This guidance is intended for students undertaking research or other work involving information about living, identifiable individuals as part of their programme of study at the University of Edinburgh.
If you are carrying out research for an established University research group, please use the guidance 'Research and the Data Protection Act' and not this document.
Its purpose is to provide advice on data protection compliance and ethical best practice in the handling of information about living, identifiable individuals.
The Data Protection Act 1998 protects the rights of individuals when you process &è ;personal data&è¡; about them, including obtaining, holding and destroying it.
The definition of personal data is highly complex. For day-to-day purposes, it is best to assume that all information about a living, identifiable individual is personal data. This includes any expression of opinion by or about the individual.
The Data Protection Act 1998 and you
In most circumstances, students are responsible for ensuring that their work with information about living, identifiable individuals complies with the requirements of the Data Protection Act. The document, Personal data processed by students, provides an explanation of why this is the case.
Personal data processed by students
If your research is strictly for domestic purposes related to your own personal academic use whilst studying at the University, then your research may be exempt from the Data Protection Act. However, you should still work as if the legislation applies as it also aligns with ethical best practice.
If you are doing a work-based study and the organisation concerned uses your results in its business, the Act will apply.
The Data Protection Principles
The key requirements of the Data Protection Act are set out in eight data protection principles:
- Personal data shall be processed fairly and lawfully. Tell people what you are using the information for and who will see it. Obtain their consent.
- Personal data shall be obtained only for specific purposes relevant to your research and not used for anything else. However, you can reuse data for research provided that the information is not being used to take decisions about individuals and if you are sure no damage or distress will occur to the participants.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and kept up to date, if necessary. You do not need to update datasets that represent a situation at a particular time e.g. heart rate after a training exercise.
- Personal data shall be kept no longer than is necessary. Delete personal data as soon as it is no longer needed for your research or to validate your research results.
- Personal data shall be processed in accordance with the rights of individuals, including the right to receive a copy of information that is held about them, the right to update or amend it and, in certain circumstances, the right to prevent the use of personal data.
- Personal data must be kept securely with appropriate measures taken against unlawful or unauthorised processing and accidental damage or loss.
- Personal data shall not be transferred outside the European Economic Area.
Ten steps to responsible use of personal data
- Before you start, carefully consider what personal data you need to collect for your project and obtain the consent of your supervisor or other relevant member of University staff.
- Obtain consent from the data subject. For research this will usually be in writing. Discuss with your supervisor any concerns about obtaining consent prior to collecting personal data.
- Give a clear explanation of what you are going to do with the data to the people participating in your research.
- Do not collect or keep data that is not necessary for your research. Anonymise data if possible by removing names and other identifying information.
- Ensure that all personal data, especially opinions, is recorded accurately.
- Respect reasonable requests to update or delete data you have collected.
- Store personal data securely. If you are using information that is already public knowledge such as the names of Olympic medal winners, you will not need to take any security measures. However if you are recording less public information, you must ensure that the information is secure. Options to consider include encryption or storing information in locked cabinets.
- Do not disclose data to anyone except the individual concerned.
- Obtain consent from the participants before transferring data outside the European Economic Area.
- Securely destroy personal data no earlier than four months and no later than six months after you are notified that the Board of Examiners has confirmed your mark for that particular piece of work.
Need more advice?
If you have any concerns regarding data protection, please discuss these with your supervisor.
The Records Management Section has published a number of guidance documents on data protection. The guidance has been written for University staff but the general principles may be relevant to you.
About this document
Date: November 2014
Author: Vanessa Rodnight & Susan Graham