Data Protection

Academic research

Academics involved in supervising students whose work uses personal information have a duty to ensure that their students are aware of the requirements of the Data Protection Act, specifically:

  • the need to obtain the consent of the Data Subjects of the research
  • the need to ensure all personal information received is held confidentially and securely
  • the fact that results must be anonymised and not identify individual research participants.

Academics should follow our guidance to ensure compliance with the Act.

Email questions to or contact the team directly.

Obtaining consent

Participants in research projects must be told in clear terms, preferably in writing:

  • exactly what information is being collected
  • what it will be used for
  • to whom it may be released
  • whether and in what form the data will be published.

The individual must be asked to sign a statement agreeing to the use of their personal data for these purposes. Contact the Data Protection team for advice on the wording of such a statement.

If research data is being supplied by a third party source, such as a GP, it is important to check that they have secured permission to supply any personal data to the University.

Collecting data

Researchers need to ensure that they only collect personal data that is strictly necessary for the research being undertaken, in line with our guidance on gathering data. Unless necessary for the research, details such as names and addresses must not be collected at all.

Data security

It is vital that all personal data being used for research is held securely and that access is restricted to the staff or students engaged in the research.

If any data is to be processed by, or shared with, a third party, that third party will need to enter into a written agreement with the University to ensure compliance with the Data Protection Act 1998. Contact the Data Protection team for assistance with wording this agreement.

It is important that data security is considered if any data is to be processed or taken off-site or kept on mobile devices.

Publishing results

Researchers must ensure that the results of the research are anonymised when published and that no information is published that would enable the Data Subject to be identified.

Exemptions from the Act

There are exemptions to the general rules on data protection that apply to academic research.

Further processing of personal data

Personal data which has been collected for one piece of research can be used for other research without breaching the Act.

However, this only applies to research data that is:

  • not being used to “support measures or decisions with respect to particular individuals”
  • not processed in such a way that is likely to cause substantial damage or distress to the relevant individual.

Retention of personal data

Personal data collected in connection with research can be kept indefinitely so that research can be reconsidered or the data re-analysed at a later date.

Subject Access Requests

Research data must be anonymised or the usual rights of the Data Subject to view information held about them will apply.

Individuals whose personal data is being used in research do not have the right to see their data or be supplied with details of it, provided that the results of the research or any resulting statistics do not identify the individuals concerned.