
GDPR and data protection

The Data Protection Act (2018) and GDPR apply to all personal data that you collect and process as part of your research project. Personal data is any data which could identify a living individual, such as a name, a picture of an identifiable face, a National Insurance number etc. Personal data only ceases to be personal data when it is anonymised, not when it is pseudonymised. A list of St Mary's student registration numbers is personal data because anybody with appropriate access to the correct systems can work out who an individual is from that data.

Data which identifies factors such as medical history, religious or political beliefs is particularly sensitive and is termed "special category data".

When you collect, process and store personal data there are various principles and safeguards that you must comply with. You must also be able to demonstrate a legal basis for collecting the personal data.

If the data you are collecting does not identify any living individuals then you do not need to worry about data protection legislation and GDPR.

Principles of data protection

Under the legislation, all personal data that you collect for your research project must comply with the following principles:

  • You must have a lawful basis to collect it and collect it in a fair and transparent manner (see section below)
  • The data you collect must be for a specific purpose and must not be used for another purpose in the future
  • The amount of personal data you collect should be kept to an absolute minimum
  • The data must be accurate
  • The data should not be stored for any longer than is necessary (but the law does not lay down specific limits)
  • The data must be stored safely and securely to prevent it being lost or coming into the hands of others

If any of your data is lost or if somebody gains unauthorised access to it, you must report it to the University's Data Protection Officer immediately (

The Government, through the Information Commissioner's Office (ICO), can impose huge fines for data leaks and breaches. There are also potential significant fines for failing to report a data breach to the ICO.

What is my legal basis for collecting personal data?

Under the Data Protection Act there are six legal bases which can be used to justify the collection of personal data. It is advisable to identify and document the legal bases which you will rely on at the start of a project and include them in your ethics application.

  • Consent
  • Necessary for a contract
  • Necessary to comply with a legal obligation
  • Necessary to protect vital interests
  • Necessary for a task carried out in the public interest or in the exercise of official authority
  • Legitimate interests

Whilst it is important for ethical reasons to ensure that participants are clear what personal data is being collected and for what purpose, ethical consent is not the same as consent to process personal data. For the latter, consent must be very specific and active (e.g. a signature or a click on a specific box is required). Consent to personal data collection bundled as part of ethical consent could not necessarily be relied upon as data collection consent. In addition, consent can be withdrawn. In most cases it is advisable to identify a legal basis other than consent upon which to rely.

The University is a public authority for the purposes of data protection legislation. Research is part of our public task, and our research becomes publicly available and is in the public interest. Therefore the legal basis for collecting personal data in university-funded research is that it is necessary for a task carried out in the public interest.

Research carried out for a commercial organisation for its own internal use could not rely on this legal basis.

Special category (sensitive) personal data

If special category personal data is being collected you must provide an additional legal basis for collecting it.

Article 9(2)(j) allows for collection of special category personal data "where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes."

The Data Protection Act, Schedule 1, paragraph 4 allows for collection which is "necessary for archiving purposes, scientific or historical research purposes or statistical purposes."

It is important to make sure that you:

  • Have ethical approval for the collection of personal data
  • Have put in place the appropriate safeguarding to ensure the security of the data
  • Anonymise or destroy the data as soon as it is appropriate to do so
  • Do not collect any personal data for which you do not have a clear documented reason to collect
  • Only use the data for the stated reasons, not for any other purpose

In order to rely on these bases the research must clearly be in the public interest and the intent should be to make the research publicly available (e.g. through publication in the academic literature). A research project which, for example, was entirely for the benefit of a commercial company would probably not be able to rely on these bases, and an alternative basis (e.g. consent) would need to be found.

Privacy Notice

To help you to make these decisions, St Mary's has a Privacy Notice Guide which should be completed at the start of a research project.

St Mary's RDM Policy

The St Mary's RDM policy requires researchers to:

  • Register details of each new research project with Research Services to ensure record-keeping of University research activity and enable planning of support service provision
  • Create a Data Management Plan (DMP) for every research project regardless of the project's funding status. DMPs outline how data collected for a project will be handled both during and after the project. Use of the Digital Curation Centre's DMP Online tool is recommended to assist with creation of DMPs
  • Update the DMP during the research project as and when circumstances change, maintaining the DMP as a 'living document'
  • Maintain metadata and descriptive documentation on the data during and after the research project. This should provide sufficient information on the structure, context and file format of the data to enable it to be located and reused by future researchers. Any proprietary software required to read and use the data should be clearly stated
  • Store and manage research data in line with legal, ethical, contractual, regulatory and intellectual property requirements as relevant to the specific project. These requirements will vary greatly according to the subject matter of the research and include meeting any specific requirements laid down by external funders. Additional security measures will be necessary in some cases for research involving personal or sensitive information
  • Store working research data in a manner that preserves its integrity and minimises risk of data loss. This includes making regular backup copies of research data and not relying on a single storage location
  • Deposit the 'selected' research data (i.e. that which supports the conclusions of the research) in an appropriate data repository or archive at the conclusion of the project, together with the appropriate descriptive metadata to enable discovery by others. The metadata should ideally include a Digital Object Identifier (DOI), thereby providing a stable identifier and link back to the data. External services designed to facilitate data deposit include Figshare and Zenodo, as well as many discipline-specific data repositories. Data may also be deposited in the St Mary's University Open Research Archive.
  • Preserve the deposited research data for at least 10 years after publication of the research it supports
  • Make the deposited research data openly accessible in the chosen repository wherever possible, unless there are specific legal, ethical, contractual or intellectual property-related reasons to do otherwise
  • Provide a Data Access Statement in the published research output (e.g. journal article or book) giving details of where the supporting data or material can be accessed, the DOI for the data and any restrictions placed on access to the data due to legal, ethical, contractual or regulatory requirements.