Handling sensitive & personal information
Research data may contain information about living, identifiable individuals, or other information that is sensitive, for example about criminal justice or national security. You are responsible for ensuring your handling of all this information is secure and complies with the law.
Using personal data in research
All research data containing personal data is subject to the Data Protection Act 1998. The Act, which is enforced by the Information Commissioner's Office, outlines organisations’ responsibilities with regard to personal data and gives individuals rights over their data. The UCL Data Protection Office offers essential information about the Data Protection Act, including the General Data Protection Regulation (GDPR) reform.
Ethical approval and registration
Research using personal data needs ethical approval to ensure that the research conforms to general ethical principles and standards. There are three main routes for this at UCL:
- The UCL Research Ethics Committee approves research involving healthy volunteers, vulnerable groups and certain other categories.
- The UCL / UCLH / Royal Free Joint Research Unit (JRO) is responsible for the clinical research portfolio: research involving NHS patients and those who do not have capacity to consent to participate in research, clinical trials of drugs, medical devices, and human tissue.
- For research undertaken within the UCL Institute of Education (IOE), ethical approval should be sought from the IOE Research Ethics Committee.
Regardless of who is responsible for ethical approval, all research using personal data must be registered with the UCL Data Protection Officer before any collection of data begins. A Research Registration Form should be used to register such projects.
What data to use
If you do need to use personal data, the Act makes special provisions for research data, as long as it fulfils all of the following conditions:
- You are using the data only for research purposes. This includes statistical and historical research.
- You do not use the information to support decisions about the research subject or any other living person.
- You do not use the data in such a way that it causes substantial damage or substantial distress to the subject.
- You do not make the results of the research available in a way that identifies any of the research subjects (except if identification is part of the explicit consent condition - see Data Protection Principle 1). Students and supervisors should be particularly careful about the potential for identifying individuals in theses containing interview transcripts.
If you meet all these conditions, you will then need to comply with the Principles.
Anonymising data
If you do not need to identify research subjects, you should not collect personal data, or should anonymise the data. Projects using anonymised data do not have to be registered with the Data Protection Officer and you do not have to worry about compliance with the Act.
Data is only truly anonymised if it is impossible to identify subjects from that information and, if relevant, any other information that UCL holds. For example, if you have a list of research subjects and anonymise it by giving each one a number, but keep a list of the numbers with the names of the subjects, the information has not been anonymised. In this case, it is personal data, and the project must be registered.
Here are a few resources to help you anonymise your data:
Protecting NHS data
If you use identifiable patient information for your research, you should use anonymised or pseudonymised data wherever possible, following IT for SLMS guidance. However, if identifiable data is absolutely required, you must take care to follow your NHS Trust’s information governance policies and procedures, especially those concerned with ICT security and information risk, as well as the Joint Research Office's Standard Operating Procedures (JRO’s SOPs). Section 10 of the UCL Data Protection Policy deals specifically with research data.
UCL Data Safe Haven can be used to store such personal sensitive data. Information and guidance is available.
If you do not have, and cannot practicably obtain, research subjects’ consent to use their data in your research, you will need to apply for permission to obtain the data via section 251 of the NHS Act 2006. You should contact the Information Governance Advisory Service to do this.
Identifiable data held by NHS Trusts may not be:
- Held outside Trust systems without the written approval of your Trust’s Information Governance Manager and / or Caldicott Guardian
- Copied to portable devices, unless approved or supplied by the Trust’s IM&T / information governance function, using approved encryption software and devices
- Stored on PC hard drives (the ‘C’ drive) and shared drives (the ‘S’ drive)
- Transmitted by email except within nhsmail
- Stored with ‘cloud’ providers.
Remote access to NHS systems must always be via equipment owned and controlled by the relevant Trust, enabled by a virtual private network. You must not attempt to circumvent NHS institutional firewalls by using remote desktop software such as GoToMyPC, and you must not connect or download data to your own mobile device, including smartphones.
Guidance is available to help you understand all legal requirements, including:
- the duty of confidentiality
- the Data Protection Act
- the Freedom of Information Act
- the Mental Capacity Act
- Article 8 of the Human Rights Act
- the Statistics and Registration Services Act
Professional bodies’ ethics codes should also be taken into account in your research project. See the useful ESRC list of ethics codes and guidelines produced by professional bodies such as the British Educational Research Association, the British Psychological Society, the British Society of Criminology, the British Society of Gerontology and many more.