You must comply with the Data Protection Act whenever you gather or collect personal data for University-related purposes. This includes data obtained for Academic Research.

There are three general rules of compliance that you should follow when collecting data.

Identify the lawful basis that you are relying on to collect the data, as you may be asked to specify this. There are only six permitted lawful bases and at least one must apply.

1. Public task – this means that the processing is necessary for the University to perform a task in the public interest or as part of its official functions, (most of our research comes under this).
2. Legitimate interests - the processing is necessary for the legitimate interests of the University or a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
3. Contract – the processing is necessary for a contract the University has with the individual, or because they have asked the University to take specific steps before entering into a contract.
4. Legal obligation – the processing is necessary for the University to comply with the law.
5. Vital interests – the processing is necessary to protect the vital interest of someone, this means to protect someone’s life.
6. Consent – the individual has given clear consent for the University to process their personal data for a specific purpose.

If you plan to gather any special category data ensure that you also meet one of the additional conditions for processing special category data.

Ensure that you comply with the six Data Protection Act Principles. This will include you limiting any personal data collected to that which you genuinely need and taking positive steps to make sure that all personal data are held securely.

Consent and ethical issues

All University of Bath students and staff provide their general consent to their personal data being processed for certain, limited, necessary purposes:

• Data protection statement for student registration
• Human resources data protection statement

If you intend to collect data that is not covered by this general consent, or from individuals who are not students or staff, you must ensure that you get their permission.

For advice and sample consent wording email the Data Protection Officer at dataprotection@bath.ac.uk

Limit the personal data you collect

Ensure you only collect personal data that is strictly necessary, be especially mindful of any data of a sensitive nature or special category data. Any irrelevant or excessive information should not be gathered or retained.

Keep data secure

All personal data gathered must be held securely. Use a computing services server to store data wherever possible. Don't put the data onto a mobile device unless it is secure - password protected and, where appropriate, encrypted.

Restrict access to data and maintain confidentiality by:

• only allowing other staff to access the data if necessary
• not transferring data to a third party unless you have consent
• taking care not to lose data
• ensuring data is kept securely, whether on or off campus