Where the purpose of research using personal data relating to living individuals is not measures or decisions targeted at particular individuals, and provided that the research does not cause substantial damage or distress to Data Subjects, the following exemptions apply under the Data Protection Act:
- exemption from the Second Principle, meaning that personal data can be processed for purposes other than those for which it was originally obtained;
- exemption from the Fifth Principle, meaning that personal data can be held indefinitely;
- exemption from the Data Subject's right of access to his or her personal data, where the data is processed solely for research purposes and the results do not identify data subjects.
Researchers (whether staff or students) are otherwise bound to observe the eight Data Protection Principles, and where they are responsible for a research project to consider systematically the way in which they will comply with the Data Protection Act. Data generated and processed in the course of research projects continues to be covered by the College's Notification when held off-site in electronic or paper form. Care should be exercised when travelling - especially when holding large amounts of data on laptops.
It is recommended that as far as possible guidance be provided to Data Subects whose personal data will be used in research as to why the data is being collected, and the purposes for which it will be used, and that there be a suitable mechanism for Data Subjects to object to processing of the data on the grounds that it would cause them, or has caused them, significant damage or distress. (Where researchers are using data collected by others, there will be no straightforward way of contacting data subjects directly, and in this case these recommendations should be disregarded).
Researchers in the College, whether staff or student, must apply and abide by any relevant security requirements contained in agreements with outside bodies who may furnish personal data for research purposes.
Personal data associated with research projects carried out in the course of employment or study at the College must not be transferred to the control of another institution for processing, storage or destruction without the prior written consent of the Pro-Warden (Research and Enterprise) (copied to the College Data Protection Officer).
In the case of inter-institutional joint research projects involving shared data care should be taken to establish at each stage which institution has responsibility for the data under the Data Protection Act and has the appropriate provisions within its Notification.
The Lancaster University data protection project under the HEFCE Good Management Practice initiative has published guidelines on research issues which may be useful for more detailed reference.