Under data protection legislation, ‘Appropriate safeguards’ must be put in place where personal data is processed for research purposes.
- Requirements Relating to Appropriate Safeguards
- Summary of Appropriate Safeguards
- Third-party Governance Requirements
- Further Guidance
- Source: Appropriate Safeguards [pdf]
- Ensure you understand the categories of data as relevant to data protection legislation
- Definition of Categories of Data e.g. Personal data, special category etc.
Applies only to researchers, who are processing personal data. If you are processing anonymised data as part of your research, this guidance does not apply to your work. If you are processing pseudonymised personal data as part of your research, then this guidance applies to your work.
When appropriate safeguards are put in place then researchers can benefit from a series of research-specific exemptions from powerful individual rights that could significantly impair their research project.
Researchers at UCL should generally rely on the following as their legal basis for processing:
- For all personal data:
- Article 6(1)(e) of the GDPR , i.e. the ‘public task’ basis. For further information on this, please see UCL’s Statement of Tasks in the Public Interest;
- For special category data:
- Article 9(2)(j) of the GDPR and Schedule 1, paragraph 4 of the DPA 2018, ie for research purposes; and
- For personal data relating to criminal convictions or offences:
- Article 10 GDPR and Schedule 1, paragraph 4 of the DPA 2018, ie for research purposes.
- Where the ‘research purposes’ basis is used
The processing must be:necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; carried out in accordance with Article 89(1) of the GDPR, as supplemented by section 19 DPA 2018; and • (in respect of special category data) in the public interest.
Approved medical research falls under the UK Policy Framework Health and Social Care Research and more information can be found here. If you think that your research falls within the definition of ‘approved medical research’, this should be highlighted when you are applying for data protection registration and ethical approval through UCL. The steps for these procedures can be found here.
Approved medical research
The term ‘approved medical research’ has a specific definition in the DPA 2018 which includes medical research carried out by a person who has the approval to carry out that research from—a research ethics committee recognised or established by the Health Research Authority; a relevant NHS body e.g. an NHS trust or NHS foundation trust; or United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965.
In the UK, the requirements of Article 89(1) GDPR will not be met unless the provisions of Section 19 DPA 2018 are also complied with.
Section 19 DPA 2018
Section 19 DPA specifies that the processing must not:cause substantial damage or distress to individuals; or support measures or decisions with respect to a particular individual, unless the purposes for which the processing is necessary to include the purposes of ‘approved medical research’.
Article 89(1) of the GDPR states that processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, must be subject to ‘appropriate safeguards’ for the rights and freedoms of the data subject.
The safeguards specified under Article 89(1) GDPR include:putting in place technical and organisational measures to protect the rights and freedoms of data subjects, including measures to ensure data minimisation e.g. pseudonymised personal data; and where the purposes of the research can be fulfilled by using anonymised data, then anonymised data should be used. In the UK, the requirements of Article 89(1) GDPR will not be met unless the provisions of Section 19 DPA 2018 are also complied with.
- Exemptions from certain data protection law obligations
The GDPR and the DPA 2018 provide for several exemptions from the rights of data subjects where personal data is processed in a research context, provided the requirements of Article 89(1) and
section 19 DPA 2018 are fulfilled.
Where appropriate safeguards are in place, researchers may benefit from exemptions to the following GDPR provisions relating to data subject rights:Article 15(1) to (3) GDPR (confirmation of processing, access to data and safeguards for third country transfers); Article 16 GDPR (right to rectification);
Please note that these exemptions can only be relied upon to the extent that the application of the above GDPR provisions would seriously impair the achievement of your specific research purposes.
You must contact the data protection team immediately if you receive any requests from data subjects wishing to exercise their rights.
- Article 18(1) GDPR (restriction of processing)
- Article 21(1) GDPR (objections to processing).
Taking into account the legislative provisions set out above, UCL researchers must implement the following ‘appropriate safeguards’ when carrying out research, in particular, Research involving the processing of special category information or personal data relating to criminal convictions or offences.
|Appropriate safeguard||Further description|
|Collect only the minimum amount of personal data required to carry out the research.||You should collect only the personal data required to carry out the research – do not collect any additional personal data simply on the basis that it may be useful in the future. You should also take care to recruit only the number of participants that is necessary for you to fulfil the purposes of the research. You should avoid collecting more personal data than is necessary.|
|Use pseudonymised personal data.|
Where compatible with your research purposes, you should ensure that you use pseudonymised personal data. Please note that where UCL pseudonymises data and holds the key, it will still be classed as personal data for the purposes of data protection legislation. For an overview of the differences between anonymised data and pseudonymised personal data, read this guidance:
|Anonymise data where possible.|
Personal data should not be used where the research purpose can be fulfilled by further processing with pseudonymised or, better still, anonymised data. See the following for steps to anonymising data:
For more detailed guidance on anonymization, read the Information Commissioner’s code.
|Implement safeguards against accidental disclosure and loss or corruption of research data.|
You will need to consider carefully technical issues such as how and where the personal data will be stored. It may be appropriate to use the UCL Data Safe Haven service, which provides a technical solution for storing, handling and analysing identifiable data. The Data Safe Haven network also includes tools that can render personal data into anonymous data or pseudonymous personal data. If you choose to operate outside of the Data Safe Haven, any personal data stored on removable media must be strongly encrypted.
You will also need to consider how your project is organised and run so that individuals working with personal data are aware of their obligations and treat personal data confidentially and securely.
You will also need to assess the information risks associated with your project and any transfers of data.
You will need to plan and implement good practice in data management and document this as part of your research process. The plan and execution should form a critical part of the research process.
You should ensure that the master copy of your research data is kept secure and on UCL drives or shares. Guidance on how to do all of this is available here:
|Ensure that the processing will not cause substantial damage or distress to individuals.||You must ensure that the processing will not cause substantial physical or psychological harm or financial loss to the relevant individuals.|
|Ensure that the processing will not be used to support measures or decisions with respect to a particular individual.||The only exception to this is where you are carrying out approved medical research (as defined in the DPA 2018).|
|Comply with relevant UCL policies and procedures and obtain ethics committee approval where required.|
You will need to comply with all relevant UCL policies and procedures, including the IT security policy and the data protection policy. You must complete the following training:
You must also obtain data protection approval and ethics committee approval for your research project where this is required. UCL policies regarding research data, information security and data protection can be found here:
|Comply with relevant ethical standards.||You will need to comply with all applicable ethical standards when carrying out your research; this may include obtaining informed consent of individual participants - see section E Consent and ethical issues here for further information on consent – and specialist ethical codes of conduct.|
|Ensure that special category data is processed in the public interest.||UCL’s view is that the data protection and ethics approval processes will help to ensure that research carried out is in the public interest. You should think about how your research is intended to benefit the public when designing the project and applying for the relevant approvals. Please contact us using the details set out below if you require further guidance on this point.|
If your research is subject to the governance requirements of any third party such as the HRA or MRC, then you will need to comply with both this UCL guidance note and all relevant requirements imposed by that third party.
Please note that specific guidance on appropriate safeguards has been produced by bodies such as the Medical Research Council (see here) and the Health Research Agency (see here). If your research is subject to the governance requirements of any third party such as the HRA or MRC, then you will need to comply with both this UCL guidance note and all relevant requirements imposed by that third party.
This guidance relates to data protection, ethics and Information governance, if you have questions then contact the appropriate team.
If you require further guidance then please contact the correct department as per below.