Data Protection for Researchers

Research involving the use of personal data is required to fully comply with the provisions of the Data Protection Act 1998. Data protection requirements need to be fully considered when submitting research applications and undertaking research projects involving the collection and use of personal data. Information Assurance Services can provide advice and assistance to ensure compliance with the legislation. Some of the key considerations are outlined below.

Purpose of the Data Protection Act 1998

The Data Protection Act exists to provide a framework for the proper management of personal data. The Act defines personal data as data which relate to a living individual who can be identified from those data. The Act places responsibilities upon individuals and organisations that process personal data and establishes specific rights for data subjects (the individuals who are the subject of the data) in relation to their personal data.

Data Protection principles

At the core of the Act are eight data protection principles. Any individual or organisation processing personal data is required by law to ensure that any personal data in their possession is managed in accordance with these key rules.

Data must be:

  1. processed fairly (i.e. the data subject is aware how their data will be used) and lawfully;
  2. obtained for a specified and lawful purpose and not processed in any manner incompatible with the purpose; 
  3. adequate, relevant and not excessive for the purpose; 
  4. accurate and up-to-date;
  5. not kept for longer than necessary for the purpose; 
  6. processed in accordance with the data subject’s rights;
  7. kept safe and secure from unauthorised processing, or accidental loss, damage or destruction;
  8. not transferred to a country or territory outside the European Economic Area unless that country has equivalent levels of protection for personal data.

Personal data collected for research purposes

Researchers are required to comply with the requirements established by the data protection principles. However, the legislation contains an exemption which entails that some of these rules are slightly different when collecting and processing personal data for research purposes.

Data gathered for the purposes of research activity are exempt from being processed in accordance with the second and fifth data protection principles. This means that personal information can be processed for purposes other than those for which it was originally obtained and it can be held indefinitely. These exemptions only apply if the personal data are not processed to support measures or decisions relating to particular individuals and are not processed in such a way that substantial damage or distress may be caused to any of the data subjects.

In practice this means that researchers can keep records of questionnaires and contacts so that research can be re-visited at a later date or data can be subsequently re-analysed in support of a research project looking at an associated area. However, it is vital that, despite these exemptions, researchers understand that the Act does not provide a blanket exemption from all the data protection principles for data provided and used for research purposes. Researchers using personal data should be aware that most of the data protection principles still apply (the requirement to keep data secure being a particular concern) and that specific measures must be taken on each occasion data are collected for research purposes.

Fully Anonymised Data

If the data are completely and genuinely anonymised and no key to the identity of the data subject is held by (or is likely to come into the possession of) a researcher, then the Data Protection Act does not apply as such information is not considered to be personal data within the terms of the Act (i.e. data which relate to a living individual who can be identified from those data). It should be noted though that true anonymisation of data is difficult to achieve in practice and if identification is at all possible then the Act does still apply.

Data Protection Act compliance requirements

Researchers collecting personal data as part of a research project are required to take the following measures regarding the fair processing of personal data and security considerations as a minimum to ensure compliance with the Data Protection Act. Research applications will usually be required to include detail of how these measures will be enacted.

The most appropriate approach is to ensure that research subjects are given as much information as is reasonably possible from the outset about their involvement in the project and about how information about them will be used and managed.

Researchers must also be mindful of a research subject’s right to object to the processing of data on the grounds that such processing would cause them (or has caused them) significant damage or distress.

Fair processing

In order to comply with the first and most important data protection principle, researchers must inform research subjects as far as possible of:

  • the purpose of the research for which personal data about them will be collected;
  • how their personal data will be used; and
  • who will have access to their data.

It would also be helpful to state how long the data will be retained if this is known, although this is less important due to the exemption relating to the retention of data.


Stringent security provisions must be in place to ensure that personal data is protected from unauthorised access or accidental loss, damage or destruction. Data subjects should be made aware of these measures as part of the process of collecting their personal data and informing them of the nature of the research project and how data about them will be used and managed.

Access to personal data by data subjects

The Data Protection Act provides all individuals with the right to request access to their own personal data held by the University. Information that identifies individuals that is gathered as part of research activity is exempt from this right of access where the data is managed in accordance with the relevant data protection principles and the results of the research are not made available in a form that identifies the data subject.

Further advice and detailed practical guidance on appropriate research practices involving personal data and compliance with the Data Protection Act can be obtained by contacting Information Assurance Services.

Share this page:

Request Information

To make a Data Subject Access Request, or a Freedom of Information Request, please contact IAS directly.

Data Protection Officer

The Data Protection Officer is:

Elisabeth Taoudi, Data Protection Officer and In-House Commercial Lawyer, University of Leicester, University Road, Leicester, LE1 7RH

0116 229 7640