This guidance draws your attention to the provisions of the Data Protection Act 1998 (DPA) relating to research activities, and outlines the actions required to achieve compliance with the Act. This includes information about registering your research project with Legal Services.
- Personal data
The DPA lays down principles of good information handling which is designed to ensure that personal data is used in a way that is fair to individuals and protects their rights. The DPA applies to personal data, i.e. data from which a living individual can be identified.
The Act does not apply to information about deceased people, but you may still owe a duty of confidentiality after death.
- Sensitive personal data
The DPA classifies certain types of personal data as sensitive. The following types of information fall into the category of sensitive personal data:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental health
- Sexual life
- Commission of offences or alleged offences
The processing of sensitive personal data for research purposes may only be carried out if one of the following conditions is satisfied:
- the explicit consent (ideally in writing) of the data subject has been obtained
- medical research is being carried out by a health professional or someone who owes a similar duty of confidentiality
- it is an analysis of racial/ethnic origins, carried out for the purpose of equal opportunities monitoring
- is in the substantial public interest and is necessary for research purposes and does not support measures with respect to the particular data subject except with their specific consent nor cause or be likely to cause substantial damage and distress'.
- Anonymisation in research
In order to gain a better understanding of anonymisation, you should first be aware of what is personal data and the definition that applies.
Personal data is defined as that which relates to a living individual who:
- Can be identified from that data
- Can be identified from that data and any other information which is in the possession of, or likely to come into the possession of, the data controller.
What is anonymisation?
Anonymisation refers to the process of removing personal identifiers (directly and indirectly) that may lead to an individual being identified from that information, or combined together with other information.
Examples of personal identifiers are listed below:
You can often directly identify an individual from their name, address, postcode, telephone number, photograph or image, or some other unique personal characteristic.
An individual may be indirectly identifiable when certain information is linked together with other sources of information. This may include, for example, their place of work, job title, salary, their age, their postcode or even the fact that they have a particular diagnosis or condition.
The primary reason for undertaking anonymisation is to protect an individuals’ privacy.
The data protection principles do not apply to information that been permanently rendered anonymous so that individuals are not identifiable. However, if you are unable to fully anonymise your research data, then it will still be subject to the data protection principles. This is not to say that taking steps to reduce the chance that an individual might be identified should not be undertaken; it is good practice to do so wherever possible. Legally, however the Data Protection Act still applies to this weakly anonymised data.
Risk of re-identification
The Information Commissioner’s Office has developed a “motivated intruder” test. This test determines whether an individual, who does not have any specialist skills, or prior knowledge, but is competent enough to access resources, such as the internet, to identify an individual from whose personal data the anonymized data has been derived.
The Information Commissioners’ Office has produced a anonymisation code of practice (pdf) which includes the motivated intruder test.
Pseudonymisation – The technical process of replacing person identifiers with other values (pseudonyms) from which the identities of individuals cannot be intrinsically inferred
When data has been pseudonymised, it still retains a level of information in the retained data that may allow tracking back of the identifiable data in its original state. With anonymised data the level of detail is reduced rendering a reverse compilation impossible. With this in mind, if you will be processing any personal data (e.g. details of individual participants on consent forms), then it will still be subject to the data protection principles, and registration is required.
Do I need a data protection registration?
Research projects which are using truly anonymised or aggregated information do not have to be registered with Legal Services and you do not have to worry about compliance with the Data Protection Act 1998. However, if you have collected identifiable data but then taken steps to psedonymise this but ultimately you are still able to identify the participants registration will be required as you will still be processing personal data.
Likewise, if you are using consent forms containing names and the contact details of participants as part of your recruitment process you will be processing personal data even if the actual research data obtained is not identifiable as a result registration is still required.
Two videos have been recorded by the national centre for research methods where they give an outline of the anonymisation decision making framework.
The first gives the outline of the basic concepts:
The second outlines the ten steps of the framework:
- International research
International research collaborations involving transfer of personal data may not be transferred to countries outside the EEA unless that country has adequate data protection regulations, or the explicit consent of the data subject has been obtained, or there is an appropriate contract with the recipient of the data, specifying appropriate data protection requirements that must be upheld. Thus, researchers must be exceptionally careful when contemplating the transfer of research data overseas. In most cases, the safe option will be to ensure that data subjects give explicit consent for overseas transfer during data collection.
You may be able to transfer data to other countries outside of the EEA if you have the subjects' explicit consent (which can be requested on the consent form) or a contract with the recipient of the data, which provides the data with suitable protection.
In view of the recent European Court of Justice ruling on the validity of the US Safe Harbour agreement and the implications for UCL, further information is available from:
- Student led research
In most circumstances students are responsible for ensuring that their research involving living, identifiable individuals complies with the requirements of the Data Protection Act. UCL is the data controller (legally responsible) for personal data processed by students only in very limited circumstances such as research led by a university research group. Generally only postgraduate research would fall into this category; in all other circumstances students’ process data for their own purposes and not UCL’s.
- Research registration
It is expected that all research and researchers will comply with all the legal requirements and University polices, procedures and guidelines, and in particular the University Data Protection Policy.
All research projects using personal data must be registered with Legal Services before the data is collected. This includes projects approved by the Joint Research Office (a partnership between University College London, UCL Hospitals NHS Foundation Trust and the Royal Free Hampstead NHS Trust) and other departmental ethics committees. Download and complete:
Researchers from within IOE follow a slightly different process. Further information is available from:
The application form should be completed electronically and sent together with copies of any supporting documentation that you are using.
- Guidance on completing the data protection registration form
All research which involves a collection or use of identifiable data relating to living individuals must be registered so that we can ensure that the data is obtained and processed in accordance with the data protection principles. This applies equally to research led by UCL staff and students.
Any processing (widely defined and covers all manner of use including obtaining, recording, holding, altering, retrieving, destroying or disclosing data) of personal data must be registered with Legal Services before the data is collected. This includes projects approved by the Joint Research Office (a partnership between UCL, UCL Hospitals NHS Foundation Trust and the Royal Free Hampstead NHS Trust), and other departmental ethics committees.
This form should only be completed if identifiable data is being collected and used as part of research because identifiable data is personal data and data protection law applies. The Act does not apply to data rendered anonymous (also known as de-identified), so that the data subjects are not identifiable. In this instances, registration will not be required.
Applications which involve the use of NHS data should also contact the Information Governance Advisory Service, which include the Data Safe Haven facility. While it is managed by UCL’s School of Life and Medical Sciences (SLMS), it is available to all. Further information is available at:
Guidance on completing the application form
All sections of the application form should be completed. Sections which are not applicable should be marked as ‘N/A’. Any application form which has not been completed sufficiently will be returned for further amendment, or clarification.
The title of the research should correspond with any other supporting documentation (e.g. information sheets, consent forms). Please include the proposed start and end date.
The Chief Investigator (CI); Principal Investigator (PI), has overall responsibility of the research being carried out. In the case of research being carried out by students, this is normally the students’ supervisor. The contact details of the CI; PI, and, or student Supervisor should be included in this section. (Please note that a student – undergraduate, postgraduate or research postgraduate cannot be the PI for Ethics purposes).
The details of the data collector(s) should be included in this section. (Provide details of the individuals that will be involved in obtaining/collecting the personal data. If the applicant is not the PI provide the student’s details.
Please summarise the main purposes of the research, including an explanation of the aims, design, methodology and plans for analysis that you propose to use. If the research involves the collection of personal data overseas then you must ensure that you provide details in this section.
You should describe the potential participants you are going to include in the research. Please explain any selection criteria for those being recruited.
Give an outline as to the type of data being processed e.g. names, dob, contact details, medical condtions/diagnosis details. Please specify whether the data will be identifiable, anonymised, or pseudo-anonymised. Include a description as to how it will be collected.
In this section, please describe whether the results of the research will be shared, and how, and where it will be published.
In this section, please describe the methods of recruitment that you intend to use from the invitation of the research through to the point of consent being sought.
It is important that prospective participants are provided with sufficient information, so that they can make a free and informed decision about their involvement with research. This can be achieved by the use of an information sheet, or other document to invite prospective participants to participate. The use of consent forms will ensure that the participants of the research has expressly consented for their personal data to be processed.
Please provide details of the security arrangement that will be in place for the research.There must be appropriate levels of security in place for the personal data being processed, both from within, and outside of the university.
The level of security, will be largely dependent as to the type of personal data being processed. Personal data which is to be held electronically, should have appropriate measures in place to minimise any risk, and to prevent unauthorised access, accidental loss, or destruction e.g. encryption. To increase the security of data processing, it is advisable to anonymise/pseudo-anonymise data to as great an extent as possible.
You should provide details of where the locations of the research is being conducted, including information about the circumstances in which the research may be transferred to other countries. If the personal data is to be transferred outside the European Economic Area (EEA), then the participants must have expressly consented to such a transfer.
If the recipient of any transfer cannot guarantee that the data it will receive will not remain within the EEA, or is on the EC approved list of adequacy, then you must have model contract clauses in place for any transfer outside the EEA.
If you are considering using a cloud provider, you should ensure that you are aware of the circumstances in which the cloud provider will process the information it receives. Some providers often have servers where data is stored, and backed up within a number of different countries. Further information on the transfer of personal data overseas is available at:
In order to administer the UCL Data Protection Policy, and ensure UCL's commitment to comply with the DPA, we ask all departments to have a point of contact (Coordinator) for us to be able to disseminate any relevant information regarding the DPA.
As a prerequisite for registration, you should ensure that your local coordinator is made aware of the research, before forwarding to Legal Services for the process to be completed.
If you are applying for ethics approval, please provide the research identification number. Research which does not require ethics approval should provide further details in this section.
If you are receiving sponsorship for your research. Please provide details of the individual, company, institution, funding council, or another organisation which takes responsibility for the initiation, management and/or financing of the research.
Any supporting documentation (e.g. information sheets, consent forms, protocols, questionnaires, advertisement of project, other interview formats, or other documentation being used to invite/inform participants about your research etc.) must be submitted with the application form.
Submitting your application
The completed application form should be sent (electronically) to firstname.lastname@example.org with copies of any supporting documentation.
What Happens Next?
Upon review, the application form will be returned with the appropriate registration number, which may be quoted on the ethics application form, or any other related forms. Applicants should normally allow 5 working days for their application to be processed.
- Research Ethics
If you are applying to the UCL Research Ethics Committee for approval of your research project, you are also required to gain approval from Legal Services that it complies with the DPA, and that you have included the appropriate registration number in your application form.
We may have some questions about the information you provide, but you will normally be provided with a registration number within five working days of submitting the form.
The period leading up to meetings of the UCL Research Ethics Committee is always very busy, and you should allow more time for your application to be processed. It is therefore very important to check in good time whether you need to register your project.
Further advice and guidance on Research Ethics at UCL is available from:
Researchers who are applying to the IOE Research Ethics Committee (IOE REC) follow a slightly different process but they are also required to ensure that it complies with the DPA, and gain approval from Legal Services.
Further advice and guidance on the IOE REC and the data protection registration process is available from:
- Information Governance Advisory Service
Researchers in the School of Life and Medical Sciences (SLMS) who work with sensitive data should be aware of and comply with the SLMS Information Governance Framework. Studies requesting data from the Health and Social Care Information Centre (HSCIC) may be required to submit an Information Governance Toolkit assessment. This is a requirement for Section 251 exemptions. In these cases, IT for SLMS can provide support and guidance on completing the IG Toolkit. More information about the SLMS IG Framework and supporting services can be found here:
Researchers should be aware of the distinction between identifiable, pseudonymised and anonymous data as there's often an assumption that the last two are equivalent.
Further information on anonymisation is also provided by SLMS:
Further information is also available from the Information Commissioner's Office anonymisation code of practice:
Copyright is a legal right that gives the control of original works for its use and distribution to the creator of the material. Copyright is therefore an important consideration for researchers who gather information during the life cycle of a research project. Ownership will often rest with the contributing research participants, rather than the researcher who are carrying out the activity.
In order to avoid the exploitation of the copyright owner’s material it is important that researchers seek advice before it is copied, reformatted or used. Further information is available at:
- Research amendments
We need to be notified of changes to your research which shall effect data protection compliance. Examples of the changes are that new personal data is collected, such as collecting contact details, ethnicity, religion, sexuality etc., more health data. Other changes might be that the data is to be shared with another organisation or with an organisation/researcher based in a country outside the EEA, or that personal data is going to be used for a new purpose e.g. further research.
- Studies requiring Health Research Authority Approval
In May 2018, the General Data Protection Regulation will come into force and replace the Data Protection Act 1998..
Guidance from the MRC and HRA is currently awaited but preliminary reading suggest that the Data Controller ie UCL or UCLH will have many more legal obligations which will require new policies and processes.
Some aspects of data protection are still evolving and there is a new Data Protection Bill (DPB) currently working its way through Parliament that will complement the GDPR. This DPB will provide further clarity over matters such as the use of exemptions for research purposes and the extent of individuals’ rights over personal data used in research.
UCL has published general information about the GDPR on these web pages. Among other things these pages explain Privacy Notices, the importance of Data Holdings survey and provides general information in relation to consent. The pages will be updated regularly as implementation proceeds. In addition to this general information, research teams should be aware of the following:
- Genetic data eg DNA or RNA which can identify the individual is now unambiguously subject to the Data Protection principles.
- Data breaches must be reported in 72 hours.
- Particular types of research where the data subjects are vulnerable may require a Data Privacy Impact Assessment. This is formal process for documenting the nature of the processing, the proportionality and necessity of processing, the management the risks to the rights of data subjects and the views of data subjects or their representatives.
- There will be a requirement to insert relevant GDPR compliant clauses in all active contracts.
- The new accountability principle means that data controllers, eg UCL and UCLH, will be required to document compliance with the Regulation. This will require the creation of a register of personal data assets held, showing what personal data is collected, how it is used, how it is secured, if it is shared and how long it is retained.
- For research that is likely to result in a high risk to data subjects a Data Protection Impact Assessment will be required. This is formal process for documenting the nature of the processing, the proportionality and necessity of processing, the management the risks to the rights of data subjects and the views of data subjects or their representatives.
- Depending on the risk to data subjects, there may be a requirement to insert relevant GDPR compliant clauses in all active contracts.