Data Protection Act
The Data Protection Act 1998 contains some important provisions to allow the use of both non-sensitive and sensitive personal data for research.
The Act received Royal Assent in 1998 and came into force on 1 March 2000. It implements the EU Data Protection Directive 95/46/EC, is the keystone of UK information law, and regulates the use of personal data held both on computer and manually in relevant filing systems. The aim of the Act is to protect the rights of the individual (‘the data subject’) about whom data are obtained, stored, processed or supplied.
There are a number of important issues that researchers must familiarise themselves with before applying for or using personal data for research purposes.
What are ‘personal data’ and ‘sensitive personal data’?
Section 1(1) of the Data Protection Act defines ‘personal data’ as data that relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person with respect to the individual.
Sensitive personal data
‘Sensitive personal data’ is defined in section 2 of the Data Protection Act as personal data consisting of information relating to the data subject with regard to racial or ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; the commission or alleged commission by the data subject of any offence; or any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Can personal data be used for research?
There are two important considerations concerning whether personal data can be used for research.
Is consent required from the data subject to legitimately process personal data for research?
The processing of all non-sensitive personal data for research must be both fair and lawful and meet at least one of the six conditions contained in Schedule 2 of the Data Protection Act. One of those six conditions provides that personal data processing will be legitimised where the processing is necessary for the ‘legitimate interests’ pursued by the data controller. If the requirements of the ‘legitimate interests’ condition can be satisfied, it may be possible to rely on this condition to use non-sensitive personal data for research without consent from the data subject.
The Information Commissioner’s Office (ICO) guidance states that it takes “a wide view” of the ‘legitimate interests’ condition: the processing does not have to be “necessary” in the sense that there is no alternative way of achieving the intended outcome; provided that the data controller’s interests are legitimate, the processing is likely to be acceptable where the data subject is not prejudiced. The condition therefore involves a balancing test: the legitimate interests of the data controller (or of the third parties to whom the data would be disclosed) are weighed against any prejudice to the rights, freedoms and legitimate interests of the data subjects. Where that balance favours the processing, the condition may remove the need for consent.
Where the information concerned is sensitive personal data, at least one of the conditions in Schedule 3 of the DPA must be met in addition to a Schedule 2 condition before the processing can comply with the First Data Protection Principle (that personal data must be processed fairly and lawfully). In practice, the processing of sensitive personal data will usually require the individual’s “explicit consent” (Schedule 3, paragraph 1).
Can personal data be used for purposes other than collected?
Section 33 of the Data Protection Act applies to personal data which are processed (or further processed) ‘only for research purposes’. ‘Research purposes’ is not exhaustively defined, but section 33(1) states that it includes statistical or historical purposes. To qualify for the research exemption, the processing must comply with the following ‘relevant conditions’:
(a) that the data are not processed to support measures or decisions with respect to particular individuals, and
(b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
Where these ‘relevant conditions’ are satisfied, section 33 provides that personal data processed for research:
- may be further processed for purposes other than those for which they were originally obtained, since such further processing is not regarded as incompatible with the original purposes (an exemption from the Second Data Protection Principle);
- may be kept indefinitely (an exemption from the Fifth Data Protection Principle); and
- are exempt from the data subject’s right of access where ‘the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them’ (section 33(4)).
Section 33 does not, however, exempt research processing from the remaining data protection principles. Researchers wishing to use personal data should be aware that most of the principles still apply, notably the Seventh Principle, which requires appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to the data. The First Principle also continues to apply even where the ‘research exemption’ does: although the data subject’s consent to the processing is not always required, where consent is absent one of the other Schedule 2 conditions (and, for sensitive personal data, a Schedule 3 condition) must still be satisfied for the processing to be fair and lawful.
The DPA does not apply to personal data that have been effectively anonymised, and such anonymised information can be used for research without reference to the section 33 exemption. Anonymisation is only effective if a living individual can no longer be identified from the data, either alone or in combination with other information that is in, or is likely to come into, the possession of whoever holds them (see the definition of ‘personal data’ above); removing names alone is rarely sufficient where other identifying details such as addresses or dates of birth remain.
Are names personal data?
‘Personal data’ is defined in s.1(1) of the Data Protection Act 1998 (DPA) as “data which relate to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”
Although an individual’s name by itself may not constitute personal data for the purposes of the Data Protection Act, it should be remembered that a single datum (the word ‘data’ is plural), which is not personal when processed by one person, may become personal when it is processed by another person depending on the purpose of the processing and the potential impact of the processing on individuals.
It is therefore the opinion of the Administrative Data Research Network (ADRN) that where a dataset contains at least a person’s name or other potentially identifiable data (such as address or date of birth) then this is to be classed as ‘personal data’ and therefore treated in accordance with the Data Protection Act.
When does a researcher become a data controller?
A data processor is a person or organisation that ‘processes’ personal data on behalf of a data controller. A data controller is a person or organisation that has the authority to decide how and why personal data are to be ‘processed’.
A data controller is the entity responsible for complying with data protection law. Section 1(1) of the Data Protection Act defines a data controller as ‘a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any data are, or are to be, processed’. The Information Commissioner’s Office (ICO) may order data controllers to pay penalties of up to £500,000 for serious breaches of the Data Protection Act.
The way in which a researcher handles personal data will determine whether or not that researcher becomes a data controller, and consequently whether or not a monetary penalty notice could be issued against that individual. A researcher may become a data controller in his or her own right where the data are used for that individual’s own purposes, and may therefore be liable to be served with a monetary penalty notice if any of the data protection principles are breached. This would most likely occur where a researcher has been provided with personal data for research purposes by a data-holding organisation and has then passed the data on to a third party who uses them for purposes other than those for which they were originally obtained.
Further reading
- Data Protection Act 1998 - Act in full (PDF, 256Kb)
- What is personal data? (73Kb)