• Home
  • Login
  • Welcome to the Staff Intranet

Processing Data for Research Purposes

Further guidance on the use of personal data in research is available in Section 6 of the Data Protection Code of Practice.

Sports Science ResearcherData Protection: Researchers' Guidance

Respect for confidentiality is essential to maintain trust between the public and those engaged in research.  All researchers intending to use personal data must comply with the requirements of data protection legislation, the University's Data Protection Code of Practice and any associated guidance. This guidance covers the data protection issues researchers should take into account and the actions to take to be compliant.


Whilst the University provides a generic Privacy Notice for Research this does not take the place of the project specific Privacy Notice that must be provided to participants.


Please read the guidance and complete the Researcher's Checklist, Oath of Confidentiality (if you are not an employed researcher who has signed an employment contract e.g. research postgraduate) and Privacy Notice. The checklist and oath are required internally by the supervisor, PI and/or Ethics Committee. The Privacy Notice must be provided to participants along with their participant information.

Research and Data Protection guidance

Please complete the Researcher's Data Protection Compliance Checklist (Pre-PIA)​ and send to dataprotection@napier.ac.uk. If you have any queries whilst you are completing it please re-read the guidance document above or contact dataprotection@napier.ac.uk.


 Undergraduate and Taught Postgraduate Research / Dissertations


Please see: https://staff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/StudentAdvice.aspx​​ 


Students processing personal data for the purposes of undertaking their studies do so for their own personal purposes e.g. as part of their degree course dissertation. The student makes their own decisions about what work they will do, how this will be done and presented in their final submission, and therefore works on behalf of themselves and not the University. Whilst supervisors can advise on good research practice and data protection issues, and make suggestions about how the research is conducted, the final decision lies with the student. The University only becomes the Data Controller once the work is submitted.


Practical guidance is available here: UG Dissertation & TPG Research Data Protection Advice​


Further guidance is available from JISC https://www.jisc.ac.uk/guides/research-data-management 


The European Commission's guidance on Ethics and Data Protection is available here: http://ec.europa.eu/research/participants/data/ref/h2020/grants_manual/hi/ethics/h2020_hi_ethics-data-protection_en.pdf


Oath of Confidentiality for Research Students

All students conducting research at Edinburgh Napier University which involves processing personal data must directed to these intranet pages (Data Protection for Research), and sign an oath of confidentiality in relation to personal data to which they will have access in the course of their studies.  This form should be retained by the area in which the research is being conducted for the period end of studies with the University plus 6 years.


Download the Oath of Confidentiality Form for Research Students


If PG Research students are processing any categories of personal data they are required to complete an Oath of Confidentiality. 

Standard Descriptions of Categories of Personal Data

The following is a list of standard descriptions of categories of personal data examples:

Personal details, including any information that identifies the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description.

Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, driving licence details.

Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject’s lifestyle and social circumstances, including current marriage and partnerships, marital history, details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organisations.

Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualifications, skills, training records, professional expertise, student and pupil records.

Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records, and security records.

Financial details, including information relating to the financial affairs of the data subject, including income, salary, assets and investments, payments, creditworthiness, loans, benefits, grants, insurance details, and pension information.

Goods or services provided and related information, including details of the goods or services supplied, licences issued, and contracts.

Personal data relating to criminal convictions and offences



Special category (sensitive) personal data concerns, reveals or is about:

racial or ethnic origin

political opinions

religious or philosophical beliefs

trade union membership

genetic data

biometric data (if used to identify a natural person)


sex life or sexual orientation

criminal convictions and offences

none of the above


Processing Personal Data in the Public Domain

Processing information available in the public domain depends on purposes, the processing being done and legal basis used, etc. The ICO has guidance here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-common-issues-might-come-up-in-practice/#id3 . Social media sites also have their own requirements set out in their Ts & Cs which must be complied with. Of course, processing for research can take place, but researchers must give due consideration to the requirements of the legislation and rights of participants, which is done through the University’s governance and ethics processes. There’s no problem with processing personal data as long as due regard is taken for the legislation and appropriate safeguards are put in place to protect participants' rights, the security of the personal data e.g. encrypted at all times and data minimisation is observed throughout the project e,g, collect only what is needed and pseudonymise personal data as early as possible.​

Using Social Media for Research


If you are advertising your research on a LinkedIn 'message board' and providing links in there to participant information and the privacy notice, this is fine, as long as it complies with the rules for that group or channel (if in doubt contact the group/channel administrator to ask permission). It is advisable to use NoviSurvey to give potential participants a secure method of signing up to your study. You can use NoviSurvey as a means of providing participant information, the privacy notice, collecting consent, and, of course, disseminating your questionnaire/survey. Depending on the research project this could potentially all be done at the same time. Where it is not necessary to collect personal data you can use NoviSurvey in anonymous mode and collect consent via a 'tick box' without requesting name, contact details, etc. which would identify the participant.

LinkedIn doesn’t have any guidance specifically for research participant recruitment via their messaging service (only for their own research). If you message members you must make information about the research project (including privacy notice information) available elsewhere online and provide a link in your intro message so that they can review it before making their decision whether or not to participate. If they do not respond you should not follow up more than once.

You must ensure that you comply with the LinkedIn Policies, Terms and Conditions of use as well as Data Protection legislation. The following links refer:

-https://www.linkedin.com/legal/professional-community-policies (Conduct Policy), which says: Comply with the law: You must comply with all applicable laws, including, for example, privacy laws

- https://www.linkedin.com/help/linkedin/answer/61106/linkedin-messaging-overview?lang=en


Page updated 19 January 2022