• Home
  • Login
  • Welcome to the Staff Intranet
 

Processing Data for Research Purposes


Further guidance on the use of personal data in research is available in Section 6 of the Data Protection Code of Practice.

Page Contents

​1) Data Protection: Researchers' Guidance and forms

2) Oath of Confidentiality for Research Students

3) Standard Descriptions of Categories of Personal Data

4) Data Protection Legal Bases v Research Ethics Consent

5) Processing Personal Data in the Public Domain

6) Using Social Media for Research

7) Using Others' Photos for Research

8) Basic Pseudonymisation Guidance

9) Providing Participants with a Secure Method of Sending Their Personal Data to the Researcher/s

10) Undergraduate and Taught Postgraduate Research / Dissertations


Sports Science Researcher1) Data Protection: Researchers' Guidanc​e and forms


Respect for confidentiality is essential to maintain trust between the public and those engaged in research.  All researchers intending to use personal data must comply with the requirements of data protection legislation, the University's Data Protection Code of Practice and any associated guidance. This guidance covers the data protection issues researchers should take into account and the actions to take to be compliant.

 

Whilst the University provides a generic Privacy Notice for Research this does not take the place of the project specific Privacy Notice that must be provided to participants.

 

Please read the guidance and complete the Researcher's Checklist, Oath of Confidentiality (if you are not an employed researcher who has signed an employment contract e.g. research postgraduate) and Privacy Notice. The checklist and oath are required internally by the supervisor, PI and/or Ethics Committee. The Privacy Notice must be provided to participants along with their participant information.

Research and Data Protection guidance

Please complete the Researcher's Data Protection Compliance Checklist (Pre-PIA)​​ and send to dataprotection@napier.ac.uk. If you have any queries whilst you are completing it please re-read the guidance document above or contact dataprotection@napier.ac.uk.

We have also provided a template Privacy Notice for you to update and provide to your participants. The Information Governance team don't need to see or check this, but please think about how this reads to your participants and word it accordingly: 

​Research Privacy Notice template​

​​ 

Further guidance is available from JISC https://www.jisc.ac.uk/guides/rdm-toolkit​ 

The European Commission's guidance on Ethics and Data Protection is available here: http://ec.europa.eu/research/participants/data/ref/h2020/grants_manual/hi/ethics/h2020_hi_ethics-data-protection_en.pdf​

 

2) Oath of Confidentiality for Research Students

All students conducting research at Edinburgh Napier University which involves processing personal data must directed to these intranet pages (Data Protection for Research), and sign an oath of confidentiality in relation to personal data to which they will have access in the course of their studies.  This form should be retained by the area in which the research is being conducted for the period end of studies with the University plus 6 years.

 

Download the Oath of Confidentiality Form for Research Students

 

If PG Research students are processing any categories of personal data they are required to complete an Oath of Confidentiality. 


3) Standard Descriptions of Categories of Personal Data

The following is a list of standard descriptions of categories of personal data examples:

Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description.

Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, driving licence details.

Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject’s lifestyle and social circumstances, including current marriage and partnerships, marital history, details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organisations.

Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, professional expertise, student and pupil records.

Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records, and security records.

Financial details, including information relating to the financial affairs of the data subject, including income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details, and pension information.

Goods or services provided and related information, including details of the goods or services supplied, licences issued, and contracts.

etc.     

 

Special category (sensitive) personal data concerns, reveals or is about:

racial or ethnic origin

political opinions

religious or philosophical beliefs

trade union membership

genetic data

biometric data (if used to identify a natural person)

health

sex life or sexual orientation

criminal convictions and offences

none of the above

 

4) Data Protection Legal Bases v Research Ethics Consent


Data Protection legal bases are distinct from research ethics consent in that the University has the legal power by law (statutory order) to conduct research and can therefore process personal data without specifically asking for consent, however research consent is required to ensure that the research is conducted in an ethical way and participants understand and agree to what is being asked of them or, you could say it is the accepted mechanism to ensure that research is conducted in an ethical way which upholds the rights of the participants e.g. to make an informed decision.

 There are some useful articles online:

Preparation for the implementation of the General Data Protection Regulation (GDPR): understanding the current legal situation (ukri.org)

"Informed, voluntary and fair consent is the cornerstone of ethical research involving people. It is a mechanism, to ensure the rights of individual participants can be respected. It is through the consent process that research participants can understand what taking part in a specific study will mean for them, so they can make an informed choice and feel able to express their wishes." 

GDPR Brief: What is the difference between research ethics consent and data protection consent? (ga4gh.org)


5) Processing Personal Data in the Public Domain

Processing information available in the public domain depends on purposes, the processing being done and legal basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3 . Social media sites also have their own requirements set out in their Ts & Cs which must be complied with. Of course, processing for research can take place, but researchers must give due consideration to the requirements of the legislation and rights of participants, which is done through the University’s governance and ethics processes. There’s no problem with processing personal data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.​

Where you are recruiting participants using information which is publicly available, please advise them where you got their information from and your justification for using it for your project e.g. their connection to the topic, subject matter expert, etc.. Where personal data is collected from publicly available resources there is a higher risk of the individuals complaining about the use of their data, so please ensure that you don’t contact anyone who would consider the use of their data to be unreasonable and unfair.


6) Using Social Media for Research


LinkedIn 

If you are advertising your research on a LinkedIn 'message board' and providing links in there to participant information and the privacy notice, this is fine, as long as it complies with the rules for that group or channel (if in doubt contact the group/channel administrator to ask permission). It is advisable to use NoviSurvey to give potential participants a secure method of signing up to your study. You can use NoviSurvey as a means of providing participant information, the privacy notice, collecting consent, and, of course, disseminating your questionnaire/survey. Depending on the research project this could potentially all be done at the same time. Where it is not necessary to collect personal data you can use NoviSurvey in anonymous mode and collect consent via a 'tick box' without requesting name, contact details, etc. which would identify the participant.

LinkedIn doesn’t have any guidance specifically for research participant recruitment via their messaging service (only for their own research). If you message members you must make information about the research project (including privacy notice information) available elsewhere online and provide a link in your intro message so that they can review it before making their decision whether or not to participate. If they do not respond you should not follow up more than once.

You must ensure that you comply with the LinkedIn Policies, Terms and Conditions of use as well as Data Protection legislation. The following links refer:

-https://www.linkedin.com/legal/professional-community-policies (Conduct Policy), which says: Comply with the law: You must comply with all applicable laws, including, for example, privacy laws

- https://www.linkedin.com/help/linkedin/answer/61106/linkedin-messaging-overview?lang=en


7) Using Others' Photos for Research

 

1) Use of photos from social media sites. You need to determine if the social media site is a closed group (requires membership) e.g. LinkedIn or Facebook, or the information/photos published are publicly available e.g. Twitter. Either way, if using social media as a source then you will need to comply with the site provider’s terms and conditions of use. Where the social media site requires membership to view the images you will also need to check if there are group terms and conditions which are applicable - the smaller the group, the higher the expectation of privacy. Processing information available in the public domain depends on purposes, the processing being done and legal basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3. Of course, processing for research can take place, but researchers must give due consideration to the requirements of the legislation and rights of participants, which is done through the University’s governance and ethics processes. There’s no problem with processing personal data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.

2) The use of photos to generate information for the project e.g. as a discussion point not to be disseminated further and only available to the researcher and the participant/s, this is fine from a data protection perspective however, appropriate safeguards e.g. security, need to be observed and copyright requirements adhered to (see point 4). 

3) The use of photos in outputs would require permission from the owner of the image (for copyright purposes, please see below), and if individuals can be identified in the photo then you must be able to prove that you have provided them with your Privacy Notice or that doing so would involve disproportionate effort. If photos are taken at public events there is a reduced expectation of privacy for individuals attending those events, however you must check if event organisers have notices up around the event advising attendees that photography will/may take place and if they have stipulated that photography may take place in their privacy notice, so worth checking with the event organiser if this is the case. If you are organising the event then please ensure you have notices up and that you have advised attendees in your event sign-up form and privacy notice that photographs will be taken. It is advisable to include a 'check box' in the event sign-up form where the attendee agrees that they understand that photography will take place and that their photo may be taken and used. You MUST provide them with instructions on how to opt out of having their photo taken - it may be that you reserve seats which will not be included in any photography or ask them to specifically request this on the day, so that you can identify them in any images and discard those. Depending on your individual circumstances you could include photos in your marked dissertation / thesis and redact them from any published versions – this is the safest scenario, as it is possible for complaints to arise if an individual is recognised in circumstances which may have consequences for them e.g. attending an event when they should have been at work. If processing someone else’s personal data that isn’t a direct participant it’s always a good idea to think about how you’d feel if that was your personal data e.g. is it fair, would they expect it, etc. and then by doing the pre-PIA process you can ensure the processing complies with the legislation.

If you are using photos in your outputs which include personal data (recognisable individuals) then you MUST have their written agreement to do this and taking of photos and their uses must be detailed in both the Participant Information and the Privacy Notice. You can either rely on Article 6(1)(e) (please see your DPIA checklist form) or rely on Article 6(1)(a) consent. In order to evidence this you can take a photo of the individual holding the Privacy Notice with their signed agreement or consent form, and ensure that those records are kept securely with your research consent forms.

4) Copyright in photos – please see our Library Guide here for more information: Copyright for researchers - Copyright guidance - LibGuides at Edinburgh Napier University. RIE (Research & Innovation Office (napier.ac.uk)) has also provided the following advice in answer to the question

You will need permission to use photos or ascertain whether permission has already been given - sometimes this is attached to the image under a Creative Commons License. As this is 3rd party IP, there will normally be some sort of rights over the use of the image even if researchers are not reproducing the actual content, they need the photos to generate discussion and descriptors as they will then be creating their own dataset on the back of this for their research. The photo is the background IP and the output is the foreground IP. We may have no rights to disseminate the foreground unless we sought these right at the start. If no CC license is given, researchers will need to ascertain their own permissions. ​

 

8) Basic Pseudonymisation Guidance


Please see guidance document here: Basic_Pseudonymisation_Guidance


 

​​9) Providing Participants with a Secure Method of Sending Their Personal Data to the Researcher/s


Researchers have a responsibility to provide participants with a secure method of providing you with their personal data. One way of doing this is by using a survey tool. The University has several tools available including Novi Survey and MS Forms – further information about these is available here: https://my.napier.ac.uk/it-support/how-do-i/survey-software

When creating your survey you can divide it into sections/pages and use these pages in the following way:

Page 1 – Provide participants with information about your project (Participant Information Sheet)

Page 2 – Provide participants with a Privacy Notice (template available here: https://staff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/statement.aspx)

Page 3 – Consent form

Page 4 – Collection of personal data e.g. name, contact details, and any other information required for you to confirm that they are suitable candidates in order for you to meet your research objectives (if this is necessary for your project)

Page 5 – Collection of research data via a questionnaire (if this is appropriate at this stage of the project)

Page 6 – Debrief information (if necessary)

You can then provide participants with a link to your survey in your project promotion communications and participants can provide the information directly to you securely and without having to provide it by email or via a third party (gate-keeper, etc.).​


It is likely that when you collect your research data you will also be collecting personal data, particularly if you are recording audiovisual interviews. Using University provided and approved systems to collect your research data ensures that the security checks have already been done by Information Services, although you still need to take resonable care that you are using the systems provided correctly. You need to consider security at all stages of processing personal data e.g. collection of participant information during recruitment, administration of the 'research instruments' (survey's interviews, etc. etc.), during any sharing of data with others or transfer of data between systems or parties, right through to destruction. The ICO (UK data protection regulator) requires personal data to be encrypted at all stages of processing.


10) Undergraduate and Taught Postgraduate Research / Dissertations

 

Please see: https://staff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/StudentAdvice.aspx​​ 

 

Students processing personal data for the purposes of undertaking their studies do so for their own personal purposes e.g. as part of their degree course dissertation. The student makes their own decisions about what work they will do, how this will be done and presented in their final submission, and therefore works on behalf of themselves and not the University. Whilst supervisors can advise on good research practice and data protection issues, and make suggestions about how the research is conducted, the final decision lies with the student. The University only becomes the Data Controller once the work is submitted.

If you are emailing proposed participants or participants you must NOT put a list of name in the "cc" field of the email - you must use "bcc", unless you have a specific reason that the participants need to see eachother's details.

When recruiting particpants you must think about what is fair and reasonable with regards to the use of their data e.g. would they expect to hear from you? It is good practice to let them know where you sourced their contact details from. Give them adequate information about what you are doing so that they are fully informed - this will reduce the risk of a complaint being made about your use of their information. It is always less risky to allow participants to 'self-select' rather than to target them from information gathered from sources other than directly from the person themselves. 'Self-select' means that you advertise your study/project and individuals make a decision to participate and provide their information voluntarily. 

Practical guidance is available here: UG Dissertation & TPG Research Data Protection Advice​​



Page updated 23 Nov 2022

​​​​​​​​​​​​​​