Guide for Researchers collecting personal data
The UK General Data Protection Regulation (the UK GDPR) and the UK Data Protection Act 2018 (the DPA) require organisations to be transparent about the personal data that they collect.
Organisations are required to be clear and concise in informing people what information they have, why they have it, what they do with it, who they share it with and how long they keep it for. This is known as privacy information and is disclosed to people in a Privacy Notice.
For researchers there are specific implications that affect your work:
- Transparency: Researchers need to be transparent with people about what they do with the personal information they collect.
- Privacy Notice & Participant Information Sheet: These provide details to participants in clear and plain language. Templates and advice on content must be followed.
- Lawful basis: 'Public interest task' covers the majority of the University’s research work and will likely be the most common legal basis for processing personal data, and 'for research purposes' covers the use of special category data.
- Rights of Individuals: Exemptions for research are available; seek advice from the Information Governance Office if contacted by a participant.
- Pseudonymised data: Pseudonymised data is subject to data protection law.
To learn about how data protection applies to research work, read the guidance available in the following My Research Essentials posts:
https://myresearchessentials.medium.com/7b28e2d244c7
https://myresearchessentials.medium.com/c9e4ecc877f5#17db
What do I need to consider as a researcher?
Data Management Plan
The Data Management Plan outlines how a research project will manage data both during the research and after the project is completed. You are asked to add in detail (proportionate to the nature of your research) about what personal data will be collected, processed and stored.
High risk processing assessments
If your research is likely to involve high risk processing, the relevant researcher or PI may need to complete an Information Governance Risk Review, which may ultimately lead to a full Data Protection Impact Assessment being carried out. This will be done in consultation with the Information Governance Office. For more information on what constitutes ‘high risk’ processing, read the following ICO guidance and examples.
Contracts
If your research involves sharing personal data with another organisation (ie not just the anonymised outcomes), a contract must be in place. Contact the contracts office for advice.
This will involve agreeing who the ‘data controller’ is and, where necessary, who the ‘data processor’ is. Often the University will be the controller, but this needs assessing once we gain an understanding from the Principal Investigator of which party is deciding on the means and purpose of the research.
Participant Information Sheets
Ensure that your participant information sheet and consent forms include sufficient information to meet the UK GDPR requirement of transparency. You can find out more about Participant Information Sheets in this post.
Pseudonymisation and Anonymisation
UK GDPR does not apply to anonymous data; however, researchers should consider whether or not an individual can be identified even after the usual identifiers have been removed. If data can be combined from different sources (including publicly available information), it may allow a person to be identified, whether by the research team or by another person.
Note that the process of anonymising personal data is covered by UK GDPR.
Pseudonymisation is a method of disguising the identities of individuals to whom information relates. It may involve removing a common identifier and using a pseudonym (eg a randomly allocated number), enabling data to be collected about the same individual without recording their identity. Pseudonymising data can be useful in research as a method of applying a safeguard to protect individuals’ privacy.
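The following is an added example, not part of the University's guidance: it replaces a direct identifier with a randomly allocated number, as described above, and then checks which participants could still be singled out by combining the remaining fields. The field names, sample records and function names are constructed for illustration, and the identifier field is assumed to be unique per person.

```python
import secrets

# Constructed sample records; all names and values are invented.
PARTICIPANTS = [
    {"name": "Alice Example", "postcode": "M13", "birth_year": 1984, "score": 7},
    {"name": "Bob Example", "postcode": "M13", "birth_year": 1984, "score": 4},
    {"name": "Carol Example", "postcode": "M14", "birth_year": 1990, "score": 9},
    {"name": "Alice Example", "postcode": "M13", "birth_year": 1984, "score": 8},
]


def pseudonymise(records, id_field="name"):
    """Replace the direct identifier with a randomly allocated number.

    Returns (research_rows, key_table). The key table links identity to
    pseudonym, so it must be stored apart from the research data with
    restricted access: whoever holds both can re-identify participants.
    Assumes id_field is unique per person (hypothetical simplification).
    """
    key_table, used, research_rows = {}, set(), []
    for record in records:
        identity = record[id_field]
        if identity not in key_table:
            # Random rather than derived from the identity, so the pseudonym
            # cannot be recomputed by someone who knows the participant's name.
            number = secrets.randbelow(10**8)
            while number in used:
                number = secrets.randbelow(10**8)
            used.add(number)
            key_table[identity] = f"P{number:08d}"
        row = {k: v for k, v in record.items() if k != id_field}
        row["participant_id"] = key_table[identity]
        research_rows.append(row)
    return research_rows, key_table


def singled_out(rows, quasi_identifiers):
    """Return pseudonyms whose combination of quasi-identifiers is unique.

    A unique combination (e.g. postcode plus birth year) can be matched
    against another data source, so the person may still be identifiable.
    """
    groups = {}
    for row in rows:
        combo = tuple(row[q] for q in quasi_identifiers)
        groups.setdefault(combo, set()).add(row["participant_id"])
    return sorted(p for members in groups.values() if len(members) == 1 for p in members)
```

Run `singled_out` on the pseudonymised rows before sharing or publishing; any pseudonym it returns belongs to a participant whose remaining fields need generalising or removing.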