Obligations when sharing data

Collecting, using and sharing data in research with people requires taking into consideration the legal landscape and expected ethical standards for research. 

Duty of confidentiality
Data Protection Act

Data Protection Act

Researchers must adhere to data protection requirements when managing or sharing personal data. However, not all research data obtained from people count as personal data. If data are anonymised then the Act will not apply as they no longer constitute 'personal data'.

The Data Protection Act 1998 (DPA) provides some exceptions for research data and applies only to personal or sensitive personal data, and not to all research data in general, nor to anonymised data. The new EU General Data Protection Regulation will come into effect in 2018 and will also play a key role in managing and sharing research data.

The DPA defines 8 principles that deal with the processing of personal data relating to identifiable living people. All such data must be:

  • Processed fairly and lawfully
  • Obtained and processed for a specified purpose
  • Adequate, relevant and not excessive for the purpose
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the rights of data subjects, for example, the right to be informed about how data will be used, stored, processed, transferred, destroyed; and the right to access information and data held
  • Kept secure
  • Not transferred abroad without adequate protection

The DPA and sharing data


  • Do you really need to collect personal data? Often information such as participants' names and addresses are collected for administrative purposes only and have no research value. Not collecting personal data in the first place may make it easier to manage and share your data. Alternatively if they do need to be collected, for example, for follow-up interviews, they should be stored separately from research data.
  • Inform your participants about use of personal data. All researchers must inform research participants about how any personal data collected about them will be used, stored, processed, transferred and destroyed. Personal data can only be disclosed if explicit consent has been given to do so, although there may be exceptions for legal reasons.


Personal data

Personal data are records or other information that on its own, or linked with other data or information in the possession of the data controller, can reveal the identity of an actual living person.

Sensitive personal data

Sensitive personal data are data on a person's race, ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of an offence, proceedings for an offence (alleged to have been) committed, disposal of such proceedings or the sentence of any court in such proceedings.

Data controller

Defined as a person or organisation who either alone, or jointly, or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Statistics and Registration Services Act
Ethical obligations
Research ethics review

Back to top