Research Integrity

 

This page provides detailed guidance on the University of Cambridge’s expectations for researchers whose academic research involves the processing of personal data. Researchers who regularly carry out research projects using personal data are advised to familiarise themselves with this guidance. 

Researchers seeking an introduction to the main points of the guidance can read the one-page 'Quick Guide' developed to accompany the full guidance. For ease, the UREC-approved criteria of very high risk data processing (detailed in section E) can also be accessed in the link below.

The quick guidance is not designed to be comprehensive and should be read alongside the full guidance, to which it refers.

The full guidance is divided into sections as follows:

  • Defines personal data and explains where data protection considerations will not apply at all in a research context (Section A).
  • Outlines the standard requirements for organisations processing personal data – in terms of adherence to the data protection principles, the various data subject rights, and organisational accountability requirements (Section B).
  • Outlines the two sets of exemptions from these standard requirements for academic research – setting out how and when the requirements don’t apply (Section C).
  • Explains how these two sets of exemptions work in practice for academic research projects of various types – including guidance about when and how to deploy documentation for research participants, data management plans and data security measures (Section D).
  • Summarises how data protection considerations (and the exemptions) interact with research ethics (Section E).
  • Summarises how data protection considerations (and the exemptions) interact with the separate law of confidentiality, especially in a medical research context (Section F).
  • Provides detailed guidance on writing Participant Information Sheets (or equivalents), where required (Section G).
  • Provides detailed guidance on writing consent forms for research participants, where required (Section H).
  • Provides specific guidance on considerations regarding data sharing and re-use for research purposes, where applicable (Section I).
  • Links to selected further sources of advice and guidance (Section J).

This guidance is aligned with the legal requirements of the UK General Data Protection Regulation and the Data Protection Act 2018.

This guidance is designed to be generally applicable across the University. However, given that issues raised by academic research vary across disciplines, it should be read alongside guidance produced locally (by Department, Faculty or School). Researchers requiring Health Research Authority (HRA) approval must comply with HRA guidelines as well as University and legal expectations. Links to local and HRA guidance are provided at the end of this page.

A. Personal data

Personal data is defined in law as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”, UK GDPR Article 4(1).

Personal data only relates to living individuals.

Data that has been fully de-identified (anonymised) is not classed as personal data and data protection legislation does not apply. For data to be considered de-identified, however, it is necessary to determine whether a determined third party could identify the individual from whom the personal data was obtained, for example by combining indirect identifiers or by combining with publicly available data sets and sources.

Please note that pseudonymised data (i.e. personal data for which identifiers are physically split and stored separately from the rest of the dataset, but kept within the same organisation) remain classed as personal data for legal purposes.

The Information Commissioner’s Office, which regulates data protection law in the UK, has produced a helpful Anonymisation Code of Practice which contains further detail (note this Code is currently under revision).

B. Data protection law requirements

The UK General Data Protection Regulation has applied in the UK since 1 January 2021. It replaced the EU-wide GDPR that was applied across the EU from 25 May 2018. This legislation creates a range of expectations for the processing of personal data. There are also a number of exemptions, many of which apply to research. This section provides an overview of the full expectations and should be read alongside section C which sets out the exemptions that apply to research.

Under data protection legislation, and unless exemptions apply, personal data must generally be processed in accordance with the data protection principles, meaning that it should be:

  1. Processed (i.e. collected, handled, stored, disclosed and destroyed) fairly, lawfully and transparently. This requires those who process personal data to:
    • Consider how their use of personal data affects the individuals to whom it relates and, if there is detriment to the individuals, consider whether or not this is justified (fairness)
    • Have a valid ‘legal basis’ for the processing of the data (e.g. that the processing is necessary to operate a contract with an individual or for the performance of a task carried out in the public interest) (lawfulness).
    • Comply with any obligations to inform those whose data they intend to use of what they intend to use it for, about which there are various required headings (transparency).
  2. Processed only for specified, explicit and legitimate purposes. This ensures that personal data cannot be used for purposes that are incompatible with the original purpose for which they were collected.
  3. Adequate, relevant and limited. This requires those who process personal data to only collect the personal data that is necessary for their purpose and not to share personal data with others unless this is required for that purpose.
  4. Accurate (and rectified if inaccurate). Inaccurate personal data does not support the purpose for which it was collected and is therefore unnecessary (see point 3 above). This does not apply to projects or activities for which the purpose is to create a static record of personal data, which if updated would no longer meet that purpose.
  5. Kept for no longer than necessary.
  6. Processed securely. This requires appropriate technical and organisational measures to protect personal data against unauthorised or unlawful use and accidental loss, destruction or damage. These measures will generally include technological precautions and other steps such as training, anonymisation or physical security.

In addition, the data protection legislation provides specific rights to individuals in relation to their personal data unless exemptions apply (as is indicated above, please note that a number of exemptions are likely to apply to research):

  1. The right to be informed about how their personal data is used.  This overlaps with the notion of ‘transparent’ processing under point 1 above.
  2. The right of access to their personal data. This also overlaps with the notion of ‘transparent’ processing under point 1 above.
  3. The right to have their inaccurate personal data rectified.
  4. The right to have their personal data erased where appropriate.
  5. The right to restrict the processing of their personal data pending its verification or correction.
  6. The right to receive copies of their personal data in a machine readable and commonly used form.
  7. The right to object to processing of their data.
  8. The right not to be subject to a significant decision based solely on automated decision-making using their personal data (e.g. a factory worker’s pay and benefits are linked to an automated system assessing their productivity).

Data protection legislation also imposes several accountability requirements, mostly on the University as an organisation. These include carrying out Data Protection Impact Assessments (DPIAs) on ‘high risk’ processing activities and having appropriate contracts in place when outsourcing functions that involve the processing of personal data, including transferring personal data outside the UK.

C. Academic and research exemptions

The requirements set out in section B are unlikely to apply in full to University research. There are two exemptions to the standard data protection expectations that can apply to University research:

  • Research purposes exemption
  • Academic expression exemption

The exemptions are explained in detail in sections C1 and C2 below.

C1. Research purposes exemption

Personal data that are processed for ‘scientific or historical research purposes’, ‘statistical purposes’ or ‘archiving purposes in the public interest’ are subject to an exemption that is designed to enable research in the public interest and protect the integrity of research datasets.

This exemption is not automatic and its applicability should be considered on a case by case basis. It applies only to processing for these research purposes where:

  1. Appropriate technical and organisational safeguards exist to protect the personal data e.g. data minimisation, pseudonymisation, or access controls.
  2. The processing will not result in measures or decisions being taken about individuals (except for interventional medical purposes approved by an NHS/HRA research ethics committee).
  3. There is no likelihood of substantial damage or distress to the data subject from the processing.
  4. The application of the standard data protection expectations would prevent or seriously impair the achievement of the scientific or historical research purposes.

If these standards are met, the exemptions are the following:

  1. Personal data collected for other purposes may be re-used for research purposes.
  2. Personal data used for research is exempt from the requirement to keep it for no longer than necessary.
  3. The right to access personal data does not apply (provided the research results will be made public in a form that does not identify the participant).
  4. The following rights do not apply:
    • Right to have inaccurate personal data rectified.
    • Right to have personal data erased.
    • Right to restrict processing pending verification or correction.
    • Right to object to processing.

Please note that this means that all other standard GDPR expectations set out in section B will continue to apply. Personal data will continue to need to be processed fairly, lawfully and transparently; be adequate, relevant and limited; be accurate; and be processed securely. In addition, data subjects retain the right to be informed of how their data will be used and the right not to be subject to decisions based solely on automated decision-making using their data. The right that any personal data provided to data subjects is in a machine readable and commonly used format also remains, but is highly unlikely to apply due to the exemption from the right to access. The accountability requirements also continue to apply.

It should be stressed that the exemption only applies where the application of standard data protection expectations would prevent or seriously impair the achievement of the research purpose. If this is not the case (for example it would not impact your research to erase the personal data of an individual who requests it) then the original rights continue to apply.

C2. Academic expression exemption

In addition, there is a second exemption that applies to particular types of research carried out by the University. Personal data processed for journalistic, artistic, literary or academic purposes can be subject to this exemption, which is designed to protect the principle of ‘freedom of expression’. This exemption primarily applies to much academic arts and humanities research and some social science research that processes personal data. As with the research purposes exemption, it is not automatic and only applies where:

  1. The personal data is processed with a view to publication of academic (or journalistic, literary and/or artistic) material;
  2. There is a reasonable belief that the publication would be in the public interest;
  3. There is a reasonable belief that the application of the standard data protection expectations would be incompatible with the academic purpose.

In particular this exemption is likely to be suitable for research projects that include processing for which use of the scientific or historical research purposes exemption might reasonably be considered incompatible with the purpose of the processing. Research projects that are highly likely to be subject to this exemption include, for example:

  1. Research involving the processing of personal data for which the requirement to inform the data subject of how their data will be used may be incompatible with the purpose. For example, a biography of a living public figure or economic research discussing the actions and decisions of individual business people or policy makers.
  2. Research in the public interest that involves the processing of personal data in order to criticise the views or actions of an individual or group in a manner that might cause them distress. For example, to publicly criticise the policies of a politician or decisions of a member of the judiciary.

In effect, this exemption will apply for projects for which a similar argument on the basis of ‘freedom of expression’ could be made for the research being undertaken as for journalistic, literary and/or artistic expression. It is therefore most likely to apply to research concerning those who play a role in public life. 

This exemption is much wider than the research purposes exemption. It provides exemption from all the requirements and rights set out in section B with the exception of the right of a data subject not to be subject to decisions based solely on automated decision-making using their data. It also provides limited exemptions from the accountability requirements, notably removing the standard restrictions on transfers of personal data outside the UK.

D. What should researchers do?

Researchers should ensure that they understand the exemption under which they will be using personal data as this will dictate what they need to do in order to comply with data protection legislation. 

As a rule of thumb, the academic expression exemption is most likely to apply to research in the humanities and social sciences concerning those who play a role in public life.

Sections D1 and D2 explain what steps researchers will need to take when using the academic expression exemption and the research purposes exemption. 

D1. Using the academic expression exemption

If you are using the academic expression exemption, you are often unlikely to need to take significant action to comply with data protection legislation. Your primary responsibility is to ensure that the exemption does indeed apply i.e. that you hold a responsible belief that your research is in the public interest and should not reasonably be carried out under the research exemption. The need to consider incompatibility with the GDPR is of particular significance. While compliance with one provision might reasonably be considered incompatible with your purpose, this does not mean that compliance with another provision will necessarily also be incompatible. For example, if you are interviewing a politician primarily on matters relating to their role in public life, it may well be unreasonable to ensure that processing does not cause him or her substantial damage or distress (for example by using the information collected in a paper that criticises a political policy supported by said politician). Nevertheless, it is highly unlikely that it would be unreasonable to specify how the data that you collect will be used, e.g. that it may be published and whether publication will be in an identified or non-identified format. In addition, you must continue to comply with the University’s ethical expectations, which may include the requirement to seek consent from participants (for ethical rather than legal reasons). It is also important to comply with the University’s research ethics review system, which will ensure that any projects requiring a more formal data protection risk assessment are subject to the appropriate review.

D2. Using the research purposes exemption

If you are using the research purposes exemption you will need to take a number of steps to ensure that your processing of personal data is compliant with data protection legislation.

D2a. Processing lawfully: Legal bases

As set out in section B, in order to process personal data lawfully a ‘legal basis’ is required.

Provided the processing of personal data is essential for a research project to be undertaken, University researchers processing personal data for research may normally do so on the basis that the processing is “necessary for the performance of a task carried out in the public interest”.

In addition, the processing of ‘special category personal data’, i.e. personal data that is considered to be more sensitive, requires a ‘special legal basis’. Special category personal data includes information about an individual’s:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • Trade Union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life or sexual orientation.

Information about an individual’s actual or alleged criminal convictions and offences is not formally defined as ‘special category personal data’ but the same provisions apply in terms of the legal basis requirement.

Using the legal basis of “task in the public interest” is not enough if you are processing special category data.  Researchers should also use the basis: 

  • That the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

For special category personal data, the public interest should be proportionate to the additional risk posed by the processing of special category personal data – where relevant, this judgement may be made by a research ethics committee or, in exceptionally complex cases, by the completion of a formal DPIA.

It is important to note that researchers should not normally rely on consent as a basis for processing personal data. Any project that seeks to rely on consent for its data processing will be subject to additional legal requirements under data protection legislation which may have a significant impact on the research, particularly the long-term integrity of the research record. In particular, consent used as a legal basis must be able to be revoked at any time and if that took place the personal data would need to be destroyed immediately.

Please note: For projects in which researchers collect personal data that is not in the public domain (either directly from individuals or indirectly) consent may be required for ethical or common law reasons. It can also be an important contributing factor to demonstrating that personal data is being processed fairly. Nonetheless, it is important that even in such cases consent should not be presented to the participant as the legal basis for data processing.

D2b. Processing transparently

In general, researchers need to ensure that they provide data subjects with appropriate information about how their personal data will be used in their research project. There is a prescribed set of information (transparency information, often referred to as a 'privacy notice') that must always be provided as part of this process. For projects in which personal data will be collected from the research participants directly this would normally be provided in a participant information sheet or equivalent (see Section G for further guidance on participant information sheets).

Some transparency information will be the same for every research project undertaken under the auspices of the University of Cambridge, in particular the identification of the University as the data controller, contact details of the University Data Protection Officer, information on data subject rights, and the right to lodge complaints with the Information Commissioner’s Office. As such, a generic statement for research participants has been published on the University website, meaning that individual projects need only provide information that necessarily differs from project to project.  When providing such transparency information (and as part of all participant information sheets), researchers must include the following statement and weblink:

For further general information about the University of Cambridge’s use of your personal data as a participant in a research study, please see https://www.information-compliance.admin.cam.ac.uk/data-protection/research-participant-data

In addition to the link to the University-wide statement, the following transparency information should be provided.

  • The purpose of the processing and the legal bases on which the data is being processed (remember that this will not be consent – see section D2a above). 
  • The third parties you might share any personal data with (e.g. other research institutions). This should be as precise as possible without unduly restricting future research use (e.g. “research teams in this organisation and external research organisations, such as universities and commercial companies, in this country and abroad for scientific research purposes”). Personal data should only be shared with those groups that the data subject was informed about as part of the PIS. Although it is not legally necessary to detail the third parties if the data you share with them will be fully de-identified, it is good practice (and in many disciplines is expected) to mention this anyway.
  • Details of any plans to export the personal data to a country outside the UK (e.g. to share it with a research institution outside the UK), and what safeguards (e.g. UK adequacy regulations or contractual provisions) are in place to protect the confidentiality of the transferred data – note that this does not apply if you will fully de-identify the data before such an export.
  • Details of any plans to supplement the personal data you collect from the participants with personal data about them from other sources (e.g. pre-existing research datasets you have access to or personal data from public sources).
  • The retention period of the data or what criteria are used to determine the retention period. Data protection legislation does acknowledge that personal data used for research purposes may need to be kept for very long periods (e.g. for clinical trials or in longitudinal studies) or even indefinitely, but if it is reasonable to de-identify personal data then this should be done as soon as practicable. (The general published transparency information for research participants does refer to usual data retention periods, but if your long-term data management plans are known it is good practice to detail them).
  • Whether the collection of the data will lead to automated decision making, including profiling, that will produce legal effects or otherwise similarly affect a particular data subject. If this is the case, also provide information about how decisions are made, their significance and the consequences. This may include, for example, actions that will be taken by the research team if the data collection reveals an immediate health or safety risk to the participant or others. Note that ‘automated decision-making’ refers to purely automated decisions that have a legal or similarly significant effect on the individuals. If there is any element of human intervention, or if there is no effect on the individuals (e.g. algorithms are used to analyse a pseudonymised dataset for research purposes only), then there is no need to worry about automated decisions in a research context.

In principle, the requirements above apply regardless of whether personal data is collected directly from data subjects or has been obtained from another source. Where the personal data has not been collected directly from the data subjects, the transparency information should be provided to them within a reasonable period, specifically:

  • Within one month of obtaining the personal data, OR
  • If the personal data is to be used to contact the data subject, by the time of contact, OR
  • If disclosure to another recipient is planned, by the time of the disclosure.

This information may be provided to data subjects by the original collector of the data if appropriate. In addition to the transparency information set out above, it should also include details of the source from which the personal data originated and, if applicable, whether this was a publicly accessible source and details of the categories of personal data concerned.

There is an exemption to the requirement to provide transparency information to data subjects when the personal data has not been collected directly from them if supplying the information to the data subjects would be impossible or would involve disproportionate effort (e.g. there are no or very limited contact details for participants) or giving the information to the data subjects is likely to render impossible or seriously impair the objectives of the processing (i.e. undermining the research itself). In such circumstances transparency information should be made publicly available, e.g. on a project website, in place of providing the information directly to the data subjects. The level of granularity required here should depend on the level of risk posed to the data subjects by the processing of the personal data. The University will continue to publish very general information on personal data processing underway within the institution, including as regards research.

The transparency requirements outlined above apply to new projects and any ongoing study that collects new personal data after 25 May 2018. Projects (for example longitudinal studies) that were already underway at 25 May 2018 will need to issue new transparency information for any new personal data collection. This does not necessarily need to be in the form of a new participant information sheet provided directly to the research participants. For example, some ongoing projects may not have full and up-to-date contact details for all participants in which case less direct means may be used, such as posting the new transparency information in a project newsletter, website or social media account.

In normal circumstances, projects that were already underway at 25 May 2018 would need to seek amendments to their ethical approvals to change a participant information sheet. The University Research Ethics Committee has, however, agreed that any changes or communications made solely for the purposes of complying with the change to data protection legislation that occurred on 25 May 2018 will be a non-substantial and non-notifiable amendment (i.e. researchers do not need to seek permission for or inform their ethics committee of the changes). The Health Research Authority agreed the same principle for projects that have been provided with ethical approval by the HRA: see the HRA guidance for further details.

Projects that do not collect new information after 25 May 2018 will only be affected if the project previously explicitly informed participants that the legal basis for the processing was consent; this will require a new participant information sheet to be provided. As the requirement to inform individuals about the legal basis for data processing is a new one, it is unlikely that many projects will have explicitly informed participants that their personal data is processed on the basis of their consent.

D2c. Processing accurately and relevantly

To comply with data protection legislation researchers must carefully plan their collection of personal data to ensure that:

  • Personal data is only collected if it is genuinely required for their research. Any collection of personal data that is not required for your research project will not be covered by your legal basis;
  • Any personal data processed is collected and stored in a manner that makes it suitable for the research purposes (i.e. it is accurate, effectively curated and kept up to date if necessary);
  • Personal data is only shared with those who need it for the purposes of the research;
  • Where possible personal data is anonymised or pseudonymised promptly.

To achieve this researchers will need adequate data management plans/arrangements. For further guidance on research data management see: https://www.data.cam.ac.uk/

D2d. Processing securely

Data management plans and arrangements must also include adequate measures to protect personal data against unauthorised use, accidental loss, destruction or damage. This is likely to include a range of technical/IT, physical and organisational measures to protect the personal data. It will also include adherence to the principle of data minimisation (i.e. collecting only the absolute minimum data required for a purpose and promptly anonymising or pseudonymising data where possible), see section D2c above.

The research exemption only applies where appropriate safeguards are in place, so it is vital that these are established.

Researchers should seek appropriate advice on data security (from departmental and University IT and information compliance teams) and periodically review the measures taken to ensure that they remain appropriate. The level of appropriate security will depend on the level of risk posed by the processing of the personal data.

Compliance with the common law duty of confidentiality (see section F) is also part of processing securely.

D2e. Processing fairly

The requirement under data protection legislation to process fairly is linked to all the expectations set out in D2a-d, particularly processing transparently.

It also requires researchers to consider whether the use of personal data has any detrimental effect on the data subject and, if so, how this is justified. For University research this requirement is primarily met through the research ethics review process, under which all research that poses more than minimal ethical risk is subject to appropriate ethical review (see section E). Where research projects seek consent for ethical reasons this also helps to demonstrate that personal data is being processed fairly.

E. Additional Responsibilities 1: Research Ethics

Regardless of data protection legislation requirements, researchers must ensure that they remain compliant with the University’s expectations for research ethics (https://www.research-integrity.admin.cam.ac.uk/research-ethics).

Consent

While consent should not be the legal basis for the processing of personal data, the University of Cambridge expects, as part of its framework for research ethics, that any research project that collects personal data (necessarily directly) from human participants that is not already in the public domain will normally do so on the basis of free and informed consent obtained at an appropriate point in the research process.  The definition of free and informed consent is judged according to disciplinary norms and so is unlikely to be identical to the definition of this provided in data protection legislation.

To obtain free and informed consent, a researcher should:

  • provide sufficient and appropriate information about the research, to allow participants to make a meaningful choice about whether or not to take part;

  • ensure that they do not apply any explicit or implicit coercion to participate.

(See the ESRC guidance on freely given informed consent for one further elucidation of this concept.)

Any proposal to collect personal data from human participants without free and informed consent, for example where the nature of the research or participants makes this impossible, should be approved as part of the appropriate ethical review process. Failure to obtain free and informed consent, without appropriate ethical approval for this, may unnecessarily restrict your ability to use and share such data, or publish results.

Research Ethics Approval

The University expects that all research projects involving human participants and personal data comply with local and central policies for research ethics review and approval. All researchers should be aware of and comply with their local research ethics review policies and processes and the University’s Policy on the Ethics of Research Involving Human Participants and Personal Data.

University research ethics approval processes are aligned with some of the accountability requirements of data protection legislation.

Where a project involving personal data has been identified as posing sufficient ethical risk to require formal ethical review beyond self-assessment or similar processes, all committees will expect an applicant to provide, in broadly defined and (where appropriate) indicative terms, at least the following factual information:

  1. from what types of data subject or other entity it is expected that such personal data will be collected;

  2. what types of such personal data are planned or likely to be collected;

  3. whether it is expected that such personal data will be shared outside the research team and if so with whom;

  4. whether it is expected that any such personal data will be shared or stored in services located outside the UK;

  5. how long such personal data will be retained or the criteria on the basis of which this will be determined;

  6. what security measures will be in place to protect such personal data (e.g. pseudonymisation or limitations on access).

Committees may also, at their discretion and in line with disciplinary norms, ask applicants for additional information concerning their planned use of personal data.  The content of the response will vary according to the nature of the project to be reviewed.

Committees will also ask principal investigators to confirm whether their use of personal data poses a very high ethical risk. In making this initial judgement about whether the project is high-risk, principal investigators are advised to refer to the discipline-specific bespoke criteria set out by the relevant REC. The following points are indicative of the information that RECs may expect the principal investigators to consider (where applicable):

a) Utilisation of personal data that is highly and unusually sensitive, particularly where publication of this information could be extremely harmful to the career or personal life of the individual concerned especially where it concerns vulnerable groups.

b) The processing of personal data that, in the event of a security breach or inappropriate publication, might endanger the physical health or safety of the individual concerned.

c) Processing of identifiable biometric or genetic data or the tracking of an identifiable individual’s location or behaviour where the processing poses a plausible risk of harm or significant adverse effect to the individual to whom the data relates in a way that is unusual for the type of research being undertaken.

d) Profiling individual children or other vulnerable individuals.

e) The collection of sensitive personal data, the monitoring of public spaces, or the profiling of individuals on a large scale in a way that is unusual for the type of research being undertaken.

f) Direct collection of personal data without the research participant providing consent, where it would normally be provided in comparable research.

g) Collection or combination of personal data using a highly innovative technological or organisational solution for which there is a plausible risk of harm or significant adverse effect to individual persons that is unusual for the type of research being undertaken.

h) Automated decision-making or profiling that leads to a significant effect for research participants on an individual basis (please note that this is highly unlikely to occur in research).

Any projects processing personal data in a manner that poses a very high ethical risk will be referred by the Chair of the Committee to the University’s Information Compliance Office and/or Data Protection Officer for further advice.

F. Additional Responsibilities 2: Confidential information

Researchers must also be aware of their responsibilities under the common law of confidentiality. This is separate from data protection legislation. Personal data is considered to be confidential if it:

  • Is not in the public domain
  • Can be related to an identifiable individual
  • Has a degree of sensitivity associated with it
  • Is given with the expectation that it will be kept confidential.

Information given in confidence is not secret, but must only be handled in line with the data subjects’ ‘reasonable expectations’. Thus, the sharing of the data would be unacceptable if the individual who provided the information would be unreasonably surprised by that sharing. For example, if information is collected by a researcher in confidence, it is likely to be acceptable to share this within his or her research team, but not to share it outside the research team. Similarly it is reasonable to assume that patients will expect their confidential medical information to be shared within their clinical care team, but not necessarily with external research groups. The group in which confidential information may be shared can be expanded by informing the research participants, usually in participant information sheets, of the intention to share their personal data with particular groups and obtaining their consent for this.

Confidential data may also be processed or shared where there is a clear public interest to do so.  (In any case, disclosures of confidential data to meet a legal obligation or to prevent a crime or for safeguarding reasons are permissible.)

In addition, there is a process to allow confidential information to be disclosed for medical research even if this is not in line with the reasonable expectations of the data subject. This can only be done under the Health Service (Control of Patient Information) Regulations 2002 by applying via the Confidentiality Advisory Group in England and Wales or equivalent arrangements elsewhere in the UK.

Confidential information may also be shared if it is robustly anonymised. For guidance see the Information Commissioner’s Office’s Anonymisation Code of Practice: https://ico.org.uk/for-organisations/guide-to-data-protection/anonymisation/ (Note: this Code is currently under revision).

The above considerations do not affect the legal basis for personal data processing under data protection legislation, which will normally remain that the processing is “necessary for the performance of a task carried out in the public interest”.

G. Participant Information Sheets

As noted in the sections above, Participant Information Sheets (PIS) are generally required for both data protection and ethical reasons.

The PIS should provide potential participants with the necessary understanding of the purpose, methods, risks and benefits of the research and the planned use of the data to be collected to make an informed decision as to whether to participate in your research project.

The PIS should also include all relevant information required under data protection legislation. It will also provide potential participants with contact details to submit any further questions that they might have.

The content and form of each PIS will depend on the nature of, and the level of risk posed by, the specific research project for which they have been designed. In general, however, the PIS should be a clear document that provides the necessary information while being easily understood by those for whom it has been written (for example it should be age appropriate).

While each PIS is likely to be different, the following core pieces of information should normally be included:

  • Details of the research project (e.g. title, funding source, sponsoring institution);
  • The purpose of the research;
  • What participation will involve and what types of personal data will be collected from research participants (e.g. names, addresses, full dates of birth, full postcodes, genetic data, and any other information or medical samples that are linked to information that could identify the participant), with a particular focus on any special category personal data that will be collected.
  • The benefits and disadvantages/risks of participation;
  • A clear statement that participation is entirely voluntary and that participants can withdraw from the project at any time without prejudice, now or in future. This should also include a clear statement as to how the participants can withdraw from the study and what would happen to their data if they withdrew. If it will not be possible to remove participant data from a study after they have provided it, or at any later stage (for example after anonymisation), this should be clearly stated;
  • Details of what will happen to the data collected and the results of the research, e.g.:
    • How the data collected will be handled and protected (e.g. confidentiality, pseudonymisation, de-identification, data access and security arrangements);
    • How results will be disseminated;
    • Details of potential future re-use of data for research (see below for more details).
  • Details of who to contact for further information and how to raise a concern.
  • The other types of transparency information set out in section D2b above, including a link to the University's generic statement on use of personal information of research participants (This is not strictly necessary if the exemption for academic purposes applies, but this particular exemption will apply very rarely to research projects that necessitate a PIS aimed at research participants).

H. Consent forms

As noted in the sections above, consent forms are generally required for reasons of research ethics and they can also help to demonstrate that personal data is being accessed fairly (one of the principles of data protection legislation). As explained elsewhere in this guidance, though, it is important to stress that consent is not normally the legal basis for the processing of personal data in a research context.

The consent form should be a short document (usually no longer than a side of A4) that concisely covers the core statements to which the participant is being asked to agree in clear and concise language. The participant should be asked to sign, print their name and date the form and, where appropriate, should be given the opportunity to agree or disagree with each statement. Space should also be provided on the consent form for the investigator taking the consent to sign, print their name and date the form.

Electronic consent forms may be used where appropriate (e.g. online or computer-based studies). 

While consent forms will differ according to the project, they should normally include at least the following or similar statements:

  • I have read and understood the Participant Information Sheet;
  • I have been given the opportunity to ask questions and have had them answered to my satisfaction;
  • I agree to take part in this project;
  • I understand that my participation is voluntary and that I am free to withdraw such participation at any time without giving a reason;
  • A statement that asks the participant to note their understanding of any procedures for handling any personal data collected (e.g. confidentiality, anonymisation, etc.);
  • A statement or statements that asks the participant to consent to proposals for data sharing and re-use (whether in de-identified and/or identifiable form) for future research (this should include any plans to provide the data to a commercial company, also see Section I for more information);
  • (If relevant and as appropriate) A statement that asks the participant to consent to the export of their personal data outside the UK (e.g. to share it with another research institution or on an international database). You are not legally obliged to provide this statement if the data will be fully de-identified before any such export, however it is advisable to do so where possible as some funders and other stakeholders require this or expect it as part of good practice.
  • (If relevant) A statement that asks the participant to consent to any planned audio or visual recording.

Consent forms should be retained in a secure place as evidence of consent to participation.

I. Data sharing and re-use

It is increasingly a condition of research funding that research data should be shared with others and made open for re-use (insofar as that is possible within the relevant legal and ethical frameworks).

The possibility of the re-use of data should be considered when preparing a PIS and/or consent form. Normally this will take the form of a statement in the consent form asking for consent for suitably de-identified research data to be shared outside of the University.

Researchers are advised not to unnecessarily restrict any consent requested for data sharing and data re-use. Unless there is a good reason for placing a restriction on the use of data, consent forms should normally clearly request consent for suitably de-identified data to be used for any purpose beyond the specific project for which they were collected. If necessary or appropriate, researchers may also seek consent for identifiable or pseudonymised personal data to be used for similar research purposes beyond the specific project for which they were collected. Consent forms should also not unnecessarily restrict consent for use of data to researchers based in Cambridge, in academia or the UK.

J. Select Further Guidance

University guidance

The following University research ethics committees provide their own specific guidance on data protection, especially with regard to PIS and consent forms. Those seeking ethical review from these committees should read and comply with this guidance:

General data protection guidance is available on the Information Compliance Office webpages.

External guidance

Additional guidance on transparency and consent standards and processes (including the writing of consent forms and PIS) is available from the following external providers: