The Data Protection Act and GDPR

The Data Protection Act, the General Data Protection Regulation, and the UK GDPR

Researchers must adhere to data protection requirements when managing or sharing personal data. The UK General Data Protection Regulation (GDPR) applies if:

  • A researcher based in the UK collects personal data about people anywhere in the world.
  • A researcher outside the UK collects personal data on UK citizens.

Personal data is defined within the legislation as ‘any information relating to an identified or identifiable natural person’, whereby the person can be identified directly or indirectly.

It is important to remember that not all research data obtained from people count as personal data. If data are anonymised and an individual is no longer identifiable then the Act and Regulation will not apply, as the information no longer constitutes ‘personal data’. The Medical Research Council has produced clear guidance on identifiability, anonymisation and pseudonymisation.

The Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR) provide some exceptions for research data when the necessary safeguards are in place. They apply only to personal or special categories data, and not to all research data in general, nor to anonymised data.

When researchers undertake research projects that span the EU, the General Data Protection Regulation (GDPR) will also need to be considered and adhered to.

Currently, the UK GDPR and the GDPR are aligned (meaning broadly that they place the same legal obligations on researchers), but in the future, the two pieces of legislation may diverge as the UK has now left the EU. It will therefore be important for researchers to ensure that they gain local support from their university Data Protection Officer (DPO) when their research project will span across the EU. Please find out more about the main areas involved:

The DPA and the UK GDPR define six principles that need to be complied with when processing personal data. All personal data must:

  1. Be processed lawfully, fairly and transparently.
  2. Be kept to the original purpose.
  3. Be minimised (i.e. only the personal data that is necessary is collected).
  4. Have the accuracy upheld.
  5. Be removed if they are not necessary.
  6. Be kept confidential and their integrity maintained.

Researchers will also need to have a legal basis for processing personal data, of which there are six possible grounds:

  1. Consent of the data subject.
  2. Necessary for the performance of a contract.
  3. Legal obligation placed upon controller.
  4. Necessary to protect the vital interests of the data subject.
  5. Carried out in the public interest or is in the exercise of official authority.
  6. Legitimate interest pursued by controller.

In the context of research, the three most applicable grounds for the processing of personal data are consent, public interest (public task) or legitimate interest. However, consent is likely to be the most widely used ground for processing personal data.

Consent is commonly used for ethical reasons in research with human participants, for example to ask participants to participate voluntarily in the research, explaining what the research will involve, which data will be collected and how these data will be used.

Consent can also be used as a legal basis for the processing of personal data. It is important to distinguish consent for the processing of personal information from other consent processes or requirements.

One way to achieve this in practice is for researchers to indicate clearly in a consent form where the participant’s consent is being asked for processing their personal data and where consent is being asked for taking part in the research, for use of the collected information, etc.

Be specific and granular so that you get separate consent for separate things. Our model consent form helps researchers to address this.

Under the UK GDPR, consent needs to be freely given, informed, unambiguous, specific (granular) and a clear affirmative action. Consent cannot be inferred from silence, from pre-ticked boxes or from inactivity. Consent forms need to be in easy language.

Consent for processing personal data needs to be documented. An obvious way to do this is by using written consent forms. But that may not always be possible in research. Verbal consent discussions and agreements can be audio-recorded if the participants agree, or the consent process and wording used can be written out in detail.

In cases where researchers are collecting and processing special categories of personal data, explicit consent can be used as an additional condition to do this. Explicit consent means that the person must give an express statement of consent, for instance in a written statement.

An assessment should be made by the data controller for each research project, to identify the most appropriate grounds for the processing of the personal data for that research project. This will need recording and the processing ground cannot be changed at a later date.

The UK GDPR specifies the rights a data subject has when their personal data are processed:

  • The right to be informed.
  • The right of access.
  • The right of rectification.
  • The right to erasure (the ‘right to be forgotten’).
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated individual decision-making and profiling.

The rights that will be relevant to processing personal data for your research project will depend on the nature of the project; the chosen processing ground; and the country that the research takes place in.

EU Member States are able to apply certain ‘derogations’ (or exemptions) of data subjects’ rights, such as in relation to research and archiving. Researchers will therefore need to refer to national legislation, whilst consulting with their local DPO to identify which rights can be derogated locally.

The UK GDPR makes provisions for processing personal data for research and archiving purposes, so long as certain safeguards are in place. The safeguards include technical and organisational measures, data minimisation and pseudonymisation.

Further processing of personal data, for the purposes of archiving, scientific, historical research and statistical collection, is not considered to be incompatible with the initial purposes of data collection, even when this purpose has not been expressly mentioned earlier. Also, in research, personal data may be stored for longer periods.

We provide here practical guidance, examples and question/answers on how to apply the UK GDPR in research:

Personal data

Any information relating to an identified or identifiable natural person, whereby the person can be identified, directly or indirectly.

This may, for example, include photographs, email messages and data recorded by closed-circuit television (CCTV), if a person can be identified from this.

It also includes data identified by reference numbers, where a separate list can be used to match the reference numbers to named individuals. This does not mean, however, that all information provided during research by a person (e.g. during interviews) is personal data. If a person cannot be identified directly or indirectly from the information, then the information is not defined as personal data.

Identifiable natural person

One who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special categories data

Personal data that is combined with information on a person’s race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.

Data controller

A person or organisation who determines the purposes for which and the manner in which personal data are processed.

Data processor

A person who processes data on behalf of the controller.

Data processing

Any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.

Pseudonymisation

Processing the personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which needs to be kept separately and subject to technical and organisational measures.

For example, if you de-identify individuals in a survey by giving each respondent a numeric identifier, the data will technically remain personal and under the UK GDPR be classified as pseudonymised data, if you (the data controller) have another file which links that numeric information to the real names or other personal information.

If you destroy the linkage key between the identifiers and the personally identifying information, then the data are classified as anonymised data and no longer fall under the requirements of the UK GDPR.
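The survey example above, sketched as an added example (not code from this guidance): respondents get a random numeric identifier, the direct identifiers move into a separate linkage key, and destroying that key removes the ability to link back. The field names, the sample rows and the helper names `pseudonymise` and `reidentify` are assumptions made for illustration.

```python
import secrets

DIRECT_IDENTIFIERS = ("name", "email")  # assumed column names for this sample


def pseudonymise(records, id_fields=DIRECT_IDENTIFIERS):
    """Split records into (pseudonymised data, linkage key).

    The linkage key maps each random numeric identifier to the direct
    identifiers and is meant to be stored separately from the research data.
    """
    data, linkage_key = [], {}
    for rec in records:
        # Random rather than sequential or derived from the name, so the
        # identifier reveals nothing about the person or the collection order.
        pid = secrets.randbelow(10**8)
        while pid in linkage_key:
            pid = secrets.randbelow(10**8)
        linkage_key[pid] = {f: rec[f] for f in id_fields}
        row = {"respondent_id": pid}
        row.update({k: v for k, v in rec.items() if k not in id_fields})
        data.append(row)
    return data, linkage_key


def reidentify(row, linkage_key):
    """Return the direct identifiers for a row, or None if the key has no entry."""
    return linkage_key.get(row["respondent_id"])


# Constructed sample survey responses (not real people).
SURVEY = [
    {"name": "Alex Example", "email": "alex@example.org", "age_band": "25-34", "answer": 4},
    {"name": "Sam Sample", "email": "sam@example.org", "age_band": "45-54", "answer": 2},
]

if __name__ == "__main__":
    data, key = pseudonymise(SURVEY)
    print(data)                      # research file: no names or emails
    print(reidentify(data[0], key))  # the controller holding the key can link back
    key.clear()                      # destroying the linkage key
    print(reidentify(data[0], key))  # identifiers can no longer be resolved
```

The remaining columns still need checking against the definition of an identifiable natural person given above, since a person can also be identified indirectly from factors left in the data.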