UK Data Protection Act 1998 (DPA)
It is important that those undertaking research are aware that the Data Protection Principles embodied in the DPA apply to their work. Social science research often involves the processing of personal data. Researchers should be aware that the processing of any information relating to an identifiable living individual constitutes ‘personal data processing’ and is subject to the provisions of the Data Protection Act 1998. Helpful guidance can be found at the ICO guide to data protection.
The Data Protection Act 1998 does not apply to anonymised personal data, which do not identify the individual. Anonymised datasets can be used for research without making use of the Section 33 exemption of the Act. Organisations and individual researchers should be aware that data anonymisation and the concept of anonymisation itself may be problematic. The ICO states that “it is essential to carry out a thorough risk analysis on the likelihood and potential consequences of re-identification at the initial state of producing and disclosing anonymised data”. The ICO advises that ensuring an adequate level of anonymisation should take into account the likelihood of re-identification being attempted; the likelihood of re-identification being successful; the anonymisation techniques which are available to use; and the quality of the data after anonymisation has taken place, and whether this will meet the needs of the organisation using the anonymised information.
Researchers and research organisations should be aware that collection of personal data through re-identification without the individual’s knowledge or consent may constitute unlawful personal data collection. Researchers should be aware of the legal framework in which they operate and that deliberate unauthorised identification is likely to breach Data Protection or confidentiality laws. The ESRC will handle unauthorised identification under research misconduct policies which include possible sanctions, such as withdrawal of funds from researchers who deliberately attempt to re-identify individuals without their consent.
The UK Data Service can offer advice regarding anonymisation of datasets for archiving and sharing.
Research organisations should ensure that appropriate practical arrangements are in place to maintain the integrity and security of research data. Clear direction should be provided on where responsibilities reside in all these areas. Researchers should be aware of the threat to data integrity and security presented by routinely-used collection and storage methods, such as computer files on hard drives and similar devices, portable computing equipment and memory, email and databases. Periodic audit of data storage arrangements at all levels is likely to be necessary to ensure compliance with both legal obligations and good research practice. Researchers should be encouraged to undertake regular staff training as another means to ensure they are following best practice.
Researchers should also ensure that proposals involving subcontracted social surveys and third parties such as polling companies or other market research providers contracted to secure data do so according to the ethics principles set out in our framework. These organisations often operate according to codes of practice developed by bodies such as the Market Research Society. The research ethics committee should consider these issues when reviewing the proposal.
Publicly available data which do not fall under the DPA definition
While data collected and stored as a record at an individual level are considered personal data, material already in the public domain is not. For example, published biographies, newspaper accounts of an individual’s activities and published minutes of a meeting would not be considered ‘personal data’ requiring ethics review, nor would interviews broadcast on radio or television or online, nor diaries or letters in the public domain. However, researchers should consider broader ethics issues potentially arising from their research which are not limited to the nature and availability of the research data, but may include dissemination and impact activities throughout the lifecycle of the research.
Research that involves anonymised records and datasets that exist in the public domain may only require a light-touch review. This includes, for example, datasets available through the Office for National Statistics or ESRC’s data service providers where appropriate permissions have already been obtained, and where the risk of identifying individuals from the information provided is negligible. Specific regulations relate to the use of administrative and controlled data (other data producers are likely to specify their own restrictions on the access and use of their data).
Researchers are now making greater use of datasets that have been generated through internet-mediated technology and social media (eg Facebook or Twitter). Researchers should consider the ethics issues which arise; for example, the interpretation of anonymity and whether participants (eg social media users) would consider data in the public domain to be private, the meaning of informed consent in this context, and what permissions a researcher has over the data supplied by the data producer.
EU Data Protection Regulation
In January 2012, the European Commission published a proposal for a Data Protection Regulation which will replace the existing directive. The EU regulation is expected to be in force by 2018. Researchers whose research may involve the handling of personal data commencing over this period will need to ensure that they understand the developing implications of the new EU regulation for their research.