3.1 Data protection
Researchers collect data that is often personal or sensitive. These two terms have specific legal meanings within the General Data Protection Regulation (2018) and, aligned with this, the Data Protection Act (2018). While the GDPR does not refer only to data collected for research purposes, but to all data collection and use (termed in the documentation as data processing), it is still relevant to research data. Universities, funders and those within particular settings, such as schools, youth groups and local authorities, will expect researchers to abide by the local and current data protection regulations and to have a data management plan for any personal or sensitive data.
Personal data is defined within the GDPR as:
any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. The GDPR applies to both automated personal data and to manual filing systems... This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Personal data includes audio and visual data, as well as that held as text or in numeric format.
Sensitive data or ‘special categories of personal data’ are defined within the GDPR as follows:
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. These include:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes)
- sex life
- sexual orientation.
In order to lawfully process special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.
There are ten conditions for processing special category data in the GDPR itself, but the Data Protection Act 2018 introduces additional conditions and safeguards. (The Data Protection Act 2018 is a UK-specific act, which complements the GDPR in readiness for the UK leaving the European Union.)
You must determine your condition for processing special category data before you begin this processing under the GDPR, and you should document it.
Applying the information you have reviewed so far about what counts as personal and sensitive data, test your understanding in Activity 4.
Activity 4 What is personal or sensitive data – legally?
Click through to each poll below and give your answer to the following questions. After making your choice and viewing the results, use your browser’s back button to return to this page and then click the ‘Answer’ tab.
Poll 1 Which of the following data being exchanged do you think meets the criteria for personal data? You can vote for more than one scenario.
Poll 2 Which of the following data collected about you would be classed as ‘sensitive’? You can vote for more than one scenario.
Poll 1: Scenario 1 (this would be correct); Scenario 2 (this would be incorrect); Scenario 3 (this would be correct as it was recorded).
Poll 2: Data type 1 (this would be incorrect); Data type 2 (this would be correct); Data type 3 (this would be incorrect).