Division of General Counsel, Governance and Compliance

Research and Data Protection

Data protection legislation applies whenever we are processing personal data at the University. Processing includes the collection, recording, analysis, storage, dissemination and even deletion of data, so any research involving personal data will amount to processing and the research will need to comply with the legislation.

Personal data is anything that enables a living person to be identified. It includes information that enables a person to be directly identified, such as their name, as well as information that enables them to be indirectly identified, such as a research participant number. In particular, personal data includes the physical, physiological, genetic, mental, economic, cultural or social identity of a living person.

Research with human participants will almost always involve the processing of personal data.

What is our lawful basis for processing personal data in research?

We must always have a lawful basis for processing personal data and, in the context of research activities, our lawful basis is carrying out a task “in the public interest or in the exercise of official authority vested in the controller”, known as ‘public task’.

Under our Royal Charter, the purpose of the University is to “advance learning and knowledge by teaching and research to the benefit of the wider community”, meaning research activities are part of our ‘public task’.

Do I need individuals’ consent to process their data?

Although you need to obtain the consent of your participants to take part in your research project to meet ethical requirements, you do not need to have their consent to process their personal data. Our lawful basis for processing personal data in research activities is our public task, and so you do not rely on ‘consent’ as the lawful basis for processing their personal data.

Please be careful not to include ‘consent’ for processing personal data in your participant consent form. If your form suggests that consent is required to process personal data, then that consent can also be withdrawn and you will not be able to use the data in your research.

The University publishes template research documents for Participant Information Sheets and Participant Consent forms. If you have any queries about what should be included in your participant information sheet or consent form, please contact the Data Protection Officer.

What about special category data, such as health data?

When we are processing special category data we need to meet one of the conditions to be able to collect and use that data. Scientific and historical research is one of those conditions so, as long as you are processing special category data for research purposes, you do not need separate consent to use the data. 

If you are using special category data for research purposes though, you need to meet the following:

  • The processing must be in the public interest;
  • The processing must not be likely to cause substantial damage or distress to the individual; and
  • The processing must not be for the purpose of measures or decisions about a particular person, unless it is necessary for approved medical research.

What data protection principles apply to research?

Although there are some limited exemptions for research activities, you will need to comply with most of the requirements of data protection legislation. The key principles are:

  • You should process personal data in a fair and transparent manner;
  • Any personal data must be adequate, relevant and limited to what is necessary for your research;
  • Personal data should be accurate and, where necessary, kept up to date;
  • You must ensure that personal data is kept secure.

What is the data protection exemption for research?

Some of the obligations in data protection legislation are limited when personal data is processed for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. This is sometimes referred to as the research exemption.

For the exemption to apply, though, there must be appropriate safeguards in place to protect the rights and freedoms of individuals and any processing must be in keeping with recognised ethical standards for research.

Purpose limitation principle

Usually, personal data should be collected for a specified and explicit purpose and must not be processed in a way that is incompatible with that purpose – known as the purpose limitation principle. However, when processing personal data for ‘scientific or historical research purposes’, the data can be used for other research purposes. For example, personal data collected for research project X can also be used for research project Y.

Storage limitation principle

The ‘storage limitation’ principle means that data should not be kept for longer than is necessary for the purpose for which it was obtained. However, the legislation allows personal data that is processed for research purposes to be kept for longer periods.

What data rights do research participants have?

Data protection legislation gives individuals a number of rights in relation to their personal data, known as data subject rights. But when we are processing personal data for research purposes, the following rights do not apply:

  • the right to information about whether their personal data is being processed, the purpose of processing, what personal data is held and other information about their data;
  • the right of access including the right to be provided with a copy of their personal data being processed by the University;
  • the right to have inaccurate or incomplete personal data rectified or completed;
  • the right to restrict the processing of their personal data; and
  • the right to object to the processing of personal data.

Third parties and international transfers

If your research project includes working with other institutions or third parties in a way that involves the processing of personal data, we may need to have written agreements or contracts in place with them. For further information or advice, please contact the Data Protection Officer or the Research Contracts team.

If your research project will involve personal data being transferred outside of the United Kingdom, then additional requirements apply. This might arise, for example, when using institutions or third parties to collect data for you in other countries, to store data (e.g. cloud hosted data in another country), or to analyse data (e.g. sending biometric samples to a lab in another country).

Personal data can be transferred to countries where there is an adequacy decision in place. This means that the UK Secretary of State has decided that their data protection arrangements are adequate and provide safeguards equivalent to our own legislation. If data is being transferred to a country without an adequacy decision, then additional contractual clauses will need to be in place first; please contact the Data Protection Officer.

Further information

You might find our Research and Data Protection flowchart helpful in understanding the data protection requirements and exemptions for research activities.

If you have any other queries about how the data protection legislation applies to research, please contact the Data Protection Officer.


Last updated 1 December 2021