Further information for researchers at the University carrying out projects involving data protection.
This guidance provides advice and a checklist for researchers to ensure compliance with the Data Protection Act.
This guidance covers the implications of the Data Protection Act for research data and ensures that you are able to comply with the legislation.
The University of Edinburgh is a world-class research organisation. Some of the research undertaken by the University uses information about identifiable living individuals; for example, research into the social skills of toddlers requires information about children, and medical research often requires patient information. The use of personal information for research falls within the remit of the Data Protection Act.
The Data Protection Act gives individuals (known as data subjects) rights regarding the personal data organisations hold about them and gives organisations responsibilities regarding that data.
These responsibilities are codified as eight data protection principles. There are additional requirements for sensitive personal data, about which the University must be particularly cautious.
The University is committed to best practice in all areas of research, which includes conformity with the law. Information about the University's commitment is detailed in the Code of Good Practice in Research.
In many respects the Data Protection Act reinforces the good practices promoted by professional bodies via their codes of ethics and standards of practice. For example, the College of Arts, Humanities and Social Sciences Research Ethics Checklist includes data protection considerations.
The penalties for not complying with the Data Protection Act can be very serious. If the University is shown to be in breach of the Act, it can be sued. This is expensive in terms of staff time, legal fees and any resulting award. In some cases individual members of staff may be found responsible, resulting in a criminal record and a fine of up to £5,000.
The Data Protection Act applies to personal data as defined on the Records Management Section website.
If the data does not meet this definition, the Data Protection Act does not apply and there is no need for you to read further.
If you want to use personal data for your research, you must either comply with the Data Protection Act or anonymise the data that you use so that it no longer falls within the Act's definition of personal data.
If you cannot anonymise the data (see below), you must make arrangements to meet all of the requirements of the Act. See a researcher's guide to the data protection principles.
Where possible you may choose to completely anonymise the personal data you use. The data is only completely anonymised if it is impossible to identify the individuals from that information plus any other information that the University holds or is likely to hold.
For example, if you anonymise a list of patients by giving each patient a number and then keep a separate list of the numbers and the names of the patients to which they refer, the data is not completely anonymised and would still qualify as personal data under the Act.
If you do not keep a 'key' to the identities of the patients and it is not possible for the patients to be identified from any other information, such as sick leave data, that the University holds, or is likely to hold, then the data is completely anonymised. In this case you can use the data without making arrangements to comply with the Data Protection Act because the data will no longer fall within the Act's definition of personal data.
If you are able to meet the requirements of option two and decide to anonymise your research data, the rest of this guidance does not apply to your research.
The Act makes special provisions for research if your research fulfils all of the following conditions:
This guidance is written on the basis that your research does fulfil these conditions.
If you cannot fulfil the conditions please contact the Records Management Section, as further obligations will apply.
If you can fulfil the conditions you must comply with all of the requirements laid out in the Researcher's guide to the data protection principles. A checklist has been provided to help you.
Date: April 2008
Author: Anne Thompson