Exemptions from the data protection principles

Research, which includes statistical and historical studies, can claim certain exemptions from the Data Protection Act if two safeguards are met. The safeguards are that:

  • the data are not processed to support measures or decisions with respect to particular individuals; and
  • the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

If these safeguards are met, then the following exemptions apply:

  • personal data can be used for research even if they were not originally obtained for that purpose;
  • the data can be retained indefinitely; and
  • subject access rights do not apply if the research results are not made public in a form which identifies the research subjects.

The data protection principles still apply to research data (except data for "historical research"). The data must have been obtained for one or more specified and lawful purposes. Processing for the research purposes must still meet one of the conditions for processing, for example that it is necessary for the purposes of legitimate interests of the University, or that the data subject has consented. The processing of sensitive personal data for research, except historical research (see below), requires one of the additional conditions for processing sensitive personal data to be met.

When data collected for another purpose are used for research, the data subject should be contacted and informed of this, unless this would involve 'disproportionate effort', in which case this should be documented.

Transfers of data abroad can only take place if certain conditions are met: usually either that the subject has consented to the transfers, or the conditions of the transfer ensure that their rights and freedoms are preserved.

"Historical research" is subject to further, significant, exemptions; in essence only principles 7 (appropriate security) and 8 (restricting transfer outside the EEA) apply to personal data processed for this purpose.

Medical research

  • Sensitive personal data (which includes information about someone's physical or mental health) may be processed on the basis that it is necessary for medical purposes, including medical research undertaken by a health professional or someone with an equivalent duty of confidentiality.
  • Where confidential personal data derived from NHS care is processed by researchers other than the doctor who treats the patient, then informed consent should usually be given by the subject for this.
  • Health records (i.e. records relating to physical or mental health that have been made by or on behalf of a health professional in connection with the care of that individual) are subject to specific Department of Health and NHS guidance which emphasises the common law duty of confidentiality that applies to all staff working for the NHS.
  • All research proposals involving access to patient records require clearance by an NRES Research Ethics Committee.
  • Several organisations such as the MRC, the BMA and the GMC have published guidance on personal information and medical research. Up-to-date copies are available from their websites.

Research checklist

Does the project involve personal data, i.e. relating to a living individual who can be identified from that data or other information in the possession of, or likely to come into the possession of the data controller? If no then the Data Protection Act 1998 does not apply to the project.
Does the project meet the definitions in the Data Protection Act 1998, i.e. for research, historical or statistical purposes? If no, then the DPA 1998 applies in full.
If yes, then research exemptions may apply.
Who is the data controller for the personal data, that is the person who controls the purposes and manner of processing? If it is the University, you need take no further action (the University has notified the Information Commissioner that it processes personal information for research purposes).
If the data controller is not the University (and note that each College is an independent data controller), you must tell this other data controller who will check whether a further notification is required.
Check Schedule 2 and decide which condition for processing you are relying on for the project.
Is any of the data sensitive personal data?
If so, check the conditions in Schedule 3 and decide which you are relying on for your project (this is in addition to a Schedule 2 condition).
Will any personal data be transferred overseas as part of the research project? If so, you will need to demonstrate that the transfer preserves the subject's rights and freedoms.
Were individuals told at the time data were collected that their data would be used for research? If no, either arrange to have them informed of this, or if this would involve disproportionate effort you must document the reason why this is so.
Will the results of the research be used to make any decisions about the research subjects? If so, no exemptions apply and the Act applies in full.
Could the data processing being carried out result in any damage or distress to individual subjects? If it could, no exemptions apply and the Act applies in full.
Will the results of the research be made public in anonymised form only? If so, subject access rights do not apply to the personal data used in research.

This list is extracted from a longer checklist in Data Protection Law and Practice, by Rosemary Jay and Angus Hamilton (Sweet and Maxwell, 1999).