This document provides an overview of the UK Data Protection Act for researchers. It discusses what constitutes personal and sensitive data, the responsibilities of data controllers and subjects, and the 8 data protection principles. Researchers must obtain proper consent, securely store data, only retain it as long as necessary, and ensure proper reuse and destruction. Anonymization and sharing data requires careful handling. The university's policies on research governance, ethics, information security and records management must also be followed. Failure to comply with these standards could result in sanctions from the Information Commissioner's Office.
Anne Cameron - An Introduction to the Data Protection Act for Researchers
1. An intro to the Data Protection Act for researchers and how to handle breaches
Anne Cameron, Legal Compliance Manager
Where to go for help?
• http://www.kcl.ac.uk/aboutkings/governance/index.aspx
• For further information or guidance, email: legal-compliance@kcl.ac.uk or telephone 020 7848 4344
3. Personal information: the big picture
The Data Protection Act 1998 (DPA)
• Sets the broad rules, supersedes the 1984 Act
• Implements EU directive
Scope of the Act
• What is personal data?
• What is sensitive data?
• What is a data controller?
• What is a data subject and what are their rights?
8 data protection principles
Sanctions
• Oversight by the ICO
• Damages for mishandling personal information
But hold on, isn’t there an exemption for research…
• Scope of s.33
• Important to see it in relation to the rest of the Act – all the other principles still apply
4. The Data Protection Act 1998
The Act says that Data Controllers must process personal data in accordance with 8 data protection principles:
1. fairly and lawfully
2. only for specified and lawful purposes
3. that are adequate, relevant and not excessive
4. that are accurate and, where necessary, up to date
5. for no longer than is necessary
6. in accordance with individuals’ rights
7. securely
8. in the EEA
5. Why bother to look after it?
• Optimum use of data
• Widest circulation of findings
• Minimum hassle with administration
• Containable future liabilities
6. Who is responsible anyway?
• PI is responsible during the course of the study and for making proper arrangements afterwards
• Sponsor/employer sets the context
• For roles and responsibilities in research governance see the Research Governance Framework for Health and Social Care
7. The College good practice framework
Mandatory requirements
• Academic Regulations for Research Degrees
• Guidelines on Good Practice in Academic Research
• Research ethics committees, College and NHS
College policies
• Information Security Policy
• Data Protection Policy and Freedom of Information Policy
• Records Management Policy
• Data Loss assessment and reporting procedure
Documentation and support
• IT Security Toolkit
• Records Management Toolkit
• Ethics support
8. Before my research: funding applications
• Funders make requirements which are binding on the recipient after the award is made
• May seek detailed information about information management within the project
• Will refer to specific policies, for instance Wellcome Guidelines on Good Research Practice
10. Before my research: participants and consent
• Targeting participants. Are they approaching you or are you approaching them?
• Fair processing notices. What are they and are they required for my research?
• Can I ever get access to information without further consent?
11. During my research: processing personal data
• What does data processing mean under the DPA? The conditions in Schedule 2 and, where relevant, Schedule 3 apply
• What are the risks with careless processing?
• Some types of information raise other legal issues. Defamatory material, for instance, must be handled carefully
12. During my research: anonymisation
• What does anonymisation actually mean?
• What are the legal implications of anonymisation?
• Does everything always have to be anonymised?
13. During my research: data sharing and exchange
• Is it legitimate to share personal data with co-researchers?
• How far can personal data be shared beyond the team?
• There are special considerations when personal data crosses borders. Exchanges within the EEA are all under the same privacy regime. Outside the EEA different rules apply
14. After my research: retention
• Why bother to keep research information at all?
• If I need to keep it, then how long should I keep it for?
• If I need to destroy it, then what’s the best way?
15. After my research: reuse
• Can data be used for other, different research?
• Remember that the public has a right of access to College information under the Freedom of Information Act 2000. This covers research information too
• What happens when data subjects die? Does the DPA still apply?
16. The Undertaking
As a result of personal data losses at King’s, the Information Commissioner’s Office has had the College sign an Undertaking as follows:
17. What this means to you
If you work/carry out research at King’s and hold personal data, you have two choices:
If you hold personal data on a laptop, smart phone, USB stick or other mobile devices, they must be encrypted.
Or
You don’t carry personal data on those devices.
19. Doesn’t exist on its own
• The common law of confidence
• Even though the DPA allows access, the law of confidence may still apply
• Duty may arise in contract
• Human Rights Act 1998
• Human Tissue Act 2004 (in effect September 2006)
• Ethical and professional standards
• Health and Social Care Act 2012 (for section 251)
20. Contacts and questions
Records
P: 0207 848 2283
E: records-management@kcl.ac.uk
Legal Compliance
P: 0207 848 4344
E: legal-compliance@kcl.ac.uk
Any questions?