Guidance for students on the use of personal data in research projects

Introduction

Many students (undergraduate and postgraduate) carry out research projects as part of their studies. Some research projects involve the use of information relating to identifiable living persons. Such information is known as personal data.

The processing of personal data is regulated by legislation, most notably the UK General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. In this guidance, this is referred to as ‘data protection legislation’.

Almost anything that can be done with personal data counts as ‘processing’, including collecting, recording, storing, using, analysing, combining, disclosing, or deleting it.

Responsibility for processing personal data is given to the controller and the processor of the personal data.

  • The ‘controller’ is the individual or organisation that makes decisions about what personal data is processed and how it is processed.
  • The ‘processor’ is the individual or organisation that processes the data following the instructions of the controller.

Under data protection legislation, the controller of personal data is responsible for ensuring that personal data is processed in line with 6 key principles.

This guidance relates to personal data only. Guidance on wider research data can be found on the University’s Research Data Management webpages.

Who is the data controller?

The student and UofG are joint controllers of personal data.

This is because:

  • The student decides what personal data they need to use to carry out the research and how the personal data will be used to answer the research questions; and
  • UofG, through the supervisor, provides guidance and direction to the student on what personal data they need to use to carry out the research and, through the DP&FOI Office, provides guidance to the student on how to comply with data protection legislation.

As joint controllers, the student and UofG are jointly responsible under data protection legislation for the processing of the personal data. The sections below set out the respective responsibilities of the student and UofG for compliance with data protection legislation.

Student responsibilities

Students are responsible for ensuring that the personal data is processed lawfully, fairly, and transparently, with guidance from UofG (Principle 1).

This responsibility includes:

  • establishing a lawful basis for processing the personal data.
  • providing any required information to the individuals whose personal data is being used for the research project via a Privacy Notice.

Students are also responsible for:

  • determining the purpose for which the personal data will be processed (Principle 2).
  • ensuring that the personal data is limited to what is necessary in relation to the purpose for which the personal data will be processed (Principle 3).
  • ensuring that the personal data is accurate and, where necessary, kept up to date (Principle 4).
  • not keeping the personal data for any longer than is necessary for the purpose (Principle 5).
  • selecting appropriate technological and operational measures to protect personal data, including measures made available by the University (Principle 6).

University responsibilities

UofG is responsible for:

  • providing guidance to students on how to process data lawfully, fairly and transparently (Principle 1).
  • providing a mechanism whereby individuals can make requests in respect of their personal data used for the research project, such as requests to update or to obtain a copy of personal data (Principles 3 and 4).
  • providing guidance to students on appropriate records retention (Principle 5).
  • making available appropriate technological and operational measures, such as IT infrastructure and IT security training, to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage (Principle 6).
  • putting in place written contracts with any processors of the personal data engaged in relation to a research project (e.g. external transcription services).

Who is the data processor?

UofG may routinely engage third parties to carry out its responsibilities as a joint controller, in particular in relation to IT systems used to store personal data.

Some projects may require a specific third party to carry out some actions in relation to personal data, for example a transcription or translation company. That third party would be a data processor.

When sharing data with a third party, you must establish appropriate measures and safeguards to ensure compliance with data protection legislation. This should be done via a data sharing agreement.

What happens when a student leaves?

If a student leaves UofG, the student should note that whether or not they can take a copy of the personal data with them will depend on whether this would comply with data protection legislation and the research project’s ethics approval.

In these circumstances, the student can seek further guidance from the University’s DP&FOI Office.

Further information

Students may seek advice regarding their responsibilities as a joint data controller from their supervisor of studies and from the DP&FOI Office.

The following DP&FOI Office webpages are specific to the use of personal data in research:

Other useful guidance and templates can be found on the DP&FOI Office's webpages.

This guidance was approved by EdPSC in December 2021.