X Close

Research Data Management Blog


FAQs on UCL's Research Data Management


Personal and sensitive research data & the law

By Nazlin Bhimani, on 22 January 2016

dataMuch research data about people – even sensitive data – can be shared ethically and legally if researchers employ strategies of informed consent, anonymisation and controlling access to data.  However, researchers obtaining data from people are expected to maintain high ethical standards and comply with relevant legislation and duties.

This guidance is generally provided by professional bodies, host institutions and funding organaisations. The laws that govern the use of data, in addition to the duties of confidentiality, include the following Acts:

Duties of Confidentiality

Before I present the individual acts, it is important to note that every researcher has duty to maintain the confidentiality of a research participant. Although the ‘duties of confidentiality’ are not law (as they have not been established by statute but developed through case law), consent forms constitute a form of contract. As such, disclosure of confidential information is considered a breach of contract and therefore contravenes the duties of confidentiality. The only exception to this is if the disclosure is made ‘in the public interest’.

Data Protection Act (1998)

Researchers collecting data must also be aware of the Data Protection Act (1998). It is advisable to consider whether you really need to collect personal data before you begin your research project because often information such as names and addresses are collected for administrative purposes but have no research value and therefore not collecting it in the first place will make it easier for you to manage and share your data.

If you do collect this information, you are advised to store it separately from the research data (which will inevitably be coded in some way for analysis). It is also important that research participants are aware of what data you are collecting about them, how it will be used, stored, processed, transferred and destroyed. You can only disclose personal data if explicit consent has been given to do so although again, there may be exceptions to this for legal reasons.

Article 8 of the Human Rights Act (1998)

Related to the Duties of Confidentiality and the Data Protection Act is Article 8 of the Human Rights Act (1998) which enshrines the right to respect for private and family life. Researchers should know that

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  1. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Freedom of Information Act (2000)

The Freedom of Information Act (or FoI as it is commonly referred to) was established in 2000 to increase transparency in the public sector.  It gives people the right to request access to recorded information held by public sector organisations. This includes requests for research data from universities and publicly funded research organisations. The exceptions to the FoI are:

  • personal data cannot be requested;
  • information that is accessible by other means e.g. via a website, cannot be requested;
  • information intended for future publication can be protected until it is published
  • information that is subject to a confidentiality agreement, such as in a signed consent form or sensitive data held under restricted access by a data archive.

Further information on UCL guidelines on data protection and FoI is available here.

Mental Capactity Act (2005)

Under the Mental Capacity Act (2005) any research that proposes to involve the recruitment of participants aged 16 and above who lack (or lose) capacity to consent to take part in the research must have ethical approval by a recognised appropriate body such as the Social Care Research Ethics Committee or certain National Research Ethics Service Research Ethics Committees.

University Ethics Committees are NOT recognised as appropriate bodies and so are unable to approve research.  Further information and guidance for researchers can be viewed here. The Mental Capacity Act Code of Conduct is available here.

Statistics and Registration Service Act (2007)

And finally, the Statistics and Registration Service Act 2007.  This only applies to data designated as ‘Official Statistics’ including the statistics produced by the Office for National Statistics (ONS), central government, and devolved administrations. Section 39(1) of the Act states that it is a criminal offense for an ‘Approved researcher’ to enable the deduction of personal information from data used in research projects:

“If the identity of that person is specified, can be deduced from the information, or can be deduced from the information taken together with any other published information, then this will constitute an offence”.

Further information on research data sources, ethical guidelines and legislation is available on the IOE LibGuide at http://libguides.ioe.ac.uk/researchdata.

Leave a Reply