• Home
  • Login
  • Welcome to the Staff Intranet

​​​​​Processing Data for Research Purposes

Further guidance on the use of personal data in research is available in Section 6 of the Data Protection Code of Practice.

Page Contents

​1) Data Protection: Researchers' Guidance and forms

2) Oath of Confidentiality for Research Students

3) Standard Descriptions of Categories of Personal Data

4) Data Protection Legal Bases v Research Ethics Consent

5) Processing Personal Data in the Public Domain

6) Using Social Media for Research

7) Using Others' Photos for Research

8) Basic Pseudonymisation Guidance

9) Providing Participants with a Secure Method of Sending Their Personal Data to the Researcher/s

10) Undergraduate and Taught Postgraduate Research / Dissertations

​11) Transcription

12) Briefing Sessions

Sports Science Researcher1) Data Protection: Researchers' Guidanc​e and forms

Respect for confidentiality is essential to maintain trust between the public and those engaged in research.  All researchers intending to use personal data must comply with the requirements of data protection legislation, the University's Data Protection Code of Practice and any associated guidance. This guidance covers the data protection issues researchers should take into account and the actions to take to be compliant.

The University requires researchers to complete a 'Researcher's Data Protection Compliance Checklist' (which is also called a pre-DPIA or ROPA). Previous to June 2024, these checklists were provided in a Word document, however they will now be provided in a survey format using a system called OneTrust.

Please contact dataprotection@napier.ac.uk to request a form. We will need the title of your project to do this.


Whilst the University provides a generic Privacy Notice for Research this does not take the place of the project specific Privacy Notice that must be provided to participants.


Please read the guidance and complete the Researcher's Checklist, Oath of Confidentiality (if you are not an employed researcher who has signed an employment contract e.g. research postgraduate) and Privacy Notice. The checklist and oath are required internally by the supervisor, PI and/or Ethics Committee. The Privacy Notice must be provided to participants along with their participant information.

Research and Data Protection guidance

If you have any queries whilst you are completing your Researcher's Checklist (pre-DPIA/ROPA) please re-read the guidance document above or contact dataprotection@napier.ac.uk.

We have also provided a template Privacy Notice for you to update and provide to your participants. The Information Governance team don't need to see or check this, but please think about how this reads to your participants and word it accordingly: 

​Research Privacy Notice template​


Further guidance is available from JISC https://www.jisc.ac.uk/guides/rdm-toolkit​ 

The European Commission's guidance on Ethics and Data Protection is available here: http://ec.europa.eu/research/participants/data/ref/h2020/grants_manual/hi/ethics/h2020_hi_ethics-data-protection_en.pdf​


2) Oath of Confidentiality for Research Students

All students conducting research at Edinburgh Napier University which involves processing personal data must directed to these intranet pages (Data Protection for Research), and sign an oath of confidentiality in relation to personal data to which they will have access in the course of their studies.  This form should be retained by the area in which the research is being conducted for the period end of studies with the University plus 6 years.


Download the Oath of Confidentiality Form for Research Students


If PG Research students are processing any categories of personal data they are required to complete an Oath of Confidentiality. 

3) Standard Descriptions of Categories of Personal Data

The following is a list of standard descriptions of categories of personal data examples:

Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description.

Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, driving licence details.

Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject’s lifestyle and social circumstances, including current marriage and partnerships, marital history, details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organisations.

Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, professional expertise, student and pupil records.

Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records, and security records.

Financial details, including information relating to the financial affairs of the data subject, including income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details, and pension information.

Goods or services provided and related information, including details of the goods or services supplied, licences issued, and contracts.



Special category (sensitive) personal data concerns, reveals or is about:

racial or ethnic origin

political opinions

religious or philosophical beliefs

trade union membership

genetic data

biometric data (if used to identify a natural person)


sex life or sexual orientation

criminal convictions and offences

none of the above


4) Data Protection Legal Bases v Research Ethics Consent

Data Protection legal bases are distinct from research ethics consent in that the University has the legal power by law (statutory order) to conduct research and can therefore process personal data without specifically asking for consent, however research consent is required to ensure that the research is conducted in an ethical way and participants understand and agree to what is being asked of them or, you could say it is the accepted mechanism to ensure that research is conducted in an ethical way which upholds the rights of the participants e.g. to make an informed decision.

 There are some useful articles online:

Preparation for the implementation of the General Data Protection Regulation (GDPR): understanding the current legal situation (ukri.org)

"Informed, voluntary and fair consent is the cornerstone of ethical research involving people. It is a mechanism, to ensure the rights of individual participants can be respected. It is through the consent process that research participants can understand what taking part in a specific study will mean for them, so they can make an informed choice and feel able to express their wishes." 

GDPR Brief: What is the difference between research ethics consent and data protection consent? (ga4gh.org)

5) Processing Personal Data in the Public Domain

Processing information available in the public domain depends on purposes, the processing being done and legal basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3 . Social media sites also have their own requirements set out in their Ts & Cs which must be complied with. Of course, processing for research can take place, but researchers must give due consideration to the requirements of the legislation and rights of participants, which is done through the University’s governance and ethics processes. There’s no problem with processing personal data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.​

Where you are recruiting participants using information which is publicly available, please advise them where you got their information from and your justification for using it for your project e.g. their connection to the topic, subject matter expert, etc.. Where personal data is collected from publicly available resources there is a higher risk of the individuals complaining about the use of their data, so please ensure that you don’t contact anyone who would consider the use of their data to be unreasonable and unfair.

6) Using Social Media for Research


If you are advertising your research on a LinkedIn 'message board' and providing links in there to participant information and the privacy notice, this is fine, as long as it complies with the rules for that group or channel (if in doubt contact the group/channel administrator to ask permission). It is advisable to use NoviSurvey to give potential participants a secure method of signing up to your study. You can use NoviSurvey as a means of providing participant information, the privacy notice, collecting consent, and, of course, disseminating your questionnaire/survey. Depending on the research project this could potentially all be done at the same time. Where it is not necessary to collect personal data you can use NoviSurvey in anonymous mode and collect consent via a 'tick box' without requesting name, contact details, etc. which would identify the participant.

LinkedIn doesn’t have any guidance specifically for research participant recruitment via their messaging service (only for their own research). If you message members you must make information about the research project (including privacy notice information) available elsewhere online and provide a link in your intro message so that they can review it before making their decision whether or not to participate. If they do not respond you should not follow up more than once.

You must ensure that you comply with the LinkedIn Policies, Terms and Conditions of use as well as Data Protection legislation. The following links refer:

-https://www.linkedin.com/legal/professional-community-policies (Conduct Policy), which says: Comply with the law: You must comply with all applicable laws, including, for example, privacy laws

- https://www.linkedin.com/help/linkedin/answer/61106/linkedin-messaging-overview?lang=en

7) Using Others' Photos for Research


1) Use of photos from social media sites. You need to determine if the social media site is a closed group (requires membership) e.g. LinkedIn or Facebook, or the information/photos published are publicly available e.g. Twitter. Either way, if using social media as a source then you will need to comply with the site provider’s terms and conditions of use. Where the social media site requires membership to view the images you will also need to check if there are group terms and conditions which are applicable - the smaller the group, the higher the expectation of privacy. Processing information available in the public domain depends on purposes, the processing being done and legal basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3. Of course, processing for research can take place, but researchers must give due consideration to the requirements of the legislation and rights of participants, which is done through the University’s governance and ethics processes. There’s no problem with processing personal data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.

2) The use of photos to generate information for the project e.g. as a discussion point not to be disseminated further and only available to the researcher and the participant/s, this is fine from a data protection perspective however, appropriate safeguards e.g. security, need to be observed and copyright requirements adhered to (see point 4). 

3) The use of photos in outputs would require permission from the owner of the image (for copyright purposes, please see below), and if individuals can be identified in the photo then you must be able to prove that you have provided them with your Privacy Notice or that doing so would involve disproportionate effort. If photos are taken at public events there is a reduced expectation of privacy for individuals attending those events, however you must check if event organisers have notices up around the event advising attendees that photography will/may take place and if they have stipulated that photography may take place in their privacy notice, so worth checking with the event organiser if this is the case. If you are organising the event then please ensure you have notices up and that you have advised attendees in your event sign-up form and privacy notice that photographs will be taken. It is advisable to include a 'check box' in the event sign-up form where the attendee agrees that they understand that photography will take place and that their photo may be taken and used. You MUST provide them with instructions on how to opt out of having their photo taken - it may be that you reserve seats which will not be included in any photography or ask them to specifically request this on the day, so that you can identify them in any images and discard those. Depending on your individual circumstances you could include photos in your marked dissertation / thesis and redact them from any published versions – this is the safest scenario, as it is possible for complaints to arise if an individual is recognised in circumstances which may have consequences for them e.g. attending an event when they should have been at work. If processing someone else’s personal data that isn’t a direct participant it’s always a good idea to think about how you’d feel if that was your personal data e.g. is it fair, would they expect it, etc. and then by doing the pre-PIA process you can ensure the processing complies with the legislation.

If you are using photos in your outputs which include personal data (recognisable individuals) then you MUST have their written agreement to do this and taking of photos and their uses must be detailed in both the Participant Information and the Privacy Notice. You can either rely on Article 6(1)(e) (please see your DPIA checklist form) or rely on Article 6(1)(a) consent. In order to evidence this you can take a photo of the individual holding the Privacy Notice with their signed agreement or consent form, and ensure that those records are kept securely with your research consent forms.

4) Copyright in photos – please see our Library Guide here for more information: Copyright for researchers - Copyright guidance - LibGuides at Edinburgh Napier University. RIE (Research & Innovation Office (napier.ac.uk)) has also provided the following advice in answer to the question

You will need permission to use photos or ascertain whether permission has already been given - sometimes this is attached to the image under a Creative Commons License. As this is 3rd party IP, there will normally be some sort of rights over the use of the image even if researchers are not reproducing the actual content, they need the photos to generate discussion and descriptors as they will then be creating their own dataset on the back of this for their research. The photo is the background IP and the output is the foreground IP. We may have no rights to disseminate the foreground unless we sought these right at the start. If no CC license is given, researchers will need to ascertain their own permissions. ​


8) Basic Pseudonymisation Guidance

Please see guidance document here: Basic_Pseudonymisation_Guidance


​​9) Providing Participants with a Secure Method of Sending Their Personal Data to the Researcher/s

Researchers have a responsibility to provide participants with a secure method of providing you with their personal data. One way of doing this is by using a survey tool. The University has several tools available including Novi Survey and MS Forms – further information about these is available here: https://my.napier.ac.uk/it-support/how-do-i/survey-software

When creating your survey you can divide it into sections/pages and use these pages in the following way:

Page 1 – Provide participants with information about your project (Participant Information Sheet)

Page 2 – Provide participants with a Privacy Notice (template available here: http://napierstaff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/statement.aspx)

Page 3 – Consent form

Page 4 – Collection of personal data e.g. name, contact details, and any other information required for you to confirm that they are suitable candidates in order for you to meet your research objectives (if this is necessary for your project)

Page 5 – Collection of research data via a questionnaire (if this is appropriate at this stage of the project)

Page 6 – Debrief information (if necessary)

You can then provide participants with a link to your survey in your project promotion communications and participants can provide the information directly to you securely and without having to provide it by email or via a third party (gate-keeper, etc.).​

It is likely that when you collect your research data you will also be collecting personal data, particularly if you are recording audiovisual interviews. Using University provided and approved systems to collect your research data ensures that the security checks have already been done by Information Services, although you still need to take resonable care that you are using the systems provided correctly. You need to consider security at all stages of processing personal data e.g. collection of participant information during recruitment, administration of the 'research instruments' (survey's interviews, etc. etc.), during any sharing of data with others or transfer of data between systems or parties, right through to destruction. The ICO (UK data protection regulator) requires personal data to be encrypted at all stages of processing.

10) Undergraduate and Taught Postgraduate Research / Dissertations


Please see: http://napierstaff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/StudentAdvice.aspx​​ 

This section is guidance for UG & TPG students who are not receiving a stipend from the University or engaged in a University sponsored or other third party funded research project.

Students processing personal data for the purposes of undertaking their studies do so for their own personal purposes e.g. as part of their degree course dissertation. The student makes their own decisions about what work they will do, how this will be done and presented in their final submission, and therefore works on behalf of themselves and not the University. Whilst supervisors can advise on good research practice and data protection issues, and make suggestions about how the research is conducted, the final decision lies with the student. The University only becomes the Data Controller once the work is submitted.

If you are emailing proposed participants or recruited participants you must NOT put a list of names in the "cc" field of the email - you must use "bcc", unless you have a specific reason that the participants need to see eachother's details.

When recruiting particpants you must think about what is fair and reasonable with regards to the use of their data e.g. would they expect to hear from you? It is good practice to let them know where you sourced their contact details from. Give them adequate information about what you are doing so that they are fully informed - this will reduce the risk of a complaint being made about your use of their information. It is always less risky to allow participants to 'self-select' rather than to target them from information gathered from sources other than directly from the person themselves. 'Self-select' means that you advertise your study/project and individuals make a decision to participate and provide their information voluntarily.

You must ensure all participant personal data is adequately secure e.g. encrupted at all stages of processing whether at rest or in transit. Do not use systems which are not reputable or do not provide adequate security.

It is recommended that you provide participants with information about what you need their personal data for (usually called a Privacy Notice), any third parties that you are sharing it with, your rationale for the length of time you will keep their personal data before destroying it and if you are tranferring it outside the UK (not recommended), along with your participant information outlining the purpose, aims and objectives of your research project. Further information is provided in the document linked below.

Remember to always treat others' personal data with the same respect that you would expect your own personal data to be treated with and not do anything with the personal data that they would not expect you to do. 

Practical guidance is available here: UG Dissertation & TPG Research Data Protection Advice​​

11) Transcription

Microsoft Teams and Word online can both record and transcribe for you, and Webex also has transcription facilities. MS Word online can both record and transcribe and you can also upload a recording for MS Word to transcribe. It is very easy to use - please see insrtuctions online here: https://support.microsoft.com/en-us/office/transcribe-your-recordings-7fc2efec-245e-45f0-b053-2a97531ecf57

It will:

1) Concurrently produce an audio file (mp3) and transcript.

2) Accept an uploaded mp3, perhaps created on Audacity or a hand-held recorder, and produce a transcript from it.

3) it will be saved to a personal space on the Napier network (on Sharepoint).

​This can be used imm​ediately by any researchers with a Napier identity.

Information Services are also investigating other options for Researchers using services like NVivo and Caption Ed.


Currently the University has 2 contracted external services for transcriptions:

  • Trusty Transcriptionists, and 
  • 1st Class Secretarial​

If you have made an audio visual recording, you must only provide the external transcription service with the audio file. To convert the MS Teams file to an mp3 audio file you will need to download a copy of the recording into an ENU network area/folder and convert it to mp3 format.

12) Briefing Sessions for Researchers

Every 6 weeks the Information Governance team run "Data Protection for Researchers" briefing sessions. These are arranged via RIE. Further information is available via the RIE sharepoint site here:


And all events can be booked via Eventbrite - https://www.eventbrite.co.uk/organizations/events

Contact RIEevents@napier.ac.uk if you have any questions​

Page updated 4 June 2024