Key Roles in the Governance and Management of Health Research

The Framework clarifies the roles and responsibilities of key stakeholders in the research governance and management process:

A responsible legal entity is the body that, either alone or with another entity, has ultimate responsibility for the study. The term ‘sponsor’ is used for the responsible legal entity for regulated clinical trials. For other types of studies, the legal responsibility for the various aspects of the study (e.g. contractual, financial, data protection), may reside with one or several parties (i.e. the organisation responsible for accepting and managing the research funding, the clinical investigators and their employers, and the data controller(s) may be any one or all of the participating organisations). Data Protection Law requires clear, factual and formal identification of controllership (e.g. sole / separate / joint controllers, data processors). 


In alignment with the HRB’s Clinical Trials and Interventions Research Governance Policy, the term ‘sponsor’ in this Framework is defined as “the legal entity which has ultimate responsibility for the study and compliance with the regulations, principles and standards of good practice that governs clinical research”. It applies to clinical trials and interventions, and includes regulated and non-regulated trials. The sponsorship responsibilities for CTIMPs and clinical investigations of medical devices are governed by legislation.  

The sponsor (as the legal entity) takes responsibility for the initiation, management, financing (or arranging the financing) and reporting of the clinical trial and interventions, but the principal investigator conducts the investigation. The sponsor is responsible for ensuring appropriate inclusion of patient, service user and public involvement in a study, and for providing access to the relevant training and support. The sponsor also accepts responsibility as data controller for the clinical trial, and for ensuring that appropriate insurance or indemnity is in place to cover liabilities, which may arise in relation to the design, management and conduct of the clinical trial or intervention.  

The sponsor may delegate some responsibilities to qualified third-parties, and this must be appropriately documented. The sponsor retains ultimate responsibility for the quality and integrity of the study data and must ensure oversight of all delegated activities. 

All clinical trials must have a sponsor regardless of the level of risk. A sponsor can be a third-level institution, a hospital, a pharmaceutical company or another legal entity.  

The level of oversight required during the implementation of the clinical trial should be assessed carefully and be commensurate with the clinical trial’s risk level. All oversight arrangements must be disclosed at the time of proposal registration with the RGMS function. All parties collaborating on the research study must, prior to starting the study, enter into an agreement that defines the roles and responsibilities of each of the collaborating organisations in the research study based on a factual analysis of their participation and the participation of their employees. Any subsequent changes made to the sponsorship arrangements during the lifetime of the research study must be notified to the relevant RGMS function and captured in an amendment to the above mentioned agreement.  

The responsibilities of sponsors are very significant. Therefore, public hospitals and other health and social care providers, should only take on the role of sponsor of clinical trials and interventions if they have developed appropriate RGMS functions to a maturity level that allows the organisation to provide appropriate sponsorship oversight commensurate with the level of risk and complexities of the research study, or when they are in the position to delegate these responsibilities appropriately with the agreement of the delegated entity or organisation. The role of sponsor cannot be assumed by default (e.g. a clinical trial cannot commence without approval on the assumption that the principal investigator’s employer is the default sponsor), and the RGMS function should carefully assess the organisation’s ability to deliver on the sponsor role.  

For research other than clinical trials, one or more legal entity may be responsible for the various aspects of the research study. They may include the following: 

  • the employer or employers of the researchers, 
  • the organisation that accepts the research funds and establishes a contractual relationship with the funder, 
  • the data controller and processor, 
  • the researchers themselves in certain circumstances (i.e For example, when the researcher acts in a private contractor capacity, such as a general practitioner (GP) 

As there may be one or more legal entities, it is therefore essential that the responsibilities of each entity with regard to the different aspects of the research study are articulated and agreed in advance. These aspects include:  

  • financial responsibility, 
  • responsibility for the indemnity and insurance for the research, 
  • responsibility for compliance with data protection legislation, 
  • responsibility for research misconduct, 
  • responsibility for rights related to intellectual property generated from the research, 
  • responsibility for compliance with HSE policies and procedures and other standards of good practice.  

Principal Investigator, Co-Principal Investigator, Chief Investigator and Collaborator  

The principal investigator (PI) is responsible for the day-to-day management of the research study at the research site. The PI retains ultimate responsibility for the management of the research study, even if tasks are delegated to other research staff.  

The PI is responsible for all research activities at the site. These responsibilities include ensuring that the study is conducted in accordance with all regulatory requirements including compliance with GCP (for clinical trials) and GMP, data protection legislation, and with all the relevant HSE national and local policies and governance protocols as they apply to the research activity. It has to be pointed out that a data controller is determined as a matter of fact on the basis of the particular circumstances that apply. If, as is usually the case, the data controller is not the PI, the actual controller cannot escape its responsibilities by assigning them all to the PI. 

Where HSE staff hold a dual affiliation, they must decide which organisation (i.e. the HSE or the academic/other organisation) they will represent for the entire duration of the research study, and this determination must be done and confirmed in writing with the RGMS before the start of the research study. This is a vital requirement for the correct determination of controllership between the collaborative organisations.  

In the case of multisite studies, the lead researcher who takes overall responsibility for the research study is referred to as the chief investigator, and the lead researcher within each site is referred to as the PI. If there is more than one PI at one site, they are referred to as co-PIs. All co-PIs have the same PI responsibilities, as described above. Other investigators involved in the research study, but who do not share the PI responsibilities, may be referred to as collaborators.  

Research Site (Host Site) 

A research site is a facility, location or service (e.g. hospital) where the research is being conducted. This includes: 

  1. the organisation or organisations where the research is taking place, and/or,  
  2. the organisation who’s service users, patients or staff are involved in the research and/or 
  3. the organisation that provides research staff, primary data, infrastructure or premises to facilitate the research.  

When research is taking place across academic Clinical Research Facilities/Centres (CRFs/Cs) and hospitals, the associated hospital would generally be considered to be the research site.  

Research Site Responsible Officer  

External research studies (i.e. third-level institution projects led by a PI who is not a member of staff) taking place within a research site should involve an employee of such a site (i.e. research site responsible officer). The level of involvement will depend on the nature of the research study and the responsibilities and requirements placed on such an employee of the site.  

The research site responsible officer could be a co-PI, a collaborator, a site access supervisor, or a provider of access to data. Regardless of the level of involvement, this person will ensure that, at a minimum, the research taking place at the site is conducted in a manner that complies with the requirements of this Framework and with any relevant local protocols, and HSE policies. The PI must be an employee of the HSE or funded organisations if insurance is to be provided by the SCA scheme (see Section 3.9). For all other scenarios, additional insurance and indemnity cover certificates will have to be provided.  

The specific roles and responsibilities of the research site responsible officer for each study should be articulated at the time of study registration with the RGMS function.  

Research Ethics Committees 

RECs are responsible for the independent assessment of all ethical considerations of a study before the study can commence. They are also responsible for ongoing oversight of research studies when amendments or changes to the original protocol or other relevant study documentation are required, or when safety issues arise. RECs are normally established by the HSE, hospitals, or third-level institutions, and there should be formal legal documentation underpinning the establishment and operation of a REC, in particular addressing composition, governance, indemnity and independence matters. A further description of RECs’ role is included in Section 4.1. of the RGMS framework.  

Health Products Regulatory Authority  

The HPRA is the agency in Ireland responsible for the regulation of CTIMPs and regulated clinical investigations of medical devices. The HPRA requires that all regulated clinical trials and investigations are designed, conducted and reported in accordance with the principles of GCP and in compliance with all relevant legislation (e.g. clinical trials of medicinal products and clinical investigations of medical devices legislation, GMP).  

Research Funders 

The funder is the organisation or group of organisations providing funding for the research study. They can be commercial or non-commercial (i.e. national, international or EU funding agencies, philanthropy sources and research charities).  

Commercial Funders 

Commercial funders generally take on the sponsor role and they dictate the purpose of the study and the terms and conditions of participation. Commercial funders/sponsors are expected to provide assistance with any enquiry, audit or investigation related to the funded work. 

Non-Commercial Funders 

Non-commercial funders generally fund investigator-led studies. Through their competitive peer-reviewed awarding processes, they establish whether the research proposal can be funded based on pre-determined criteria (e.g. high scientific quality, management, socio-economic impact, scientific and translational impact, value for money). They should do this via an independent expert review that assesses:  

  • the quality of the research as proposed,  
  • the experience and expertise of the PI and other key researchers, 
  • whether there is appropriate research infrastructure for the study: for example, management and governance arrangements; access to potential participants (or their organs, tissue or data); specialised facilities, such as equipment, materials or support staff; and, for clinical trials on medicines, expert clinical trial management and the capacity to comply with the principles of GCP, 
  • the societal and economic impact of the study,  
  • The quality of PPI approach for the research 
  • other criteria that may be specific to the call for proposals.  


Employers are defined as the organisations employing the PI and members of the research team. Employers are responsible for the actions of their employees, and they should have governance arrangements in place which place that ensure that they are always aware of what activities their employees are engaged in, especially employee activities that involve working with third-parties. Many different arrangements may impact on the role of an employer in relation to a specific research activity, and it is therefore essential that the employer’s responsibilities are articulated clearly at the time of research study registration.  

Employers are expected to:  

  1. encourage a high-quality research culture, 
  2. provide appropriate governance of the research for which they are responsible, 
  3. ensure that researchers understand and fulfil their responsibilities, 
  4. take proportionate, effective action in the event of errors and breaches, or if misconduct or fraud are suspected, 
  5. ensure that research activity does not interfere with the delivery of health and social care services in the relevant site,  
  6. provide adequate training to their employees and registered students on good research practice, research integrity, data protection, 
  7. ensure employees and students conducting research have been Garda vetted prior to conducting health research.  

State Claims Agency 

Under the National Treasury Management Agency (Amendment) Act 2000, the National Treasury Management Agency (Amendment) Act 2014 and various Delegation Orders, the management of claims for personal injury, property damage and legal costs against delegated State authorities (DSAs), and of the underlying risks, was delegated to the National Treasury Management Agency. For a list of delegated State authorities, visit the SCA website.

When performing these functions, the National Treasury Management Agency is known as the State Claims Agency (SCA).  

The SCA operates two schemes: 

  • Clinical Indemnity Scheme: this refers to the scheme under which the SCA manages personal injury claims arising from the provision of, or the failure to provide, professional medical services by those State authorities and persons covered by the scheme.  
  • General Indemnity Scheme: this refers to the scheme under which the SCA manages personal injury and property damage claims against certain State authorities covered by the scheme.  

The definition of professional medical services includes the conduct of research – S.I. No. 628/2007 – National Treasury Management Agency (Delegation of Functions) (Amendment) Order, 2007.1 The SCA provides indemnity cover to the HSE and delegated State Authorities (DSAs) for health research as follows:  

Clinical Indemnity Scheme (CIS): 

  • CIS cover automatically applies to DSA-approved non-interventional health research that is conducted by DSA staff in a DSA premises where the trial/research subjects are HSE patients.  
  • Health research undertaken as part of third-level institution research studies, i.e. PhD/MSc studies, is subject to the requirements of the HSE Framework for the Governance, Management and Support of Research. Patient interventions must be supervised by a DSA clinician in order for the CIS to apply. Other appropriate insurance may be required and must be provided by the third-level institution.  
  • A number of conditions must be met in order for the CIS to apply to clinical trials, interventional trials, or studies and regulated research where there is a third-party sponsor, e.g. a third-level institution, pharmaceutical company or other commercial company. This includes research ethics approval, a DSA clinician acting as the PI, a signed clinical trial indemnity form, and clinical trial insurance and product liability cover with adequate limits of indemnity. These conditions must be verified by the SCA or a designated representative of the SCA. 
  • In situations where a DSA acts as the sponsor of clinical trials, interventional trials or studies, or regulated research, there may be added insurance requirements independent of the General Indemnity Scheme/CIS cover, e.g. product liability insurance, no fault compensation. Please contact the SCA for further guidance.  

General Indemnity Scheme (GIS): 

  • GIS cover applies to the health research activities of a DSA and its staff. External parties must have their own insurance in place to cover the activities of their organisation/staff, i.e. employers’ insurance and public liability insurance policies with adequate limits of indemnity. 

Further details and guidance can be found at, or by emailing the SCA: 

Data Controller 

The role of data controller is outlined in the General Data Protection Regulation (GDPR),2 and additional obligations of data controllers apply in the context of health research. These additional obligations are outlined in S. 36(2)(Health Research) of the Data Protection Act 201812 and subsequent amendments. Legal responsibility for complying with the Data Protection Law is the responsibility of the Controller. 

  • The HSE is always the data controller of the personal data it holds for the performance of its statutory functions, including the provision of healthcare. An employee of the HSE will act as an employee of the data controller in the normal course of their duties (i.e. healthcare, clinical audit, quality management) but NOT always for research.  
  • The HSE is not the data controller for personal/health data held in Section 38 acute hospitals that are legally independent organisations with respect to compliance with data protection legislation.  
  • The data controller for a research study is the organisation that determines the purpose and the manner by which personal data are processed for the research study (i.e. ‘Whom’, ‘Why’, ‘How’). If the organisation takes these decisions with another organisation, they must specify the nature of their respective controllership (i.e. separate or joint controllers). Controllership is determined based on the factual elements and the circumstances of the research study, and the type of controllership determines the roles and responsibilities of the organisation. 
  • For the purpose of this Framework, ‘personal/health data’ refers to any information, including sensitive information, (e.g. health, genetic, biometric), relating to an identified or identifiable individual, where the individual can be identified or is identifiable directly from the information in question, or indirectly from that information in combination with other information, (e.g. pseudonymised personal data remain personal data in the hands of the data controller). 
  • A PI employed by a healthcare delivery organisation (i.e. hospital, community or national services), acts as an employee of the data controller and is not, (in their own right), the data controller of personal data in patient records held by the organisation employing them. In such cases, the PI acts on behalf of the data controller and is responsible, along with the data controller, for ensuring compliance with GDPR and S. 36(2)(Health Research) of the Data Protection Act 201812 and subsequent amendments.  
  • When the data controller is the HSE, the relevant head or manager of a HSE site is responsible for ensuring data protection compliance within the site that they manage. 
  • In limited circumstances, it is possible for the PI to act as data controller if not acting as an employee of the HSE (i.e when the researcher acts in a private contractor capacity such as a GP). 
  • Where HSE staff hold a dual affiliation, they must decide which organisation (i.e. the HSE or the academic/other organisation) they will represent for the whole duration of the research study, and this determination must be done and confirmed in writing with the RGMS before the start of the research study. This is a vital requirement for the correct determination of controllership between the collaborative organisations.  
  • When the researcher is not a staff member of the research site, a research site responsible officer should be engaged to coordinate access to data for research purposes in an appropriate and legally compliant manner.  
  • Investigators should engage with their regional Deputy DPO for advice as required. 

Data Processor 

A data processor is anyone who processes personal data on behalf of the data controller following strict instructions. Data processors should solely process data as requested by the data controller and must be a separate legal entity from the data controller. A processor becomes a controller if it does not follow the controller’s instructions.  

  • When an employee of the HSE collaborates on a research study with a third-party, the HSE governance arrangements should ensure that such a situation is appropriately registered. An appropriate determination of controllership must be done based the factual elements and the circumstances of the research study, to determine if the HSE, (and the PI or researcher it employs acting on its behalf), acts as a controller or a processor for the purpose of the research study.3 
  • For the avoidance of doubt, an employee of the HSE cannot act as a data processor of personal data for the provision of health care.  
  • A data processor is defined as the organisation that processes personal data on behalf of, and under the instruction of, the data controller (i.e. two distinct organisations). Disclosure of personal data that is held by the HSE to a third-party is a processing operation, but such disclosure does not make the HSE a data processor. 

Research Governance, Management and Support (RGMS) Functions 

RGMS functions refers to the collection of activities that are required to provide institutional governance and oversight for research including registration, assessment of institutional risk, impact on the site, identity and insurance requirements, data protection compliance, contractual requirements, financial management and compliance with funder requirements. 

Many of these activities currently take place in an uncoordinated manner and cause significant delays to project start up. The implementation of the framework will require the development of Research Offices at local, regional and national levels to coordinate these services and support staff to obtain the relevant approvals, as well as a streamlined involvement of the relevant Data Protection officers for the services when required.   

HSE National Research and Development  

HSE National Office for Research and Development will play a leading role in the development of the HSE national research policies, protocols, guidance and targeted training that need to be put in place to support the implementation of this Framework. The team will also support existing and future RGMS functions and RECs in developing their capacity to comply with this Framework. The office will also promote and support good practice in ensuring patients, carers, families, service users, and the public are involved in the planning, design, conduct, management, dissemination and translation of research.