Research and the Data Protection Act
Further information for researchers at the University carrying out projects involving data protection.
This guidance provides advice and a checklist for researchers to ensure compliance with the Data Protection Act.
This guidance covers the implications of the Data Protection Act for research data and ensures that you are able to comply with the legislation.
Audience and background
The University of Edinburgh is a world-class research organisation. Some of the research undertaken by the University uses information about identifiable living individuals. For example, research into the social skills of toddlers requires information about children, and medical research often requires patient information. The use of personal information for research falls within the remit of the Data Protection Act.
What is the Data Protection Act?
The Data Protection Act gives individuals (known as data subjects) rights regarding the personal data organisations hold about them and gives organisations responsibilities regarding that data.
These responsibilities are codified as eight data protection principles. There are additional requirements for sensitive personal data, about which the University must be particularly cautious.
How does the Data Protection Act affect me?
The University is committed to best practice in all areas of research, which includes conformity with the law. Information about the University's commitment is detailed in the Code of Good Practice in Research.
In many respects the Data Protection Act reinforces the good practices promoted by professional bodies via their codes of ethics and standards of practice. For example, the College of Arts, Humanities and Social Sciences Research Ethics Checklist includes data protection considerations.
The penalties for not complying with the Data Protection Act can be very serious. If the University is shown to be in breach of the Act, it can be sued. This is expensive in terms of staff time, legal fees and any resulting award. In some cases individual members of staff may be found responsible, resulting in a criminal record and a fine of up to £5,000.
What is personal data?
The Data Protection Act applies to personal data as defined on the Records Management Section website.
If the data does not meet this definition, the Data Protection Act does not apply and there is no need for you to read further.
What to do
If you want to use personal data for your research you must either comply with the Data Protection Act or anonymise the data that you use so that it no longer falls within the Act's definition of personal data.
Option 1: Comply with the Act
If you cannot anonymise the data (see below) you must make arrangements to meet all of the requirements of the Act. See a researcher's guide to the data protection principles.
Option 2: Anonymise data
Where possible you may choose to completely anonymise the personal data you use. The data is only completely anonymised if it is impossible to identify the individuals from that information plus any other information that the University holds or is likely to hold.
For example, if you anonymise a list of patients by giving each patient a number and then keep a separate list of the numbers and the names of the patients to which they refer, the data is not completely anonymised and would still qualify as personal data under the Act.
If you do not keep a 'key' to the identities of the patients and it is not possible for the patients to be identified from any other information, such as sick leave data, that the University holds, or is likely to hold, then the data is completely anonymised. In this case you can use the data without making arrangements to comply with the Data Protection Act because the data will no longer fall within the Act's definition of personal data.
If you are able to meet the requirements of Option 2 and decide to anonymise your research data, the rest of this guidance does not apply to your research.
How does the Act affect my research?
The Act makes special provisions for research if your research fulfils all of the following conditions:
- You are using the information exclusively for research purposes (including statistical or historical research purposes). The information must have no other use, not even an incidental use.
- You are not using the information to support measures or decisions relating to any identifiable living individual (not just the data subject but anyone who may be affected by your research).
- You are not using the data in a way that will cause, or is likely to cause, substantial damage or substantial distress to any data subject.
- You will not make the results of your research, or any resulting statistics, available in a form that identifies the data subjects. For example, if you use case studies in your research report, you may choose to disguise the names of the individuals. However, if you describe their circumstances in detail, it may be possible for someone to identify that individual, in which case you would not meet this criterion.
This guidance is written on the basis that your research does fulfil these conditions.
If you cannot fulfil the conditions please contact the Records Management Section, as further obligations will apply.
If you can fulfil the conditions you must comply with all of the requirements laid out in the Researcher's guide to the data protection principles. A checklist has been provided to help you.
About this guidance
Date: April 2008
Author: Anne Thompson