Collecting, using and sharing data in research with people requires taking into consideration the legal landscape and expected ethical standards for research.
Data Protection Act
Researchers must adhere to data protection requirements when managing or sharing personal data. However, not all research data obtained from people count as personal data. If data are anonymised then the Act will not apply as they no longer constitute 'personal data'.
The Data Protection Act 1998 (DPA) provides some exceptions for research data and applies only to personal or sensitive personal data, and not to all research data in general, nor to anonymised data. The new EU General Data Protection Regulation will come into effect in 2018 and will also play a key role in managing and sharing research data.
The DPA defines 8 principles that deal with the processing of personal data relating to identifiable living people. All such data must be:
The DPA and sharing data
Personal data are records or other information that on its own, or linked with other data or information in the possession of the data controller, can reveal the identity of an actual living person.
Sensitive personal data
Sensitive personal data are data on a person's race, ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of an offence, proceedings for an offence (alleged to have been) committed, disposal of such proceedings or the sentence of any court in such proceedings.
Defined as a person or organisation who either alone, or jointly, or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.