Download Word version of this document

** indicates significant changes made 26/07/02

Research is a crucial function of most higher education institutions. Within disciplines such as sociology, health studies, physiology etc., research often will involve the processing of sensitive personal data. Such data processing occurs not only in academic research, but also where statistical analysis of personal data is carried out by administrative, academic or service departments to study trends in performance, use of services, etc. Many HEIs are involved in international research collaborations that may involve transfer of personal data overseas.

Many purposes of data processing for research are not necessarily determined at the time the data is obtained. For example, information collected by NHS staff concerning the outcome of operations might later be used by academic staff for research into the effectiveness of medical procedures. Principle 2 of the Act requires that personal data may only be processed for one or more specified and lawful purposes, which would therefore exclude such processing of personal data for research in cases where that had not been specified at point of collection. However, the Act provides specific exemptions for data processing for research (the definition of which includes historical and statistical analysis). These are not blanket exemptions from the data protection Principles, and institutions and researchers must be aware of where and when they apply. NB The criteria for these exemptions differ where sensitive personal data is processed.

Schedule 1 Principle 1. Fair Processing

Section 33 Exemptions from Principles 2, 5 and 6

Schedule 3. Conditions for Processing Sensitive Data

Data Protection (Processing of Sensitive Personal Data) Order 2000 – SI 417

Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 – SI 185

1. Researchers should be aware that the processing of any information relating to an identifiable living individual constitutes ‘personal data processing’ and is subject to the provisions of the Data Protection Act 1998, including the eight data protection Principles. However, there are certain exemptions in the Act relating to the processing of data for research - these are defined by Section 33, and relate to Principles 2, 5 and 7, and Section 7. However, it should be noted that these exemptions apply only where the data are not processed to support measures or decisions with respect to particular individuals. Additionally, these exemptions apply only in cases where the processing of data for research will not cause substantial damage and distress to any data subject.

2. Research data is exempt from Principle 2 of the Act. Thus, personal data obtained for other purposes (e.g. mark data collected to be used in examination boards) may be processed for research even if that purpose was not made explicit to data subjects. However, notwithstanding this exemption, the data subject should still be informed of any new purposes of data processing and the identity of the data controller and any disclosures that may be made (Principle 1). Such notification may be avoided if:

a) The data has been obtained directly from the data subject but the purpose of processing the data for research was not known at the time and it is subsequently deemed ‘not practicable’ to provide the relevant information (Schedule 2 Pt II 2(1)b).

b) The data has been obtained from a third party; and provision of such information would involve disproportionate effort; and no prior demand for information has been made by the data subject; and the data controller records the reasons for believing that ‘disproportionate effort’ applies (SI 185). The commissioner has advised that assessing disproportionate effort should include factors such as cost, time and ease of provision of information weighed against benefit to the individual: certainly, where data is obtained from elsewhere, particularly if the data is not recent, then it may be impossible, or at least disproportionately difficult, to inform the data subjects.

3. Research data is exempt from Principle 5 of the Act. Thus, data processed for research may be retained indefinitely, and will not be considered "out of date", however long it may be held.

4. Research data is exempt from Principle 7, and Section 7, of the Act. Thus, data processed for research are not open to subject access requests, so long as the results of any research (in articles, research reports, dissertations etc) do not identify data subjects.

5. The processing of sensitive personal data for research purposes may only be carried out if one of the conditions in Schedule 3 is satisfied:

(a) the explicit consent (ideally in writing) of the data subject has been obtained.

(b) medical research is being carried out by a health professional or someone who owes a similar duty of confidentiality (N.B. health professional includes a scientist employed by a health service body as head of department – which may cover some HEI-based researchers).

c) it is an analysis of racial/ethnic origins, carried out for the purpose of equal opportunities monitoring.

d) it has been additionally provided for by the Secretary of State. The Data Protection (Processing of Sensitive Personal Data) Order 2000 allows for sensitive data processing which: ‘is in the substantial public interest and is necessary for research purposes and does not support measures with respect to the particular data subject except with their specific consent nor cause or be likely to cause substantial damage and distress’.

6. It is important that those undertaking research (whether staff or students) are aware that most of the Data Protection Principles still apply to their work.

a) Fair Processing of Data

Despite the exemption from Principle 2, research data subjects should still be informed of any new purposes of data processing and the identity of the data controller and any disclosures that may be made. If this involves disproportionate effort then data controllers may avoid this obligation, noting in their records the reasons for believing that disproportionate effort would be required (though this is not fool-proof and may be subject to legal challenge).

b) Security of Data

The requirements for appropriate security of data laid down in Principle 7 must be respected including appropriate levels of security for sensitive data and security of data processed by researchers outside the institution (see JISC Code of Practice). It is advised that anonymisation of data should be carried out to as great an extent as possible to increase the security of data processing.

c) International Research

International research collaborations involving transfer of personal data Data may not be transferred to countries outside the EEA (Principle 8) unless that country has adequate data protection regulations, or the explicit consent of data subject has been obtained, or there is an appropriate contract with the recipient of the data, specifying appropriate data protection requirements that must be upheld. Thus, institutions must be exceptionally careful when contemplating the transfer of research data overseas: in most cases, the only safe option will be to ensure that data subjects give explicit consent for overseas transfer during data collection.

1. How is research ‘in the substantial public interest’, as specified in the Data Protection (Processing of Sensitive Personal Data) Order 2000 be defined/evaluated?

No definitions for this were or have been given as yet. It is currently advised that researchers using this exemption include a statement in the project initiation document (or equivalent) indicating the potential benefits to the public of their research

If the data is completely anonymised and no ‘key’ to their identity is held or is likely to come into the possession of the data controller then the Act will not apply as this no longer constitutes ‘personal data’. The commissioner acknowledges that true anonymisation may be difficult to achieve in practice, but encourages identifying information not needed for research to be stripped, in line with the requirements of the data protection principles.

Clearly, once research data has been collected it may become out-of-date quite quickly. However, the requirement expressed in Principle 4 is only that data be kept up-to-date where necessary. In most cases research work will only ever be based on information representing the situation at a particular moment in time, and there will be no reason to update this information as circumstances change. Care needs to be taken, however, in cases where research is being conducted that will support measures or decisions taken concerning individuals: in such cases it may be essential for data to be timely and accurate.

In most cases, researchers will be able to disguise the identity of research subjects in any published results. However, some reports will describe in detail an individual subject’s circumstances, which may allow them to be identified by those reading the report. Researchers must be careful, therefore, to include the minimum possible personal information in reports that look at individual cases. If it proves impossible to discuss a case without identifying the individual, then that individual must give consent before publication can go ahead.

Schedule 3 (para.9) of the Act provided that such research may be carried out if it is done with the intention of determining equality of opportunity and with a view to enabling the promotion or maintenance of equality. NB. Such processing should be carried out with appropriate safeguards for the rights and freedoms of the data subject.

The outcomes of research may inevitably affect individual(s). This is acceptable if they have not been targeted or identified by the processing of personal data used for the research.

The Act does not define the term "research" as such, but it does identify the circumstances in which research processing will qualify for the exemptions offered by the Act. The exemptions only apply if "(a) …the data are not processed to support measures or decisions with respect to particular individuals and (b) …the data are not processed in such a way that substantial damage or distress is, or is likely to be, caused to any data subject" (Section 33).

Hence, much market research activity undertaken by HEIs will count as research and will enjoy the benefit of the research exemptions (which are, that data may be used for research purposes even where it was not originally collected for that purpose, may be kept indefinitely, and are exempt from Subject Access so long as any results do not identify individuals). For example, if module enrolment data is later analysed to determine trends in the take-up of certain subjects for marketing purposes, then this would be covered by the exemption. If this data was then used for mailing purposes (so, for example, any student who had taken a "Basic French" module was then mailed to inform them of a new "Improver’s French" module) then again the exemption would hold.

It should be noted, however, that in cases where data is collected with the full intention of it being used for research (amongst other) purposes then subjects should be informed of this at point of collection.

Whilst Section 33 clearly states that data held for research purposes "may, notwithstanding the fifth data protection principle, be kept indefinitely", research data are not exempt from Principle Three ("data shall be adequate, relevant and not excessive…") or Principle Seven ("appropriate…measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction…of personal data"). Hence, there are strong arguments in favour of anonymising research data being held in the long-term, as anonymised data is inherently secure against accidental disclosure and, arguably, more satisfactorily answers the need for data to be held only where relevant and not excessive. In fact, for many research projects there may never be any need for data to be directly associated with the individuals who provided it, and so care should be taken to collect data anonymously wherever this will have no ill-effects on the conduct and results of the research.

Section 33 of the Act exempts research data from Principles 2 (further processing for an unspecified purpose) and 5 (data should not be kept for longer than is necessary), and Section 7 (subject access). However, there is no exemption from Principle 8, which relates to overseas transfer. Thus, if an institution wishes to transfer research data overseas, it will have to rely on either gaining consent (this can be achieved by making clear to the subject that data would be transferred overseas as they submit that data) or, where this is not the case, anonymising the data to ensure that it is impossible for the recipient to identify individuals from it.

Staff should be clearly warned that, notwithstanding the research data exemptions of Section 33, they are not entitled to make private use of data controlled by their institution unless they have the explicit permission of their institution. Assuming that such permission is sought, then institutions need to have a formal policy on such matters. This should take into account whether any research data may be supplied in anonymised form (in which case there should be no further data protection issues to consider) and any issues arising from a staff member being granted access to personal data which they would not be entitled to see in pursuit of their usual duties and responsibilities.

Though Section 33 does imply that such disclosures may be permitted (particularly 33(5) – "personal data are not to be treated as processed otherwise than for research…merely because the data are disclosed to any person for research purposes only"), the possibility of such disclosures should be made clear to students, and institutions may wish to consider giving all students an opt-out from such disclosures. In addition, the Commissioner’s Office has expressed the view that, where any research will involve obtrusive activities (e.g. if questionnaires are to be mailed to subjects, or subjects are to be asked to undertake interviews), then consent must first be sought.