Collecting, using and sharing data in research with people requires taking into consideration the legal landscape and expected ethical standards for research.
The Data Protection Act and the General Data Protection Regulation
Researchers must adhere to data protection requirements when managing or sharing personal data. Personal data is defined within the legislation as ‘any information relating to an identified or identifiable natural person’. However, it is important to remember that not all research data obtained from people count as personal data. If data are anonymised and an individual is no longer identifiable then the Act and Regulation will not apply, as the information no longer constitutes 'personal data'.
The Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) provide some exceptions for research data when the necessary safeguards are in place. They apply only to personal or special categories data, not to all research data in general, nor to anonymised data.
The DPA and GDPR define 6 principles that need to be complied with when processing personal data. All personal data must:
Researchers will also need to have a legal basis for processing personal data, of which there are 6 possible grounds:
In the context of research, the 3 grounds most likely to apply to the processing of personal data appear to be: (i) consent, (ii) public interest (public task) or (iii) legitimate interest. It will be essential that the data controller makes an assessment for each individual research project to identify the most appropriate ground for processing the personal data in that project. This will need to be recorded on the information sheet (or consent form), and the processing ground should not be changed at a later date.
The DPA, the GDPR and sharing data
Personal data
Any information relating to an identified or identifiable natural person.
Special categories data
These are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person's sex life or sexual orientation.
Defined as a person or organisation who either alone, or jointly, or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.