Research guidelines: Data protection and research

The Data Protection Act 1998 governs the processing of personal data. The term 'processing' covers collecting, recording, retrieval, consultation, use and disclosure of data. You need to be aware that any research you do involving identifiable living individuals is subject to the provisions of the Act, including the eight data protection principles listed below.

Section 33 of the Act does provide some exemptions specifically for data processing for research (the definition of which includes historical and statistical analysis). These are not blanket exemptions from the data protection principles, however, and you must be aware of where and when they apply. NB: The criteria for these exemptions differ where sensitive personal data is processed.

General advice

Where you are collecting data from individuals for your research project, you should explain clearly, and preferably in writing:

  • What information you are collecting.
  • What it will be used for.
  • Who it is likely to be released to.
  • Whether and how the data is likely to be published.

It would be advisable to get participants to sign a statement to the effect that they know and understand all of the above.

Take particular care where you are processing 'sensitive personal data' (see below). You must get consent as described above.

Unless it is absolutely necessary for your research, do not collect names and addresses.

Where you can, you should anonymise the data using a coding system. You should be aware, however, that as long as you hold the key that ties those codes to individuals, under data protection law, the data would not be regarded as anonymised. To properly anonymise the data, the key must be destroyed.

Using data for new purposes

Principle 2 in Schedule 1 of the Act says that:

  • personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.

However the second part of this principle does not apply to further processing of data only for research purposes, provided that:

  • the data is not processed to support measures or decisions with respect to particular individuals; and
  • the data is not processed in such a way that substantial damage or distress is likely to be caused to any individual.

Keeping data indefinitely

Principle 5 in Schedule 1 of the Act says that:

  • personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.

However this does not apply to personal data processed only for research purposes, provided that:

  • the data is not processed to support measures or decisions with respect to particular individuals; and
  • the data is not processed in such a way that substantial damage or distress is likely to be caused to any individual.

Subject access requests

Section 7 of the Act gives an individual the right to be informed by someone using personal data about him or her: what data is held, the purposes for which it is held and the people to whom it may be disclosed.

However this does not apply to personal data processed only for research purposes, provided that:

  • the data is not processed to support measures or decisions with respect to particular individuals; and
  • the data is not processed in such a way that substantial damage or distress is likely to be caused to any individual; and
  • the results of the research or any resulting statistics are not made available in a form which identifies individuals.

Personal data and sensitive personal data

"Personal data" means data which relate to a living individual who can be identified:

  1. from those data, or
  2. from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

"Sensitive personal data" means personal data consisting of information as to:

  1. the racial or ethnic origin of the data subject,
  2. his political opinions,
  3. his religious beliefs or other beliefs of a similar nature,
  4. whether he is a member of a trade union
  5. his physical or mental health or condition,
  6. his sexual life,
  7. the commission or alleged commission by him of any offence, or
  8. any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Where sensitive personal data are to be processed ONE of the following conditions needs to be met:

  • The individual concerned has given explicit consent (ideally in writing).
  • Medical research is being carried out by a health professional.
  • The research is an analysis of racial/ethnic origins carried out for the purpose of equal opportunities.

The principles

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
    1. at least one of the conditions in Schedule 2 is met, and
    2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.