Academic Research involving personal data

The UK General Data Protection Regulation has applied in the UK since 1 January 2021. It replaced the EU-wide GDPR that was applied across the EU from 25 May 2018. This legislation creates a range of expectations for the processing of personal data. There are also a number of exemptions, many of which apply to research. This section provides an overview of the full expectations and should be read alongside section C which sets out the exemptions that apply to research.

Under data protection legislation, and unless exemptions apply, personal data must generally be processed in accordance with the data protection principles, meaning that it should be:

1. Processed (i.e. collected, handled, stored, disclosed and destroyed) fairly, lawfully and transparently. This requires those who process personal data to:
   • Consider how their use of personal data affects the individuals to whom it relates and, if there is detriment to the individuals, consider whether or not this is justified (fairness)
   • Have a valid ‘legal basis’ for the processing of the data (e.g. that the processing is necessary to operate a contract with an individual or for the performance of a task carried out in the public interest) (lawfulness).
   • Comply with any obligations to inform those whose data they intend to use of what they intend to use it for, about which there are various required headings (transparency).
2. Processed only for specified, explicit and legitimate purposes. This ensures that personal data cannot be used for purposes that are incompatible with the original purpose for which they were collected.
3. Adequate, relevant and limited. This requires those who process personal data to only collect the personal data that is necessary for their purpose and not to share personal data with others unless this is required for that purpose.
4. Accurate (and rectified if inaccurate). Inaccurate personal data does not support the purpose for which it was collected and is therefore unnecessary (see point 3 above). This does not apply to projects or activities for which the purpose is to create a static record of personal data, which if updated would no longer meet that purpose.
5. Kept for no longer than necessary.
6. Processed securely. This requires appropriate technical and organisational measures to protect personal data against unauthorised or unlawful use and accidental loss, destruction or damage. These measures will generally include technological precautions and other steps such as training, anonymisation or physical security.

In addition, the data protection legislation provides specific rights to individuals in relation to their personal data unless exemptions apply (as is indicated above, please note that a number of exemptions are likely to apply to research):

1. The right to be informed about how their personal data is used.  This overlaps with the notion of ‘transparent’ processing under point 1 above.
2. The right of access to their personal data. This also overlaps with the notion of ‘transparent’ processing under point 1 above.
3. The right to have their inaccurate personal data rectified.
4. The right to have their personal data erased where appropriate.
5. The right to restrict the processing of their personal data pending its verification or correction.
6. The right to receive copies of their personal data in a machine readable and commonly used form.
7. The right to object to processing of their data.
8. The right not to be subject to a significant decision based solely on automated decision-making using their personal data (e.g. a factory worker’s pay and benefits are linked to an automated system assessing their productivity).

Data protection legislation also imposes several accountability requirements, mostly on the University as an organisation. These include carrying out Data Protection Impact Assessments (DPIAs) on ‘high risk’ processing activities and having appropriate contracts in place when outsourcing functions that involve the processing of personal data, including transferring personal data outside the UK.

Personal data that are processed for ‘scientific or historical research purposes’, ‘statistical purposes’ or ‘archiving purposes in the public interest’ are subject to an exemption that is designed to enable research in the public interest and protect the integrity of research datasets.

This exemption is not automatic and its applicability should be considered on a case by case basis. It applies only to processing for these research purposes where:

1. Appropriate technical and organisational safeguards exist to protect the personal data e.g. data minimisation, pseudonymisation, or access controls.
2. The processing will not result in measures or decisions being taken about individuals (except for interventional medical purposes approved by an NHS/HRA research ethics committee).
3. There is no likelihood of substantial damage or distress to the data subject from the processing.
4. The application of the standard data protection expectations would prevent or seriously impair the achievement of the scientific or historical research purposes.

If these standards are met, the exemptions are the following:

1. Personal data collected for other purposes may be re-used for research purposes.
2. Personal data used for research is exempt from the requirement to keep it for no longer than necessary.
3. The right to access personal data does not apply (provided the research results will be made public in a form that does not identify the participant).
4. The following rights do not apply:
   • Right to have inaccurate personal data rectified.
   • Right to have personal data erased.
   • Right to restrict processing pending verification or correction.
   • Right to object to processing.

Please note that this means that all other standard GDPR expectations set out in section B will continue to apply. Personal data will continue to need to be processed fairly, lawfully and transparently; be adequate, relevant and limited; be accurate; and be processed securely. In addition, data subjects retain the right to be informed of how their data will be used and the right not to be subject to decision making solely on automated decision making based on their data. The right that any personal data provided to data subjects is in a machine readable and commonly used format also remains, but is highly unlikely to apply due to the exemption from the right to access. The accountability requirements also continue to apply.

It should be stressed that the exemption only applies where the application of standard data protection expectations would prevent or seriously impair the achievement of the research purpose. If this is not the case (for example it would not impact your research to erase the personal data of an individual who requests it) then the original rights continue to apply.

Researchers should ensure that they understand the exemption under which they will be using personal data as this will dictate what they need to do in order to comply with data protection legislation. 

As a rule of thumb, the academic expression exemption is most likely to apply to research in the humanities and social sciences concerning those who play a role in public life.

Sections D1 and D2 explain what steps researchers will need to take when using the academic expression exemption and the research purposes exemption. 

If you are using the research purposes exemption you will need to take a number of steps to ensure that your processing of personal data is compliant with data protection legislation.

D2a. Processing lawfully: Legal bases

As set out in section B, in order to process personal data lawfully a ‘legal basis’ is required.

Provided the processing of personal data is essential for a research project to be undertaken, University researchers processing personal data for research may normally do so on the basis that the processing is “necessary for the performance of a task carried out in the public interest”.

In addition, the processing of ‘special category personal data’, i.e. personal data that is considered to be more sensitive requires a ʻspecial legal basisʼ. Special category personal data includes information about an individual’s:

• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• Trade Union membership;
• genetics;
• biometrics (where used for ID purposes);
• health;
• sex life or sexual orientation.

Information about an individual’s actual or alleged criminal convictions and offences is not formally defined as ‘special category personal data’ but the same provisions apply in terms of the legal basis requirement.

Using the legal basis of “task in the public interest” is not enough if you are processing special category data.  Researchers should also use the basis: 

• That the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

For special category personal data, the public interest should be proportionate to the additional risk posed by the processing of special category personal data – where relevant, this judgement may be made by a research ethics committee or, in exceptionally complex cases, by the completion of a formal DPIA.

It is important to note that researchers should not normally rely on consent as a basis for processing personal data. Any project that seeks to rely on consent for its data processing will be subject to additional legal requirements under data protection legislation which may have a significant impact on the research, particular the long-term integrity of the research record. In particular, consent used as a legal basis must be able to be revoked at any time and if that took place the personal data would need to be destroyed immediately.

Please note: For projects in which researchers collect personal data that is not in the public domain (either directly from individuals or indirectly) consent may be required for ethical or common law reasons. It can also be an important contributing factor to demonstrating that personal data is being processed fairly. Nonetheless, it is important that even in such cases consent should not be presented to the participant as the legal basis for data processing.

D2b. Processing transparently

In general, researchers need to ensure that they provide data subjects with appropriate information about how their personal data will be used in their research project. There is a prescribed set of information (transparency information, often referred to as a 'privacy notice') that must always be provided as part of this process. For projects in which personal data will be collected from the research participants directly this would normally be provided in a participant information sheet or equivalent (see Section G for further guidance on participant information sheets).

Some transparency information will be the same for every research project undertaken under the auspices of the University of Cambridge, in particular the identification of the University as the data controller, contact details of the University Data Protection Officer, information on data subject rights, and the right to lodge complaints with the Information Commissioner’s Office. As such, a generic statement for research participants has been published on the University website, meaning that individual projects need only provide information that necessarily differs from project to project.  When providing such transparency information (and as part of all participant information sheets), researchers must include the following statement and weblink:

For further general information about the University of Cambridge’s use of your personal data as a participant in a research study, please see https://www.information-compliance.admin.cam.ac.uk/data-protection/research-participant-data

In addition to the link to the University-wide statement, the following transparency information should be provided.

• The purpose of the processing and the legal bases on which the data is being processed (remember that this will not be consent – see section D2a above). 
• The third parties you might share any personal data with (e.g. other research institutions). This should be as precise as possible without unduly restricting future research use (e.g. “research teams in this organisation and external research organisations, such as universities and commercial companies, in this country and abroad for scientific research purposes”). Personal data should only be shared with those groups that the data subject was informed about as part of the PIS. Although it is not legally necessary to detail the third parties if the data you share with them will be fully de-identified, it is good practice (and in many disciplines is expected) to mention this anyway.
• Details of any plans to export the personal data to a country outside the UK (e.g. to share it with a research institution outside the UK), and what safeguards (e.g. UK adequacy regulations or contractual provisions) are in place to protect the confidentiality of the transferred data – note that this does not apply if you will fully de-identify the data before such an export.
• Details of any plans to supplement the personal data you collect from the participants with personal data about them from other sources (e.g. pre-existing research datasets you have access to or personal data from public sources).
• The retention period of the data or what criteria are used to determine the retention period. Data protection legislation does acknowledge that personal data used for research purposes may need to be kept for very long periods (e.g. for clinical trials or in longitudinal studies) or even indefinitely, but if it is reasonable to de-identify personal data then this should be done as soon as practicable. (The general published transparency information for research participants does refer to usual data retention periods, but if your long-term data management plans are known it is good practice to detail them).
• Whether the collection of the data will lead to automated decision making, including profiling, that will produce legal effects or otherwise similarly effect a particular data subject.  If this is the case, also provide information about how decisions are made, their significance and the consequences. This may include, for example, actions that will be taken by the research team if the data collection reveals an immediate health or safety risk to the participant or others.  Note that ‘automated decision-making’ refers to purely automated decisions that have a legal or similarly significant effect on the individuals. If there is any element of human intervention, or if there is no effect on the individuals (e.g. algorithms are used to analyse a pseudonymised dataset for research purposes only), then there is no need to worry about automated decisions in a research context.

In principle, the requirements above apply regardless of whether personal data is collected directly from data subjects or when it has been obtained from another source. Where the personal data has not been collected directly from the data subjects, it should be provided to them within a reasonable period, specifically:

• Within one month of obtaining the personal data, OR
• If the personal data is to be used to contact the data subject, by the time of contact, OR
• If disclosure to another recipient is planned, by the time of the disclosure.

This information may be provided to data subjects by the original collector of the data if appropriate. In addition to the transparency information set out above, it should also include details of the source from which the personal data originated and, if applicable, whether this was a publically accessible source and details of the categories of personal data concerned.

There is an exemption to the requirement to provide transparency information to data subjects when the personal data has not been collected directly from them if supplying the information to the data subjects would be impossible or would involve disproportionate effort (e.g. there are no or very limited contact details for participants) or giving the information to the data subjects is likely to render impossible or seriously impair the objectives of the processing (i.e. undermining the research itself). In such circumstances transparency information should be made publically available, e.g. on a project website, in place of providing the information directly to the data subjects. The level of granularity required here should depend on the level of risk posed to the data subjects by the processing of the personal data. The University will continue to publish very general information on personal data processing underway within the institution, including as regards research.

The transparency requirements outlined above apply to new projects and any ongoing study that collects new personal data after 25 May 2018. Projects (for example longitudinal studies) that were already underway at 25 May 2018 will need to issue new transparency information for any new personal data collection. This does not necessarily need to be in the form of a new participant information sheet provided directly to the research participants. For example, some ongoing projects may not have full and up-to-date contact details for all participants in which case less direct means may be used, such as posting the new transparency information in a project newsletter, website or social media account.

In normal circumstances, projects that were alreadyh underway at 25 May 2018 would need to seek amendments to their ethical approvals to change a participant information sheet. The University Research Ethics Committee has, however, agreed that any changes or communications made solely for the purposes of complying with the change to data protection legislation that occurred on 25 Mat 2018 will be a non-substantial and non-notifiable amendment (i.e. researchers do not need to seek permission for or inform their ethics committee of the changes). The Health Research Authority agreed the same principle for projects  that have been provided with ethical approval by the HRA: see the HRA guidance for further details.

Projects that do not collect new information after 25 May 2018 will only be affected if the project previously explicitly informed participants that the legal basis for the processing was consent; this will require a new participant information sheet to be provided.  As the requirement to inform individuals about the legal basis for data processing is a new one, it is unlikely that may projects will have explicitly informed participants that their personal data is processed on the basis of their consent.

D2c. Processing accurately and relevantly

To comply with data protection legislation researchers must carefully plan their collection of personal data to ensure that:

• Personal data is only collected if it is genuinely required for their research. Any collection of personal data that is not required for your research project will not be covered by your legal basis;
• Any personal data processed is collected and stored in a manner that makes it suitable for the research purposes (i.e. it is accurate, effectively curated and kept up to date if necessary);
• Personal data is only shared with those who need it for the purposes of the research;
• Where possible personal data is anonymised or pseudonymised promptly.

To achieve this researchers will need adequate data management plans/arrangements. For further guidance on research data management see: https://www.data.cam.ac.uk/

D2d. Processing securely

Data management plans and arrangements must also include adequate measures to protect personal data against unauthorised use, accidental loss, destruction or damage. This is likely to include a range of technical/IT, physical and organisational measures to protect the personal data. It will also include adherence to the principle of data minimisation (i.e. collecting only the absolute minimum date required for a purpose and promptly anonymising or pseudonymising data where possible), see section D2c above.

The research exemption only applies where appropriate safeguards are in place, so it is vital that these are established.

Researchers should seek appropriate advice on data security (from departmental and University IT and information compliance teams) and periodically review the measures taken to ensure that they remain appropriate. The level of appropriate security will depend on the level of risk posed by the processing of the personal data.

Compliance with the common law duty of confidentiality (see section F) is also part of processing securely.

D2e. Processing fairly

The requirement under data protection legislation to process fairly is linked to all the expectations set out in D2a-d, particularly processing transparently.

It also requires researchers to consider whether the use of personal data has any detrimental effect on the data subject and, if so, how this is justified. For University research this requirement is primarily met through the research ethics review process, under which all research that poses more than minimal ethical risk is subject to appropriate ethical review (see section E). Where research projects seek consent for ethical reasons this also helps to demonstrate that personal data is being processed fairly.

Researchers must also be aware of their responsibilities under the common law of confidentiality. This is separate from data protection legislation. Personal data is considered to be confidential if it:

• Is not in the public domain
• Can be related to an identifiable individual
• Has a degree of sensitivity associated with it
• Is given with the expectation that it will be kept confidential.

Information given in confidence is not secret, but must only be handled in line with the data subjects’ ‘reasonable expectations’. Thus, the sharing of the data would be unacceptable if the individual who provided the information would be unreasonably surprised by that sharing. For example, if information is collected by a researcher in confidence, it is likely to be acceptable to share this within his or her research team, but not to share it outside the research team. Similarly it is reasonable to assume that patients will expect their confidential medical information to be shared within their clinical care team, but not necessarily with external research groups. The group in which confidential information may be shared can be expanded by informing the research participants, usually in participant information sheets, of the intention to share their personal data with particular groups and obtaining their consent for this.

Confidential data may also be processed or shared where there is a clear public interest to do so.  (In any case, disclosures of confidential data to meet a legal obligation or to prevent a crime or for safeguarding reasons are permissible.)

In addition, there is a process to allow confidential information to be disclosed for medical research even if this is not in line with the reasonable expectations of the data subject. This can only be done under the Health Service (Control of Patient Information) Regulations 2002 by applying via the Confidentiality Advisory Group in England and Wales or equivalent arrangements elsewhere in the UK.

Confidential information may also be shared if it is robustly anonymised. For guidance see the Information Commissioner’s Office’s Anonymisation Code of Practice: https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/ (Note: this Code is currently under revision).

The above considerations dp not affect the legal basis for personal data processing under data protection legislation, which will normally remain that the processing is “necessary for the performance of a task carried out in the public interest”.

As noted in the sections above, consent forms are generally required for reasons of research ethics and they can also help to demonstrate that personal data is being accessed fairly (one of the principles of data protection legislation). As explained elsewhere in this guidance, though, it is important to stress that consent is not normally the legal basis for the processing of personal data in a research context.

The consent form should be a short document (usually no longer than a side of A4) that concisely covers the core statements to which the participant is being asked to agree in clear and concise language. The participant should be asked to sign, print their name and date the form and, where appropriate, should be given the opportunity to agree or disagree with each statement. Space should also be provided on the consent form for the investigator taking the consent to sign, print their name and date the form.

Electronic consent forms may be used where appropriate (e.g. online or computer-based studies). 

While consent forms will differ according to the project, they should normally include at least the following or similar statements:

• I have read and understood the Participant Information Sheet;
• I have been given the opportunity to ask questions and have had them answered to my satisfaction;
• I agree to take part in this project;
• I understand that my participation is voluntary and that I am free to withdraw such participation at any time without giving a reason;
• A statement that asks the participant to note their understanding of any procedures for handling any personal data collected (e.g. confidentiality, anonymisation, etc.);
• A statement or statements that asks the participant to consent to proposals for data sharing and re-use (whether in de-identified and/or identifiable form) for future research (this should include any plans to provide the data to a commercial company, also see Section I for more information);
• (If relevant and as appropriate) A statement that asks the participant to consent to the export of their personal data outside the UK (e.g. to share it with another research institution or on an international database). You are not legally obliged to provide this statement if the data will be fully de-identified before any such export, however it is advisable to do so where possible as some funders and other stakeholders require this or expect it as part of good practice.
• (If relevant) A statement that asks the participant to consent to any planned audio or visual recording.

Consent forms should be retained in a secure place as evidence of consent to participation.