Skip to main content

Handling of Personal and Sensitive Data

Identifiable or sensitive data about living individuals requires safe handling for research integrity and compliance with the law.

Using personal data in research

All research data containing personal data is subject to the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (internal site), which forms the data protection regime in the UK. The Act, enforced by the Information Commissioner's Office, outlines organisations’ responsibilities to personal data. It also gives individuals rights over their data.

There are also professional bodies’ ethics codes for research to review before collecting and storing personal data. The ESRC produced a comprehensive list of ethics codes and guidelines

Ethical approval

Research using or collecting personal data needs ethical approval before the project starts. The Ethics Toolkit has been developed to support researchers through this process. 

Research data

The overarching rule is to only collect personal and sensitive data if the research requires it. If you do need to use personal or sensitive data, GDPR makes special provisions for research data as long as it fulfils all the following conditions:

  • you are using the data only for research purposes (this includes statistical and historical research)
  • you do not use the information to support decisions about the research subject or any other living person
  • you do not use the data in such a way that it causes substantial damage or distress to the subjects
  • you do not make the results of the research available in a way that identifies any of the research subjects (except if you have explicit consent from the subjects for them to be identified – see ICO guidance on GDPR)

Anonymising data

If you use secondary data that is anonymised there is no requirement to comply with the GDPR, but best practice for handling data is still recommended. If you have identifiable data that requires sharing the data needs to be anonymised.

There are excellent resources to guide you through anonymising data: