The Data Protection Principles for Research (notes to accompany presentation)
Researchers should be aware that the processing of any information relating to identifiable living
individuals constitutes ‘personal data processing’ and is subject to the provisions of the Data
Protection Act 1998, including the following eight Data Protection Principles.
Principle 1 - Personal data shall be processed fairly and lawfully.
A research information sheet/consent form should satisfy the requirement for personal data to be
processed fairly and lawfully. The information provided should inform the data subject of your identify
(i.e. a research student at the UoE), the purposes for which their personal data will be used, who will
have access to the data and any disclosures made etc. There is also a requirement for the
processing to be justified, one of the following conditions must be met:
-
The data subject has given his consent to the processing.
The processing is necessary for the performance of a contract to which the data subject is a party.
The processing is necessary for compliance with a legal obligation.
The processing is necessary in order to protect the vital interests of the data subject.
The processing is necessary for the administration of justice etc.
The processing is necessary for the purposes of legitimate interests pursued by the data
controller.
For the processing of sensitive personal data (e.g. ethnic origin, political/religious beliefs, sexual life
etc) a condition from the following (incomplete) list must also be met:
- The data subject has given his explicit consent to the processing of the personal data.
- The information has been made public as a result of steps deliberately taken by the data subject.
- The processing is of sensitive personal data consisting of information as to racial or ethnic origin,
is necessary for the purpose of identifying or keeping under review the existence or absence of
equality of opportunity.
Principle 2 - Personal data shall be obtained only for one or more specified purposes, and
shall not be processed in any manner incompatible with that purpose(s).
If the data is not processed to support measures or decisions with respect to individuals AND the
processing will not cause substantial damage and distress to any data subject research data is
exempt from Principle 2 of the Act. Thus, personal data obtained for other purposes (e.g. mark data
collected to be used in examination boards) may be processed for research even if that purpose was
not made explicit to data subjects.
However, in spite of this exemption, the data subject should still be informed of any new purposes of
data processing and the identity of the data controller and any disclosures that may be made
(Principle 1). Such notification may be avoided if:
• The data has been obtained directly from the data subject but the purpose of processing the data for
research was not known at the time and it is subsequently deemed ‘not practicable’ to provide the
relevant information
• The data has been obtained from a third party; and provision of such information would involve
disproportionate effort. The data controller (i.e. University) should record the reasons for believing
that ‘disproportionate effort’ applies.
Principle 3 - Personal data must be adequate, relevant and not excessive.
Principle 4 - Personal data must be accurate and up to date.
Clearly, once research data has been collected it may become out-of-date quite quickly. However, the
requirement expressed in Principle 4 is only that data be kept up-to-date where necessary. In most
cases research work will only ever be based on information representing the situation at a particular
moment in time, and there will be no reason to update this information as circumstances change.
Principle 5 – Personal data shall not be kept for longer than is necessary.
If the data is not processed to support measures or decisions with respect to individuals AND the
processing will not cause substantial damage and distress to any data subject research data is
exempt from Principle 5 of the Act. Thus, data processed for research may be retained indefinitely.
However despite being exempt from Principle 5, research data is not exempt from Principle Three
("data shall be adequate, relevant and not excessive…") or Principle Seven
("appropriate…measures shall be taken against unauthorised or unlawful processing of personal data
and against accidental loss or destruction…of personal data"). There are strong arguments in favour
of anonymising research data being held in the long-term, as anonymised data is inherently secure
against accidental disclosure and, arguably, more satisfactorily answers the need for data to be held
only where relevant and not excessive. For many research projects there may never be any need for
data to be directly associated with the individuals who provided it, in these cases you should collect
data anonymously wherever this will have no ill-effects on the conduct and results of the research.
Principle 6 - Personal data shall be processed in accordance with the Data Subjects rights.
If the data is not processed to support measures or decisions with respect to individuals AND the
processing will not cause substantial damage and distress to any data subject research data is
exempt from Principle 6 of the Act. This means that data processed for research are not open to
subject access requests (i.e. the data subject is not entitled to a copy of their personal data).
Principle 7 - Personal data should be guarded against accidental loss or destruction of or
damage to data.
The requirements for appropriate security of data laid down in Principle 7 must be respected.
Data/information storage must be secure e.g. paper files should be stored in a locked filing cabinet.
Files kept on a PC should be made secure with the use of login passwords / password protected etc.
The level of security required for personal data should be proportionate with the sensitivity of the data
and the risk of damage if data were disclosed. When destroying records it is important that care is
taken to dispose of records securely.
Principle 8 - Personal data shall not be transfered outside the EEA unless that country
ensures an adequate level of protection.
International research collaborations involving transfer of personal data to countries outside the EEA
may not take place unless that country has adequate data protection regulations, or the explicit
consent of the data subject has been obtained (this can be achieved by making clear to the subject
that data would be transferred overseas as they submit that data). Or, where this is not the case,
anonymising the data to ensure that it is impossible for the recipient to identify individuals from it.
Caroline Dominey
Records Manager
December 2009
Useful resources
University of Exeter Data Protection website: http://www.exeter.ac.uk/dataprotection/
Information Commissioner’s website: http://www.ico.gov.uk/
The Impact of the Data Protection Act 1990 on Socio-Legal Research:
http://www.kent.ac.uk/nslsa/images/slsadownloads/onedayconferences/rosemary jay slsa paper.doc
The Data Protection Act 1998: http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1