General Data Protection Regulations

GDPR is a new EU regulation which has been designed to update the existing Data Protection Directive. Enacted in 1995, the existing directive was established before the days of widespread internet use, which has fundamentally changed the way we create, use, share, and store information in Clinical Research.

With the draft implementation of the GDPR (General Data Protection regulation) moving into law on the 25th of May 2018 the Clinical Informatics Research Unit (CIRU) at the University of Southampton (UoS) have been working to produce documentation to support the transition for our subscribing organisations.

The implementation of GDPR raises a number of questions about how data processors and data controllers will work together moving forward. Many of these are addressed through the Data Protection schedule of the EDGE Master Service Agreement.

More information can be found regarding GDPR, EDGE and the Clinical Informatics Research Unit in the document below:

GDPR Information FAQ’s

Need More Information?

We hope that this has provided you with the details regarding GDPR.

If you would like to know more the NHS Digital and Information Commissioners websites provide further information.

If you would like to speak with us directly about GDPR please contact us at

Information Governance

Demographic data collection, facilitated by EDGE, allows NHS organisations to fulfil their duty of care to patients enrolled in clinical studies. The Research Governance Framework section 3.10 states that:

"It is the responsibility of organisations providing health or social care in England to be aware of all research undertaken in their organisation, or involving participants, organs, tissue or data obtained through the organisation."

The Information Commissioner’s Office has confirmed that Schedule 3(8) is likely to be an applicable condition for the collection and processing of the EDGE patient data set.

Although the condition for processing outlined in Schedule 3(1) (“explicit consent”) of the DPA is likely to be impractical, this does not remove the overarching requirement of fairness under the First Principle of the DPA. In general, this means ensuring individuals are aware of how their data will be used. This is usually provided to individuals by way of a “fair processing notice” or “privacy notice” when their personal data is first collected. Organisations should, as a matter of routine, provide a generic statement on their public website or via leaflets on data handling and processing in their organisation.

To access our Information Governance White paper please click the following link:

IG White Paper

Need More Information?

We hope that this has provided you with the basic information you need in regards to EDGE. If you would like to know more, please contact us at