Information for researchers
Anybody processing personal data in the course of their research activities must do so in accordance with the UK GDPR and the Data Protection Act 2018 (DPA). Being able to demonstrate compliance with the law is often a pre-condition of securing funding from research councils and other bodies.
There are many types of research taking place at the University. This guidance applies to most types, but if your research involves children, special category data, or automatic processing or decision-making about individuals, then you should seek further advice from the Information Governance Team (dpo@leeds.ac.uk). This data may pose a higher risk to the rights and freedoms of the individual and require that you complete a Data Protection Impact Assessment (DPIA).
If you have concerns about any transfer of personal data to or from the EU or EEA please seek advice from the Information Governance Team dpo@leeds.ac.uk.
Where you are only collecting personal data for administrative purposes (e.g. contact details) keep these separate from your research data; also note that personal data which has been robustly and irreversibly anonymised is not personal data.
What is personal data?
Personal data is data about living people who can be identified from that data. It includes obvious identifying information, such as name or address, as well as pseudonymised data which has had identifiers removed but can be re-identified either through the use of a key or by the addition of other available information, for example an NHS number.
There is a further sub-set described as “special category” personal data, which is defined as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and data concerning health, sex life or sexual orientation. This data is considered to be particularly sensitive and requires additional safeguards; for more information contact dpo@leeds.ac.uk.
What are the principles of the UK GDPR?
You must have a lawful basis for processing personal data, and an additional lawful basis for processing special category personal data.
The University is a public body and, as such, usually uses “the performance of a task carried out in the public interest” as our lawful basis for processing personal data.
In order to process special category personal data, we usually rely on “archiving in the public interest, scientific or historical research purposes, or statistical purposes” as our additional lawful basis. However, we must demonstrate that safeguards have been put in place to protect the individuals whose data we are processing; these include technical and organisational measures to keep the data safe and the use of pseudonymisation (where anonymisation is not possible).
In order to rely on these legal bases we must also be able to demonstrate that the research is unlikely to cause substantial damage or distress, and that the research is in the public interest.
As well as complying with Data Protection legislation, the University expects that any research project which involves personal data about identifiable individuals will have been approved by the relevant Research Ethics Committee.
The UK GDPR also requires that researchers only collect the minimum amount of personal data which they require (data minimisation) and that data is stored securely.
What about consent?
Informed, valid consent is the cornerstone of ethical research involving people. It is a legal requirement for participation in regulated clinical trials, for the collection of human tissue, and in order to access information about individuals which is held under a duty of confidentiality (where data is identifiable, sensitive and not held in the public domain; or where the person disclosing the information considers it private and it was shared with the expectation of confidentiality).
Whilst consent is unlikely to be your lawful basis for processing personal data as part of your research project under the UK GDPR, it still needs to be obtained as part of the ethical process of securing participation in your research.
Please refer to the University’s Informed Consent Protocol.
What must I tell participants?
Where you are collecting data from research participants you must be fair and transparent in providing upfront information about what the personal data will be used for, how it will be handled, what the research participant’s rights are and how they can act upon those rights.
The following individual rights afforded under the DPA are restricted where the personal data is being used for research which is conducted in the public interest:
- The right to access data that we hold.
- The right to rectify data that we hold.
- The right to erase the data that we hold.
- The right to restrict how we process the data that we hold.
- The right to object to the processing of the data that we hold.
- The right to receive the data that we hold in a commonly used format.
These restrictions are intended to protect the integrity of research projects, but can only be applied where we can demonstrate that we have applied safeguards for the individuals involved.
For further detail see the Research Participant Privacy Notice.
NHS patients, please see the Health Research Authority (HRA) Information about Patients.
What can I do with personal data collected for research purposes?
You must process the personal data in the way that you described to the participant at the outset of the project. If you need to release personal data to other organisations for the purposes of your research project you will need a suitable data sharing agreement in place. Please contact Research and Innovation Service (RIS) for further information. The University has Data Sharing Agreement and Data Processing Agreement templates; these are currently under review, so if you require one please contact the Information Governance Team.
There are data controllers and data processors. A data controller is the main decision maker: they exercise control over the purposes and means of processing of the data. Processors act on behalf of, and only on instructions from, the relevant controller. To determine whether you are a data controller or a data processor you need to consider your role and responsibilities in relation to your data processing activities.
You are able to carry out further research using personal data from your project as long as you continue to comply with the safeguards outlined above. Any new research project using personal data will require new ethical review.
Increasingly, there is an expectation that research data will be deposited into an archive where it can be made available to other researchers. The Research Data Leeds repository is the institutional research data repository for the University.
More information is available on the Research and Innovation Service website, including specific guidance on research projects which involve health-related data.