Clinical Research Office. A partnership between Sheffield Teaching Hospitals NHS Foundation Trust and the University of Sheffield

How your data is handled in research

A briefing on the General Data Protection Regulation for Research

The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018.

It is supported by a new UK Data Protection Act.

As an EU regulation, GDPR is directly enforced in the UK. However, it allows certain elements to be determined by legislation in individual countries, and research is one of the areas where UK legislation is also relevant.

We use GDPR to refer to the EU legislation and the UK Data Protection Act together.

How does this affect health and care research? 

The new legislation was developed primarily to respond to growing use of personal information for marketing, social media and profiling. It means important changes for those sectors in terms of the information that has to be provided to people about how their information will be used, and it sets a higher bar for the consent that has to be obtained for using people’s information or contacting them for these purposes.

Health and care research has worked within robust regulatory systems for many years, and has set clear expectations about informing participants in research about how information about them is used.

For more details on the use of Patient information and health and care research please visit:

The information leaflet below also explains how health researchers use information from patients:

When Sheffield Teaching Hospitals NHS Foundation Trust is the sponsor for a research study


As an NHS organisation we use personally-identifiable information to conduct research to improve healthcare and services.


As a publicly-funded organisation, we have to ensure that it is in the public interest when we use personally-identifiable information from people who have agreed to take part in research.


This means that when you agree to take part in a research study, we will use your data in the ways needed to conduct and analyse the research study.


Your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate.


If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible.


Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care Research.


If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer, who will investigate the matter. If you are not satisfied with our response, or believe we are processing your personal data in a way that is not lawful, you can complain to the Information Commissioner’s Office (ICO).


Our Data Protection Officer is Michael Maginnis and you can contact him at