Internal, open access

Using personal data in research

Personal data used for research purposes must be used in accordance with the Data Protection Act 1998 (DPA). The rights and obligations set out in the DPA are designed to apply generally, but there are certain exemptions to accommodate special circumstances. One such exemption is where personal data are processed for research purposes; this includes statistical or historical purposes. The personal data must have no other use, not even incidental use. The term "research purposes" is not defined in the Act.

Researchers should avoid using personal data wherever possible. They should carefully consider whether such processing is necessary to achieve their purpose(s). Wherever possible, researchers should process data that has had identifying information removed. Ideally, researchers should use data that has been effectively anonymised, as the Data Protection Act 1998 will no longer apply to such data.

Where personal data is used for research purposes in this way, the personal data may be exempt from some (but not all) of the data protection principles provided that both the following conditions apply:

  • The personal data are not processed to support measures or decisions with respect to particular individuals (not just the individual subjects, but anyone who may be affected by the research), and
  • The personal data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

When both these conditions apply, the personal data are exempt from:

  • The second data protection principle. This means that personal data can be processed for research purposes other than those for which they were originally obtained. The second data protection principle is defined on the website of the Office of the Information Commissioner in the section Data Protection Principles.
  • The fifth data protection principle. This means that personal data for research purposes can be held indefinitely. The fifth data protection principle is defined on the website of the Office of the Information Commissioner in the section Data Protection Principles.
  • The data subject's right of access to his personal data if a subject access request is submitted about the handling of the data, provided that the research results, or any resulting statistics, are effectively anonymised. However, in this case, the data controller may still choose to disclose the information to the data subject, unless by doing so they would breach another individual's data protection rights. The data subject's right of access is defined in Section 7 of the Data Protection Act.

There is no blanket exemption from the data protection principles. Therefore, the following apply:

  • Research data subjects should be informed of any new data processing purposes, the identity of the data controller, and any disclosures that may be made.
  • Research data subjects must be able to meaningfully exercise their right to object to the data processing on the grounds that it would cause, or has caused, them significant damage or distress.
  • Requirements for appropriate security of data must be respected, including appropriate levels of security for sensitive data.
  • Data may not be transferred to researchers in a non-EEA country, unless certain conditions are met as described on the website of the Office of the Information Commissioner in the section on Sending personal data outside the European Economic Area (principle 8).

No research using human subjects, human samples (however obtained) or human personal data that is to be undertaken in the University, or under the auspices of the University, however funded, can be carried out without the approval of the University's Research Ethics Committee.

Heads of School are responsible for having procedures in place within their School that identify and review all projects that might fall within the Research Ethics Committee's terms of reference, as described in Research ethics. However, the Research Ethics Committee will not consider the data protection aspects of a project, so the following data protection guidance notes have been prepared to help researchers deal with data protection issues. These should be read in conjunction with the University's guidance on Research ethics and the Quality Assurance in Research website.

The data protection guidance notes cover the following topics:

