You must process personal data in accordance with the DPA 1998. The eight ‘data protection principles’ are the basic rules which provide a framework for compliance. They are:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Personal data shall be accurate and, where necessary, kept up to date
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
- Personal data shall be processed in accordance with the rights of data subjects under this Act
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Fair and lawful processing
For you to process personal data fairly and lawfully, issues such as how the data is collected (ie were data subjects deceived or misled as to the purpose of the processing), and the information you will provide to data subjects (eg who is the data controller, the purpose for which it is to be processed, any information especially relevant to the particular processing and third parties to whom the data may be supplied) must be considered.
Additionally, the DPA 1998 sets out six conditions for processing of personal data: you must meet at least one of these before the processing can be considered fair and lawful. Two of those conditions are usually appropriate for researchers:
- The data subject has given their consent to the processing
- The processing is necessary for the purposes of legitimate interests pursued by the data controller or by third parties to whom the data are disclosed, unless it would prejudice the rights and freedoms or legitimate interests of the data subject.
For most research projects involving personal data, consent would be the normal condition under which empirical research is conducted, but if the nature of your research makes it impracticable or otherwise undesirable to attempt to seek/obtain such consent, you could consider establishing a reasoned case that the processing is necessary for the purpose of a legitimate interest, and would not unfairly damage the interests of the data subjects. This would provide an alternative condition for the conduct of research.
The ICO suggests that where a condition specifies that processing must be necessary for the purpose stated, you should be able to show that it would not be possible to achieve your purpose(s) with a reasonable degree of ease without the processing of personal data. Where you could achieve, with a reasonable degree of ease, a purpose using data from which the personal identifiers have been removed, that would be the more appropriate course of action.
Telling data subjects the reasons for collecting their data
When collecting data from research subjects, you will normally be expected to tell people who you are, the name of the institution that will hold the data, what you are going to do with their information and who it will be shared with.
However, you may wish to tell them more than this, eg information about their rights of access to their personal data, or your arrangements for keeping their data secure. If you think the person would be surprised by a potential use of their personal data by you, you should make a point of explaining it.
Providing such information will normally be expected as part of the process of obtaining ‘informed consent’ for ethical purposes: it will also ensure that information is collected and used fairly for data protection purposes.
It is good practice to try to put yourself in the position of the people you're collecting information about, eg information notices should be written taking into account the likely language skills and reading levels of the average member of the research subject cohort, and should not resort to legal or academic jargon.
Simply telling most research subjects that “your data will be processed in conformity with the DPA 1998” is pointless. Unless they are data protection experts, research subjects will often have little idea what this means either in terms of their rights or of your obligations. That is inadequate for both ethical and legal purposes.
Detailed guidance on privacy notices has been produced by the Information Commissioner’s Office in Privacy Notices: Code of Practice (2009).
Research ethics committees (RECs) will usually expect you to tell research participants:
- Who you are and your institutional affiliation
- Who, if anyone, is funding the research
- What you are asking the participant to do or provide (and how long this will take)
- That participation is voluntary and that participants can withdraw from participation at any time (although you should be careful to spell out what this means in practice, ie, do participants have the right to withdraw any data they have already given you? Up to what point in the research process will this right hold good?)
- How you plan to store the data (including details on any anonymisation process)
- What you will do with the data (including details on how it will be used in any subsequent publications)
- What will happen to the data once the research is concluded (i.e. secure archiving or destruction). This may also be influenced by external considerations, such as open access requirements.
It is important that prospective participants understand the information being conveyed to them in order to obtain their consent. Materials you produce for the purpose of informing research participants should be appropriately drawn up for those who have poor, or non-existent, levels of literacy, or for whom English is not their native language.
Based on your assessment of the characteristics of your research participants, you should provide an assessment of whether particular difficulties or risks may arise in the provision of appropriate information about the research, and if so, how you intend to convey your information to facilitate understanding, eg written documentation might be supplemented with audio and/or visual aids, and language barriers might be addressed by the use of an intermediary who has the necessary language skills to ensure effective communication.
REC requirements for consent
As we’ve already noted, consent is not the only DP condition under which personal data can be processed, so if you can satisfy another condition applicable to research, this is not a barrier to your research. However, prior informed consent is seen as a key component of most human subject research, and your REC may be reluctant to grant ethical approval to a research methodology which does not seek prior informed consent.
However, there are circumstances where a REC may accept you delaying informing research subjects about your collection of research data, where informed consent may be obtained for ethical purposes without a formal recording, or in rare cases where obtaining informed consent is simply not possible, eg seeking consent itself poses a risk to research subjects. It is essential to consult your REC in advance in circumstances where you plan not to seek prior informed consent.
Detailed guidance on consent and ethical approval has been produced by the UK Data Archive in the consent and ethics section of their website.
Obligation to check that third party data was obtained in an appropriate manner
This will depend on issues such as: where and when the data was collected, what information was provided to data subjects, the expectations of data subjects about how their data would be used, the potential impact of reuse on data subjects’ rights and freedoms, the importance of the data to the research and the importance of the research to the public interest.
Whether you can use the data will depend not just upon the position at law, but also upon your institution’s ethical viewpoint. For example, if you receive recent data from an overseas institution where you know that written consent was not obtained and/or the collector was in a position of authority relative to the participants at the time, regardless of the DP position, it is unlikely that your REC would consider the data collection to be ethical.
Where you reuse data collected by a third party for research purposes, you have a degree of exemption from some DP rules (See Q9), but you still have obligations to data subjects (See Q9a, Q10), including the primary obligation to process their data ‘fairly’.
If you know the data was not obtained fairly, then by definition you are not in conformity with the DP Principles. It would be reasonable to expect you to have engaged in at least some investigation of the circumstances in which the personal data was obtained.
Where you are using historical personal data collected at a time prior to DP legislation and/or when ethical standards for collection of research data were different, you should still decide prior to processing whether research use of the data is fair, whether data subjects could reasonably be informed of the reuse of their data, and what risks the proposed reuse poses for data subjects. It is good practice to keep a record of your decisions and the reasons for them.
Where you are receiving personal data as part of a research consortium, it will be expected that you have ensured that your partners will be collecting the data in conformity with both relevant DP law and ethical practice.
Additionally, if you are a primary investigator/lead institution in a multi-partner research project, funders may require you to ensure the data protection arrangements of your partners and any service providers are appropriate, even if you are satisfied that your home institution won’t handle any personal data.
Informing data subjects as part of covert or deceptive research
Covert research is where you collect research data without the consent or knowledge of research participants or subjects. Deceptive research involves the deliberate deception of participants, where you don’t reveal the true purpose of the study (or reveal it only after the study is completed). Both forms of research are controversial, not least because neither involves obtaining prior informed consent from research participants.
The DPA 1998 permits a delay in disclosure of the information you should provide to data subjects as long as such disclosure takes place as soon as practicable after the time you first process the data. Clearly, with covert or deceptive research, such disclosure will not take place during the data collection phase, but if practicable should take place as soon as the research methodology permits.
Even where the DPA 1998 permits the covert or deceptive methods to be employed, RECs may refuse to approve such research, or if it is permitted, may require you to clearly identify:
- How the covert or deceptive methods will be employed
- Why other approaches cannot be utilised to collect the data
- What post-collection information provision and consent processes will be utilised, and why, eg participant, proxy or community debriefing; provision to participants of the LREC’s contact details; participant ability to provide informed consent or to withdraw data.
It is essential to consult your REC in advance in circumstances where you plan to undertake research with human subjects using covert or deceptive methods.
Recording online conversations
If you're lurking in an internet chat room, do you have to let all the participants know you're recording their conversations? Disappointingly for those seeking a definitive answer, both legally and ethically the answer is ‘it depends on the context’. The internet is increasingly a site for research, and studies of and on the internet cut across all academic disciplines. Indeed, the term ‘internet research’ covers a wide range of technologies, devices, capacities, uses, and social spaces. Examples of internet research with DP implications include:
- Collecting data or information, eg through online interviews, surveys, archiving, or automated means of data scraping
- Studying how people use and access the internet, eg through collecting and observing activities or participating on social network sites, listservs, web sites, blogs, games, virtual worlds, or other online environments or contexts
- Using visual and textual analysis, semiotic analysis, content analysis, or other methods of analysis to study the web and/or internet-facilitated images, writings, and media forms.
The temptation with much internet data is to argue ‘But the data is already public…’. This overlooks both the legal requirement that personal data must be processed not just ‘lawfully’ but also ‘fairly’, and the ethical principle that, as far as possible, researchers should avoid causing harm to their research subjects.
Your REC will almost certainly want you to consider the specifics of your project, including its risks to data subjects and its social benefits, in addition to considering the practicality of communicating information about your research to the subjects of that research for DP purposes.
A good discussion of this topic can be found in: