Data Protection and Research
1 Purpose
This document draws members' attention to the provisions of theData Protection Act 1998which relate to research activities, and outlines actions required to achieve compliance with the Act.
2 Background
- The Data Protection Act 1998 became law on 1 March 2000. However, the Act allowed for a transitional period to enable organisations to achieve compliance with the Acts provisions. This transitional period ended in October 2001, at which time the Act came fully into force.
- The Data Protection Act 1998supersedes theData Protection Act 1984, and represents a significant extension of the scope of data protection compared to the 1984 Act. In particular, whilst the 1984 Act only applied to automated data, the 1998 Act applies to both manual and automated data.
- The Act lays down principles of good information handling which are designed to make sure that personal data is used in a way which is fair to individuals and protects their rights.
3 Personal data
- The Act applies to personal data, which are defined as data from which a living individual can be identified. It does not apply to generic information about companies, nor to aggregated statistical data or anonymised data, nor to information about deceased individuals.
- The Act classifies certain types of personal data as sensitive. The following types of information fall into the category of sensitive personal data:
- ethnic or racial origin;
- political opinions;
- religious beliefs;
- trade union membership;
- physical or mental health;
- sex life;
- criminal offences or alleged criminal offences.
Inappropriate use of information of this kind is potentially very prejudicial to the data subject; the Act therefore requires that extra precautions be taken when processing sensitive personal data.
- Researchers may seek to anonymise data used in research, by removing names and other personal identifiers, or by assigning a code to research subjects. However, it should be borne in mind that such actions may not be sufficient to anonymise data. For example, if a researcher retains a list of which codes have been allocated to which research subjects, the data would not be considered to be anonymised in terms of the 1998 Data Protection Act, as it would still be possible to identify individuals. Similarly, even if the names of research subjects are removed, it may still be possible to identify individuals by using a combination of other personal identifiers, such as age or gender. It should not be assumed, therefore, that taking steps to anonymise personal data means that the provisions of the Act do not apply.
4 Fair processing
- The First Data Protection Principle requires that data subjects be informed of the purposes for which their data will be processed, including any disclosures that may be made. This fair processing statement should be provided to data subjects at the time information is initially collected about them.
- If information is being obtained directly from the data subject by, for example, requesting them to complete a questionnaire, provision of the fair processing statement can be easily incorporated into this process. However, in some cases researchers will be using data obtained from a third party, rather than directly from the data subject. The fact that data were obtained from a third party does not automatically exempt the researcher from providing a fair processing statement; however, it may be possible to claim that providing such a statement would involve disproportionate effort on the part of the researcher.
- In deciding whether or not the disproportionate effort argument would apply, researchers should evaluate the time, cost, and ease or difficulty of providing research subjects with a fair processing statement, and balance this against the benefit/prejudice to the research subject of being provided with/not being provided with such a statement. Factors to be considered in making this evaluation include the size of the research sample, whether contact details for the individuals are already available and if not, how difficult it would be to obtain them, and the purpose and likely outcomes of the research and their effect on the individuals concerned. It is highly recommended that this evaluation process be documented in writing.
- It may be that a researcher regularly obtains personal data from a particular third party. In this case, the simplest course of action is for the researcher's fair processing statement to be provided to the data subjects at the same time as the third party provides its own statement.
- Legal Services.canprovide advice on wording an appropriate fair processing statement.
Aquestionnaire has also been produced(see Annex 1)which is intended to assist researchers in determining whether or not a fair processing statement is required.
5 Legitimate basis for processing
- The First Data Protection Principle also requires data controllers to have a legitimate basis for their processing of personal data. The Act lists a number of legitimate bases, one of which must apply before processing can take place.
- Where data is being obtained directly from the data subject, the simplest legitimate basis to use is consent of the data subject to the processing. A consent clause can easily be incorporated into the fair processing statement provided to the data subject.
- Where data has been obtained from a third party, and evaluation suggests that disproportionate effort would be involved in providing a fair processing statement, there will be no opportunity to obtain consent from the data subject. In this case, another
legitimate basis can be used: that the processing is necessary for the pursuit of legitimate interests by the data controller, except where this would cause prejudice to the rights, freedoms or legitimate interests of the data subject.
- When sensitive personal data (see paragraph 3.2 above), are being processed, the requirements for a legitimate basis for processing are even more stringent. The data controller, as well as fulfilling one of the legitimate bases as described in paragraphs 5.2 and 5.3 above, must also fulfil one of the additional legitimate bases for processing sensitive personal data listed in the Act.
- When sensitive personal data are obtained directly from the data subject, the easiest additional legitimate basis to fulfil is that the data subject has given explicit consent to the processing. The Act does not explain the difference between consent and explicit consent; however, it has been suggested that explicit consent should be in writing and should involve a positive response on the part of the data subject i.e. an opt-in rather than an opt-out system should be used, and consent should not be inferred from non-response by the data subject. It has also been suggested that the requirement for explicit consent means that the particular purposes for which the sensitive personal data will be used should be stated very clearly and specifically in the fair processing statement. Again, a consent clause can be incorporated into the fair processing statement.
- When sensitive personal data are obtained from a third party and consent cannot be obtained from the data subject, the additional legitimate basis that would apply for processing sensitive personal data is as follows: the processing is in the substantial public interest, is necessary for research purposes and does not support measures with respect to individuals or cause damage or distress.
6 Security
- The Seventh Data Protection Principle states that appropriate measures must be taken to protect personal information from loss or damage, and from disclosure to third parties. It is particularly important to comply with this Principle when sensitive personal data are being processed. Researchers should ensure that:
- for personal data held on computer, appropriate access control mechanisms such as password protection and restricted access are applied;
- personal data held in manual files are handled in a way that prevents accidental or deliberate access by third parties eg by keeping data in locked filing cabinets or secure rooms;
- personal data used for research is disposed of in an appropriate way when the research has been completed. Paper files containing personal data should be shredded, and any information stored on the hard disk of a computer should be wiped by degaussing, rather than by simply deleting files;
- where personal data is processed off-site, for example when laptops are used by staff at home or when travelling, particular care is taken to prevent loss or accidental disclosures.
Further information on security issues can be found in the University's Information Security Policy and its associated guidelines. These documents can be accessed from the Legal Services section of Registry's Staffnet site.
7 The Third and Eighth Data Protection Principles
- The Third Data Protection Principle states that personal data should be adequate, relevant and not excessive for the purpose for which it is being processed. This should be borne in mind when designing questionnaires to elicit information from data subjects. For example, if personal identifiers such as names and addresses are not required in order to carry out the research, the data subject should not be asked for this information.
- The Eighth Data Protection Principle states that personal data must not be transferred outside the European Economic Area (the EU countries plus Norway, Iceland and Liechtenstein) without appropriate safeguards. In most cases, this will mean that the data subject has consented to the transfer, having been made aware that consent means that their information will be available in countries with no data protection legislation. This Principle needs to be taken into account by researchers involved in collaborative projects including participants outside the EEA.
8 Exemptions
- Fortunately for researchers, the Act provides exemptions from some of the Data Protection Principles for processing of personal data for research purposes.
- The Second Data Protection Principle states that personal data shall be processed only for specified purposes ie a data controller may not use personal data for purposes other than those originally intended and specified to the data subject in the fair processing statement. However, in recognition of the fact that much research relies on data which was originally collected for an entirely different purpose, the Act provides an exemption from the Second Principle when personal data is processed for research purposes.
- The Fifth Data Protection Principle states that personal data shall not be kept for longer than is necessary for the purpose for which they are being processed. However, data processed for research purposes is exempt from this Principle and may be kept indefinitely.
- The Sixth Data Protection Principle confers a number of rights upon individuals, one of which is the right of subject access i.e. the right of a data subject to see and to have a copy of all the information held about him or her by an organisation. However, this right does not apply to personal data used for research purposes, provided that the results of the research are not made public in a form that identifies individuals.
- It is important to note that the three exemptions described above only apply when the two safeguard conditions are met. These are:
- the research should not support measures against specific individuals;
- the research should not cause damage or distress to individuals
9 Research students
Staff who are supervising research students should be aware that the right of subject access (see paragraph 8.4 above) means that research, and indeed undergraduate, students are able to see any files supervisors may hold on them. This includes assessments, references and examiners comments. Similarly, staff are entitled to see any reports, comments or complaints about them produced by the students they are supervising. Further information on subject access, and guidance on writing references for students, can be accessed via Legal Services section of Registry's Staffnet site.
10 Ethical Approval
This document covers data protection issues only; staff carrying out research using personal data should be aware that there may be wider ethical issues, and that approval may need to be sought from the Ethics Committee.
Annex 1 QUESTIONNAIRE ON THE USE OF PERSONAL DATA IN RESEARCH
Thequestionnaire is designed to ensure that any data protection implications arising out of your research project can be identified and addressed. Please contact the Legal Services teamif you have any queries about the questionnaire or about general data protection issues.