Sponsors and CROs

Legally Trained Consultants

Compliance support for sponsors and CROs

Research is subject to a very complex legal and regulatory environment in the UK. All research related activities carried out by commercial and non-commercial organisations that involve the processing of patients’ data are caught in a complex interplay between the pillars of different principles, laws and regulations, including:

  • Statutory law: in addition to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018, research related activities may be subject, depending on the circumstances, to the NHS Act 2006, the Human Rights Act 1998, The Medicines for Human Use (Clinical Trials) Regulations 2004 (which implemented the Clinical Trials Directive 2001/20/EC into UK Law), the Human Tissue Act 2004, Mental Capacity Act 2005;
  • Common law: research related activities may also need to satisfy the requirements of the common law, particularly those relating to the duty of confidentiality, in accordance with important precedents such as Coco v. A. N. Clark (Engineers) Ltd, Hunter v Mann, Source Informatics Ltd, Re An Application for Judicial Review, as well as W, X, Y And Z, R (on the application of) v The Secretary of State for Health & Ors.
  • Caldicott Principles: it is possible that these research related activities will need to comply with the Caldicott Principles, as interpreted particularly by Dame Fiona Caldicott in her 1997 ‘Report on the Review of Patient-Identifiable Information’ and 2013 ‘Information: To share or not to share? The Information Governance Review’.
  • Regulatory requirements and guidance from supervisory authorities: depending on the circumstances, research related activities may be subjected to different supervisory authorities, including the Information Commissioner’s Office (ICO), the Health Research Authority (HRA), the Medicines and Healthcare products Regulatory Agency (MHRA), the Human Tissue Authority (HTA), each with different guidelines and rules potentially applying.
  • NHS Codes of Practice: these research related activities may also need to adhere to the different NHS Codes of Practice, including the 2003 ‘Confidentiality: NHS Code of Practice’, the 2018 ‘Information Security Management: NHS Code of Practice’ and the 2021 ‘Records Management Code of Practice’.
  • Other potentially applicable guidelines: finally, it is possible that other guidelines apply to these research related activities, including the respected International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) Guidelines, the General Medical Council (GMC) ‘Good practice in research – ethical guidance’ etc.

From the obligations applicable to the use of identifiable data to those around the process of rendering data contextually anonymised for research purposes, passing through the requirements around transparency, fairness and patient consent, organisations undertaking the role of sponsor or Clinical Research Organisation (CRO) need to be able to navigate through all these principles, laws and regulations to ensure that they comply with their obligations under the law, respect individuals’ privacy, confidentiality and data protection rights, and undertake research in an ethical manner.


We offer comprehensive compliance support to commercial companies, such as pharmaceutical companies or medical device manufacturers, and non-commercial organisations, such as NHS Trusts, academic institutions and charities, whether based in the UK or overseas, that wish to set up research studies.

Our support may include:

  • supporting the drafting of the information governance elements relating to:
    • research documents, such as Study Protocols and Integrated Research Application System (IRAS) forms;
    • legal documents, such as Patient Information Sheets (PIS) and Informed Consent Forms (ICF) to ensure these documents meet the appropriate legal standards;
    • contractual arrangements, including HRA-approved model contracts (e.g. model Clinical Trial Agreement – mCTA; model Non-commercial Agreement – mNCA) and bespoke agreements (e.g. Data Sharing Agreements and Data Processing Agreements);
    • data capturing documents, such as Case Report Forms (CRF) templates and questionnaires;
    • documentation required for applications to Research Ethics Committees (REC);
  • drafting documentation required for the Confidentiality Advisory Group (CAG) application process;
  • drafting Data Protection Impact Assessments (DPIA) for research projects;
  • carrying out Vendor Risk Management for the purposes of assuring systems, applications and services provided by third-parties, including:
    • Electronic Data Capture (EDC) systems;
    • Interactive Response Technology (IRT);
    • Randomization and Trial Supply Management (RTSM);
    • electronic Patient-Reported Outcomes (ePRO) systems;
    • transcription services;
  • advising on pseudonymisation and anonymisation techniques from a data protection perspective as well as from a confidentiality standpoint;
  • advising on technical and organisational measures applicable to data transfers and data storage from a data protection perspective;
  • advising on international transfers of data and how to satisfy the corresponding requirements under data protection legislation;
  • designing procedures for compliance with data subjects’ rights under the data protection laws and providing advice thereafter.

At IGS, we can support your organisation to navigate through the legal and regulatory complexities of setting up research studies in the UK. Whether you are acting as a sponsor or as a CRO, we can help ensure that your research study is designed in compliance with the law and in an ethical manner.


Our Services

We provide a full data protection and information governance consultancy service to all our clients who engage with us. We provide flexible packages and services to make sure that you only pay for what you need, so you aren’t paying for unnecessary services. Whatever you and your organisation need, we are here to help.

Data Protection Advice and Consultancy

Data Protection Impact Assessment (DPIA)

External Independent Reviews


Data Protection Officer Services

Fair Processing Materials

Data Protection Health Check

Assistance with Policy Development

Data Security and Protection Toolkit (DSPT)

Record of Processing Activities (ROPA) & Information Asset Registers (IAR)

Packaged Services

Other Services
