Skip navigation to content

Data legislation

In this section:

  1. Data protection and research data
  2. Freedom of information and research data
  3. Environmental Information Regulation

Data protection and research data

If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 2018 (The Act) and the the General Data Protection Regulation (GDPR). The Act gives individuals certain rights and imposes obligations on those who record and use personal information to be open about how information is used. There are six data protection principles concerning how personal data should be managed:

Data should be

  1. processed fairly and lawfully,
  2. obtained for specified and lawful purposes,
  3. adequate, relevant and not excessive,
  4. accurate and, where necessary, kept up-to-date,
  5. not kept for longer than necessary,
  6. kept and processed in a secure manner.

Lawful bases under which researchers can obtain personal data include

  1. collection is based on consent  by the data subject,
  2. collection is necessary for the performance of a contract,
  3. there is a legal obligation placed upon the data controller to collect the data,
  4. collection is necessary to protect vital interests of the data subject or another natural person,
  5. collection is carried out in the public interest or in the exercise of official authority,
  6. the data controller has a legitimate interest to collect the data.

For further information, please see the University's guidance on data protection and the General Data Protection Regulation. Additional guidance on legal and ethical issues with respect to research data is available from the UK Data Service


Freedom of information and research data

The Freedom of Information (Scotland) Act 2002 (FOI) gives the public a general right of access to information a public authority holds and places an obligation on the authority to provide the information that has been requested, subject to any valid exemptions. The University of St Andrews has adopted the Single Model Publication Scheme 2013 produced by the Scottish Information Commissioner who is responsible for enforcing the Freedom of Information (Scotland) Act 2002. Your research data may be covered by the terms of the Act.

In circumstances where you think there are legal, ethical or other valid reasons why you shouldn't supply data requested from you, or the request is specifically identified as a FOI request, you should consult the University's Freedom of Information Officer. The legislation requires the University to supply information, or a refusal notice within 20 working days from receipt of the request.


Environmental Information Regulation

You may additionally receive requests for data under Environmental Information (Scotland) Regulations 2004, through which the public can gain access to environmental information held by public authorities. Rules for requests of environmental data are similar to regular FOI requests.

Both FOI and EIR include a number of exemptions and exceptions to protect information such as confidentiality or sensitive data or financially valuable information. If you are concerned, consult the University's Freedom of Information Officer.


Please don't hesitate to contact the RDM team for further information and advice.