Handling of Personal and Sensitive Data
Identifiable or sensitive data about living individuals require safe handling for research integrity and compliance with the law.
Using personal data in research
All research data containing personal data is subject to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which together form the data protection regime in the UK. The Act, enforced by the Information Commissioner's Office, outlines organisations’ responsibilities for personal data. It also gives individuals rights over their data.
Professional bodies also have ethics codes for research, which you should review before collecting and storing personal data. The ESRC produced a comprehensive list of ethics codes and guidelines.
Research using or collecting personal data needs ethical approval before the project starts. The Ethics Toolkit has been developed to support researchers through this process.
The overarching rule is to only collect personal and sensitive data if the research requires it. If you do need to use personal or sensitive data, GDPR makes special provisions for research data as long as it fulfils all the following conditions:
- You are using the data only for research purposes (this includes statistical and historical research)
- You do not use the information to support decisions about the research subject or any other living person
- You do not use the data in such a way that it causes substantial damage or distress to the subject
- You do not make the results of the research available in a way that identifies any of the research subjects (except if you have explicit consent from the subjects for them to be identified – see ICO guidance on GDPR)
If you use secondary data that is anonymised, there is no requirement to comply with the GDPR, but best practice for handling data is still recommended.
If you have identifiable data that requires sharing, the data needs to be anonymised.
There are excellent resources to guide you through anonymising data: