Toolkit - Student Researcher

If your research project does or is likely to collect and process people's Personal Data (and/or Sensitive Personal Data), then you must consider and comply with the data protection requirements. Considering any data protection implications at the earliest opportunity is both a legal obligation under the General Data Protection Regulation (GDPR) and obviously makes it much easier to make necessary changes to your project design.

Remember, we not only have a legal obligation to comply with data protection law (there can be both university and individual criminal offences associated with breaches of data protection law, as well as significant financial penalties for the university), but we also have a moral responsibility to our research subjects to ensure that we treat them fairly and look after their private information. In addition, both the university's reputation as a research organisation and your reputation as a research professional are at risk!

Step 1

Determine whether you are dealing with Personal Data and/or Sensitive Personal Data (see Data Protection Guidance below for more information)

Step 2

Clearly define the purpose for collecting the data, which will lead to determining what personal data you will require (and what you don't require). This will help to determine the 'Purpose Limitation' and 'Data Minimisation' required under data protection legislation. (See Data Protection Guidance below)

Step 3

Determine what your legal basis for each processing activity will be (see Guidance below)

Step 4

Conduct a Data Protection Impact Assessment (DPIA) to highlight personal data risk and identify suitable mitigation / risk reduction measures - see guidance below

Step 5

Review the DPIA with the Data Protection Officer and implement recommendations. Repeat DPIA if necessary.


See also the Research Support webpages at

Guidance on specific areas

The MRC has produced the following guidance and training for using personal data in research activities (note this is currently written for compliance with the Data Protection Act and will need to be updated for the GDPR; however, the core principles will be very similar)