Guidelines on academic research and the Data Protection Act 1998
Personal data which is used for the purposes of academic or statistical research must be dealt with in compliance with the Data Protection Act 1998. There are, however, some exemptions.
Other than the three following exceptions, the Data Protection Act applies in full to all personal data held and used for research purposes. This means that the obligations to obtain consent before using data, to collect only necessary and relevant data, to ensure that all data held is accurate and to hold data securely and confidentially must be complied with.
1. Further processing of personal data
Personal data which has been collected for one piece of research may be used for other research without breaching the Act. However, this only applies to research data that is not being used to support measures or decisions with respect to particular individuals and which is not processed in such a way that is likely to cause substantial damage or distress to the relevant individual. This means that personal data collected for one piece of research could be used for an associated research project or area.
2. Retention of personal data
Personal data collected in connection with research can be kept indefinitely. This means that staff and students involved in academic research can retain records containing personal data so that research can be reconsidered or the data re-analysed at a later date.
3. Subject access requests
The individuals whose personal data is being used in research do not have the right to see their data or be supplied with details of it provided that the results of the research or any resulting statistics do not identify the individuals concerned. Basically, research data should be anonymised or the usual rights of the data subject to view information held about them will apply.
General rules of compliance
The main issues to be considered in relation to research projects are as follows:
Participants in research projects should be told in clear terms (preferably in writing) exactly what information is being collected, what it will be used for and to whom it may be released. They should also be told whether and in what form the data will be published. The individual should be asked to sign a statement agreeing to the use of their personal data for these purposes. Elizabeth Richardson can advise on the wording of such a statement. If research data is being supplied by a third party source, such as a GP, it is important to check that they have secured permission to supply any personal data to the University in connection with the research project.
2. Data collection
Researchers need to ensure that they only collect personal data that is strictly necessary for the research that is being undertaken. Any irrelevant or excessive information should not be retained. Particular care should be taken in relation to sensitive personal data (e.g. that relating to race, political opinion, religious belief, trade union membership, physical or mental health, sexuality or criminal offences). Such data should only be used where specific consent (in writing) has been obtained. Unless necessary for the research, details such as names and addresses should not be collected at all.
It is vital that all personal data being used for research is held securely and that access is restricted to the staff or students engaged in the research. If any data is being processed by a third party, that third party should enter into a written agreement with the University to ensure compliance with the Data Protection Act 1998.
As well as ensuring that data is held securely at the University, it is important that security is also considered if any data is to be processed off-site. Security issues also apply to the destruction of data and any personal records which are no longer required should be destroyed confidentially.
In order to avoid causing any damage or distress to data subjects, researchers should ensure that the results of the research are anonymised when published and that no information is published that would enable the data subject to be identified. Results of the research can be published on the web but if this includes any personal data then the consent of the data subject must be obtained first. Similarly no personal data should be sent outside the European Economic Area without specific consent.