Guidance on data protection and academic research

Academic research can rely upon exemptions from compliance with various parts of data protection legislation if certain conditions/safeguards are met.  The ways in which these exemptions work are complicated.

The University's principal source of detailed guidance on the topic is the page on academic research involving personal data on the Research Integrity website.  This page contains a Quick Guide as well as the detailed guidance.  Some basic slides about the GDPR and academic research from the Information Compliance Office also provide a brief introduction.

As part of its GDPR preparations, the University published a preliminary guidance document for researchers in March 2018; this document is consistent with the detailed guidance and will remain available.  (Note that this preliminary document refers to the Data Protection Bill; on 23 May 2018 this received Royal Assent to become the Data Protection Act 2018.)

Detailed GDPR-standard guidance is yet to be published by the national research organisations, with the exception of the NHS Health Research Authority, which has created guidance in relation to medical research.


Relationship with research ethics

Compliance with data protection legislation, and the application of the relevant exemptions as appropriate, is only one aspect of carrying out academic research legally and ethically.  Other legal and ethical requirements and standards - including the need for ethical review and adherence to the University's Policy on the Ethics of Research Involving Human Participants and Personal Data - will vary between disciplines, and further guidance is provided by the Research Office (and, on the topic of research data management, by the University Library and Research Office).  Ethical review can also help to ensure that some of the accountability requirements in data protection legislation, which continue to apply notwithstanding the exemptions, are met (e.g. the research ethics review process acts as a preliminary or mini Data Protection Impact Assessment of a proposed project).

In particular, in many disciplines there is an ethical expectation that research participants will be asked to consent to take part in a research project.  Such consents to participation are separate from consents to the processing of personal data under data protection legislation (the latter are not normally required or advisable in a research context).

Medical (and some other) researchers should also be aware of the importance of the common law duty of confidentiality, in particular when using patient records for research purposes.  This common law is separate from data protection legislation, and will often require the separate consent of the patient (or equivalent) for the duty of confidentiality to be set aside to allow the research to proceed.


Data protection and research contracts

Advice on contractual matters involving data protection in a research context (e.g. sharing datasets containing information about living identifiable individuals with researchers at other institutions, whether in the UK or overseas, and whether as part of a consortium/collaborative project or a one-off data transfer) should be sought from the Research Operations Office.


Formal approvals of research projects by the Data Protection Officer

On occasion, research project funders (especially EU funders and/or their ethical reviewers) ask researchers to supply them with a letter in the name of the University's Data Protection Officer confirming that their project methodology conforms to data protection legislation.  Any researchers who are asked to supply such a letter should contact the Information Compliance Office.  Other research projects do not require approval from the University's Data Protection Officer.