies to pay your expenses, organisations who store your data]
We will make sure your data is protected. Anyone who accesses your data outside the UK must do what we tell them so that your data has a similar level of protection as it does under UK law. We will make sure your data is safe outside the UK by doing the following [DELETE AS APPLICABLE]:
- (some of) the countries your data will be shared with have an adequacy decision in place. This means that we know their laws offer a similar level of protection to data protection laws in the UK
- we use specific contracts approved for use in the UK which give personal data the same level of protection it has in the UK. For further details visit the Information Commissioner’s Office (ICO) website
- we do not allow those who access your data outside the UK to use it for anything other than what our written contract with them says
- we need other organisations to have appropriate security measures to protect your data which are consistent with the data security and confidentiality obligations we have. This includes having appropriate measures to protect your data against accidental loss and unauthorised access, use, changes or sharing
- we have procedures in place to deal with any suspected personal data breach. We will tell you and applicable regulators when there has been a breach of your personal data when we legally have to. For further details about UK breach reporting rules visit the Information Commissioner's Office (ICO) website
- [OTHER]
Once we have finished the study, we will keep some of the data so we can check the results. We will write our reports in a way that no-one can work out that you took part in the study.
DELETE one option in square brackets: We will keep your study data for the minimum period of time required by [state the conditions that will be used to determine this time period] OR [we will keep your study data for a maximum of XX years]. The study data will then be fully anonymized and securely archived or destroyed.
What are your choices about how your information is used?
- you can stop being part of the study at any time, without giving a reason, but we will keep information about you that we already have
- OPTION if follow up data will be collected after withdrawal: If you choose to stop taking part in the study, we would like to continue collecting information about your health from [central NHS records / your hospital / your GP]. If you do not want this to happen, tell us and we will stop
- you have the right to ask us to remove, change or delete data we hold about you for the purposes of the study. We might not always be able to do this if it means we cannot use your data to do the research. If so, we will tell you why we cannot do this
- OPTION if data will be used for future research: If you agree to take part in this study, you will have the option to take part in future research using your data saved from this study. [Insert details of any specific bank / repository]
Where can you find out more about how your information is used?
You can find out more about how we use your information, including the specific mechanism used by us when transferring your personal data out of the UK:
- our leaflet [X]
- by asking one of the research team
- by sending an email to [email], or
- by ringing us on [phone number].
- OPTION if the sponsor has appointed a UK representative: By contacting our UK representative at [provide name and contact details of the UK representative]
NOTE: At least one of these sources must be able to point people directly to the sponsor’s Data Protection Officer.
For [X], sponsors can either provide the HRA link (www.hra.nhs.uk/patientdataandresearch) or, if this is available on the sponsor's website, include their own website link.
Communicating GDPR information to children and young people
You must provide children with the same information about what you will do with their personal data as you would give to adults. Even where you're seeking consent from a parent or guardian, there is an expectation that you give children information about what you'll do with their personal data. You can view the guidance from the Information Commissioner's Office (ICO) for further information.
Article 12 of the GDPR states that information provided to individuals should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is particularly important for any information addressed specifically to a child, as this allows them to be as involved as possible in any consent decision.
The HRA has partnered with the Penta Foundation, University College London and UK Research and Innovation MRC Clinical Trials to create an engaging and age-appropriate GDPR resource for children and young people. This resource is intended to help them understand what will happen to their personal data if they take part in a research study. The HRA recommends that sponsors use this resource as the basis for any GDPR information provided to children as part of the consent process for taking part in research.