Data Protection Act

Data Protection Act

The Data Protection Act gives individuals (known as data subjects) rights regarding the personal data - that is data which relate to a living individual who can be identified from the data - organisations hold about them and gives organisations responsibilities regarding that data. These responsibilities are codified as eight data protection principles. There are additional requirements for sensitive personal data.

The Act makes special provisions for research if your research fulfils all of the following conditions:

  • You are using the information exclusively for research purposes (includes statistical or historical research purposes). The information must have no other use, not even an incidental use.
  • You are not using the information to support measures or decisions relating to any identifiable living individual (not just the data subject but anyone who may be affected by your research).
  • You are not using the data in a way that will cause, or is likely to cause, substantial damage or substantial distress to any data subject.
  • You will not make the results of your research, or any resulting statistics, available in a form that identifies the data subjects. For example if you use case studies in your research report you may choose to disguise the names of the individuals. However, if you describe their circumstances in detail it may be possible for someone to identify that individual, in which case you would not meet this criterion.

If you want to use personal data for your research you have two options:

  • Comply with the Data Protection Act; or
  • Anonymise the data that you use so that it no longer falls within the Act’s definition of personal data.

Please note, data is only completely anonymised if it is impossible to identify the individuals from that information plus any other information that the University holds or is likely to hold. For example, if you anonymise a list of participants by giving each a number and then keep a separate list of the numbers and the names of the participants to which they refer, the data is not completely anonymised and would still qualify as personal data under the Act.

The University provides a Researcher's Guide to the Data Protection Act.  This should be read in conjunction with the University's Data Protection Policy.