Data Protection and research activity
March 2007
1. Guidance overview
The following guidance provides an overview of the Data Protection Act
and how it affects research activity. It also offers advice to those
submitting research applications on measures that can be taken to ensure
that the basic data protection requirements are fulfilled when undertaking
research projects that involve the collection of personal data.
2. Provisions of the Data Protection Act
2.1 Purpose of the Act
The Data Protection Act exists to provide a framework for the proper
management of personal data. The Act defines “personal data” as “data which
relate to a living individual who can be identified from those data”. The
Act places responsibilities upon individuals or organisations that process
personal data[1]
and establishes specific rights for “data subjects” (the individuals whom
the data are about) in relation to their personal data.
2.2 Data Protection principles
The Act is based upon eight data protection principles. Any individual or
organisation processing personal data is required by law to ensure that any
data in their possession are managed in accordance with these principles.
Data must be:
| Data Protection Principle | Description |
| --- | --- |
| 2.2.1 | processed fairly (i.e. the data subject is aware how their data will be used) and lawfully; |
| 2.2.2 | obtained for a specified and lawful purpose and not processed in any manner incompatible with the purpose; |
| 2.2.3 | adequate, relevant and not excessive for the purpose; |
| 2.2.4 | accurate and up-to-date; |
| 2.2.5 | not kept for longer than necessary for the purpose; |
| 2.2.6 | processed in accordance with the data subject’s rights; |
| 2.2.7 | kept safe from unauthorised processing, or accidental loss, damage or destruction; |
| 2.2.8 | not transferred to a country or territory outside the European Economic Area unless that country has equivalent levels of protection for personal data. |
3. Personal Data Collected for Research Purposes: Data Protection Act requirements
3.1 Research and the Data Protection principles
Researchers are obliged in general to comply with the requirements
established by the data protection principles when collecting and processing
personal data for research purposes.
3.2 Data Protection Act exemptions for research data
Data gathered for the purposes of research activity, however, are exempt
from being processed in accordance with the second and fifth data protection
principles. This means that personal information can be (i) processed for
purposes other than those for which it was originally obtained and (ii) held
indefinitely. These exemptions only apply if the personal data are not
processed to support measures or decisions relating to particular
individuals or are not processed in such a way that substantial damage or
distress may be caused to the data subject(s).
The exemptions laid down in the Act mean, for example, that individuals
involved in research can keep records of questionnaires and contacts so that
the research can be re-visited at a later date, or so that they can
re-analyse the information in support of a research project looking at an
associated area. Although these exemptions do exist, researchers must
recognise that the Act does not provide a blanket exemption from all the
data protection principles for data provided and/or used for research
purposes. Researchers wishing to use personal data should be aware that most
of the data protection principles still apply (notably the requirement to
keep data secure) and that specific measures must be taken on each occasion
data are collected for research purposes.
3.3 Fully Anonymised Data
If the data are completely and genuinely anonymised and no “key” to the
identity of the data subject is held by (or is likely to come into the
possession of) a researcher, then the Data Protection Act does not apply as
such information is not considered to be “personal data” within the terms of
the Act (i.e. data which relate to a living individual who can be identified
from those data). It should be noted though that true anonymisation of data
is difficult to achieve in practice and if identification is at all
possible, the Act does still apply.
3.4 Data Protection Act compliance requirements
Generally, those collecting personal data as part of a research project
are required to take the following measures as a minimum to ensure
compliance with the Data Protection Act. It is expected that research
applications will include an explanation and/or demonstration of how these
measures will be taken.
3.4.1
In order to comply with the first and most important data protection
principle, researchers must inform research subjects as far as possible of:
- the purpose of the research for which personal data
about them will be collected;
- how their personal data will be used; and
- who will have access to their data.
If known, it may also be useful to state how long the data will be
retained, although this is less important due to the exemption of the data
protection principle relating to the retention of data.
3.4.2
Clear security measures must be established to ensure that personal data
are protected from unauthorised access or accidental loss, damage or
destruction. These measures should be communicated to data subjects as part
of the information given to them relating to the nature of the research
project and how data about them will be used.
Overall, the most appropriate approach is to ensure that, at the outset,
research subjects are given as much information as is reasonably possible
about their involvement in the project and about how information about them
will be used and managed.
Researchers must also be mindful of a research subject’s right to object
to the processing of data on the grounds that such processing would cause
them (or has caused them) significant damage or distress.
3.5 Access to personal data by data subjects
Subject to specific procedures, the Data Protection Act provides all
individuals with the right to request access to intelligible copies of
personal data about them where they are identified as the data subject.
Personal information gathered as part of research activity is exempt from
such a disclosure where the data are managed in accordance with the relevant
data protection principles and the results of the research are not made
available in a form that identifies the data subject(s).
4. Contact Information
Specific queries about the role of the Data Protection Act in relation to
research data should be directed to the University Records Manager as below:
[1] Please note that information processed by an individual only for the
purposes of that individual’s personal, family or household affairs (including
recreational purposes) is exempt from the data protection principles.