Compliance checklist for conducting research on personal and special category data

Compliance checklist for conducting research on personal and special category data

Data protection legislation places responsibility on the University to control the processing of personal and special categories of personal data for scientific or historical research and statistical purposes within the University.

The processing must meet the principles of the legislation, though there are limited exemptions for research. See our page on research for further information.

The following points should help determine whether your research project (planned, new, or existing) is subject to data protection legislation and, if so, what precautions you must take.

Work your way through all the points unless you conclude, after point 1, that data protection legislation does not apply to your research project. If you are unsure at any stage, you must consult the DP&FOI Office.

  • Ensure that you understand what is meant by "research on personal data", and the conditions applied to this research.
  • Ensure that you have considered and determined an appropriate lawful basis for the processing of the personal and special categories of personal data.
  • Ensure that you know the limited exemptions which may apply to your research project.
  • Strip out any identifying information that is not needed to meet the data minimisation principle. To increase the security of the processing, make the research data pseudonymous or anonymous (if practical and to no disadvantage to the research). Do not supply a "key" to pseudonymised data to anyone unless required.
  • Ensure that your technical and organisational safeguards meet the security requirements of the data protection legislation. Be particularly cautious when physically taking research data outside of the University. More information is available via Information Security.
  • Research data remains subject to data transfer requirements of the data protection legislation. If the research data is (a) transferred into the University or (b) being transferred outwith the University at any stage, ensure that an appropriate data sharing agreement is in place that covers data protection requirements and responsibilities.
  • Review the Research Strategy & Innovation Office's publication Code of Good Practice in Research, part of the Research Integrity Framework, which provides recommendations on documenting results and storing primary data based on the requirements of several Research Councils. The guidance takes into account:
    • The legal and regulatory framework for particular types of research;
    • The terms and conditions imposed by external research sponsors;
    • The commercial, political or ethical sensitivity of particular types of research, or any research for particular external sponsors.
  • Ensure that when the research data is no longer required, it is retained in line with the Code of Good Practice in Research, or is securely destroyed. The Research Data Management team provides facilities for the deposit of research data that may be required to be retained after the termination of the research project.
  • Contact the Research Regulation and Compliance (RRC) team if your research is concerned with the health and social care sector.  The RRC team provide advice on the necessary approvals and permissions required for research involving health and social care patients, their relatives and carers, staff, data, tissue, and facilities.  Please consult the RRC team and MVLS Ethics Committee webpages for further guidance.