
Privacy notice

Updated: 10 December 2025

1. About Plan and manage health and care research 

Plan and manage health and care research is managed by the Health Research Authority on behalf of health and care research UK partners. The HRA is an arm’s length body of the Department of Health and Social Care (DHSC).

Mentions of ‘us’ and ‘we’ in this privacy notice refer to the HRA. 

The HRA is committed to protecting your privacy and taking care with your personal data.

Unless otherwise stated, all content (the text and information we provide and not the data that users enter) on Plan and manage health and care research is subject to Crown copyright and is owned by the Health Research Authority (HRA). You may reuse Crown copyright material under the terms of the Open Government Licence v3.0, except where otherwise indicated.

If any content is not covered by the Open Government Licence, this will be clearly marked, and you must obtain permission before reuse.

Please note that logos, crests, and branding are excluded from the Open Government Licence and may not be reproduced without permission.

We do not give any guarantees, conditions or warranties about the accuracy or completeness of any content used by these products. We’re not liable for any loss or damage that may come from your use of these products.

As data controller we are responsible for how your information is used and explaining that to you.

 

2. What data we collect from you

We collect data to help us perform our regulatory function under the Care Act 2014, some of which will be personal data under the data protection legislation. The personal data we collect includes: 

  • personal information – name, email address, organisation
  • any other information required to process your research application such as details of your research sponsor
  • information you include within any enquiry you submit to us via our service desk 

The personal data the HRA collects will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We also process information to help us understand how our services operate so that we can deliver our services well and improve our services over time. 

To find out more information about GOV.UK One Login privacy, view their privacy notice here.

To find out more about the privacy of HaloITSM, the service we use for our service desk, view their privacy notice here.


3. Why we need your data

To fulfil our role as the health and social care research regulator, we must hold certain information about you and need to obtain this information fairly and lawfully.  

The services we provide where we record and / or process your personal data include:

  • processing applications for health and social care research
  • publication of investigator name and email address
  • publication of research information
  • checking your research application with you
  • scheduling attendance at a meeting, such as a research ethics committee
  • protecting research participants’ safety from participating in many research studies
  • coordinating technical assurance reviews
  • requesting information
  • seeking your feedback (including consultations and surveys).

The lawful basis for processing your personal data is dependent on the services and activities that the data is provided for. More information can be found in the relevant subsections.


4. Our legal basis for processing your data

The lawful basis for processing your personal data is dependent on the services and activities that the data is provided for. 

For the following category of information, the lawful basis is official authority under the Care Act 2014:

  • researcher data related to research application
  • researcher data related to confidentiality advisory group applications
  • committee and panel members' data
  • public involvement participants’ data
  • research participants’ data
  • Technical Assurance reviewers’ data
  • people who contact us

We also process sensitive personal data relating to diversity characteristics in delivering our services. The lawful basis for processing this personal sensitive data is to ensure we comply with the Equality Act 2010.

 

5. Who we share your information with

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of our services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold your personal information securely and retain it for the period we instruct.

In some circumstances we will share your information with:

  • organisations who are part of the approval process such as NHS organisations (and Health and Social Care (HSC) organisations in Northern Ireland), the Medicines and Healthcare products Regulatory Agency (MHRA), National Institute for Health and Care Research (NIHR), Human Tissue Authority (HTA), Administration of Radioactive Substances Advisory Committee (ARSAC), HM Prison and Probation Services, NHS Research Scotland, Health and Care Research Wales, and HSC R&D Approval Service, and Research Ethics Committees
  • organisations who perform research that furthers the HRA’s objectives
  • the National Fraud Initiative, to help prevent and detect fraud. More detail is available within the National Fraud Initiative privacy notice
  • people who request it, in circumstances detailed further in the Freedom of Information Act
  • any other organisation who has a legal right to it.

In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information, evidence our decision making and ensure suitable legal documentation is in place.

 

6. How long we keep your information

Your information will be deleted from our systems as detailed in our Document control and records management policy.  

 

7. Where your information is processed and stored

We store and process your data with care and take the appropriate steps to protect it. Your information is securely stored in Microsoft data centres located in the UK, where it is protected by encryption and managed in compliance with UK data protection law.

In all circumstances, except the Technical Assurance review service, we will not transfer your information outside the UK or European Economic Area (EEA), unless the EU has approved the country as having comparable data protection laws or if standard contractual clauses are in place.

In each case consent will be requested from the Technical Assurance reviewer before sharing their personal data with the research applicant.

In some circumstances we will share your information with:

  • organisations who are part of research management processes such as NHS organisations (and Health and Social Care (HSC) organisations in Northern Ireland)
  • the Medicines and Healthcare products Regulatory Agency (MHRA)
  • National Institute for Health and Care Research (NIHR)
  • Human Tissue Authority (HTA)
  • Administration of Radioactive Substances Advisory Committee (ARSAC)
  • HM Prison and Probation Services
  • NHS Research Scotland, Health and Care Research Wales, and HSC R&D Approval Service clinical trial registries.
  • We have partnered with ISRCTN Registry to register clinical trials of investigational medicinal products (CTIMPs) on behalf of sponsors. This applies to CTIMPs submitted through combined review. For more information see the research registration page.

 

8. Your rights

The information you provide will be managed as required by Data Protection law. The rights available to you depend on our reason for processing your information.

You have the right to:

  • ask for copies of your personal information, commonly known as making a ‘subject access request’. This right always applies.
  • request your information be changed if you believe it inaccurate or incomplete
  • ask us to erase your personal information in certain circumstances
  • ask us to restrict the processing of your information in certain circumstances
  • object to the processing of your information, if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

There are some exceptions to these rights, for instance if we have a legal obligation to retain your personal information so we cannot delete it. All requests to exercise your rights will be considered on a case-by-case basis, depending on the circumstances. 

You can access your personal details by logging into Plan and Manage Health and Care Research.

Please contact us at data@hra.nhs.uk if you wish to make a request or contact our mainline on 020 797 2245.

 

9. Our contact details

There are many ways you can contact us, including by phone, email and post. More details can be found here.

Our postal address is:

Health Research Authority
2 Redman Place
Stratford
London
E20 1JQ

Queries about this privacy notice can be emailed to data@hra.nhs.uk or call our mainline on 0207 104 8000.

Our Data Protection Officer is Stephen Tebbutt. You can contact him at data@hra.nhs.uk or via our postal address above. Please mark the envelope ‘Data Protection Officer’.

Raising concerns about how we are processing your information

We work to high standards when it comes to processing your personal information. If you have any queries or concerns, please contact us at data@hra.nhs.uk and we’ll respond.

If you continue to have concerns about the processing of your information, you can contact the Data Protection Regulator:

Information Commissioner’s Office
Wycliffe House
Wilmslow
SK9 5AF

Click here to get in touch with them

 

10. How do we look after your information?

We are committed to ensuring that your information remains secure. The information provided is stored on secure databases in secured locations. We take the necessary steps to ensure that our infrastructure performs as expected by running health checks on these systems.

 

11. National Data Opt-Out 

The National Data Opt-Out (NDO) applies to flows of patient data supported under section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 202. 

As the HRA does not process patient information, the national data opt-out does not apply to the data the HRA processes.

You can read more about the National Data Opt-Out on the NHS website.

 

12. Data protection impact assessments

The HRA uses data protection impact assessments to help us systematically and comprehensively analyse our data processing and help us identify and minimise data protection risks. A summary of these assessments is provided on our Data Protection Impact Assessment (DPIA) summaries page, which is reviewed regularly as part of our information governance processes. 

 

13. Change to this notice

We may change this privacy notice. In that case, the ‘last updated’ date of this document will also change. Any changes to this privacy notice will apply to you and your information immediately.

If these changes affect how your personal information is processed, we will let you know.