
Handling of Personal and Sensitive Data

Identifiable or sensitive data about living individuals requires safe handling for research integrity and compliance with the law.

Using personal data in research

All research data containing personal data is subject to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, which together form the data protection regime in the UK. The Act, enforced by the Information Commissioner's Office, outlines organisations’ responsibilities for personal data. It also gives individuals rights over their data.

Professional bodies also publish ethics codes for research, which you should review before collecting and storing personal data. The ESRC produced a comprehensive list of ethics codes and guidelines.

Ethical approval

Research using or collecting personal data needs ethical approval before the project starts. The Ethics Toolkit has been developed to support researchers through this process. 

Research data

The overarching rule is to only collect personal and sensitive data if the research requires it. If you do need to use personal or sensitive data, GDPR makes special provisions for research data as long as it fulfils all the following conditions:

  • you are using the data only for research purposes (this includes statistical and historical research)
  • you do not use the information to support decisions about the research subject or any other living person
  • you do not use the data in such a way that it causes substantial damage or distress to the subjects
  • you do not make the results of the research available in a way that identifies any of the research subjects (except if you have explicit consent from the subjects for them to be identified – see ICO guidance on GDPR)

Anonymising data

If you use secondary data that is anonymised, there is no requirement to comply with the GDPR, but best practice for handling data is still recommended. If you have identifiable data that requires sharing, the data needs to be anonymised.

There are excellent resources to guide you through anonymising data:

NHS Digital Data

If identifiable NHS data are used in your research, you must take care to follow your NHS Trust’s information governance policies and procedures, especially those concerned with ICT security and information risk.

If you do not have, and cannot obtain, research subjects’ consent to use their data in your research, you will need to apply for permission to acquire the data via section 251 of the NHS Act 2006.

Identifiable data held by NHS Trusts may not be:

  • held outside Trust systems without the written approval of your Trust’s Information Governance Manager and / or Caldicott Guardian
  • copied to portable devices, unless approved or supplied by the Trust’s IM&T / information governance function, using approved encryption software and devices
  • stored on PC hard drives (the ‘C’ drive) and shared drives (the 'S' drive)
  • transmitted by email except within nhsmail
  • stored with ‘cloud’ providers

See additional guidance for Information Governance for obtaining Health & Social Care (HSCIC) data.

Consent

It is important to consider the role of consent in allowing data to be preserved and shared, both to meet funder requirements and for the wider benefit to science.

The UK Data Archive have created excellent guidance on consent and includes.

If you would like the RDS to review a project’s consent forms for new or existing projects, please get in touch.

Please also note that the University has an ethical review process that should be completed by the PI for each project, and supporting guidance has been developed to support this process. 

REDCap

REDCap is a browser-based Electronic Case Report Form (eCRF) system, designed to capture research data both from research staff in medical settings and directly from patients via online tools.

REDCap is typically used to facilitate secure data capture and analysis for research projects including single and multi-site studies, but more advanced implementations include services such as randomisation, pre-screening and electronic consent.

The system is managed by the NJRO Research Informatics Team, who ensure that patient data is only accessible by authorised individuals and is appropriately anonymised for analysis.