Data Protection Act
Meeting the Requirements of the Data Protection Act (1998)
This section attempts to clarify the responsibilities of social science researchers within the law as defined by this Act.
NOTE: THIS MATERIAL IS NOT INTENDED AND SHOULD NOT BE TREATED AS LEGAL ADVICE. THE UNIVERSITY OF LANCASTER CAN ACCEPT NO LIABILITY IN NEGLIGENCE OR OTHERWISE TO THOSE WHO RELY DIRECTLY OR INDIRECTLY ON INFORMATION PROVIDED IN THIS DOCUMENT.
The guidelines provided here are drawn from the draft document produced by the Lancaster University Data Protection Project. It is recommended that researchers check any updates or amendments to the Data Protection Act (1998).
Social science researchers are accountable to the law because it is believed that self-regulation and voluntary codes of practice are not sufficient to protect the rights of research participants (Lee 1993). The Data Protection Act (1998) came into effect on 1 March 2000 and replaces the first Data Protection Act (1984). Under the 1998 Act, the definition of ‘personal data processing’ refers to the processing of any information (whether in electronic, paper or other relevant formats such as video or audio-tape) that relates to an identifiable, living individual. Therefore, researchers using personal data, of any sort, that is not totally anonymous (see later comments) are bound to comply with this Act and the eight data protection principles described below.
There are some exemptions from the Data Protection Act for personal data which is being used for research; these are defined in section 33 of the Act and affect principles 2, 5 and section 7 (which in turn affects principle 6). Note that these exemptions apply only when data are not processed to support measures or decisions pertaining to particular individuals. Whilst the outcomes of research often affect individuals, this is acceptable as long as they have not been targeted or identified by the processing of personal data used for the research. Additionally, these exemptions only apply where processing data for research purposes will not cause substantial damage or distress to research participants.
- First Principle: Personal data shall be processed fairly and lawfully.
Obtaining consent from research participants to process their personal data satisfies this first principle.
Additional conditions are laid down if the personal data is sensitive (see next section). Under the ‘fair processing’ requirements of the Act, researchers also need to provide the following information to research participants wherever possible:
- The identity of the researcher, such as status and affiliation with a university department; research body; statutory, private or third sector organisation;
- The purpose(s) that the data will be used for, such as a PhD thesis; policy report; and future publications;
- The identity of other people who might have access to the raw data, such as members of the research team or supervisors.
- Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Research data is exempt from this principle and so personal data collected for one purpose can be analysed for a different purpose. However, researchers should make all reasonable efforts to inform research participants about any new purposes of data processing, wherever possible. Participants should also be informed if it is likely that anonymized data will be deposited in archives for secondary use by other researchers (as increasingly stipulated by organisation funding research – see Secondary Data Sources).
- Third Principle: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Social researchers should only collect and process personal details which are necessary to the research project.
- Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date. In most cases social research will only ever be based on information which represents a situation at a particular moment in time and so there would be no reason to update the personal information collected.
- Fifth Principle: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Research data is exempt from this principle and can be retained indefinitely; although, in practice, ethical review tends to require researchers to state how long the data will be kept before it is destroyed (around 5-7 years often being the norm). However, if the researcher has promised the participant that tapes and/or transcripts will be destroyed at the end of the research process then this promise must be honoured.
- Sixth Principle: Personal data shall be processed in accordance with the rights of data subjects under this Act. Social research is exempt from part of this principle in that any data processed for research purposes does not have to be made available to participants as long as the results of the research do not identify individuals. However, in some types of social research, especially qualitative research, it is considered good ethical practice to obtain feedback from participants on their interview transcript and/or the results of data analysis.
- Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Researchers must take steps to ensure that personal data is kept securely, whether it is in a locked filing cabinet or as password protected files on a computer. Special care must be taken when handling personal data outside the university. It is recommended that anonymisation of data should be carried out as far as possible to increase the security of data processing, particularly if data is being transferred to colleagues based at a different institution. The use of registered mail should be considered when sending back transcripts to participants, especially if they contain sensitive data or have not been anonymised. It is also good practice to inform research participants of the manner in which their personal data will be protected from unauthorised access.
- Eighth Principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data. The safest option is to obtain explicit consent for overseas transfer from research participants during the data collection phase.
A more detailed description of these principles can be found elsewhere (Information Commissioner 2001).
The Act defines several categories of personal data that are considered to be of a sensitive nature and are, therefore, subject to additional conditions which have to be met if the data is to processed legitimately. Information about a research participant that falls into any of the following categories is deemed to be sensitive personal data (Information Commissioner 2001:22):
- The racial or ethic origin of the participant;
- Political opinions of the participant;
- The religious beliefs or other beliefs of a similar nature held by the participant;
- Whether the participant is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
- The physical or mental health or condition of the participant;
- The sexual life of the participant;
- The commission or alleged commission by the participant of any offence;
- Any proceedings for any offence committed or alleged to have been committed by the participant, the disposal of such proceedings or the sentence of any court in such proceedings.
The processing of sensitive personal data for research purposes may only be carried out if one of the following conditions in Schedule 3 is met:
- The research participant has provided explicit consent for their personal data to be processed (ideally in writing);
- Medical research is being carried out by a health professional or someone who owes a similar duty of confidentiality;
- Analysis of racial/ethnic origins is being carried out for the purpose of equal opportunities monitoring;
- It has been additionally provided for by the Secretary of State.
More information about the additional requirements when processing sensitive personal data is provided elsewhere (Information Commissioner 2001).
Whilst it appears simple to meet the conditions of explicit consent by providing information to the participant about the purposes of the research, together with how the data will be stored and used, there is confusion about what constitutes explicit informed consent (Strobl, et al. 2000). Nonetheless, it is recommended that the researcher obtains signed and dated consent from the participant using a consent form which includes at least a project synopsis (see Section 5: Informed Consent). If this cannot be obtained then verbal consent, which is recorded, would also be considered as a record of explicit informed consent.
Data which is completely anonymised and which can never be reconstructed to reveal the identity of the participant does not constitute personal data and so is exempt from the Act. In practice it is difficult to achieve true anonymisation although it is advisable to strip all identifying information that is not needed for the research (see section 2.2.5 in Information Commissioner, 2001).
When presenting personal data within a publication, researchers will usually be able to disguise the identity of participants. If it is not possible to discuss a case without identifying the individual because of the level of detail provided about the individual’s personal circumstances or unique role within an organisation (e.g. research with ‘elites’) for example, then consent must be obtained from the research participant before publication can proceed.
The Data Protection Act requires that anyone who is processing personal data needs to notify the Commissioner and provide information about the processing they are carrying out. Research that is being carried out for a degree, such as PhD research, is generally covered by the notifications held by the Higher education Institution. Individual PhD researchers should check this with their institution, but in such cases they do not need to notify the Commissioner. University staff undertaking research are also likely to be covered by their university notifications.
When undertaking research, it is advisable for researchers to contact the Data Protection Officer at their University, either individually or through their Principle Investigator (PI) or supervisor, to check that their research is covered by the notifications held by their institution. If the research lies outside these notifications then action can be taken to expand the notifications as necessary so that the Institution continues to comply with the Data Protection Act.
Akeroyd, A. V. (1991) 'Personal information and qualitative research data: Some practical and ethical problems arising from data protection legislation', in N. G. Fielding and R. Lee (eds) Using Computers in Qualitative Research, London: Sage Publications Ltd, pp. 89-106.
(Problems of using personal data within research and the Data Protection Act.)
Information Commissioner (2001) Data Protection Act 1998: Legal Guidance, (Internet), Information Commissioner. Available from http://www.dataprotection.gov.uk/dpr/dpdoc.nsf
(Official guide to the Data Protection Act (1998) which aims to indicate how the provisions of the Act should be interpreted.)
Lee, R. M. (1993) Doing Research on Sensitive Topics, London: Sage Publications Ltd.
(Covers many of the aspects of undertaking research which generates sensitive data.)
Strobl, J., Cave, E. and Walley, T. (2000) 'Data protection legislation: interpretation and barriers to research', British Medical Journal 321(7261): 890-892.
(Data Protection Act (1998) and its problems within medical research. Ethics committees are interpreting the Act in varying ways which is causing confusion. The issues of consent, anonymisation and access to patients records are particularly confused.)
http://www.dpa.lancs.ac.uk/about.htm - home of the Lancaster University Data Protection Project.
Provides information about the Act and how it relates to higher education institutions and research.
http://www.dataprotection.gov.uk - home page of the Information Commissioner who is responsible for the Data Protection and Freedom of Information Acts.
Provides information about the Data Protection Act and provides links to related publications