Processing Data for Research Purposes
Further guidance on the use of personal data in research is available in Section 6 of the Data Protection Code of Practice.
Data Protection: Researchers' Guidance
Respect for confidentiality is essential to maintain trust between the public and those engaged in research. All researchers intending to use personal data must comply with the requirements of data protection legislation, the University's Data Protection Code of Practice and any associated guidance. This guidance covers the data protection issues researchers should take into account and the actions to take to be compliant.
Whilst the University provides a generic Privacy Notice for Research this does not take the place of the project specific Privacy Notice that must be provided to participants.
Please read the guidance and complete the Researcher's Checklist, Oath of Confidentiality (if you are not an employed researcher who has signed an employment contract e.g. research postgraduate) and Privacy Notice. The checklist and oath are required internally by the supervisor, PI and/or Ethics Committee. The Privacy Notice must be provided to participants along with their participant information.
Research and Data Protection guidance
Please complete the Researcher's Data Protection Compliance Checklist (Pre-PIA) and send to firstname.lastname@example.org. If you have any queries whilst you are completing it please re-read the guidance document above or contact email@example.com.
We have also provided a template Privacy Notice for you to update and provide to your participants. The Information Governance team don't need to see or check this, but please think about how this reads to your participants and word it accordingly: Privacy Notice for Participants
Undergraduate and Taught Postgraduate Research / Dissertations
Please see: https://staff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/StudentAdvice.aspx
Students processing personal data for the purposes of undertaking their studies do so for their own personal purposes e.g. as part of their degree course dissertation. The student makes their own decisions about what work they will do, how this will be done and presented in their final submission, and therefore works on behalf of themselves and not the University. Whilst supervisors can advise on good research practice and data protection issues, and make suggestions about how the research is conducted, the final decision lies with the student. The University only becomes the Data Controller once the work is submitted.
If you are emailing proposed participants or participants you must NOT put a list of name in the "cc" field of the email - you must use "bcc", unless you have a specific reason that the participants need to see eachother's details.
When recruiting particpants you must think about what is fair and reasonable with regards to the use of their data e.g. would they expect to hear from you? It is good practice to let them know where you sourced their contact details from. Give them adequate information about what you are doing so that they are fully informed - this will reduce the risk of a complaint being made about your use of their information. It is always less risky to allow participants to 'self-select' rather than to target them from information gathered from sources other than directly from the person themselves. 'Self-select' means that you advertise your study/project and individuals make a decision to participate and provide their information voluntarily.
Practical guidance is available here: UG Dissertation & TPG Research Data Protection Advice
Further guidance is available from JISC https://www.jisc.ac.uk/guides/rdm-toolkit
The European Commission's guidance on Ethics and Data Protection is available here: http://ec.europa.eu/research/participants/data/ref/h2020/grants_manual/hi/ethics/h2020_hi_ethics-data-protection_en.pdf
All students conducting research at Edinburgh Napier University which involves processing personal data must directed to these intranet pages (Data Protection for Research), and sign an oath of confidentiality in relation to personal data to which they will have access in the course of their studies. This form should be retained by the area in which the research is being conducted for the period end of studies with the University plus 6 years.
Download the Oath of Confidentiality Form for Research Students
If PG Research students are processing any categories of
personal data they are required to complete an Oath of Confidentiality.
Standard Descriptions of Categories of Personal Data
The following is a list of standard descriptions of
categories of personal data examples:
Personal details, including any information that identiﬁes the data subject and
their personal characteristics, including: name, address, contact details, age,
date of birth, sex, and physical description.
Personal details issued as an identifier by a public authority, including
passport details, national insurance numbers, identity card numbers, driving
Family, lifestyle and social circumstances, including any information relating
to the family of the data subject and the data subject’s lifestyle and social
circumstances, including current marriage and partnerships, marital history,
details of family and other household members, habits, housing, travel details,
leisure activities, and membership of charitable or voluntary organisations.
Education and training details, including information which relates to the
education and any professional training of the data subject, including academic
records, qualiﬁcations, skills, training records, professional expertise,
student and pupil records.
Employment details, including information relating to the employment of the
data subject, including employment and career history, recruitment and
termination details, attendance records, health and safety records, performance
appraisals, training records, and security records.
Financial details, including information relating to the ﬁnancial affairs of
the data subject, including income, salary, assets and investments, payments,
creditworthiness, loans, beneﬁts, grants, insurance details, and pension
Goods or services provided and related information, including details of the
goods or services supplied, licences issued, and contracts.
Special category (sensitive) personal data concerns, reveals
or is about:
racial or ethnic origin
religious or philosophical beliefs
trade union membership
biometric data (if used to identify a natural person)
sex life or sexual orientation
criminal convictions and offences
none of the above
Processing Personal Data in the Public Domain
Processing information available in the public domain depends on purposes, the processing being done and legal
basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3
. Social media sites also have their own requirements set out in their Ts &
Cs which must be complied with. Of course, processing for research can take
place, but researchers must give due consideration to the requirements of the
legislation and rights of participants, which is done through the University’s
governance and ethics processes. There’s no problem with processing personal
data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.
Where you are recruiting participants using information which is publicly available, please advise them where you got their information from and your justification for using it for your project e.g. their connection to the topic, subject matter expert, etc.. Where personal data is collected from publicly available resources there is a higher risk of the individuals complaining about the use of their data, so please ensure that you don’t contact anyone who would consider the use of their data to be unreasonable and unfair.
Using Social Media for Research
If you are advertising your research on a LinkedIn 'message board' and providing links in there to participant information and the privacy notice, this is fine, as long as it complies with the rules for that group or channel (if in doubt contact the group/channel administrator to ask permission). It is advisable to use NoviSurvey to give potential participants a secure method of signing up to your study. You can use NoviSurvey as a means of providing participant information, the privacy notice, collecting consent, and, of course, disseminating your questionnaire/survey. Depending on the research project this could potentially all be done at the same time. Where it is not necessary to collect personal data you can use NoviSurvey in anonymous mode and collect consent via a 'tick box' without requesting name, contact details, etc. which would identify the participant.
doesn’t have any guidance specifically for research participant recruitment via
their messaging service (only for their own research). If you message members
you must make information about the research project (including privacy notice
information) available elsewhere online and provide a link in your intro
message so that they can review it before making their decision whether or not
to participate. If they do not respond you should not follow up more than once.
You must ensure that you comply with the LinkedIn Policies, Terms
and Conditions of use as well as Data Protection legislation. The following
Using Others' Photos for Research
1) Use of photos from social media sites. You need to determine if the social media site is a closed group (requires membership) e.g. LinkedIn or Facebook, or the information/photos published are publicly available e.g. Twitter. Either way, if using social media as a source then you will need to comply with the site provider’s terms and conditions of use. Where the social media site requires membership to view the images you will also need to check if there are group terms and conditions which are applicable - the smaller the group, the higher the expectation of privacy. Processing information available in the public domain depends on purposes, the processing being done and legal basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3. Of course, processing for research can take place, but researchers must give due consideration to the requirements of the legislation and rights of participants, which is done through the University’s governance and ethics processes. There’s no problem with processing personal data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.
2) The use of photos to generate information for the project e.g. as a discussion point not to be disseminated further and only available to the researcher and the participant/s, this is fine from a data protection perspective however, appropriate safeguards e.g. security, need to be observed and copyright requirements adhered to (see point 4).
3) The use of photos in outputs would require permission from the owner of the image (for copyright purposes, please see below), and if individuals can be identified in the photo then you must be able to prove that you have provided them with your Privacy Notice or that doing so would involve disproportionate effort. If photos are taken at public events there is a reduced expectation of privacy for individuals attending those events, however you must check if event organisers have notices up around the event advising attendees that photography will/may take place and if they have stipulated that photography may take place in their privacy notice, so worth checking with the event organiser if this is the case. If you are organising the event then please ensure you have notices up and that you have advised attendees in your event sign-up form and privacy notice that photographs will be taken. It is advisable to include a 'check box' in the event sign-up form where the attendee agrees that they understand that photography will take place and that their photo may be taken and used. You MUST provide them with instructions on how to opt out of having their photo taken - it may be that you reserve seats which will not be included in any photography or ask them to specifically request this on the day, so that you can identify them in any images and discard those. Depending on your individual circumstances you could include photos in your marked dissertation / thesis and redact them from any published versions – this is the safest scenario, as it is possible for complaints to arise if an individual is recognised in circumstances which may have consequences for them e.g. attending an event when they should have been at work. If processing someone else’s personal data that isn’t a direct participant it’s always a good idea to think about how you’d feel if that was your personal data e.g. is it fair, would they expect it, etc. and then by doing the pre-PIA process you can ensure the processing complies with the legislation.
If you are using photos in your outputs which include personal data (recognisable individuals) then you MUST have their written agreement to do this and taking of photos and their uses must be detailed in both the Participant Information and the Privacy Notice. You can either rely on Article 6(1)(e) (please see your DPIA checklist form) or rely on Article 6(1)(a) consent. In order to evidence this you can take a photo of the individual holding the Privacy Notice with their signed agreement or consent form, and ensure that those records are kept securely with your research consent forms.
4) Copyright in photos – please see our Library Guide here for more information: Copyright for researchers - Copyright guidance - LibGuides at Edinburgh Napier University. RIE (Research & Innovation Office (napier.ac.uk)) has also provided the following advice in answer to the question
You will need permission to use photos or ascertain whether permission has already been given - sometimes this is attached to the image under a Creative Commons License. As this is 3rd party IP, there will normally be some sort of rights over the use of the image even if researchers are not reproducing the actual content, they need the photos to generate discussion and descriptors as they will then be creating their own dataset on the back of this for their research. The photo is the background IP and the output is the foreground IP. We may have no rights to disseminate the foreground unless we sought these right at the start. If no CC license is given, researchers will need to ascertain their own permissions.
Page updated 17 February 2022