Data Protection in Research

If your research project does or is likely to collect and process peoples Personal Data (and/or Sensitive Personal Data), then you will need to consider and comply with the data protection requirements.

Step 1

Determine whether you are dealing with Personal Data and/or Sensitive Personal Data

Step 2

Define the purpose for collecting the data which will lead to determining what personal data you will require.

Step 3

Determine what your legal basis for processing will be (this will often be part of our public task (for normal data) and for the specific Research purposes (Art 9.2(j) GDPR) for sensitive personal data)

Step 4

Conduct a Data Protection Impact Assessment (DPIA) if neccesary (or advised)

Step 5

Consider the following (implement outcomes from the DPIA if applicable)

- how you can provide suitable transparency information;

- security of your data (both at rest and when it is moving)

- how long you keep the data

- whether you can anonymise or pseudonymise the data.


Reusing existing Personal Data for research

Normally we would be restricted from using exisiting Personal Data for purposes which were not specified to the data subject at the time the data was collected.

However, Art 6(4) may allow processing for a purpose other than that for which the personal data has been collected. Art 5(1)b specifically states that "Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes."

Please seek further guidance from the DPO


Further Information

See the Research Governance Toolkit or the general Research Support pages for more info

The Medical Research Council (MRC) have some useful guides and information on their GDPR webpages.