GDPR and UK Privacy Notices
Some Sponsors and collaborators located in the European Union (EU), European Economic Area (EEA), or United Kingdom (UK) are subject to data protection laws such as the EU General Data Protection Regulation (GDPR), the UK GDPR, and the UK Data Protection Act 2018. This page explains how NIH investigators should respond when a Sponsor requests that information about these laws be provided to research participants.
Some Sponsors and collaborators located in the European Union (EU), European Economic Area (EEA), or United Kingdom (UK) are subject to data protection laws such as the EU General Data Protection Regulation (GDPR), the UK GDPR, and the UK Data Protection Act 2018. This page explains how NIH investigators should respond when a Sponsor requests that information about these laws be provided to research participants.
NIH's Position
NIH is a U.S. federal government agency and is not subject to the EU GDPR, UK GDPR, or UK Data Protection Act 2018.
As a result:
- NIH consent forms may not include language stating or implying that NIH complies with these laws.
- NIH investigators may not sign agreements stating that NIH complies with foreign privacy laws.
- NIH investigators must comply with applicable U.S. laws, regulations, and NIH policies governing privacy and confidentiality, including the Common Rule, the Privacy Act, Certificates of Confidentiality, and FDA requirements, when applicable.
When a Sponsor needs to provide information about its own obligations under these laws, OHSRP can work with the Sponsor to develop a separate Data Privacy Notice (DPN) that may be provided to participants on the Sponsor's behalf.
What Investigators Must Do
If a Sponsor, Contract Research Organization (CRO), or coordinating center provides a consent form that includes EU GDPR, UK GDPR, or UK Data Protection Act 2018 language:
1. Remove the foreign privacy language from the NIH consent.
NIH consent forms may not state or imply that NIH is subject to, or agrees to comply with, foreign privacy laws.
2. Contact your IRB team early.
Notify your IRBO team as soon as you become aware that the Sponsor requires GDPR or UK privacy information for participants.
3. Inform the Sponsor that the NIH consent will differ from the master consent.
Explain that NIH cannot include foreign-law compliance language in its consent forms. If needed, OHSRP will work with the Sponsor to develop a separate Data Privacy Notice for NIH participants.
4. Do not sign agreements stating that NIH complies with foreign privacy laws.
If a Sponsor asks you to sign a data processing agreement, compliance statement, standard contractual clauses, or similar document, contact the NIH Office of General Counsel before responding.
5. Do not serve as the Sponsor's privacy contact.
Participants with questions about the Sponsor's privacy practices or rights under foreign privacy laws should be referred to the Sponsor's Data Protection Officer or other privacy contact identified in the Data Privacy Notice.
Data Privacy Notice (DPN)
When required, OHSRP can work with the Sponsor to develop a separate Data Privacy Notice (DPN).
The DPN is a Sponsor-provided document that NIH investigators may distribute to participants on the Sponsor's behalf. It is separate from the NIH informed consent document and must be reviewed and cleared through OHSRP before it is provided to participants.
A Data Privacy Notice typically explains:
- What identifiable information the Sponsor will receive.
- How the Sponsor will use, retain, and share participant information.
- How long the Sponsor plans to retain the data.
- Any rights participants may have under the Sponsor's applicable privacy laws.
- How participants can contact the Sponsor regarding those rights.
The development of a DPN can occur in parallel with IRB review and will not delay IRB approval.
NIH Investigator Responsibilities
| NIH Investigators may... | NIH Investigators may not... |
|---|---|
| Provide an OHSRP-approved Data Privacy Notice to participants on the Sponsor's behalf. | Explain or interpret the EU GDPR, UK GDPR, or UK Data Protection Act 2018. |
| Obtain participant signatures acknowledging receipt of the Notice, when required. | Advise participants about their rights under foreign privacy laws. |
| Provide a copy of the signed Notice to the Sponsor, if required. | Serve as the Sponsor's Data Protection Officer or privacy contact. |
| Direct participants to the Sponsor's designated privacy contact listed in the Notice. | Forward, negotiate, or resolve participant privacy requests on the Sponsor's behalf. |
| Sign agreements stating that NIH complies with EU GDPR, UK GDPR, UK Data Protection Act 2018, or other foreign privacy laws. |
Key Takeaway
NIH consent forms may not include language stating or implying compliance with the EU GDPR, UK GDPR, or other foreign privacy laws. When a Sponsor needs to provide this information to participants, OHSRP can work with the Sponsor to develop a separate Data Privacy Notice that NIH investigators may distribute on the Sponsor's behalf.
Related Resources
Privacy and Confidentiality Requirements in Human Subjects Research - The Common Rule and Beyond
Presented by Heather Bridge
Regulation (EU) 2016/679, General Data Protection Regulation, including definitions of personal data, processing, controller, and processor
European Data Protection Board guidance on processing health data for scientific research
UK GDPR and Data Protection Act 2018 research provisions and safeguards