Research data containing ‘personal data’ will be subject to UK data protection law, which is regulated by the Information Commissioner’s Office (ICO). The law places obligations on you as a researcher. Details of particular circumstances can make a major difference, so conclusions reached in an individual case may well differ from those suggested here. This guide does not constitute, and should not be construed as, legal advice.
Introduction
In the UK, the Data Protection Act 1998 (DPA 1998) regulates the use of information that relates to an identifiable living individual, as well as information which, when combined with other data accessible to the researchers, would permit the individual’s identification (personal data). It places obligations on those who are responsible for determining the purposes for which the personal data is processed (data controllers), and gives rights to those who are the subject of that data (data subjects). Processing of personal data for research purposes falls under the general provisions of the Act, but some specific research-related exemptions are provided.
We assume that you are a researcher who works for, or with, or in a university or research institution, and you are concerned about the application of the UK data protection legislation to the collection, storage, use transfer and disposal of your research data, including requests for access to that data by data subjects (subject access requests) and third parties.
Undertaking research that involves processing personal data will normally bring you into contact with your institutional research ethics committee (RECs) as such research is usually considered as research with human subjects. The boundary between the legal requirements of the DPA 1998, and the ethical principles that your REC use to guide their processes overlap, although those legal requirements and ethical principles may have differing objectives and may not map precisely (see more information).
Different institutions, and indeed disciplines, may also work to different ethical understandings, eg social science researchers may have rather different understandings of the nature and scope of ethical review than researchers in the bio-medical sciences. This guide will concentrate primarily upon the legal issues, but will note where legal and ethical approaches sometimes diverge.
This guide is primarily designed to be accessible, and so may over-simplify complex issues. We assume there will be two primary contact points in your institution who can advise on this complexity: specific institutional 'DP practitioners' eg data protection officers, information rights officers, information compliance officers etc.; and institutional research ethics committees. Most institutions will have a data protection link on their homepage. This link will usually include a data protection policy or guide and details of your DP practitioner.
DP practitioners will be crucial in responding effectively to subject access requests (SARs). Additionally, your institution may have specific policies and procedures that you are obliged to follow when using personal data in your research, and you are advised to investigate those at the project development stage, and before applying for funding.
A survey of existing practice at universities indicates that, when designing a research methodology, it is usual for researchers to initially liaise with their REC to identify and address the DP issues it raises. However, where your research appears to pose a significantly higher level of risk, or if you receive a subject access request, or a request from a third party for information collected during your research that includes personal data (including Freedom of Information (FoI) and Environmental Information (EIR) requests), you should always involve your DP practitioner (often also your FoI/EIR expert).
Remember, this guide is not advice; it is simply guidance aiming to help you have a better-informed discussion with your REC or DP practitioner, or to consider steps you might take in advance.
Related issues outside the scope of this guide, but on which your REC or DP practitioner can advise, include issues relating to application of the Human Rights Act 1998, the law of confidence, and specific commitments made to sponsors under contract, or made via consent forms to research subjects.