Cookies

We use cookies to ensure that we give you the best experience on our website. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.

Durham University

Information Governance

Research Using Personal Data

Introduction

This guidance aims to help researchers to understand data protection legislation, including the General Data Protection Regulations (GDPR), and how it affects the collection and use of personal data in their research. An online glossary provides explanation of key definitions and terms used in this guidance.

Data protection legislation, like the GDPR, gives living people control over the use of their personal data. Organisations are permitted to collect and use personal data but must comply with the data protection principles and other provisions in the legislation. The requirements for compliance increase with the sensitivity of the personal data.

If you intend to use personal data as part of a research project, considering the requirements of data protection legislation in the early stages of your project's development is in line with the principle of ‘data protection by design and default’. Doing this can lessen the risk of:

  • Project delays
  • Extra expense
  • The need to re-contact research subjects
  • The need to re-acquire personal data
  • Reduced integrity or reliability of data and findings.
  • Non-compliance with data protection legislation

The impact of data protection legislation will always be dependent upon the nature of the research project and how personal data will be collected and used. Whilst this guide will not answer every question or indeed guarantee that a research project is compliant, it will guide you on the key aspects of the legislation that affect research projects and it may help you to identify further advice you require.

It is also important to understand that Durham University, as a Data Controller, is legally responsible for ensuring that its employees and students comply with the legislation and is also responsible for any personal data processed by its employees or anyone else that processes personal data on behalf of the University, known as data processors. Non-compliance with data protection legislation places the University at significant legal, financial and reputational risks. Individuals can also be held responsible for their actions and non-compliance can undermine your reputation and the esteem of your research.

Durham University has a Data Protection Officer in place who manages compliance with data protection legislation, including maintaining a Data Protection Policy and providing specialist advice.

Data protection legislation and its application

The EU General Data Protection Regulation (GDPR) applies to the University processing of personal data as a UK institution, regardless of whether that processing takes place within the EU or not.

The GDPR provides some opportunity for national governments within the EU Member States to make certain provisions for how they apply the GDPR. The GDPR includes special rules and derogations (relaxations or exemptions) for processing personal data for research, history and statistical purposes. The Data Protection Act 2018 addresses the Member State options of the GDPR, including the rules around processing for research or statistical purposes. DPA 2018 clarifies where the derogation would not apply (Part 2, Chapter 2, Section 19 Specific processing situations) as follows:

“(2) Such processing does not satisfy the requirement in Article 89(1) of the GDPR for the processing to be subject to appropriate safeguards for the rights and freedoms of the data subject if it is likely to cause substantial damage or substantial distress to a data subject.

(3) Such processing does not satisfy that requirement if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject, unless the purposes for which the processing is necessary include the purposes of approved medical research.”

The DPA provides further information on “approved medical research” referred to above.

Any agreed exemptions will only apply to the data used for research but not where the data is used elsewhere. It is still necessary to comply with all other aspects of the legislation. The Data Protection Act 2018 must be applied alongside the GDPR.

Changes resulting from the GDPR

Personal data and special category data (formerly ‘sensitive personal data’) are defined in the online Glossary. This includes coded information even if you personally do not have the code or direct access to the code.

The data protection legislation recognises that the use of sensitive personal data can potentially have a greater effect on the rights and freedoms of the individual than "mere‟ personal data. This guide is written with the assumption that sensitive personal data will be used in most research projects.

Using personal data for research, history and statistical purposes

The GDPR text regarding research derogations is as follows:

Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4. Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

Note: Article 89(2) references the following other Articles:

  • Article 15: Right of access by the data subject
  • Article 16: Right to rectification
  • Article 18: Right to restriction of processing
  • Article 21: Right to object

For the derogations in Article 89(2) to apply, personal data used in your research project must:

  • Be used for research purposes only and have no other use or intended use
  • Not be used to support measures or decisions about individuals
  • Not cause substantial damage or substantial distress to an individual
  • Not be made available in any way that identifies individuals.

If you will only use personal data in this way, then limited relief from the legislation is provided as follows:

Further use of personal data

Normally, personal data collected for one use cannot be further used for different reasons. Under the rules, personal data may be used for further research purposes. However, it will still be necessary to provide individuals with a privacy notice.

Personal data should be retained no longer than necessary

Personal data collected for research purposes only may be kept indefinitely. However, this does not mean that the personal data should necessarily be kept indefinitely. How long you keep the personal data should be decided early in the project. You may want to make this clear on a privacy notice or consent form.

Rights of individuals

Normally, individuals will have a right to access the personal data you hold about them. Personal data used for research purposes does not have to be provided but you could still voluntarily allow access. It is important to note, however, that individuals do retain other rights under data protection legislation which are outside of the research purposes rules. For instance, individuals can still revoke consent or request that their personal data is no longer used.

Other legislation and regulation frameworks

There are likely to be other legislation and regulations that affect your academic discipline and area of research which are beyond the scope of this guide. It is important to note that several data protection principles make clear that any use of personal data must be lawful and therefore any unlawful use would be in violation. For instance, using personal data for research purposes that was recorded under conditions where a duty of confidence is owed (e.g. recorded by health professionals) may breach common law of confidence. Personal data must be used fairly and lawfully, therefore a breach of common law of confidence will breach the first principle under the GDPR as well. Consideration of the effect of other legislation or regulations upon the collection and use of personal data may require ethical or legal advice.

Use of anonymised or pseudonymised information

In many research projects, some personal data is coded in order to protect the identity of individuals. However, this does not render the personal data anonymous information and thus remove the obligation to comply with data protection legislation. This is because personal data is information about a person who can be identified directly or with help of other accessible resources. This means that even if you hold only the non-identifying information it still must be treated as personal data as long as a colleague, collaborator or contractor holds the means to identify the person.

However, separating identifying information is still good practice under data protection legislation because:

  • It makes personal data more secure
  • It helps to assure individuals that decisions will not be made in relation to them
  • It can reduce harm if personal data is lost or if it is used without authorisation or unlawfully.

Refer to the University’s guidance on Anonymisation and Pseudonymisation for further information about the topic, including techniques, re-identification, risks and more.

To make personal data fully anonymous you would need to irrevocably destroy any code which would link the identifying information to the other aspects of personal data. In practice this would be a rare occurrence. It is also important to note that rendering personal data fully anonymous would need to be declared to the individual in a privacy notice.

Ways to collect personal data

You will most likely collect personal data in one of four ways.

From the individual

A common method of collecting personal data is directly from the individual, usually through:

  • Direct observation
  • Surveys
  • Questionnaires
  • Interviews

In these cases, you, or someone assisting you, will have the opportunity to engage with the individual to fully explain what you are doing and what information you require and make sure they agree to participate. This should include providing written information to the individual and producing a signed agreement. If this is how you will be collecting personal data you should carefully review the guidance on:

If, upon review, you decide that you would not be able to fully inform the individual or seek explicit consent because it would prejudice your research, then substantial additional justification will be required and you may require ethical approval or legal advice.

Re-use of personal data from a previous study

If you have collected personal data for one research project and then either change the nature of the project or intend to use the personal data for a new project it is necessary to consider the data protection legislation implications anew. In these cases, you will need to provide a new privacy notice to each individual and obtain consent again unless to do so would require disproportionate effort. Deciding whether effort is disproportionate is based on the nature of the research and may require ethical approval or legal advice. This is a good reason why it is important to fully consider all intended and potential uses of personal data prior to its collection.

From publicly available sources

You may use personal data for research purposes from publicly available sources if it has been made public with the consent of the individual. This does not include covert observations of the private activities of identifiable individuals from or in public spaces. You should still consider whether the processing is lawful and ensure compliance with the other data protection principles not covered by the research purposes rules.

From external sources

If you will be collecting personal data for research purposes from an external body, a formal agreement will be required. The agreement will need to detail what personal data will be provided and include guarantees that it will be used only for specified purposes. The external body, in order to make their own data protection compliance assessments, may require from you specific details of the nature of your research. As each research project is different you may require ethical approval or legal advice.

Privacy Notices

A basic premise of data protection legislation is that individuals have a right to know what you intend to do with information about them. A privacy notice is your way of telling the individual who you are and what you are doing with their personal data. It can be as simple as a verbal explanation or a sign on the wall. For a research project where sensitive personal data is collected, a written privacy notice is required which will contain extensive and explicit information about the research project. If you are collecting information directly from the individual you will be required to provide a privacy notice. Any other situation will require ethical approval or legal advice. Where a researcher plans to issue a “participant information sheet” this can incorporate a privacy notice.

What do you put in a privacy notice?

Privacy notices should be easy to read and understand and must, at a minimum, include:

  • Name and address of the Data Controller (i.e. Durham University)
  • Identity of any data processors, i.e. contractors, collaborators or partners not employed by the University who will collect the information or have access to it
  • The purposes for which you will be processing the information.

In addition, you will need to provide the individual with any other information necessary to ensure that their personal data will be processed lawfully. You should put yourself in the position of the individual and ask, “What would I want to know if this were my information being collected?” This may include information about:

  • Any sensitive personal data being collected
  • The length of time the personal data will be kept
  • How to keep contact details up to date
  • The anticipated means of publication of the personal data or results and anticipated timeframe for doing so
  • Other individuals or organisations who will be provided with the personal data
  • Whether the personal data will be transferred to a non-EEA country
  • The source of funding for the research
  • How the personal data will be stored
  • Whether the personal data will be anonymised after collection and before processing
  • Whether any decision making will be completely automated, i.e. machines will make decisions without human intervention.

The contents of a privacy notice will depend on the nature of your research project and it should be developed on a case by case basis.

The University’s Research and Innovation Services (RIS) office have prepared some templates that can assist you, including:

When are Privacy Notices not necessary?

If you are not collecting personal data directly from the individual, you may not be required to provide a privacy notice if it would require a disproportionate effort to do so. In these circumstances you will need to carefully consider why it is disproportionate to provide a privacy notice and why the processing is otherwise lawful. The test of proportionality may take into account many factors, such as:

  • The nature of the personal data
  • The age of the personal data
  • The ability to locate or identify the individual
  • The cost of providing a privacy notice
  • Whether an individual was deceived or misled about the purposes for processing
  • Whether the individual knows or reasonably expects the processing to occur
  • The potential for harm or distress to be caused to the individual.

If you wish to use sensitive personal data you should normally contact all individuals to provide a privacy notice and seek explicit consent, even if disproportionate effort is required. As each research project will be different you may require ethical approval or legal advice.

Explicit consent

When you are collecting personal data from an individual directly for research purposes, you should always seek explicit consent. Explicit consent means getting a positive, unambiguous response from the individual after the full details of the privacy notice has been provided to them. Usually this will include a signature. It will also require that the individual is not obliged, and does not feel obliged, to participate and understands that consent can be withdrawn at a later point. Where a researcher plans to issue a “participant information sheet” this can incorporate an explicit consent form.

In short, data protection legislation expects that in giving explicit consent the individual:

  • Gives consent freely
  • Is fully informed about what they are consenting to
  • May withdraw consent at any time.

Explicit consent is not always required in order to use personal data. If you can demonstrate why you would be justified in proceeding with your research project without explicit consent or in the face of the individual's express objections, you may still be able to collect and use personal data. As each research project will be different you may require ethical approval or legal advice. Further information about explicit consent follows.

Freely given consent

Freely given consent requires that the individual is not under any duress or obligation to provide consent. You should ask yourself whether failure or refusal to consent would put the individual at an actual or implied disadvantage. In developing a research project this may affect the pool of potential research subjects. A further consideration is whether the individual is capable of giving consent due to age or mental capacity. Is the individual old enough to understand what you are doing and how they may be affected?

Fully informed consent

Fully informed consent requires that the individual is made explicitly aware of the full nature and conditions of your research project and provided with the information required to make a decision to give explicit consent. Providing a full privacy notice to the individual should qualify.

If some aspect of the nature of the research project needs to be withheld from the individual then you should not seek explicit consent but instead find another lawful basis for collecting personal data. This may require ethical approval or legal advice.

Withdrawal of consent

Even after you have received consent you may encounter individuals who ask to withdraw consent for their personal data to be used in the research project. If this occurs, you will need to swiftly assess how and to what degree you can comply. You may want to consider this during the project planning stage and determine the impact that any withdrawals of consent might have on the research project. In significantly advanced or published research you may find it particularly difficult to change statistical or qualitative results. If the individual is not satisfied with your response you may need to seek further advice.

Consent not required

When personal data is collected directly from the individual you should obtain explicit consent at the same time. However, explicit consent is not always required in order to use personal data. If you can demonstrate why you would be justified in using personal data without explicit consent or in the face of the individual's objections, you may still be able to collect and use personal data. As each research project will be different it may require ethical approval or legal advice.

Security for research data

In the public sector there are all too many examples of memory sticks, media discs, laptops and other electronic data storage devices containing personal data that have gone missing, been stolen or inadvertently had their contents made public. There are also cases of paper files of sensitive information being disposed of in general waste or personal data being released without authorisation, either intentionally or otherwise. All of these are breaches of data protection legislation. The University is legally responsible for taking proportionate steps to prevent such occurrences when it processes personal data. Refer to the (a href="/ig/password/is/classification/">Information Security Classification and Handling Standard to see controls that are to be implemented for information across its lifecycle. Technical controls will also be applied at application, device and infrastructure levels.

The nature of the security measures required will depend on the nature of the personal data and the potential for harm or distress to be caused to the individual. However, there are three primary areas of security which must be addressed:

  • Technological and physical security measures appropriate to the nature of the personal data and to the cost of implementing the measures
  • Appropriate training for staff who handle personal data
  • The University is also legally responsible for the contractual processing of personal data by third parties and must ensure that contractors comply with the requirements of data protection legislation.

In practice, basic security measures for personal data security should include:

  • Storing paper records in locked filing cabinets or secure rooms
  • Keeping coded keys in locked areas separate to the personal data
  • Password protecting electronic file stores
  • Always encrypting personal data to be stored on removable devices
  • Allowing staff access only to that personal data which is essential for their function
  • Training staff about the security measures in place and how to report breaches of security
  • Formalising arrangements with partners, colleagues and other organisations on how personal data will be secured and how security audits will be undertaken
  • Contingency planning for security breaches.

Security breaches can have legal, financial and reputational repercussions. They can involve formal investigations and decisions by regulators and law enforcement agencies. Other potential impacts include:

  • The University’s reputation may be severely affected by adverse media reporting
  • It may become more difficult to find subjects willing to participate in research
  • Grant funding and the integrity or esteem of your research may be affected
  • The University's ability to recruit and retain students and staff may be diminished.

Ethical approval and legal advice

There are several instances where you may need further advice and guidance about compliance with data protection legislation due to the nature of your research project. These may include projects for which:

  • You are not able to provide a complete privacy notice
  • You are not able to seek the explicit consent of individuals
  • You wish to act despite the expressed objections of the individual
  • Providing a privacy notice or seeking consent would require a disproportionate effort
  • You are requesting or using personal data provided by external bodies, not by the individual

You need to consider compliance with other legislation or regulations that affect your research area or discipline. In these cases you should first approach the chair of your departmental Ethics Sub-Committee or the Research Office. In some cases, the University’s Data Protection Officer and Information Governance Unit will be of further assistance. Some cases may require formal legal advice.

Subject access requests and complaints about the processing of personal data

Data protection legislation requires that the University deals promptly with requests for personal data and complaints about the processing of personal data. Whilst you may be able to deal with minor requests or complaints informally or through established processes, you must bring these to the attention of the Information Governance Unit as soon as possible if you are at all unsure as to how to proceed or need further data protection guidance. There may be grounds and provision to refuse complaints and requests for personal data.

Please see www.dur.ac.uk/ig/dp/ for more information.

Policies, training, guidance and contacts

This guidance may not provide all the information you require. You may need to review additional information or contact other internal or external individuals. Further suggested sources are:

University Policies

Ensuring Sound Conduct in Research (www.dur.ac.uk/hr/policies/research/)

Data Protection Policy (www.dur.ac.uk/ig/policies/dppolicy/)

Information Security Policy (www.dur.ac.uk/ig/policies/ispolicy/

Records Management Policy and Strategy (www.dur.ac.uk/ig/policies/rm/)

Records Management Policy for Business Emails (www.dur.ac.uk/ig/policies/)

Training

Online Data Protection Training (www.dur.ac.uk/ig/training/)

Research Office training (www.dur.ac.uk/research.office/local/research_events/)

Internal Guidance and Contacts

Information Governance Unit (www.dur.ac.uk/ig/igu)

Information Governance (www.dur.ac.uk/ig/)

Data Protection (www.dur.ac.uk/ig/dp/)

Information Security (www.dur.ac.uk/ig/is/)

Freedom of Information (www.dur.ac.uk/ig/foi/)

Requests from the public for University-held information (www.dur.ac.uk/ig/foi/requests/)

Records and Information Management (www.dur.ac.uk/ig/rim/)

Research Office (www.dur.ac.uk/research.office/)

Research Governance, Ethics and Safety (www.dur.ac.uk/research.innovation/governance/integrity/governance/)

Computing and Information Services (www.dur.ac.uk/cis/)

IT Policy and Regulations (www.dur.ac.uk/cis/policy/)

IT Security (www.dur.ac.uk/cis/security/)