Complying with Data Protection rules when using Personal Data in Research Projects


Research projects, in particular life science projects, will involve the collection and processing of large amounts of personal data, including health information, which is considered special category data requiring additional protections. That means it is fundamental for researchers to consider all data protection principles and follow the data protection rules to ensure the privacy and confidentiality of the individuals involved as well as the integrity of any research data.

It can be difficult to know exactly what to do, so below are 5 key steps that should be taken to comply with data protection rules when using personal data in research projects.

Identify an “appropriate purpose”

Data protection rules require that before you process any personal data, you need to have an appropriate purpose, and failure to do so will mean use of the data is unlawful and in breach of the rules. The purpose limitation principle states that “personal data should only be collected for specified, explicit and legitimate purposes”. This means before a researcher collects any personal data, they need to consider what they plan to collect, why they need the information and how they will use the information. A very broad-reaching “to do anything” type purpose will not comply with data protection rules. Researchers should also consider if there are any additional purposes which are ancillary to the main purpose and document these at the outset. Once the relevant purposes have been identified, the researcher should give data subjects clear and transparent information about the collection of personal data, normally by giving them a privacy notice, and obtain their explicit consent where necessary.

Obtain informed consent

Informed consent is a fundamental principle of ethical research, and it is also one of the lawful bases for processing special category personal data in the UK. Informed consent of the individuals will likely be used to enable research purposes. Researchers will need to show that individuals have been fully informed about how their data will be used, who will have access to it, and the measures in place to protect their privacy. While not a legal requirement, having consent in writing is highly recommended, but this does not (and should not) stop individuals exercising their right to withdraw consent at any time. Researchers will need to keep up-to-date and accurate lists of individuals who have consented and any who have withdrawn consent, and remove any data where consent is withdrawn.

Implement appropriate security measures

Researchers should implement appropriate technical and organizational measures to ensure the security of the data, such as encryption, access controls, and regular backups. Data should be stored on secure servers and only accessed by authorized personnel.

Part of the appropriate security measures should be a clear retention policy and process that deletes personal data that is no longer required and ensures it is securely deleted or destroyed.


Limit data sharing

Researchers should limit the sharing of personal data to only those who have a legitimate need to access it. This includes collaborating with other researchers, institutions, or commercial partners. Before sharing any data, researchers should assess the risks and benefits of the sharing and ensure that appropriate safeguards are in place to protect the privacy and confidentiality of the data. Particular care should be taken when sharing personal data outside the UK, where additional rules will apply.

Researchers should also ensure there are data sharing arrangements in place documenting responsibilities and obligations.

Consider anonymization or pseudonymization

To protect the privacy of individuals, researchers might consider either anonymisation or pseudonymisation techniques to remove or replace identifying information from the data.

Anonymised personal data is data that has been stripped of all identifying information so that it cannot be linked back to an individual. This means that even if someone wanted to identify the individual, they wouldn't be able to. Researchers should be careful in saying data is anonymised unless it has been fully stripped of personal identifiers. If piecing together different strands of data could lead to an individual being identified, it will not be considered anonymised. For example, removing a name will not anonymise the data if address, date of birth and sex are still included in data sets.

Pseudonymised personal data, on the other hand, is data that has been stripped of some identifying information and replaced with pseudonyms or codes. This means that someone could potentially identify the individual if they had access to both the pseudonymised data and the key that links the pseudonyms to the real identities.

Both approaches will enhance privacy and data protection, but only anonymised data will sit outside the data protection rules.
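The distinction above, as an added illustration that is not part of the original article: the sketch replaces names with keyed HMAC-SHA256 codes (one common way to pseudonymise, chosen here as an assumption) and then counts how many records are still unique on postcode, date of birth and sex. The records, key, field names and the threshold `k` are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"  # assumption: real keys live apart from the data set
QUASI_IDS = ("postcode", "dob", "sex")

# Constructed sample records, not real data.
RECORDS = [
    {"name": "Alice Example", "postcode": "EH1 1AA", "dob": "1980-02-14", "sex": "F"},
    {"name": "Carol Example", "postcode": "EH1 3ZZ", "dob": "1984-11-30", "sex": "F"},
    {"name": "Bob Example", "postcode": "G2 4BB", "dob": "1975-07-01", "sex": "M"},
    {"name": "Dan Example", "postcode": "G2 8CC", "dob": "1979-03-09", "sex": "M"},
]

def pseudonym(name, key):
    """Keyed code for a direct identifier; anyone holding the key can recompute it."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key):
    """Swap the name for a code and keep every other field unchanged."""
    return [{"pid": pseudonym(r["name"], key),
             **{f: v for f, v in r.items() if f != "name"}} for r in records]

def generalise(record):
    """Coarsen quasi-identifiers: outward postcode only, birth decade only."""
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]
    out["dob"] = record["dob"][:3] + "0s"
    return out

def singled_out(records, quasi_ids=QUASI_IDS, k=2):
    """Records whose quasi-identifier combination is shared by fewer than k records."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in quasi_ids)] < k]

if __name__ == "__main__":
    coded = pseudonymise(RECORDS, KEY)
    # With the key, a code links straight back to the person: pseudonymised data.
    print("re-linkable with key:", coded[0]["pid"] == pseudonym("Alice Example", KEY))
    # Names are gone, yet every record is unique on postcode + dob + sex.
    print("unique after removing names:", len(singled_out(coded)))
    # Coarsening lowers that count; it is a risk indicator, not proof of anonymity.
    print("unique after coarsening:", len(singled_out([generalise(r) for r in coded])))
```
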

How can we help

In addition to following ethical rules surrounding research projects, researchers will also need to follow data protection rules within the UK (and potentially further afield). Failure to do so may result in enforcement action by the Information Commissioner’s Office, a claim for compensation from research participants and a risk to the researcher’s own reputation and integrity.

If you are considering a research project, it is important to get proper legal advice before you start to make sure you start off on the right foot. Get in touch with our IPDC team who are able to help with general compliance as well as privacy notices, consent forms and data sharing arrangements to keep your research project compliant with data protection rules.
