Data Protection


Guidance for researchers on the implications of the GDPR and DPA 2018


This guidance note has been compiled to provide an overview of data protection key points for researchers, in line with the General Data Protection Regulation (GDPR) and the new UK Data Protection Act 2018. When referring to both, this guidance note will use the term ‘new data protection legislation’.
This document was last updated on 24 May 2018. It may be updated further as relevant guidance on the issues raised is published by the UK Information Commissioner’s Office (ICO).

A. Scope

This guidance applies to researchers who are processing personal data, i.e. information relating to an identified or identifiable living person. Note that ‘processing’ means any operation - collecting, storing, using, transferring, disclosing or destroying - performed on personal data.

This means that if you are collecting or accessing personal data, including re-using existing data, that either identifies or could be linked to a living individual, then this guidance and GDPR applies. If you are processing truly anonymised data, then your research activity falls outside the scope of these guidelines. Note that this means the data should be completely anonymous on receipt (collection/accessing); if you have personal data but then make that personal data anonymous, that will still be a processing operation and the and GDPR and this guidance applies. If you are a researcher processing personal data, then you must comply with the requirements of the new data protection legislation, in addition to the common law duty of confidentiality and all relevant ethical requirements.

B. Legal bases for the processing of personal data

Before researchers can collect and/or use any personal data as part of a research project, an appropriate legal basis for the processing of the data must be identified.

Researchers must be explicit about what this basis is and document it both as part of their ethics application and in the information they provide to participants, eg information sheets. Article 6(1) of the GDPR sets out the following six possible legal bases for processing of personal data:

(a) Consent
(b) Contract
(c) Legal obligation
(d) Vital interests
(e) Public task
(f) Legitimate interests

UCL’s view is that, for the vast majority of research undertaken at the University, the appropriate legal basis for processing personal data will be Article 6(1)(e), i.e. the ‘public task’ basis. This applies where the processing is necessary for UCL to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

UCL is a public authority for the purposes of data protection legislation and it has taken the view that the ‘public task’ basis should generally be relied upon in a research context. It is important to note that when we talk about consent as a legal basis, we are referring to only that – the legal basis – we are not referring to ‘ethical informed consent’ which will still be required in addition to the legal basis. UCL has produced a ‘Statement of Public Tasks’ outlining the categories of processing that are deemed to fall within the Article 6(1)(e) basis.

In accordance with ICO guidance, UCL has considered factors such as its Charter and Statutes in order to determine what types of processing should be included in this list, and has categorised research generally as being one of its ‘public tasks’. Note that if you intend to process, ie collect/use, either ‘special category’ information; or data relating to criminal convictions or offences is used, you will need an additional legal basis for processing that particular data and further safeguards will need to be put in place. Information on these requirements is outlined in Sections C and D respectively.

C. Research involving ‘special category personal data’ or information relating to criminal convictions/offences

Under the GDPR, most what was known as ‘sensitive personal data’ under the Data Protection Act 1998 has been rebranded as ‘special category personal data’; this is:

  • data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership;
  • data concerning health (the physical or mental health of a person, including the provision of health care services);
  • data concerning sex life or sexual orientation; or
  • genetic or biometric data processed to uniquely identify a natural person.

As stated above, in addition to the lawful basis for other research data, you need a further basis (meaning a specific justification) for processing ‘special category personal data’ (under GDPR Article 9(2) and the Data Protection Act 2018). UCL’s view is that the most appropriate legal basis to rely upon when processing ‘special category personal data’ for research purposes is Article 9(2)(j), i.e. where the processing is necessary for
archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Reliance on this condition requires UCL to ensure that the processing meets the public interest test and ‘appropriate safeguards’ are in place. These ‘appropriate safeguards’ include:

  • Using ‘technical and organisational measures’ to ensure data minimisation, e.g. pseudonymisation;
  • Using anonymised data where possible;
  • Not processing in ways that are likely to cause substantial damage or distress to individuals;
  • Not supporting measures or decisions with respect to individuals; and
  • Having the assurance that research ethics committee approval is in place where needed.

UCL’s view is that the ethics application, data protection registration process and review itself will help ensure that the research is in the public interest. In circumstances where it is not possible to rely on Article 9(2)(j) GDPR, it may be possible to establish that another condition under Article 9(2) GDPR applies. Examples of alternative conditions include the following:

  • Article 9(2)(a) - the research participant has given explicit consent to the processing of the personal data for one or more specified purposes. (Note that consent as a lawful basis should only be used if no other condition applies, as the GDPR imposes very strict requirements – consent must be freely given, specific and informed (covering all relevant purposes for the processing by all relevant parties) and unambiguous. A positive action is required to opt in – ‘implied consent’ is not acceptable – and individuals may withdraw their consent at any time, which may cause problems for researchers and the use of the data at a later stage.);
  • Article 9(2)(e) - processing relates to personal data which are manifestly made public by the research participant (this may apply when using certain social media for example); or
  • Article 9(2)(i) - processing is necessary for reasons of public interest in the area of public health, such as protecting against cross border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

However, reliance on any of these alternative grounds is not UCL’s recommended approach. Researchers should justify why they wish to rely on any condition other than Article 9(2)(j) GDPR as part of their data protection registration.
Again it is important to note that the above refers to the legal basis, and does not in any way remove the ethical requirement to obtain informed consent from participants to access and use their special category personal data. If you are accessing such data as secondary data, then you should still clarify whether the original participants’ consent for their data being used is still valid.

D. Data relating to criminal convictions and offences

As with special category data, if you want to process, ie use/collect, personal data relating to criminal convictions and offences, a specific legal basis will need to be established first (under both Article 6 and Article 10 GDPR).

As Article 10 GDPR only allows for the processing of personal data ‘under the control of official authority’ or as authorised by EU or Member State law, this means that researchers will need to show that one of the grounds set out in the Data Protection Act 2018 applies. For researchers, UCL’s view is that the most relevant condition for processing criminal convictions and offences personal data will be that the processing ‘is necessary for archiving purposes, scientific or historical research purposes or statistical purposes’.

Under the Data Protection Act 2018, reliance on this condition requires UCL to ensure that the same ‘appropriate safeguards’ listed above in respect of ‘special category personal data’ are in place. As is the case with ‘special category personal data’, it may be possible to rely on an alternative basis for processing, although this is not UCL’s recommended approach. Researchers should justify why they wish to rely on any condition other than Article 9(2)(j) GDPR.

E. Consent and ethical issues

In order to obtain ethical approval for a project and to comply with accepted ethical standards for research, researchers will generally still need to obtain the informed consent of individual participants for their involvement in the research.

GDPR recital 33 notes that research must act in a manner that is ‘in keeping with recognized ethical standards for scientific research’, and the UCL REC and other ethical review boards will usually expect informed consent. In effect in order to use personal data for research you need two bases; the legal basis (GDPR) and the ethical basis (informed consent). For example, a person may be asked to consent to participate in research (ethical basis) and told that, if they agree to participate, data about them will be processed for a task in the public interest (legal basis). Here, the legal basis for data processing will be ‘public task’ rather than consent.

While consent to participate in a project that is obtained for ethics purposes must be fully informed and freely given, in addition to meeting other requirements, researchers do not therefore need to obtain consent that meets the high standards set out in the GDPR, which is:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

F. Fairness and transparency

The GDPR requires UCL to use personal information in a fair and transparent manner. Treating research participants fairly and transparently is also important from an ethics perspective, and to ensure that any disclosure of confidential information meets the requirements of the common law duty of confidentiality.

Researchers must be as transparent as possible about the uses to which data will be put and any risks involved. This usually requires that the research participant is provided with appropriate information about how and why their data will be processed through the provision of an Information Sheet. Participants can then give their ‘fully informed’ consent to take part in the research. The Information Sheet must include the legal basis relied upon for the processing (as stated above, this will generally be the ‘public task’ basis).

For clarity, researchers who process ’special category personal data’ as part of their project must state both the Article 6 and the Article 9 GDPR conditions they are relying on in both their ethics application and in the information they supply to participants. For criminal convictions/offences personal data, the basis under established under both Article 6 and Article 10 GDPR and must be documented in the ethics application and in the information supplied to research participants Information provided to participants must be:

  • Concise, transparent, intelligible;
  • Provided in easily accessible form, using clear, plain and simple lay language;
  • Prepared with consideration of the audience e.g. information addressed specifically to a child; and
  • Provided by an appropriate means (e.g. in writing, orally, electronically).

An annotated template Information Sheet is available on the Ethics website which can be used as a basis to craft your own Information Sheet that is specific to your research project. Further details are set out in the University’s privacy notice, and guidance on creating a local privacy notice can be found here.
However, please note that in the case of participant observation and other forms of ethnographic research, an alternative method of communicating information about the research may be appropriate.

G. Accountability

In order to comply with the new ‘accountability’ requirement under the GDPR, UCL must be able to demonstrate compliance with the new data protection legislation.

In practice, this means that in addition to simply establishing a legal basis for processing:

i. The selected basis must be documented as part of the data protection registration;
ii. Evidence of the fair processing information provided to individuals must be kept; and
iii. Evidence must also be kept of how the other data protection principles (set out in Section H below) have been complied with as part of the research project.

Meeting i-iii above means that researchers should submit such information as part of the data protection registration process and keep their own record of this.

H. Data protection principles

Researchers must observe the following GDPR principles when processing personal data in the context of a research project:


Personal data shall be:

Lawfulness, fairness and transparency

processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.


accurate and, where necessary, kept up to date.

Storage limitation

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In accordance with the new accountability requirement, UCL must also be able to demonstrate compliance with the above principles.Further  commentary on these principles may be found on the ICO website here.

I. Further guidance

We hope that you find this guidance helpful. If you require any further information on the issues raised in this document, please use the following contact details: