Skip to main content

Complying with the Data Protection Act as an academic researcher

The rules you should follow when conducting research and supervising research students in order to comply with the Data Protection Act.

Academics' duties

Academics involved in supervising students whose work incorporates 'personal data' have a duty to ensure that their students are aware of the requirements of the Data Protection Act, specifically:

Identify the Lawful Bases that they are relying on to collect the data.

There are only six permitted lawful bases and at least one must apply. Researchers must be explicit about what this basis is and document it both as part of their ethics application and in the information they provide to research participants.

For the vast majority of research undertaken at the University, the appropriate legal basis for processing personal data will be Article 6(1)(e), i.e. the ‘public task’ basis. This applies where the processing is necessary for the University to perform a task in the public interest or for our official functions (which in accordance with our Royal Charter includes research), and the task or function has a clear basis in law.

While it is the University’s view that the correct lawful basis for most of its research should be the ‘public task’ (and not ‘consent’ which is an alternative lawful basis), it is imperative to note that when we talk about consent as a legal basis, we are referring to only that – the legal basis – we are not referring to ‘ethical informed consent’ which will still be required in addition to the legal basis.

If you or someone you are supervising is collecting personal data for research purposes, to get ethical approval for the project and to comply with accepted ethical standards for research, you will normally still need to obtain informed consent from each individual participant for their involvement in the research. In essence, to use personal data for research you need two bases; the legal basis and the ethical basis. For example, a person may be asked to consent to participate in research (ethical basis) and told that, if they agree to participate, data about them will be processed for a task in the public interest (legal basis).

Meet one of the Additional Conditions for processing Special Category Data, if they plan on collecting any such Special Category Data.

It is the University’s view is that the most appropriate legal basis to rely upon when processing ‘special category personal data’ for research purposes is normally Article 9(2)(j), i.e. where the processing is necessary for ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’. If researchers intend to rely on this condition they will also need to ensure that the processing meets the public interest test and ‘appropriate safeguards’ are in place. These ‘appropriate safeguards’ include:

  • using ‘technical and organisational measures’ to ensure data minimisation, for example pseudonymisation
  • using anonymised data where possible
  • not processing in ways that are likely to cause substantial damage or distress to individuals
  • not supporting measures or decisions with respect to individual
  • having the assurance that research ethics committee approval is in place where needed

Ensure compliance with the six Data Protection Act Principles.

This will include limiting any personal data collected to that which is genuinely required and taking positive steps to make sure that all personal data are held securely.

Anonymise the results so that individual research participants cannot be identified.

Academics should follow our guidance to ensure compliance with the Act.

If you have any questions, email or contact the Data Protection Officer directly.

Obtaining ethical consent

Participants in research projects must be told in clear terms, preferably in writing:

  • exactly what information of theirs is being collected
  • what it will be used for
  • to whom it may be released
  • whether and in what form the data will be published.

The individuals must normally be asked to sign a statement agreeing to the use of their personal data for these purposes. Contact the Research Data Team in the library for advice on consent forms and participant information sheets. Email

If research data is being supplied by a third party source, such as a GP, it is important to check that they have secured permission to supply any personal data to the University. A data sharing agreement may also be required.

Collecting data

Researchers need to ensure that they only collect personal data that is strictly necessary for the research being undertaken, in line with our guidance on gathering data. Unless necessary for the research, details such as names and addresses and other identifying information, must not be collected at all.

Data security

It is vital that all personal data being used for research is held securely and that access is restricted to the staff or students engaged in the research.

If any data is to be processed by or shared with a third party, that third party will need to enter into a written agreement with the University to ensure compliance with the Data Protection Act. Contact the Data Protection Officer for assistance with the wording of this agreement.

It is important that data security is considered, and appropriate safeguarding measures are implemented if any data is to be processed or taken off-site or kept on mobile devices.

Publishing results

Researchers must ensure that the results of the research are anonymised when published and that no information is published that would enable a Data Subject to be identified.

Exemptions from the Act

There are exemptions to the general rules on data protection that apply to academic research.

Further processing of personal data

Personal data which has been collected for one piece of research can be used for other research without breaching the Act.

However, this only applies to research data that is:

  • not being used to "support measures or decisions with respect to particular individuals"
  • not processed in such a way that is likely to cause substantial damage or distress to the relevant individual.

Retention of personal data

Personal data collected in connection with research can be kept indefinitely so that research can be reconsidered or the data re-analysed at a later date.

Subject access requests

Research data collected must be anonymised or the usual rights of the Data Subject to view information held about them will apply.

Individuals whose personal data is being used in research do not have the right to see the data or be supplied with details of it, provided that the results of the research or any resulting statistics do not identify the individuals concerned.

Contact us

If you have any questions, please contact us.

On this page