Data Protection

UK GDPR is defined in the Data Protection Act 2018 and includes provisions to comply with the EU GDPR, which was introduced in May 2018.

The General Data Protection Legislation and Data Protection Act enable greater accountability and transparency by those who process personal data. The legislation offers enhanced rights to individuals whose data is being processed. In the context of research, UK GDPR has the potential to further benefit research and archiving, helping to improve trust and confidence between the public and universities, and between researchers and their participants.

So, what are the key things to look out for if you are involved in research with personal data, collecting it, using it or archiving it?

1. Research is in the public interest

Research organisations must have a lawful basis to collect, use or store personal data. Research – whether conducted in universities, research council institutes, the NHS or other public authorities – is ‘a task in the public interest’. When processing special categories of personal data, like data about health or ethnicity, UK GDPR specifically recognises that this is ‘necessary for scientific research purposes in accordance with safeguards’. This assures research participants that research organisations will use their data for public good and will protect their privacy.

2. Consent to take part in research is important
The usual consent process to take part in research, which is at the heart of ethical research, gives participants control over whether they participate and allow their data to be used. Together with public task as the lawful basis, such consent provides dual protection. This builds public trust.

3. UK GDPR recognises that research data is valuable and can be kept long-term
UK GDPR recognises the value of scientific research: important collections of data do not need to be destroyed and can be retained indefinitely for research. Data can be used for multiple research purposes regardless of the initial reason for collection. UK GDPR supports UK Research and Innovation (UKRI) data sharing objectives.

4. UK GDPR forces a record of historical decision-making
Long-term retention needs to be adequately supported and periodically reviewed; organisations must justify why data need to be retained, which can be useful to refer back to in the future. Through its councils, UKRI funds data preservation and retention.

5. UK GDPR safeguards reflect current research good practice
Research must meet safeguards including technical and organisational measures. These protect participants’ interests: good security and access systems, storing in pseudonymised or anonymised form where possible, only using special categories of data for public good, and not causing substantial damage or distress to participants. Our robust research governance and ethics systems already deliver this.

UK GDPR is useful for research: it recognises that research is special and largely conforms, allowing it certain privileges. It legalises much of the current good practice in research, placing people at the centre, something that has formed the cornerstone of ethical research for many years.


For more information on the requirements of new data protection legislation, please see the ICO guide and the MRC Regulatory Support Centre.