6. Use of Personal Data in Research
6.3 Factors to be Considered When Processing Personal Data for Research Purposes
6.3.1 Researchers are required to carry out an adequate review in advance of processing, to ensure that the requirements of Data Protection Legislation and in particular the Data Protection Principles can be adhered to.
6.3.2 Research subjects are to be fully and clearly informed about the purpose of the research for which their personal data will be collected, how their data will be used and who will have access to it.
6.3.3 Adequate security measures, consistent with the sensitivity of the personal data and the format in which it is held, must be in place to ensure that personal data is protected from unauthorised access, accidental loss, damage or destruction. These measures should be communicated to the subjects as part of the information given to them relating to the nature of the research project and how data about them will be used.
6.3.4 Research subjects have a right to object to the processing of their personal data.
6.3.5 Researchers must be aware that processing of personal data which has been coded or anonymised, but for which links to an individual can still be made by reference to a key to the code or to other identifiers, remains subject to Data Protection Legislation, this Code of Practice and any associated guidance.
6.3.6 Subject to specific procedures, Data Protection Legislation provides all individuals with the right to request access to intelligible copies of personal data about them where they are identified as the data subject. Personal information gathered as part of research activity is exempt from such a disclosure where the data is managed in accordance with the relevant data protection principles and the results of the research are not made available in a form that identifies the data subject(s).
6.3.7 Particular care must be taken when the processing involves special category personal data, for which Data Protection Legislation imposes more stringent conditions. See Section 4.4 for further guidance.
6.3.8 Research carried out for the NHS or under contract for a commercial organisation is subject to notification by that body and to that organisation's own Data Protection policies. However, any data which has not been fully anonymised and is downloaded with permission from an NHS or other external system to a University system constitutes a University database and has to be registered and treated as such.
6.3.9 A review of the processing must be carried out at least annually to ensure that compliance with Data Protection Legislation is being maintained and documented.
It is recommended that researchers refer to the Research and Data Protection Guidance document before embarking on any research project.
6.4 Processing Special Category Personal Data
6.4.1 The processing of special category personal data may be carried out provided the conditions prescribed in Data Protection Legislation are met, e.g. explicit consent has been obtained. Further guidance is available in Section 4.4 of this Code.
6.4.2 In addition, the legislation permits processing for research purposes 'in the substantial public interest' where it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
6.5 Online Research with Human Subjects
6.5.1 For many online research projects, existing ethical guidelines will already meet the requirements of the data protection legislation. However, researchers seeking to gather research data online must be aware that this environment generates significant amounts of background information, e.g. data logs, IP address collection, cookies and caches, which are classed as 'personal data' under the legislation and must be kept and processed securely.
6.5.2 Where internet research tools and computer systems are used, researchers are required to identify and address potential technical and administrative problems, e.g. poor research tool configuration and inappropriate levels of system security or integrity. A Privacy Impact Assessment must be completed for online tools, with approval from the University's Information Services department for system security measures.
6.5.3 Researchers are thereafter required to seek confirmation from the University's Research Office, Programme Leader or Project Supervisor that any proposed online project involving personal data meets the University's ethical and data protection guidelines.
6.6 Provision of Research Data to Third Parties
The University is required to consider requests for research data under the Freedom of Information (Scotland) Act 2002. The following factors must be considered in order to comply with Data Protection legislation:
- Can individuals be identified from personal data in the data requested, or are they likely to be identifiable from that data in combination with other information likely to be available to the third party?
- If there is a risk of identification of an individual, can that risk be removed by:
  - Redaction of the data
  - Provision of the data in statistical form
  - Provision of the data in statistical form after it has been appropriately anonymised to disguise subjects' identities when information consists of low numbers
- Is the cost of providing the data in appropriately anonymised form reasonable?
Advice and guidance must be sought from the University's Information Governance Manager before any data is disclosed.