Our approach: Data ethics and information governance

This outline is in draft and we are seeking views of people around our region about our approach to the ethics and information governance around data sharing. We welcome comments and feedback either on our social media channels, or our Discourse network (account required), or on email.

A PDF version of the framework is available here.


Here we describe the context for research and research uses of data for the Great North Care Record, and the people of the North East and North Cumbria who may be asked to participate in research, or whose data may be used for research purposes.

We also outline the Great North Care Record/Connected Health Cities role in developing processes for respectful, trustworthy, fair and transparent processes for facilitating research in the region.

Great North Care Record values

  1. Respect and trustworthiness
    a. Values-driven rationale, but also…
    b. Pragmatic – if we lose trust we will not be able to do research
  2. Transparency and fairness 
    a. Explain to people what You are doing (Privacy Notices)
    b. Only do what people expect you to do with their data
  3. Choice – ‘your data, your say’

Underpinning Great North Care Record/Connected Health Cities projects

  • Focus groups with people of North East and North Cumbria (Teesside and Newcastle Universities, Healthwatch)
  • Co-production workshops and People’s Panels (Newcastle University)
  • Healthy New Towns and Leadgate tool development

Defining primary and secondary health and social care research

  1. Primary research involves collecting new research data directly from individuals (e.g. health and/or social care service users) by involving them in observational, comparative, experimental or other types of research study.
  2. Secondary research uses existing data for research purposes which is not collected directly from the individual. Data may be derived from:
    a. Routinely collected data, e.g. medical and social care records, or
    b. Previously collected data from research studies or for research repositories.

Health and social care users’ role in primary and secondary research

  1. Primary research: individuals are recruited to take part in ethically approved research.
  2. Secondary research: data derived from individual’s medical and social care records or research participation are used for research purposes under appropriate data governance regulations and procedures including ethics.
Venn diagrams showing how primary and secondary research overlap

Data sharing: Uses of data for research

Primary research – research ethics and information governance considerations

Legal basis

Under General Data Protection Regulation (GDPR), the lawful basis for Public Authorities will most likely be Article 6 Public Interest and for a non-public authority or private company legitimate interest.  Article 9 Scientific Research should be used for all organisations.  This allows the derogations under GDPR for research to be used which allows certain protections against serious damage to research but also balances with rights of the individual.

Primary data collection: Using Scientific Research as the lawful basis to conduct medical research with patients requires valid ethics from the NHS Health Research Authority (HRA).  The Data Protection Act 2018 sets out in Section 19 what must be in place to lawfully conduct medical research.  Under GDPR you must also be transparent and fair.  This requires information given to the research participant prior to data collection.

The Common Law Duty of Confidentiality is formed by case law and covers all professions where there is an expectation of confidentiality.  Medical care and social care are both covered.  Common law requires consent to be able to share data outside of the care team or requires valid ethical approval using section 251 from the HRA and the Confidentiality Advisory Group (CAG).  Consent under common law is to participate in research and not for GDPR purposes.

Ethics requirement

Primary research which recruits participants will always require ethics approval. The storage, curation and/or sharing of data collected through primary research will be subject to the rules of data processing.


Bona fide researchers (NHS, university or industry, e.g. pharma) are responsible for seeking ethical approval of their project, including producing all participant information and consent materials, plus meeting all information governance requirements.

Participant recruitment

Researchers cannot directly approach potential research participants from health and social care services, regardless of ethical approval. Initial contact with potential participants from these organisations can only be made by service providers – e.g. GPs seek permission from their patients for researchers to make contact about their approved research.

Proactive recruitment

Identification and first contact by health or social care providers for recruitment to research may be facilitated by identifying individuals who are already interested in being approached to participate in research. Those who identify as interested in taking part in research and have given their permission to be contacted about research would be sent invitations for relevant research projects (i.e. for which they fit the selection/exclusion criteria).

Individuals can then choose whether or not they are interested in taking part in any particular research study in the normal way (i.e. through ethically approved informed consent processes for the particular research).

Although such proactive recruitment does not use consent as a legal basis under GDPR, it should on the grounds of respect for individuals, meet the requirements of consent by:

  • Give real choice and control
  • Use clear language, including being specific about what is asked
  • Be freely given – it should be clear that agreement is not a precondition of service
  • Be easy to change, review withdraw and refresh

Great North Care Record/Connected Health Cities role

Proactive recruitment captured electronically via a Great North Care Record portal.

Secondary research

Legal basis

The same lawful basis for data processing as for primary research applies. Data processing must also meet UK Common Law Duty of Confidentiality conditions.

Ethics requirement

A trusted research environment project facilitating access to health and social care data for secondary research will require ethical approval under the HRA.

Information governance and ethics requirements under GDPR are achieved under models currently used for data sharing governance of data derived from research studies, i.e. ethical governance devolved to a hierarchy of Data Access Committees (DAC), e.g. DARS, METADAC (human decision making for highly sensitive research).


Bona fide researchers apply to a DAC. A bona fide researcher, according to the Medical Research Council (MRC) definition is a person with:

  • The professional expertise and experience to conduct bona fide research and
  • A formal relationship with a bona fide research organisation that requires compliance with appropriate research governance and management systems

DAC criteria must be met:

  • Criteria for health and social care data need to be developed, which:
    • Ensure fairness, transparency, privacy and security
    • Allow research in the public interest (to meet GDPR/Data Protection Act (DPA) requirements for data processing for research/scientific purposes and the Common Law Duty of Confidentiality)
    • allow research uses which are commensurate with the public’s (reasonable) expectations
  • DAC criteria should be GDPR compliant and follow national and international principles for responsible data sharing (e.g. https://www.igt.hscic.gov.uk/Caldicott2Principles.aspx, https://www.ga4gh.org/genomic-data-toolkit/regulatory-ethics-toolkit/framework-for-responsible-sharing-of-genomic-and-health-related-data/https://www.metadac.ac.uk/, http://data-archive.ac.uk/, https://adrn.ac.uk/policies-procedures/)
  • DAC applications checked and triaged to the appropriate level of governance based on predefined criteria, e.g. sensitivity of research topic or research methods
    • Criteria for DAC level of governance (e.g. light touch end user licence through to full committee scrutiny of sensitive applications) need to be developed – meets GDPR/DPA and the Common Law Duty of Confidentiality requirements/expectations
    • Criteria for DAC processes need to be developed – would expect it to include at the very least: Check of bona fide research status, Researcher understandings of security/confidentiality requirements, Plain language summaries of all research for transparency, Reporting of outcomes/outputs – including plain language summaries of outcomes, Researcher ‘good standing’ – has met all requirements (e.g. reporting) and only conducted the research for which they have permission. Due diligence checks around information security and data governance.  Data minimisation – only the minimum set of data is requested to do the research.
  • Data distribution
    • Distribution of only those data required for the approved research, i.e. only those data required under the project; only data from individuals for whom there is no opt-out is in place; excluding/including (as relevant) data from individuals with recorded preferences.

Great North Care Record/Connected Health Cities role

Development of data governance processes and criteria

  • DAC criteria and processes need to be co-produced with the people’s, health and social care professionals, researchers, research ethics/IG/legal experts

Great North Care Record/Connected Health Cities role

Development of mechanisms to record individual’s preferences for secondary research

  • Co-produce with people of the North East and North Cumbria
  • People have already made it clear that they expect and want to choose

Great North Care Record/Connected Health Cities role

Address open questions

  • What is ‘public interest’ research from the peoples’ perspective?
  • What are people’s (reasonable) expectations of research?
  • What types of research are considered sensitive or exceptional?
  • What does granularity of consent/preference look like?
  • How can we encompass different preferences for decision making and granularity?
    • Opt in/out model
    • Choice of every possibility?
    • Preference-clusters accounting for known concerns/sensitive topics?
    • Human decision-making for decisions about sensitive research?

Great North Care Record/Connected Health Cities role

Engaging the people and professionals to co-produce criteria and processes for data sharing (including preference elicitation) and address open questions.