Information Services Division


Legal basis

Understanding your legal basis for processing personal data is the best starting point for handling data the right way.

Until the General Data Protection Regulation came into force on 25th May 2018, consent was the most common legal basis for processing personal data for research purposes. For most research, consent is still vital for fair processing to start due to the common law duty of confidentiality.

If your study does not use consent as a means of fair processing, then either your data must be adequately anonymised or you must gain approval from an arm of the government such as the Confidentiality Advisory Group (CAG), which authorises applications to use personal data without consent in some limited circumstances and is part of the Health Research Authority in the Department of Health.

Consent requires that you ask before using someone's data for purposes to which they have not already consented. For healthcare purposes, it is implied that consent is given when someone attends for care.

The GDPR introduces a new legal basis for research, which will normally be in addition to consent: "carrying out a task in the public interest, or otherwise in exercise of official authority". Researchers will therefore need to demonstrate this new legal basis whenever they handle personal data for research.