Page: 1 2
6. Use of Personal Data in Research
Download this section as a print-friendly PDF document.
The Act sets out to ensure that researchers may only process data about other living individuals where they have a clear legal purpose for doing so and subject to certain prescribed exemptions, the use of personal information for research falls within its remit. Staff and students engaged in research at the University are obliged therefore to comply with the requirements of the eight data protection principles, this Code of Practice, the Code of Practice on Research Integrity, and any associated guidance, when collecting and processing personal data for research purposes. In addition to computerised records these requirements apply to written records held in a structured filing system, digital and microfiche records and video recordings. Students who are authorised to hold or process personal data on computer, online or in manual format are also required to sign an Oath of Confidentiality at the start of their research project.
There are two options to consider in using personal data for research:
a) Comply with the Act; or
b) Anonymise the data to be used so that it no longer falls within the Act's definition of personal data.
6.1.1 Option a) means that all the requirements of the Act must be met and sections 6.2 to 6.5 below apply.
6.1.2 Option b) means that the personal data to be used must be completely anonymised. This will only be achieved if it is impossible to identify the subjects from that information together with any other information that the University holds or is likely to hold. If that is the case then the data may be used without making arrangements to comply with the Act since the data will no longer fall within the Act's definition of personal data.
Guidance on anonymisation has been published by the UK Information Commissioner's Office in a Code of Practice on Anonymisation.
6.2.1 Where processing for research purposes (including statistical or historical purposes) is not used to support measures or decisions targeted at particular individuals, and will not cause substantial distress or damage to a data subject, the data gathered for research purposes is exempt from being processed in accordance with the second and fifth data protection principles.
6.2.2 This means that personal information can be:
- processed for purposes other than those for which it was originally obtained. e.g. researchers can keep records of questionnaires and contacts so that the research can be re-visited at a later date or so that the information can be re-analysed in support of a research project looking at an associated area; and
- held indefinitely
6.2.3 Whilst an exemption may be applied researchers must be aware that there is no blanket exemption from observing the remaining Data Protection Principles. This means therefore that:
- Research subjects should be informed of any new data processing purposes, that the University is the Data Controller and any disclosures that may be made
- Research subjects must be able to meaningfully exercise their right to object to the data processing on the ground that it would cause or has caused them significant damage or distress
- Requirements for appropriate security of data must be observed, particularly those for the security of sensitive data
- Data may not be transferred to researchers outwith the European Economic Area (EEA) unless:
o that country has adequate data privacy protections
o the explicit consent of the subject(s) has been obtained; or
o there is an appropriate data protection contract with the data recipient
6.2.4 There is also an exemption from an individual's right of access where:
- Personal data is not processed to support measures or decisions with respect to particular individuals
- Personal data is not processed in a way that substantial damage or distress is or is likely to be caused to any individual
- The research results, or any associated statistics, are effectively anonymised
6.2.5 However, the University may still choose to disclose the information to the data subject, unless by doing so this would breach another individual's data protection rights.
6.2.6 The legislation recognises that the value of access to personal data in research may outweigh an individual's desire to exercise a high level of control over the use of their data. Researchers wishing to use sensitive personal data should be able to do so, if they can demonstrate a significant public interest, they have secured the approval of the Faculty Research Integrity Committee and they adhere to the procedural safeguards required by law.
Page: 1 2