The Data Protection Principles for Research (notes to accompany presentation) Researchers should be aware that the processing of any information relating to identifiable living individuals constitutes ‘personal data processing’ and is subject to the provisions of the Data Protection Act 1998, including the following eight Data Protection Principles. Principle 1 - Personal data shall be processed fairly and lawfully. A research information sheet/consent form should satisfy the requirement for personal data to be processed fairly and lawfully. The information provided should inform the data subject of your identify (i.e. a research student at the UoE), the purposes for which their personal data will be used, who will have access to the data and any disclosures made etc. There is also a requirement for the processing to be justified, one of the following conditions must be met: - The data subject has given his consent to the processing. The processing is necessary for the performance of a contract to which the data subject is a party. The processing is necessary for compliance with a legal obligation. The processing is necessary in order to protect the vital interests of the data subject. The processing is necessary for the administration of justice etc. The processing is necessary for the purposes of legitimate interests pursued by the data controller. For the processing of sensitive personal data (e.g. ethnic origin, political/religious beliefs, sexual life etc) a condition from the following (incomplete) list must also be met: - The data subject has given his explicit consent to the processing of the personal data. - The information has been made public as a result of steps deliberately taken by the data subject. - The processing is of sensitive personal data consisting of information as to racial or ethnic origin, is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity. Principle 2 - Personal data shall be obtained only for one or more specified purposes, and shall not be processed in any manner incompatible with that purpose(s). If the data is not processed to support measures or decisions with respect to individuals AND the processing will not cause substantial damage and distress to any data subject research data is exempt from Principle 2 of the Act. Thus, personal data obtained for other purposes (e.g. mark data collected to be used in examination boards) may be processed for research even if that purpose was not made explicit to data subjects. However, in spite of this exemption, the data subject should still be informed of any new purposes of data processing and the identity of the data controller and any disclosures that may be made (Principle 1). Such notification may be avoided if: • The data has been obtained directly from the data subject but the purpose of processing the data for research was not known at the time and it is subsequently deemed ‘not practicable’ to provide the relevant information • The data has been obtained from a third party; and provision of such information would involve disproportionate effort. The data controller (i.e. University) should record the reasons for believing that ‘disproportionate effort’ applies. Principle 3 - Personal data must be adequate, relevant and not excessive. Principle 4 - Personal data must be accurate and up to date. Clearly, once research data has been collected it may become out-of-date quite quickly. However, the requirement expressed in Principle 4 is only that data be kept up-to-date where necessary. In most cases research work will only ever be based on information representing the situation at a particular moment in time, and there will be no reason to update this information as circumstances change. Principle 5 – Personal data shall not be kept for longer than is necessary. If the data is not processed to support measures or decisions with respect to individuals AND the processing will not cause substantial damage and distress to any data subject research data is exempt from Principle 5 of the Act. Thus, data processed for research may be retained indefinitely. However despite being exempt from Principle 5, research data is not exempt from Principle Three ("data shall be adequate, relevant and not excessive…") or Principle Seven ("appropriate…measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction…of personal data"). There are strong arguments in favour of anonymising research data being held in the long-term, as anonymised data is inherently secure against accidental disclosure and, arguably, more satisfactorily answers the need for data to be held only where relevant and not excessive. For many research projects there may never be any need for data to be directly associated with the individuals who provided it, in these cases you should collect data anonymously wherever this will have no ill-effects on the conduct and results of the research. Principle 6 - Personal data shall be processed in accordance with the Data Subjects rights. If the data is not processed to support measures or decisions with respect to individuals AND the processing will not cause substantial damage and distress to any data subject research data is exempt from Principle 6 of the Act. This means that data processed for research are not open to subject access requests (i.e. the data subject is not entitled to a copy of their personal data). Principle 7 - Personal data should be guarded against accidental loss or destruction of or damage to data. The requirements for appropriate security of data laid down in Principle 7 must be respected. Data/information storage must be secure e.g. paper files should be stored in a locked filing cabinet. Files kept on a PC should be made secure with the use of login passwords / password protected etc. The level of security required for personal data should be proportionate with the sensitivity of the data and the risk of damage if data were disclosed. When destroying records it is important that care is taken to dispose of records securely. Principle 8 - Personal data shall not be transfered outside the EEA unless that country ensures an adequate level of protection. International research collaborations involving transfer of personal data to countries outside the EEA may not take place unless that country has adequate data protection regulations, or the explicit consent of the data subject has been obtained (this can be achieved by making clear to the subject that data would be transferred overseas as they submit that data). Or, where this is not the case, anonymising the data to ensure that it is impossible for the recipient to identify individuals from it. Caroline Dominey Records Manager December 2009 Useful resources University of Exeter Data Protection website: http://www.exeter.ac.uk/dataprotection/ Information Commissioner’s website: http://www.ico.gov.uk/ The Impact of the Data Protection Act 1990 on Socio-Legal Research: http://www.kent.ac.uk/nslsa/images/slsadownloads/onedayconferences/rosemary jay slsa paper.doc The Data Protection Act 1998: http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1