Guide 4 - Research
Use of personal data in research
Guide 4 - Research
1. What are the essential elements of the Data Protection Act?
The Act sets out to ensure that people may only process data about other living individuals where they have a clear legal purpose for doing so. It requires a regime of fairness and transparency in such processing. Hence, the processing must be fair to the individual, who must be kept informed of the collection, use and distribution of their personal data and, in some cases, this can only be done with their express consent. The Act also gives the individual certain rights of access to their personal data, whether that data be stored electronically or as written records in structured files. All processing of personal data has to be registered. The requirements of the Act are encompassed in the eight Data Protection Principles, which form part of the Act and are set out in the College's Data Protection Policy. Where personal data are used in research, there are some permitted exemptions from compliance with some of these Principles, as indicated below.
2. What must I do to comply with the Act?
As stated above, personal data must be processed in accordance with the eight Data Protection Principles. Thus, the data must be obtained and processed fairly and lawfully, be processed only for specific legal purposes, be adequate, relevant and not excessive for those purposes, be accurate and kept up to date, be kept safe from unauthorised access, accidental loss or destruction and must not be transferred outside the European Economic Area without due safeguards unless the Data Subject has given their consent. Under the Act, sensitive personal data must normally be processed only with the Data Subject's explicit consent, however, where it is processed for research purposes, that consent need not be sought where the results of the research are not used to take decisions about that person and no substantial damage or distress is likely to be caused to that person by processing those data.
The Data Protection Act defines sensitive as “information, facts, intentions or opinions relating to the racial or ethnic origin of the Data Subject, their political opinions, religious beliefs, membership of a Trade Union, physical or mental health, sex life, commission or alleged commission of any offence”.
3. What precautions should I take when processing personal data for research purposes?
You are advised that,
3.1 where personal data are to be used for research purposes, that there has been an adequate review, in advance of processing, to ensure that the requirements of the 1998 Act, and in particular the Data Protection Principles, can be adhered to;
3.2 the purpose for which that database or dataset is used is registered with the Data Protection Co-ordinator of your Department/Division/Centre (CAU);
3.3 Data Subjects whose personal data is to be used in research are fully informed that their data will be so used, and for what purposes.
3.4 with a few exceptions Data Subjects have a right to object to the processing of their personal data where they can establish that such processing would cause them significant damage or distress;
3.5 particular care should be taken when the processing involves sensitive personal data as the Act lays down specific conditions for this;
3.6 processing of personal data which has been coded or anonymised, but for which links to a person can still be made by reference to a key to the code or to other identifiers, are still subject to the DP Act 98 and to the College data Protection Policy;
3.7 the DP Act 98 and the College Data Protection Policy apply equally to written records held in a structured filing system, microfiche records and video recordings as well as to computerised records;
3.8 research carried out for the NHS or under contract for a commercial organisation is subject to notification by that body and to that organisation's own Data Protection policies, not the College. However, any data which has not been fully anonymised and is downloaded with permission from an NHS or other external system to a College system constitutes a College database and has to be registered as such;
3.9 reviews must be made of the processing to ensure that compliance with the Act is being maintained at least annually;
3.10 in whatever form personal data is held it should be kept securely with the level of security dependent on the sensitivity of the personal data.
4. What processing is exempt from compliance with the Act?
4.1 Personal data may be processed for purposes other than that for which they were originally obtained if that processing does not lead to decisions being made about an individual, eg. Prognosis or treatment, and is not likely to cause substantial damage or distress to any individual. That data may also be held indefinitely.
4.2 Where the results of processing personal data for research purposes do not identify a data subject, that data subject does not have a right of access to that data.
4.3 Unless other living individuals can be identified from the processing of data about individuals who are no longer living it is exempt from compliance with the Act and such processing does not have to be registered
4.4 Personal data which is anonymised (see CoP on Processing Personal Data) is also exempt from compliance with the Act and the registration process.