The following guidance provides an overview of the Data Protection Act
and how it affects research activity. It also offers advice to those
submitting research applications on measures that can be taken to ensure
that the basic data protection requirements are fulfilled when undertaking
research projects that involve the collection of personal data.
2. Provisions of the Data Protection Act
2.1 Purpose of the Act
The Data Protection Act exists to provide a framework for the proper
management of personal data. The Act defines "personal data” as "data which
relate to a living individual who can be identified from those data”. The
Act places responsibilities upon individuals or organisations that process
personal data 
and establishes specific rights for "data subjects” (the individuals whom
the data are about) in relation to their personal data.
2.2 Data Protection principles
The Act is based upon eight data protection principles. Any individual or
organisation processing personal data is required by law to ensure that any
data in their possession are managed in accordance with these principles.
Data must be:
Data Protection Principle
processed fairly (i.e. the data subject
is aware how their data will be used) and
obtained for a specified and lawful
purpose and not processed in any manner
incompatible with the purpose;
adequate, relevant and not excessive
for the purpose;
accurate and up-to-date;
not kept for longer than necessary for
processed in accordance with the data
kept safe from unauthorised processing,
or accidental loss, damage or destruction;
not transferred to a country or
territory outside the European Economic Area
unless that country has equivalent levels of
protection for personal data.
3. Personal Data Collected for Research Purposes: Data
Protection Act requirements
3.1 Research and the Data Protection principles
Researchers are obliged in general to comply with the requirements
established by the data protection principles when collecting and processing
personal data for research purposes.
3.2 Data Protection Act exemptions for research data
Data gathered for the purposes of research activity, however, are exempt
from being processed in accordance with the second and fifth data protection
principles. This means that personal information can be (i) processed for
purposes other than those for which it was originally obtained and (ii) held
indefinitely. These exemptions only apply if the personal data are not
processed to support measures or decisions relating to particular
individuals or are not processed in such a way that substantial damage or
distress may be caused to the data subject(s).
The exemptions laid down in the Act mean, for example, that individuals
involved in research can keep records of questionnaires and contacts so that
the research can be re-visited at a later date, or so that they can
re-analyse the information in support of a research project looking at an
associated area. Although these exemptions do exist, researchers must
recognise that the Act does not provide a blanket exemption from all the
data protection principles for data provided and/or used for research
purposes. Researchers wishing to use personal data should be aware that most
of the data protection principles still apply (notably the requirement to
keep data secure) and that specific measures must be taken on each occasion
data are collected for research purposes.
3.3 Fully Anonymised Data
If the data are completely and genuinely anonymised and no "key” to the
identity of the data subject is held by (or is likely to come into the
possession of) a researcher, then the Data Protection Act does not apply as
such information is not considered to be "personal data” within the terms of
the Act (i.e. data which relate to a living individual who can be identified
from those data). It should be noted though that true anonymisation of data
is difficult to achieve in practice and if identification is at all
possible, the Act does still apply.
3.4 Data Protection Act compliance requirements
Generally, those collecting personal data as part of a research project
are required to take the following measures as a minimum to ensure
compliance with the Data Protection Act. It is expected that research
applications will include an explanation and/or demonstration of how these
measures will be taken.
In order to comply with the first and most important data protection
principle, researchers must inform research subjects as far as possible of:
the purpose of the research for which personal data
about them will be collected;
how their personal data will be used; and
who will have access to their data.
If known, it may also be useful to state how long the data will be
retained, although this is less important due to the exemption of the data
protection principle relating to the retention of data.
Clear security measures must be established to ensure that personal data
are protected from unauthorised access or accidental loss, damage or
destruction. These measures should be communicated to data subjects as part
of the information given to them relating to the nature of the research
project and how data about them will be used.
Overall, the most appropriate approach is to ensure that, at the outset,
research subjects are given as much information as is reasonably possible
about their involvement in the project and about how information about them
will be used and managed.
Researchers must also be mindful of a research subject’s right to object
to the processing of data on the grounds that such processing would cause
them (or has caused them) significant damage or distress.
3.5 Access to personal data by data subjects
Subject to specific procedures, the Data Protection Act provides all
individuals with the right to request access to intelligible copies of
personal data about them where they are identified as the data subject.
Personal information gathered as part of research activity is exempt from
such a disclosure where the data are managed in accordance with the relevant
data protection principles and the results of the research are not made
available in a form that identifies the data subject(s).
4. Contact Information
Specific queries about the role of the Data Protection Act in relation to
research data should be directed to:
Information Assurance Manager
IT Services, University of Essex, Wivenhoe Park
Colchester, CO4 3SQ United Kingdom
 Please note that information processed by an individual only for the
purposes of that individual’s personal, family or household affairs (including
recreational purposes) are exempt from the data protection principles.
Freedom of Information TeamInformation is available on request.