skip to content

This page contains core information about, and links to detailed sources of advice on, various matters pertaining to data protection in a research context:


Guidance on data protection and academic research

Academic research can rely upon exemptions from compliance with various parts of data protection legislation if certain conditions/safeguards are in place.  The ways in which these exemptions work are complicated.  The following University guidance is available:

In addition, guidance on compliance with data protection legislation when conducting academic research is offered by various national research organisations and professional bodies.  Much of this is discipline-specific (e.g. that issued by the NHS Health Research Authority), and these resources should be consulted in conjunction with the University's guidance.


Relationship with research ethics

Compliance with data protection legislation, and the application of the relevant exemptions as appropriate, is only one aspect of carrying out academic research legally and ethically.  Other legal and ethical requirements and standards - including the need for ethical review and adherence to the University's Policy on the Ethics of Research Involving Human Participants and Personal Data - will vary between disciplines, and guidance is provided at the links above.  Ethical review can also help to ensure that some of the accountability requirements in data protection legislation, which continue to apply notwithstanding the exemptions, are met.  In particular:

  • The research ethics application process, and records maintained by individual ethics committees, ensures that certain headline information about the personal data used by individual projects is captured, and so helps the University to meet its obligation to maintain records of the data processing that takes place across the organisation.

  • The research ethics review process itself acts as a preliminary or mini Data Protection Impact Assessment of a proposed project, and ethics committees can choose to refer applicants to (or themselves seek advice from) the Data Protection Officer and/or ask for a full DPIA where very high data protection risks emerge surrounding any particular project.

In many disciplines, there is an ethical expectation that research participants will be asked to consent to take part in a research project.  Such consents to participation are separate from consents to the processing of personal data under data protection legislation (the latter are not normally required or advisable in a research context).

Medical (and some other) researchers should also be aware of the importance of the common law duty of confidentiality, in particular when using patient records for research purposes.  This common law is separate from data protection legislation, and will often require the separate consent of the patient (or equivalent) for the duty of confidentiality to be set aside to allow the research to proceed.


Data protection and research contracts

Advice on contractual matters involving data protection in a research context (e.g. sharing datasets containing information about living identifiable individuals with researchers at other institutions, whether in the UK or overseas, and whether as part of a consortium/collaborative project or a one-off data transfer) should be sought from the relevant School team in the Research Operations Office.

Research datasets containing (or derived from) personal data are amongst the University’s core assets.  Research collaborations with external organisations will usually have data sharing considerations built into the collaboration agreement from the start.  The sharing of datasets with third parties not directly involved in a research project normally should be carried out under a standard data/material transfer agreement.  The templates used and/or negotiated by ROO will ensure that data protection matters, as well as other compliance issues (e.g. ethics, confidentiality, re-use and IP rights), are adequately considered and covered in the legal agreements.  Agreements are often required even if the dataset that will be shared is pseudonymised or fully anonymised.


Formal approvals of research projects by the Data Protection Officer

On occasion, research project funders, collaborators or other external organisations (especially EU funders and/or their ethical reviewers) ask researchers to supply them with a letter in the name of the University's Data Protection Officer confirming that their project methodology, or a specific aspect of it, conforms to data protection legislation.  Any researchers who are asked to supply such a letter should contact the Information Compliance Office.  Other research projects do not require approval from, or letters in the name of, the University's Data Protection Officer.