skip to content

This page contains basic information about, and links to detailed sources of advice on, various matters pertaining to data protection in a research context:


Guidance on data protection and academic research

Academic research can rely upon exemptions from compliance with various parts of data protection legislation if certain conditions/safeguards are met.  The ways in which these exemptions work are complicated.  The following University guidance is available:

In addition, guidance on compliance with data protection legislation when conducting academic research is offered by various national research organisations and professional bodies.  Much of this is discipline-specific (e.g. that issued by the NHS Health Research Authority), and these resources should be consulted in conjunction with the University's guidance.


Relationship with research ethics

Compliance with data protection legislation, and the application of the relevant exemptions as appropriate, is only one aspect of carrying out academic research legally and ethically.  Other legal and ethical requirements and standards - including the need for ethical review and adherence to the University's Policy on the Ethics of Research Involving Human Participants and Personal Data - will vary between disciplines, and guidance is provided at the links above.  Ethical review can also help to ensure that some of the accountability requirements in data protection legislation, which continue to apply notwithstanding the exemptions, are met.  In particular:

  • The research ethics application process, and records maintained by individual ethics committees, ensures that certain headline information about the personal data used by individual projects is captured, and so helps the University to meet its obligation to maintain records of the data processing that takes place across the organisation.

  • The research ethics review process itself acts as a preliminary or mini Data Protection Impact Assessment of a proposed project, and ethics committees can choose to seek advice from the Data Protection Officer and/or ask for a full DPIA where very high data protection risks emerge surrounding any particular project.

In many disciplines, there is an ethical expectation that research participants will be asked to consent to take part in a research project.  Such consents to participation are separate from consents to the processing of personal data under data protection legislation (the latter are not normally required or advisable in a research context).

Medical (and some other) researchers should also be aware of the importance of the common law duty of confidentiality, in particular when using patient records for research purposes.  This common law is separate from data protection legislation, and will often require the separate consent of the patient (or equivalent) for the duty of confidentiality to be set aside to allow the research to proceed.


Data protection and research contracts

Advice on contractual matters involving data protection in a research context (e.g. sharing datasets containing information about living identifiable individuals with researchers at other institutions, whether in the UK or overseas, and whether as part of a consortium/collaborative project or a one-off data transfer) should be sought from the Research Operations Office.


Formal approvals of research projects by the Data Protection Officer

On occasion, research project funders, collaborators or other external organisations (especially EU funders and/or their ethical reviewers) ask researchers to supply them with a letter in the name of the University's Data Protection Officer confirming that their project methodology, or a specific aspect of it, conforms to data protection legislation.  Any researchers who are asked to supply such a letter should contact the Information Compliance Office.  Other research projects do not require approval from, or letters in the name of, the University's Data Protection Officer.