Common questions about data protection and research

Q: I'm collecting personal data as part of my research. What are my obligations?
Q: Does the Act still apply after I have anonymised my research data? What is anonymisation anyway?
Q: Can I share my dataset with other researchers as their research interests are similar to mine?
Q: How long can I keep personal data for the purposes of research?
Q: My research is looking at the personal data of people from the 1700s. Does the DPA still apply to this?
Q: Do I have to provide access to personal data to research subjects from whom it was collected? Can research subjects request the personal data that they have given me?
Q: My research involves work with children. Are there any special conditions?
Q: I want to publish my research. Do I need to get permission from the data subjects?
Q: Is data protection part of the ethical approval process for my project?
Q: I am doing fieldwork. How can I ensure that the personal data collected is kept safe during the fieldwork, and while being transported back to the University?
Q: I am doing fieldwork abroad collecting personal data. Do the local data protection rules apply to it, or does the UK DPA law apply to it?
Q: My research is funded externally. Who owns the personal data that I collect?
Q: I'd like to store personal data in the cloud. What should I be aware of before I set this up?
Q: I'm involved in a project which involves sharing information with other partners in the project. What should I be considering?

Q: I'm collecting personal data as part of my research. What are my obligations?
A: Your project should be approved by the relevant research ethics committee which will consider your obligations under the DPA. UEA's Research and Enterprise Service can advise on which committee applies to your work. Contact the ISD information compliance team if you have any further questions after you have completed this process. 

Q: Does the Act still apply after I have anonymised my research data? What is anonymisation anyway?
A: The DPA only applies to personal data. If the anonymisation is sufficient to prevent any individual from being identified, then the DPA does not apply to the data. Guidance on anonymisation is available from the Information Commissioner's Office. Anonymisation should prevent anyone - regardless of their level of knowledge - from being able to identify an individual from the information. The anonymisation process is typically more involved than just removing obvious identifiers such as name and address.

Q: Can I share my dataset with other researchers as their research interests are similar to mine?
A: Yes, there is an allowance under the DPA which permits this sharing under certain conditions. The original data subject should have been informed that the data collected may be used by other research projects. However, recipients of the dataset are not permitted to use the dataset to follow up any further questions with the data subjects featured in the dataset. See s.33 of the DPA.

Q: How long can I keep personal data for the purposes of research?
A: You can keep the data indefinitely. The DPA states that to do so the ‘relevant conditions’ must apply, that is, the data must not be processed in a way that would ‘support measures or decisions with respect to particular individuals’, nor in a way that would or would be likely to cause harm to the data subject. See s.33 of the DPA for further details.

Q: My research is looking at the personal data of people from the 1700s. Does the DPA still apply to this?
A: No, the DPA only applies to living individuals, and anyone alive in the 1700s would be dead by now.

Q: Do I have to provide access to personal data to research subjects from whom it was collected? Can research subjects request the personal data that they have given me?
A: Where the ‘relevant conditions’ apply, research data would not need to be disclosed under a data subject access request, provided the research outputs do not identify individuals.

Q: My research involves work with children. Are there any special conditions?
A: There are special conditions under the University's Research and Enterprise Services Research Ethics Policy, but the data protection rights of children are no different from those of an adult. Data about a child is their personal data, and they, not their parent or guardian, still have rights of access to it. 

Q: I want to publish my research. Do I need to get permission from the data subjects?
A: You cannot publish personal information without the consent of your data subjects. The processing must be fair. This issue should have been handled in the initial consideration of the research by the ethics committee. If you change your intentions around publication, you should also revisit the research protocol and approval by the relevant committee. 

Q: Is data protection part of the ethical approval process for my project?
A: Yes, data protection is covered by ethics committees.

Q: I am doing fieldwork. How can I ensure that the personal data collected is kept safe during the fieldwork, and while being transported back to the University?
A: If you are collecting the data on a mobile electronic device, the data should be encrypted. If your device does not support encryption (audio and video recorders generally do not encrypt their recordings), the device should be transferred to a physically secure environment as soon as possible to minimise the risk of the data being lost. Note that you should consider the physical security of the devices holding the data as well as the encryption of the data itself.

Q: I am doing fieldwork abroad collecting personal data. Do the local data protection rules apply to it, or does the UK DPA law apply to it?
A: If the University is the data controller of the data, then UK DPA rules apply wherever it is being collected. It is likely that local data protection rules will also apply to the data in the country where it is being collected. Contact the ISD information compliance team for further advice.

Q: My research is funded externally. Who owns the personal data that I collect?
A: The responsibilities under the Act fall on the data controller (i.e. the body that determines the purpose and manner in which personal data are processed). This does not depend on who funds the research, unless that research is being conducted under a contract where the funder has determined the purpose and manner of the processing. Under these circumstances, the University would be acting as a data processor.

Q: I'd like to store personal data in the cloud. What should I be aware of before I set this up?
A: The UEA Information Classification and Data Management policy addresses the question of selecting appropriate storage solutions for information dependent on its classification. Personal data is at least confidential (because the DPA will apply to it), and use of any offsite storage locations or any transmission of the data off site requires the data first to be encrypted. There are other considerations which must also be taken into account before selecting an offsite storage provider – particularly Principle 8 of the DPA. The guidance appended to the policy helps with making suitable checks. 

Q: I'm involved in a project which involves sharing information with other partners in the project. What should I be considering?
A: Refer to the data sharing checklist available from the ICO website before sharing information with another institution.