A researcher who collects, stores, uses, discloses or destroys identifiable personal information – as defined as in the next paragraph – about living individuals, must comply with the requirements of the Data Protection Act 1998 (DPA) and the Common Law duty of confidence. A researcher who collects, stores, uses, discloses or destroys identifiable personal information about deceased individuals, must comply with the requirements of the Common Law duty of confidence. The collection, storage, use, disclosure or destruction of anonymised personal information, whether relating to the living or the deceased, falls outside the scope of these legal requirements.
The DPA applies to 'personal data', which are data that relate to a living individual who can be identified either from those data alone or from those data taken in conjunction with other information that is available to the person who controls the data. This is the meaning of 'identifiable personal information' here. The use of identifiable personal information in research should be reduced so far as possible. Thus researchers should always think carefully about (a) whether it is necessary to use identifiable personal information, and (b) at what stage de-identification might be
possible without compromising the integrity of the research. All uses of personal information should be defensible as both accurate and relevant.
If it is necessary to use identifiable personal information, this should generally only be done with consent. It may be possible to use such data without consent - when the material is already in the public domain, for example – but consent is to be preferred, unless it can be shown to be inappropriate for some reason.
When gathering identifiable personal information researchers should aim at all times to ensure that its processing is defensible as both 'fair and lawful'. This requires as much transparency as possible about the uses to which data will be put and any risks that might be involved.
Personal information must be kept secure at all times. The level of security should be proportionate to the risks inherent in the nature of the data, but all personal information should be kept securely.
Although personal information should not be retained for longer than necessary, it is recognised that, as long as relevant conditions are satisfied, research may require the retention of data for long periods and that this may be justified.
Personal data that are processed for research purposes may be exempt from a DPA subject-access request. In general, the disclosure of identifiable information, including information that may be identifiable to others, should be avoided wherever possible. If it is necessary to disclose personally identifiable information, or information that may be potentially identifiable, then this should usually only be done with the consent of the individuals involved.
Finally, the common law duty of confidence applies to research, as to all other activities. Individuals have a reasonable expectation of privacy with respect to confidential information that refers to them. Any use of such confidential information that exceeds that which an ordinary person could reasonably be said to expect constitutes a breach of confidence.
With acknowledgment to the University of Sheffield