General Data Protection Regulation

In the UK, there are legal constraints on the collection and use of personal data, which also apply to scientific research. Personal data is defined in GDPR as any data relating to an identified or identifiable person. This can include things such as names, email addresses, and unique IDs, but also potentially location data, IP addresses, device identifiers such as MAC addresses, and information specific to the person in question (such as relating to health, physical attributes, behaviours, economic status, social activity, and so on). If your research requires you to collect, store or otherwise process any personal data (about your participants, for example), then the General Data Protection Regulation (GDPR) will apply. ‘Processing’ means performing any operation on the data, including collection, storage, retrieval, alteration, consultation, use, and so on.

The GDPR is interpreted by the Information Commissioner’s Office (ICO), an independent authority set up to uphold public information rights and data privacy for individuals. The implications of the GDPR are explained in the following ICO guidance (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/).

The person(s) whose data you process have the right to be informed about that processing of their personal data, and should be told about any third parties with whom the data will be shared. This is a key transparency requirement under the GDPR.

You must have a valid legal basis to process personal data. This can involve obtaining ‘consent’ from those involved in your scientific research to process their personal data. You can do this explicitly, for example by having them sign a consent form (for guidance see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/what-is-valid-consent/). If consent has not been obtained, you must ensure they are provided with appropriate ‘privacy information’. The requirements for privacy information are quite precise - if you plan to follow this route, you need to investigate further (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/).

In all cases, you must be clear from the outset about why you are processing someone’s personal data, and what you intend to do with it (the 'original purpose'). All processing of personal data must be fair and subject to appropriate safeguards in accordance with GDPR. Additionally, all processing of personal data must comply with the data processing principles set out in GDPR (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/).