Processing Data for Research Purposes
Further guidance on the use of personal data in research is available in 
Section 6 of the Data Protection Code of Practice.
Page Contents
1) Data Protection: Researchers' Guidance and forms
2) Oath of Confidentiality for Research Students
3) Standard Descriptions of Categories of Personal Data
4) Data Protection Legal Bases v Research Ethics Consent
5) Processing Personal Data in the Public Domain
6) Using Social Media for Research
7) Using Others' Photos for Research
8) Basic Pseudonymisation Guidance
9) Providing Participants with a Secure Method of Sending Their Personal Data to the Researcher/s
10) Undergraduate and Taught Postgraduate Research / Dissertations
11) Transcription
12) Briefing Sessions
1) Data Protection: Researchers' Guidance and forms
Respect for confidentiality is essential to maintain trust between the public and those engaged in research. All researchers intending to use personal data must comply with the requirements of data protection legislation, the University's Data Protection Code of Practice and any associated guidance. This guidance covers the data protection issues researchers should take into account and the actions to take to be compliant.
Whilst the University provides a generic Privacy Notice for Research this does not take the place of the project specific Privacy Notice that must be provided to participants.
Please read the guidance and complete the Researcher's Checklist, Oath of Confidentiality (if you are not an employed researcher who has signed an employment contract e.g. research postgraduate) and Privacy Notice. The checklist and oath are required internally by the supervisor, PI and/or Ethics Committee. The Privacy Notice must be provided to participants along with their participant information.
Research and Data Protection guidance
Please complete the
Researcher's Data Protection Compliance Checklist (Pre-PIA) and send to dataprotection@napier.ac.uk. If you have any queries whilst you are completing it please re-read the guidance document above or contact dataprotection@napier.ac.uk.
We have also provided a template Privacy Notice for you to update and provide to your participants. The Information Governance team don't need to see or check this, but please think about how this reads to your participants and word it accordingly:
Research Privacy Notice template
Further guidance is available from JISC https://www.jisc.ac.uk/guides/rdm-toolkit
The European Commission's guidance on Ethics and Data Protection is available here: http://ec.europa.eu/research/participants/data/ref/h2020/grants_manual/hi/ethics/h2020_hi_ethics-data-protection_en.pdf
All students conducting research at Edinburgh Napier University which involves processing personal data must directed to these intranet pages (Data Protection for Research), and sign an oath of confidentiality in relation to personal data to which they will have access in the course of their studies. This form should be retained by the area in which the research is being conducted for the period end of studies with the University plus 6 years.
Download the Oath of Confidentiality Form for Research Students
If PG Research students are processing any categories of
personal data they are required to complete an Oath of Confidentiality.
3) Standard Descriptions of Categories of Personal Data
The following is a list of standard descriptions of
categories of personal data examples:
☐
Personal details, including any information that identifies the data subject and
their personal characteristics, including: name, address, contact details, age,
date of birth, sex, and physical description.
☐
Personal details issued as an identifier by a public authority, including
passport details, national insurance numbers, identity card numbers, driving
licence details.
☐
Family, lifestyle and social circumstances, including any information relating
to the family of the data subject and the data subject’s lifestyle and social
circumstances, including current marriage and partnerships, marital history,
details of family and other household members, habits, housing, travel details,
leisure activities, and membership of charitable or voluntary organisations.
☐
Education and training details, including information which relates to the
education and any professional training of the data subject, including academic
records, qualifications, skills, training records, professional expertise,
student and pupil records.
☐
Employment details, including information relating to the employment of the
data subject, including employment and career history, recruitment and
termination details, attendance records, health and safety records, performance
appraisals, training records, and security records.
☐
Financial details, including information relating to the financial affairs of
the data subject, including income, salary, assets and investments, payments,
creditworthiness, loans, benefits, grants, insurance details, and pension
information.
☐
Goods or services provided and related information, including details of the
goods or services supplied, licences issued, and contracts.
etc.
Special category (sensitive) personal data concerns, reveals
or is about:
☐
racial or ethnic origin
☐
political opinions
☐
religious or philosophical beliefs
☐
trade union membership
☐
genetic data
☐
biometric data (if used to identify a natural person)
☐
health
☐
sex life or sexual orientation
☐
criminal convictions and offences
☐
none of the above
4) Data Protection Legal Bases v Research Ethics Consent
Data Protection legal bases are distinct from research
ethics consent in that the University has the legal power by law (statutory
order) to conduct research and can therefore process personal data without
specifically asking for consent, however research consent is required to ensure
that the research is conducted in an ethical way and participants understand
and agree to what is being asked of them or, you could say it is the accepted
mechanism to ensure that research is conducted in an ethical way which upholds
the rights of the participants e.g. to make an informed decision.
There are some useful articles online:
Preparation for the implementation of the General Data
Protection Regulation (GDPR): understanding the current legal situation
(ukri.org)
"Informed,
voluntary and fair consent is the cornerstone of ethical research involving people.
It is a mechanism, to ensure the rights of individual participants can be
respected. It is through the consent process that research participants can
understand what taking part in a specific study will mean for them, so they can
make an informed choice and feel able to express their wishes."
GDPR Brief: What is the difference between research
ethics consent and data protection consent? (ga4gh.org)
5) Processing Personal Data in the Public Domain
Processing information available in the public domain depends on purposes, the processing being done and legal
basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3
. Social media sites also have their own requirements set out in their Ts &
Cs which must be complied with. Of course, processing for research can take
place, but researchers must give due consideration to the requirements of the
legislation and rights of participants, which is done through the University’s
governance and ethics processes. There’s no problem with processing personal
data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.
Where you are recruiting participants using information which is publicly available, please advise them where you got their information from and your justification for using it for your project e.g. their connection to the topic, subject matter expert, etc.. Where personal data is collected from publicly available resources there is a higher risk of the individuals complaining about the use of their data, so please ensure that you don’t contact anyone who would consider the use of their data to be unreasonable and unfair.
6) Using Social Media for Research
LinkedIn
If you are advertising your research on a LinkedIn 'message board' and providing links in there to participant information and the privacy notice, this is fine, as long as it complies with the rules for that group or channel (if in doubt contact the group/channel administrator to ask permission). It is advisable to use NoviSurvey to give potential participants a secure method of signing up to your study. You can use NoviSurvey as a means of providing participant information, the privacy notice, collecting consent, and, of course, disseminating your questionnaire/survey. Depending on the research project this could potentially all be done at the same time. Where it is not necessary to collect personal data you can use NoviSurvey in anonymous mode and collect consent via a 'tick box' without requesting name, contact details, etc. which would identify the participant.
LinkedIn
doesn’t have any guidance specifically for research participant recruitment via
their messaging service (only for their own research). If you message members
you must make information about the research project (including privacy notice
information) available elsewhere online and provide a link in your intro
message so that they can review it before making their decision whether or not
to participate. If they do not respond you should not follow up more than once.
You must ensure that you comply with the LinkedIn Policies, Terms
and Conditions of use as well as Data Protection legislation. The following
links refer:
-https://www.linkedin.com/legal/professional-community-policies
(Conduct Policy), which says: Comply with
the law: You must comply with all applicable laws, including,
for example, privacy laws
-
https://www.linkedin.com/help/linkedin/answer/61106/linkedin-messaging-overview?lang=en
7) Using Others' Photos for Research
1) Use of photos from social media sites. You need to determine if the social media site is a closed group (requires membership) e.g. LinkedIn or Facebook, or the information/photos published are publicly available e.g. Twitter. Either way, if using social media as a source then you will need to comply with the site provider’s terms and conditions of use. Where the social media site requires membership to view the images you will also need to check if there are group terms and conditions which are applicable - the smaller the group, the higher the expectation of privacy. Processing information available in the public domain depends on purposes, the processing being done and legal basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3. Of course, processing for research can take place, but researchers must give due consideration to the requirements of the legislation and rights of participants, which is done through the University’s governance and ethics processes. There’s no problem with processing personal data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.
2) The use of photos to generate information for the project e.g. as a discussion point not to be disseminated further and only available to the researcher and the participant/s, this is fine from a data protection perspective however, appropriate safeguards e.g. security, need to be observed and copyright requirements adhered to (see point 4).
3) The use of photos in outputs would require permission from the owner of the image (for copyright purposes, please see below), and if individuals can be identified in the photo then you must be able to prove that you have provided them with your Privacy Notice or that doing so would involve disproportionate effort. If photos are taken at public events there is a reduced expectation of privacy for individuals attending those events, however you must check if event organisers have notices up around the event advising attendees that photography will/may take place and if they have stipulated that photography may take place in their privacy notice, so worth checking with the event organiser if this is the case. If you are organising the event then please ensure you have notices up and that you have advised attendees in your event sign-up form and privacy notice that photographs will be taken. It is advisable to include a 'check box' in the event sign-up form where the attendee agrees that they understand that photography will take place and that their photo may be taken and used. You MUST provide them with instructions on how to opt out of having their photo taken - it may be that you reserve seats which will not be included in any photography or ask them to specifically request this on the day, so that you can identify them in any images and discard those. Depending on your individual circumstances you could include photos in your marked dissertation / thesis and redact them from any published versions – this is the safest scenario, as it is possible for complaints to arise if an individual is recognised in circumstances which may have consequences for them e.g. attending an event when they should have been at work. If processing someone else’s personal data that isn’t a direct participant it’s always a good idea to think about how you’d feel if that was your personal data e.g. is it fair, would they expect it, etc. and then by doing the pre-PIA process you can ensure the processing complies with the legislation.
If you are using photos in your outputs which include personal data (recognisable individuals) then you MUST have their written agreement to do this and taking of photos and their uses must be detailed in both the Participant Information and the Privacy Notice. You can either rely on Article 6(1)(e) (please see your DPIA checklist form) or rely on Article 6(1)(a) consent. In order to evidence this you can take a photo of the individual holding the Privacy Notice with their signed agreement or consent form, and ensure that those records are kept securely with your research consent forms.
4) Copyright in photos – please see our Library Guide here for more information: Copyright for researchers - Copyright guidance - LibGuides at Edinburgh Napier University. RIE (Research & Innovation Office (napier.ac.uk)) has also provided the following advice in answer to the question
You will need permission to use photos or ascertain whether permission has already been given - sometimes this is attached to the image under a Creative Commons License. As this is 3rd party IP, there will normally be some sort of rights over the use of the image even if researchers are not reproducing the actual content, they need the photos to generate discussion and descriptors as they will then be creating their own dataset on the back of this for their research. The photo is the background IP and the output is the foreground IP. We may have no rights to disseminate the foreground unless we sought these right at the start. If no CC license is given, researchers will need to ascertain their own permissions.
8) Basic Pseudonymisation Guidance
9) Providing Participants with a Secure Method of Sending Their
Personal Data to the Researcher/s
Researchers have a responsibility to provide participants with a
secure method of providing you with their personal data. One way of doing this
is by using a survey tool. The University has several tools available including
Novi Survey and MS Forms – further information about these is available here: https://my.napier.ac.uk/it-support/how-do-i/survey-software
When creating your survey you can divide it into sections/pages
and use these pages in the following way:
Page 1 – Provide participants with information about your
project (Participant Information Sheet)
Page 2 – Provide participants with a Privacy Notice
(template available here: http://napierstaff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/statement.aspx)
Page 3 – Consent form
Page 4 – Collection of personal data e.g. name, contact
details, and any other information required for you to confirm that they are
suitable candidates in order for you to meet your research objectives (if this
is necessary for your project)
Page 5 – Collection of research data via a questionnaire
(if this is appropriate at this stage of the project)
Page 6 – Debrief information (if necessary)
You can then provide participants with a link to your
survey in your project promotion communications and participants can provide
the information directly to you securely and without having to provide it by
email or via a third party (gate-keeper, etc.).
It is likely that when you collect your research data you will also be collecting personal data, particularly if you are recording audiovisual interviews. Using University provided and approved systems to collect your research data ensures that the security checks have already been done by Information Services, although you still need to take resonable care that you are using the systems provided correctly. You need to consider security at all stages of processing personal data e.g. collection of participant information during recruitment, administration of the 'research instruments' (survey's interviews, etc. etc.), during any sharing of data with others or transfer of data between systems or parties, right through to destruction. The ICO (UK data protection regulator) requires personal data to be encrypted at all stages of processing.
10) Undergraduate and Taught Postgraduate Research / Dissertations
Please see: http://napierstaff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/StudentAdvice.aspx
This section is guidance for UG & TPG students who are not receiving a stipend from the University or engaged in a University sponsored or other third party funded research project.
Students processing personal data for the purposes of undertaking their studies do so for their own personal purposes e.g. as part of their degree course dissertation. The student makes their own decisions about what work they will do, how this will be done and presented in their final submission, and therefore works on behalf of themselves and not the University. Whilst supervisors can advise on good research practice and data protection issues, and make suggestions about how the research is conducted, the final decision lies with the student. The University only becomes the Data Controller once the work is submitted.
If you are emailing proposed participants or recruited participants you must NOT put a list of names in the "cc" field of the email - you must use "bcc", unless you have a specific reason that the participants need to see eachother's details.
When recruiting particpants you must think about what is fair and reasonable with regards to the use of their data e.g. would they expect to hear from you? It is good practice to let them know where you sourced their contact details from. Give them adequate information about what you are doing so that they are fully informed - this will reduce the risk of a complaint being made about your use of their information. It is always less risky to allow participants to 'self-select' rather than to target them from information gathered from sources other than directly from the person themselves. 'Self-select' means that you advertise your study/project and individuals make a decision to participate and provide their information voluntarily.
You must ensure all participant personal data is adequately secure e.g. encrupted at all stages of processing whether at rest or in transit. Do not use systems which are not reputable or do not provide adequate security.
It is recommended that you provide participants with information about what you need their personal data for (usually called a Privacy Notice), any third parties that you are sharing it with, your rationale for the length of time you will keep their personal data before destroying it and if you are tranferring it outside the UK (not recommended), along with your participant information outlining the purpose, aims and objectives of your research project. Further information is provided in the document linked below.
Remember to always treat others' personal data with the same respect that you would expect your own personal data to be treated with and not do anything with the personal data that they would not expect you to do.
Practical guidance is available here: UG Dissertation & TPG Research Data Protection Advice
11) Transcription
Microsoft Teams and Word online can both record and transcribe for you, and Webex also has transcription facilities. MS Word online can both record and transcribe and you can also upload a recording for MS Word to transcribe. It is very easy to use - please see insrtuctions online here: https://support.microsoft.com/en-us/office/transcribe-your-recordings-7fc2efec-245e-45f0-b053-2a97531ecf57
It will:
1) Concurrently produce an audio file (mp3) and transcript.
2) Accept an uploaded mp3, perhaps created on Audacity or a hand-held recorder, and produce a transcript from it.
3) it will be saved to a personal space on the Napier network (on Sharepoint).
This can be used immediately by any researchers with a Napier identity.
Information Services are also investigating other options for Researchers using services like NVivo and Caption Ed.
Currently the University has 2 contracted external services for transcriptions:
- Trusty Transcriptionists, and
- 1st Class Secretarial
If you have made an audio visual recording, you must only provide the external transcription service with the audio file. To convert the MS Teams file to an mp3 audio file you will need to download a copy of the recording into an ENU network area/folder and convert it to mp3 format.
12) Briefing Sessions for Researchers
Every 6 weeks the Information Governance team run "Data Protection for Researchers" briefing sessions. These are arranged via RIE. Further information is available via the RIE sharepoint site here:
https://livenapierac.sharepoint.com/sites/Grp_RIO-ResearcherDevelopmentchannel/SitePages/Researcher-Development-Programme.aspx
And all events can be booked via Eventbrite - https://www.eventbrite.co.uk/organizations/events
Contact RIEevents@napier.ac.uk
if you have any questions
Page updated 14 Nov 2023