
Data protection, rights and access: 1998 Data protection act
The Act is made up of eight principles designed to safeguard the rights of individuals with regard to information held about them by organisations.
The Act also defines data, data controllers and data processors, personal data, and sensitive personal data. It is important to understand each of these terms in relation to your research if you are dealing with human subjects.
For purposes of the Data Protection Act, data can be held on computers or in paper files, for the purposes of processing or record-keeping.
A data controller is “a person or organisation who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.” For research, a data controller may be yourself as an individual or it may be the University (particularly in the case of staff researchers).
A data processor may be designated or out-sourced by the data controller; but it is the data controller who is held responsible for compliance.
Obligations apply throughout the period when you are processing personal data, as do the rights of individuals in respect of that personal data. So you must comply with the Act from the moment you obtain the data until the time when the data has been returned, deleted or destroyed (or perhaps appropriately transformed into a public use dataset for purposes of sharing).
Personal data is simply records or other information that, on its own or linked with other data, can reveal the identity of an actual living person. So, for example, you may use numbers rather than names as identifiers in a survey, but if you hold another record linking those numbers to the actual names, then each record is considered to contain personal information.
In order to use personal information lawfully, you may only need to satisfy two conditions:
- You have obtained consent from the data subject.
- You are processing personal data for the legitimate interests of the University or a third party and your use does not cause unwarranted prejudice to the rights and freedoms, or the legitimate interests of the data subject.
If you are able to process anonymised data instead of personal data for your research by destroying the “key” between the identifiers and the personally identifying information, then you could be exempt from the Data Protection Act entirely.
"Sensitive personal data" means personal data combined with any of the following:
- the racial or ethnic origin of the data subject
- his or her political opinions
- his or her religious beliefs or other beliefs of a similar nature,
- whether she or he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
- his or her physical or mental health or condition,
- his or her sexual life,
- the commission or alleged commission by him or her of any offence, or
- any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings or the sentence of any court in such proceedings.
The safest way to avoid holding sensitive personal data is to avoid collecting or holding information to do with the topics above unless your research actually requires it!