This page contains core information about, and links to detailed sources of advice on, various matters pertaining to data protection in a research context:
Guidance on data protection and academic research
Academic research can rely upon exemptions from compliance with various parts of data protection legislation if certain conditions/safeguards are in place. The ways in which these exemptions work are complicated. The following University guidance is available:
- Academic research involving personal data - main guidance from the Research Office, including the full legal background and sections on consent forms, participant information sheets, interactions with research ethics and the separate law of confidentiality, and data re-use
- Data protection and academic research - presentation from the Information Compliance Office summarising the main guidance
- Research integrity and research ethics - broader guidance from the Research Office (including the University's Policy on the Ethics of Research Involving Human Participants and Personal Data)
- Medical research and information governance - guidance for medical researchers from the School of Clinical Medicine (including the Clinical School's Information Governance Policy and HRA-authorised templates for providing privacy notices in participant information sheets)
- Research data management - guidance from the Research Data Management Team (including the University's Research Data Management Policy Framework and guidance on data management plans)
- Research data storage - guidance from University Information Services
- Data security for researchers - training and guidance from University Information Services
In addition, guidance on compliance with data protection legislation when conducting academic research is offered by various national research organisations and professional bodies. Much of this is discipline-specific (e.g. that issued by the NHS Health Research Authority), and these resources should be consulted in conjunction with the University's guidance.
Relationship with research ethics
Compliance with data protection legislation, and the application of the relevant exemptions as appropriate, is only one aspect of carrying out academic research legally and ethically. Other legal and ethical requirements and standards - including the need for ethical review and adherence to the University's Policy on the Ethics of Research Involving Human Participants and Personal Data - will vary between disciplines, and guidance is provided at the links above. Ethical review can also help to ensure that some of the accountability requirements in data protection legislation, which continue to apply notwithstanding the exemptions, are met. In particular:
- The research ethics application process, and records maintained by individual ethics committees, ensures that certain headline information about the personal data used by individual projects is captured, and so helps the University to meet its obligation to maintain records of the data processing that takes place across the organisation.
- The research ethics review process itself acts as a preliminary or mini Data Protection Impact Assessment of a proposed project, and ethics committees can choose to refer applicants to (or themselves seek advice from) the Data Protection Officer and/or ask for a full DPIA where very high data protection risks emerge surrounding any particular project.
In many disciplines, there is an ethical expectation that research participants will be asked to consent to take part in a research project. Such consents to participation are separate from consents to the processing of personal data under data protection legislation (the latter are not normally required or advisable in a research context).
Medical (and some other) researchers should also be aware of the importance of the common law duty of confidentiality, in particular when using patient records for research purposes. This common law is separate from data protection legislation, and will often require the separate consent of the patient (or equivalent) for the duty of confidentiality to be set aside to allow the research to proceed.
Data protection and research contracts
Advice on contractual matters involving data protection in a research context (e.g. sharing datasets containing information about living identifiable individuals with researchers at other institutions, whether in the UK or overseas, and whether as part of a consortium/collaborative project or a one-off data transfer) should be sought from the relevant School team in the Research Operations Office.
Research datasets containing (or derived from) personal data are amongst the University’s core assets. Research collaborations with external organisations will usually have data sharing considerations built into the collaboration agreement from the start. The sharing of datasets with third parties not directly involved in a research project normally should be carried out under a standard data/material transfer agreement. The templates used and/or negotiated by ROO will ensure that data protection matters, as well as other compliance issues (e.g. ethics, confidentiality, re-use and IP rights), are adequately considered and covered in the legal agreements. Agreements are often required even if the dataset that will be shared is pseudonymised or fully anonymised.
Formal approvals of research projects by the Data Protection Officer
On occasion, research project funders, collaborators or other external organisations (especially EU funders and/or their ethical reviewers) ask researchers to supply them with a letter in the name of the University's Data Protection Officer confirming that their project methodology, or a specific aspect of it, conforms to data protection legislation. Any researchers who are asked to supply such a letter should contact the Information Compliance Office. Other research projects do not require approval from, or letters in the name of, the University's Data Protection Officer.