Compliance checklist for conducting research on personal and special category data
Data protection legislation places responsibility on the University to control the processing of personal and special categories of personal data for scientific or historical research and statistical purposes within the University.
The processing must meet the principles of the legislation, though there are limited exemptions for research. See our page on research with personal data for further information.
The following points should help determine whether your research project (planned, new, or existing) is subject to data protection legislation and, if so, what precautions you must take.
Work your way through all the points unless you conclude, after point 1, that data protection legislation does not apply to your research project. If you are unsure at any stage, you must consult the DP&FOI Office.
- Ensure that you know what is meant by personal data and special categories of data. If your research project does not involve such data then data protection legislation does not apply.
- Ensure that you understand what is meant by "research on personal data", and the conditions applied to this research.
- Ensure that you know and apply the additional rules relevant to research on special categories of data.
- Ensure that you have considered and determined an appropriate lawful basis for the processing of the personal and special categories of personal data.
- Ensure that you know the limited exemptions which may apply to your research project.
- Complete a Data Protection Impact Assessment, whether the proposed data processing is low, medium, or high risk. See the University's Information Risk Classifications (PDF, 226KB) for further guidance.
- Strip out any identifying information that is not needed, to meet the data minimisation principle. To reduce the risk of the processing, make the research data pseudonymous or, where practical and of no disadvantage to the research, anonymous. Note that pseudonymised data is still personal data under the legislation, because it can be re-identified using the additional information (the "key"); only fully anonymised data falls outside it. Store the key separately from the research data, and do not supply it to anyone unless they require it.
- Ensure that your technical and organisational safeguards meet the security requirements of the data protection legislation. Be particularly cautious when physically taking research data outside of the University. See our page on information security.
- Research data remains subject to data transfer requirements of the data protection legislation. If the research data is (a) transferred into the University or (b) being transferred outwith the University at any stage, ensure that an appropriate data sharing agreement is in place that covers data protection requirements and responsibilities.
- Review the Research Strategy & Innovation Office's publication Code of Good Practice in Research, part of the Research Integrity Framework, which provides recommendations on documenting results and storing primary data based on the requirements of several Research Councils. The guidance takes into account:
- The legal and regulatory framework for particular types of research;
- The terms and conditions imposed by external research sponsors;
- The commercial, political or ethical sensitivity of particular types of research, or any research for particular external sponsors.
- Ensure that when the research data is no longer required for the project, it is either retained in line with the Code of Good Practice in Research or securely destroyed. The Research Data Management team provides facilities for the deposit of research data that may need to be retained after the research project ends.
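As an added illustration of the pseudonymisation step above (this is example code, not guidance or tooling issued by the University or the DP&FOI Office), the following Python replaces a direct identifier with a keyed pseudonym and strips the other direct identifiers, while the key and the pseudonym-to-identifier lookup are held separately from the research dataset. The column names, the sample records and the choice of an HMAC-SHA256 pseudonym are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Assumed column names for the example dataset; adjust to the real schema.
ID_FIELD = "nhs_number"
DIRECT_IDENTIFIERS = {"name", "email", "postcode", ID_FIELD}


def generate_key() -> bytes:
    """Fresh 256-bit pseudonymisation key. Keep it outside the research dataset."""
    return secrets.token_bytes(32)


def pseudonymise_id(key: bytes, identifier: str) -> str:
    """Deterministic keyed pseudonym: the same person always maps to the same
    value, so records can still be linked across the dataset, but without the
    key the pseudonym cannot be reversed or recomputed."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymise_records(key: bytes, records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the research copy of the records: direct identifiers removed,
    the chosen identifier replaced by its pseudonym."""
    out = []
    for rec in records:
        research_rec = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        research_rec["pseudonym"] = pseudonymise_id(key, rec[ID_FIELD])
        out.append(research_rec)
    return out


def build_lookup(key: bytes, records: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """The re-identification table. This is the 'key' material the checklist
    says must not be supplied unless required; store it apart from the data."""
    return {pseudonymise_id(key, rec[ID_FIELD]): rec[ID_FIELD] for rec in records}


def reidentify(lookup: Dict[str, str], pseudonym: str) -> str:
    """Only someone holding the lookup table (or the key) can do this."""
    return lookup[pseudonym]


# Constructed sample records for the example; not real data.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.org", "postcode": "G12 8QQ",
     "nhs_number": "123 456 7890", "age_band": "40-49", "hba1c": "48"},
    {"name": "A. Example", "email": "a@example.org", "postcode": "G12 8QQ",
     "nhs_number": "123 456 7890", "age_band": "40-49", "hba1c": "51"},
    {"name": "B. Example", "email": "b@example.org", "postcode": "G4 0BA",
     "nhs_number": "987 654 3210", "age_band": "60-69", "hba1c": "39"},
]


def demo() -> Dict[str, object]:
    """Run the pipeline once and return the artefacts for inspection."""
    key = generate_key()
    research = pseudonymise_records(key, SAMPLE_RECORDS)
    lookup = build_lookup(key, SAMPLE_RECORDS)
    return {"key": key, "research": research, "lookup": lookup}


if __name__ == "__main__":
    result = demo()
    for rec in result["research"]:
        print(rec)
```

The pseudonym is keyed rather than a plain hash so that anyone who obtains the research copy without the key cannot confirm a guessed identifier by recomputing it. Because the mapping is deterministic, a leaked key makes every pseudonym reversible by enumeration, which is why the key and lookup table need the same protection as the original identifiers.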
Contact the Research Regulation and Compliance (RRC) team if your research is concerned with the health and social care sector. The RRC team provide advice on the necessary approvals and permissions required for research involving health and social care patients, their relatives and carers, staff, data, tissue, and facilities. Please consult the RRC team and MVLS Ethics Committee webpages for further guidance.