Obligations when sharing data

Collecting, using and sharing data in research with people requires taking into consideration the legal landscape and expected ethical standards for research. 

Duty of confidentiality
Data Protection Act

The Data Protection Act and the General Data Protection Regulation

Researchers must adhere to data protection requirements when managing or sharing personal data. Personal data is defined within the legislation as ‘any information relating to an identified or identifiable natural person’. However, it is important to remember that not all research data obtained from people count as personal data. If data are anonymised and an individual is no longer identifiable then the Act and Regulation will not apply, as the information no longer constitutes 'personal data'.

The Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) provide some exceptions for research data when the necessary safeguards are in place, and applies only to personal or special categories data, and not to all research data in general, nor to anonymised data.

The DPA and GDPR define 6 principles that need to be complied with when processing personal data. All personal data must:

  1. be processed lawfully, fairly and transparently
  2. be kept to the original purpose
  3. be minimised (i.e. only the personal data that is necessary is collected)
  4. have the accuracy upheld
  5. be removed if they are not necessary
  6. be kept confidential and their integrity maintained

Researchers will also need to have a legal basis for processing personal data, of which there are 6 possible grounds:

  1. consent of the data subject
  2. necessary for the performance of a contract
  3. legal obligation placed upon controller
  4. necessary to protect the vital interests of the data subject
  5. carried out in the public interest or is in the exercise of official authority
  6. legitimate interest pursued by controller

In the context of research, there appears to likely be 3 most applicable grounds for the processing of personal data: (i) consent or (ii) public interest (public task) or (iii) legitimate interest. It will be essential that an assessment is made by the data controller for each individual research project to identify the most appropriate grounds for the processing of the personal data for that research project. This will need recording on the information sheet (or consent form), and the processing ground should not be changed at a later date.

The DPA, the GDPR and sharing data


  • Do you really need to collect personal data? Often information such as participants' names and addresses are collected for administrative purposes only and have no research value. Not collecting personal data in the first place may make it easier to manage and share your data. Alternatively, if they do need to be collected, for example, for follow-up interviews, they should be stored separately from research data.
  • Inform your participants about use of personal data. All researchers must inform research participants about how any personal data collected about them will be used, stored, processed, transferred and destroyed.


Personal data

Are any information relating to an identified or identifiable natural person.

Special categories data

These are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person's sex life or sexual orientation.

Data controller

Defined as a person or organisation who either alone, or jointly, or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Statistics and Registration Services Act
Ethical obligations
Research ethics review

Back to top